Researchers from the University of Leuven (@vanhoefm and team) have discovered flaws in the WPA2 implementations of clients and APs. These flaws create vulnerabilities for replay and decryption attacks on packets transferred over WiFi links. They have named them KRACKs (Key Reinstallation AttaCKs). Both 802.1x (EAP) and PSK (password) based networks are affected. These vulnerabilities have been cataloged under 10 CVEs. In the series of videos below, I explain these CVEs in detail with Vivek Ramachandran, Founder and CEO of Pentester Academy.
A basic understanding of AES-CTR encryption in WPA2, and of the peril of packet number reuse therein, is essential to comprehend these vulnerabilities.
Watch this video for relevant details on WPA2 encryption process:
Vulnerabilities in EAPOL 4-Way Handshake
This handshake is performed between the client and the AP at the beginning of the connection to generate and transport temporal WPA2 keys. It is also performed to refresh the pairwise temporal key during the connection. Client-side implementation flaws in the EAPOL 4-way handshake create a vulnerability for a decryption attack against unicast frames transmitted by the client. The window of exposure is around a few initial frames transmitted by the client after the handshake. The same flaw also creates a vulnerability for a replay attack on broadcast frames transmitted by the AP during that window. A practical exploit requires a MAC-spoofing AP acting as a Man-in-the-Middle (MitM) that talks to the client on one radio and to the real AP on another radio, and manipulates the frames that flow through.
Reference: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079.
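The following added example (not code from the researchers or from any vendor) models the key reinstallation that gives the attacks their name: a client that receives handshake message 3 a second time reinstalls the same key and resets its packet number, so two frames share one keystream. The Client class is hypothetical, the key and plaintexts are constructed, and SHA-256 over key and packet number stands in for AES-CTR as an assumption.

```python
import hashlib

def keystream(key: bytes, pn: int, n: int) -> bytes:
    # Stand-in for AES-CTR (assumption): like CTR mode, the keystream
    # depends only on the pair (key, packet number).
    return hashlib.sha256(key + pn.to_bytes(6, "big")).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a client's pairwise-key handling."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.tx_pn = 0

    def on_message3(self, key: bytes) -> None:
        # Message 3 of the 4-way handshake tells the client to install the key.
        if self.hardened and key == self.key:
            return  # same key already installed: keep the packet number
        self.key = key
        self.tx_pn = 0  # installing a key resets the packet number

    def send(self, plaintext: bytes):
        self.tx_pn += 1
        ks = keystream(self.key, self.tx_pn, len(plaintext))
        return self.tx_pn, xor(plaintext, ks)

def run(hardened: bool):
    """Return (reused packet numbers, whether c1 XOR c2 equals p1 XOR p2)."""
    ptk = b"constructed-ptk-0123456789abcdef"        # constructed sample key
    p1, p2 = b"GET /index.html", b"POST /login pw="  # constructed, equal length
    client = Client(hardened)
    client.on_message3(ptk)
    pn1, c1 = client.send(p1)
    client.on_message3(ptk)  # a retransmitted message 3 arrives
    pn2, c2 = client.send(p2)
    reused = [pn1] if pn1 == pn2 else []
    return reused, xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("unpatched:", run(hardened=False))
    print("patched:  ", run(hardened=True))
```

In the unpatched model the keystream cancels out of the two ciphertexts; the patched model ignores the repeated install, so the packet number keeps increasing.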
Watch this video for more details on EAPOL 4-way handshake vulnerabilities:
Vulnerabilities in Fast Transition (FT) Handover
FT Handover is performed by the client to roam from one AP to another with minimal latency in accordance with the 802.11r protocol. During the handover, new keys are established with or obtained from the destination AP. The AP-side implementation flaw in FT handover creates a vulnerability for a decryption attack on unicast frames transmitted by the AP to the client and a replay attack on unicast frames transmitted by the client to the AP. The window of exposure can be an arbitrary length of time and any number of frames during which the client remains connected to the AP after handover. Replays can be particularly perilous for transactional applications such as Internet of Things (IoT). A practical exploit can be launched using a sniffer that can listen to and replay the frames over the wireless medium.
Reference: CVE-2017-13082.
Watch this video for more details on FT handover vulnerabilities:
Vulnerabilities in Group Key Handshake
This handshake is performed between the AP and the client when the AP refreshes group keys or when the client acquires current group keys from the AP on waking up from sleep mode. A client-side implementation flaw in the group key handshake creates a vulnerability for a replay attack on broadcast frames transmitted by the AP. The window of exposure is around a few broadcast frames transmitted by the AP after the group key handshake begins. A practical exploit requires a MAC-spoofing AP acting as a Man-in-the-Middle (MitM) that talks to the client on one radio and to the real AP on another radio, and manipulates the frames that flow through.
Reference: CVE-2017-13080, CVE-2017-13081, CVE-2017-13087.
Watch this video for more details on group key handshake vulnerabilities:
Countermeasures for WPA2 Key Reinstallation Vulnerabilities
These include patching the AP and the client software to eliminate the respective root causes of the vulnerabilities. Patching the AP can also serve as an interim measure to prevent triggering of vulnerabilities on clients. Zero-day protection for many of the vulnerabilities is available in networks that are protected by a wireless intrusion prevention system (WIPS) with proven AP MAC spoofing detection and containment capabilities.
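One check a monitoring sensor could apply for AP MAC spoofing, shown as an added example that is not any WIPS product's logic: the MitM AP described above uses the real AP's MAC on a second radio, so the same BSSID appears on two channels at nearly the same time. The observation tuples, the function name spoofed_bssids and the one-second window are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample beacon observations from a monitoring sensor:
# (timestamp in seconds, BSSID, channel advertised in the beacon, SSID)
OBSERVATIONS = [
    (0.00, "02:00:00:aa:bb:01", 6, "corp"),
    (0.10, "02:00:00:aa:bb:02", 11, "corp"),
    (0.12, "02:00:00:aa:bb:01", 6, "corp"),
    (0.15, "02:00:00:aa:bb:01", 1, "corp"),   # same BSSID on another channel
    (0.22, "02:00:00:aa:bb:01", 6, "corp"),
    (30.0, "02:00:00:aa:bb:02", 36, "corp"),  # channel change long afterwards
    (30.1, "02:00:00:aa:bb:02", 36, "corp"),
]

def spoofed_bssids(observations, window=1.0):
    """Return {bssid: sorted channels} for BSSIDs that beacon on more than
    one channel within `window` seconds. A single AP radio stays on one
    channel, and multi-radio APs use a distinct BSSID per radio."""
    last_seen = defaultdict(dict)  # bssid -> {channel: last timestamp}
    alerts = defaultdict(set)
    for ts, bssid, channel, _ssid in sorted(observations):
        for other_ch, other_ts in last_seen[bssid].items():
            if other_ch != channel and ts - other_ts <= window:
                alerts[bssid].update({channel, other_ch})
        last_seen[bssid][channel] = ts
    return {b: sorted(chs) for b, chs in alerts.items()}

if __name__ == "__main__":
    for bssid, channels in spoofed_bssids(OBSERVATIONS).items():
        print(f"ALERT: {bssid} beaconing on channels {channels}")
```

The second BSSID is not flagged because its two channels are seen 30 seconds apart, which is consistent with an ordinary channel change.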
Watch this video for details on countermeasures for WPA2 key reinstallation vulnerabilities:
Peer Key Handshake
There are also vulnerabilities disclosed in peer key handshakes in DLS and TDLS. These are performed when two clients connected to an AP wish to establish a direct communication link between them with the AP’s help. This is an uncommon use case in enterprise networks. Further, enterprise APs enforce “client isolation” that prevents clients from directly talking to one another through the AP, which then blocks direct link setup messages. You can ask your client software vendor to provide a patch to fix the root cause of these vulnerabilities.
Reference: CVE-2017-13084, CVE-2017-13086.
Last But Least Clarified
The last of the 10 vulnerabilities, which is CVE-2017-13088, pertains to IGTK transport. Some debate is required on this one to confirm or clarify it. IGTK comes into the picture with 802.11w (MFP). With MFP, however, GTK/IGTK are piggybacked on the WNM Sleep Mode Response, and a group key handshake is not required to distribute them. Without a group key handshake, there isn't a group message 2/2 to block to trigger a vulnerability similar to CVE-2017-13087. We will write about this one after more clarity emerges.