How the KRACK Attacks Work and the Long-Term Impacts

WPA2 is used to secure wireless networks by almost every enterprise, SMB, individual and mobile device. For many years, WPA2 has been considered a secure Wi-Fi protocol, assuming that you have secure authentication setup, such as a strong password (PSK) and/or digital certificate.


The KRACK attacks (Key Reinstallation Attacks) were developed by security researcher, Mathy Vanhoef, who claims that every Wi-Fi device on the planet is vulnerable.

KRACK is achieved through a set of newly discovered security flaws related to how our systems and devices connect to wireless networks. Most wireless attacks target the Wi-Fi network itself, whereas in this case the vulnerabilities are present in the end user devices that affect the confidentiality and integrity of the encrypted wireless data.   Adversaries are now able to set up malicious wireless networks that manipulate the WPA2 handshake of wireless clients to force them to “reinstall” their encryption key. This causes a side effect on the wireless encryption that enables an attacker to decrypt the encrypted wireless traffic, replay encrypted wireless packets, and/or forge valid encrypted wireless traffic into the target Wi-Fi network.

If we take a step back and look at an overview of how wireless security protocols work, then it will provide an insight into the attack.
Encryption is highly dependent upon an “Initialisation Vector” (IV) that can be thought of as a random number that enables data to be scrambled effectively. If this random number is not random then the encrypted data can potentially be decrypted, replayed or forged.

This applies directly to the CCMP and GCMP protocols that protect the confidentiality of wireless networks. These protocols create the IV through the concatenation of the sender MAC address and a nonce (incremental replay counter). CCMP also concatenates some additional flags. The nonce is the key part of the IV that is unknown and is ultimately protecting the wireless data confidentiality.


This is where the “Key Reinstallation Attack” comes in. When the key is installed, the nonce is reset to zero, which means that the IV can now be predicted and the encrypted data cracked and/or manipulated.

In a real-world attack we need to force, or wait for, the wireless access point to request the wireless client to reinstall the key to trigger the weak IV. This can be forced by performing a standard “de-authentication attack” where the attacker kicks the client off the wireless network to force them to reconnect, at which point the vulnerability is exposed.   It was also found that some wireless access points can be forced to send the required requests, and the even scarier part is that this condition could occur on wireless networks even without an attack.

The potential impact associated with these wireless security protocols are as follows:

• If you are using AES-CCMP, then the encrypted wireless network traffic can be replayed and decrypted. This protocol does not allow direct forging of encrypted wireless network traffic; however, by decrypting TCP SYN packets an attacker can get enough information to perform TCP Hijacking attacks to inject arbitrary malicious data into TCP network traffic.
• If you are using WPA-TKIP or GCMP, then encrypted wireless network traffic can be replayed, decrypted, and forged.

 
As can be seen, this is a highly concerning attack technique. The upside is that the attack is dependent upon the vulnerability being present in the wireless client. The downside is that the vulnerability is present to some extent in all major operating systems, including Windows, macOS, iOS, Android and Linux.

Android phones (v6.0) and some Linux devices contained the most critical vulnerability where unencrypted messages can be sent and full control can be gained over the victim’s wireless network traffic. IoT devices typically use Linux, including cameras, TVs, watches, cars, and home automation systems, of which some are likely to also be affected.

The Linux and Android specific vulnerability is due to a flaw in their implementation of the protocol standard where the Temporal Key (TK) is overwritten with zeros. This is basically comparable to your password being overwritten with all zeros to gain access to all of your data. This allows the capture of sensitive information such as usernames and passwords, as well as the ability to inject malicious data into your web browsing. Even after the majority of mobile phones and Linux systems are patched, the major long-term risk to organisations in this case are those IoT devices that remain unpatched for a long time, or simply never have patches released by the vendor. If you fail to patch one of your wireless projectors, wireless cameras, wireless speakers, and so on, then at any point in time an attacker is able to decrypt and manipulate the wireless traffic for these devices on your network.

It is a well-known fact that IoT devices have a terrible history when it comes to security, such as requesting software updates over HTTP. This would enable the attacker to deploy a fake update to the vulnerable device causing it to become compromised, and ultimately provides the attacker with a foothold within your wireless network. If this device is on your corporate network, then your organisation is suddenly at risk of a major security breach.

macOS and OpenBSD were the next most significantly affected with four out of the six attack conditions being present. The primary challenge is that these operating systems only accept encrypted messages to be sent to the wireless client that makes it slightly more difficult. This security control was still able to be bypassed by identifying encrypted messages by their size, and then replaying them against the vulnerable wireless client.

This makes them just as vulnerable as in the Linux example above, except that some additional effort will be required to crack the key. The upside is that the main risk is associated with macOS devices in this case, which are far more likely to be patched across the board than IoT devices. The security researcher also stated that they have developed a more stable and advanced attack for macOS that they will be releasing.

Windows and Apple iOS devices were found to be vulnerable to only the least effective attack technique. There are actually three different areas where keys can be used to abuse wireless encryption, which are the PeerKey, Group Key, and Fast BSS Transition (FT) handshake.

• The Peer Key is negotiated between two Wi-Fi clients to establish uniquely encrypted communications between them that no one else on the wireless network can view the data.
• The Group Key is for encrypting broadcast traffic where all Wi-Fi clients have the key so they can decrypt the broadcast traffic that is destined for everyone.
• Fast BSS Transition (FT) (802.11r) performs a handshake to calculate the Pairwise Transient Key (PTK) before a Wi-Fi client transitions to another Access Point to minimise any delays.
  

Windows and Apple iOS are only affected when the Group Key reinstallation occurs. This means that attackers can decrypt or replay encrypted broadcast traffic onto the target wireless network, which has limited practical uses.   One example is where encrypted NTP packets can be replayed to perform a TimeJacking attack to freeze the time of the systems on the wireless network, which can theoretically affect the expiration of SSL certificates, Kerberos tokens, cached files, and even bitcoins by forcing the system to accept an alternate block-chain to increase the chance of double-spending.

Operating system vendors were notified prior to the release of this research and security patches have been, or are being, released by the major players. The priority is to patch all of your wireless clients, including workstations, laptops, mobile devices, watches, projectors, cameras, SmartTVs, wireless network repeaters, and so on. If you leave any of these devices unpatched then there is a distinct possibility that the device may be used as an entry point into your corporate or home wireless network.

Although still vulnerable, the AES-CCMP in theory causes less of an impact than GCMP, so wireless access points should be configured with AES-CCMP to increase the difficulty of attacks. This attack targets vulnerabilities in wireless clients; however, there were also weaknesses identified in some wireless access points that aided in the ability to trigger the vulnerable condition that is required to perform this attack. With this in mind, updates to wireless access points should also be investigated and updated where appropriate.

Threat Intelligence Expert Provides Insights on the long-term impacts of the KRACK attacks and what organisations should do to protect themselves long-term. Get in touch with us.