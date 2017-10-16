WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) 46
A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack. From a report: The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
Public announcement from Mathy Vanhoef is https://www.krackattacks.com/ [krackattacks.com] and his research paper can be found https://papers.mathyvanhoef.co... [mathyvanhoef.com].
it's an attack on the client machine, not on the access point.
it means that any unpatched device connected to a wifi network with WPA2 encryption can expect the same security as being connected to an unsecured wifi (anyone can eavesdrop your communication, or could inject stuff,
how easy it is to do, don't know yet, but it seems to be a feasible attack to carry out.
No it is an attack on both. Though it appears that patched clients would be safe while connected to an upatched AP.
And vice versa, a patched AP can prevent a client from breaking. One or the other side needs to prevent it, but either side by itself is sufficient.
an expect the same security as being connected to an unsecured wifi
Not quite that bad. An unsecured wifi can have packets manipulated, and can snoop both directions. Here the attack cannot change any of the data and can only read one direction of the communication. Still pretty bad, but no reason to suddenly not care about open networks versus secured networks.
Need to build a device with the special software and come within range of a router to sniff the keys. Then can eaves drop on communication between router and client.
It will take a day at least to build it and then one has to come physically close.
Vulnerable places will be coffee shops, malls, airports etc. Stores that use wi-fi between cash registers and router would be the primary target. BTW Target had security cam
Note that I would *hope* point of sale equipment and security equipment would use TLS regardless of the media. If that were the case, then the WPA2 weakness would not suddenly provide access to that material.
For a private laptop connecting to public wifi-hotspots, this attack is harder than just setting up another credible wifi hotspot. Any place where the wifi password is well known knowledge is never going to be rigorous security.
Can anyone shed any light on how serious this actually is? How easy is it to exploit this?
I don't want some theoretical answer, either. I want to know in very practical terms.
Is this as bad as the "Shellshock" bash bug [wikipedia.org] and the "Heartbleed" OpenSSL bug [wikipedia.org] were, where systems were being compromised within hours of these bugs becoming widely known?
From the disclosure:
When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.
nice work ! (Score:2)
this just goes to show who is paying attention :
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
P.S. The user authentication page does submit the user credentials via HTTPS: https://secure.zdnet.com/user/... [zdnet.com]
Well I have an ISP that likes to inject stuff into unencrypted connections is that not reason enough to prefer https sites?
Maybe enable encryption in SMB? What you are still using SMB1, well more fool you then. It's 2017 the world has moved on.
Not every networking protocol can be encapsulated in HTTPS
Exactly. I was going to mirror an above AC who said, "I'm surprised that this still needs saying on an allegedly technical forum", but he was implying HTTPS was all you needed (wrong).
... (just ask Active Directory)
OH FFS! That's one of the easiest ones to move to a secure protocol - LDAPS (it even has its own extra protocol version that adds the SSL/TLS, but can also upgrade an LDAP connection via TLSStart).
Plenty of traffic is sent in the clear, and those are all better examples than HTTP/HTTPS and LDAP/LDAPS.
Not if the attacker was also able to man-in-the-middle attack you as well.
Going back to WEP (Score:3)
Aircrack, which is pretty popular, can hack WEP in a few minutes.
Right and with tools like kismet/or whatever they're using now, it's rather easy to determine which AP you will attack based upon protocol.
Internet of Things (Score:2)
So which is it? (Score:5, Informative)
WPA2 enterprise doesn't use a pre-shared key. So which is it? Does the weakness lie with pre-shared key passwords? Or something else which also affects WPA2 enterprise?
Ah, here we go. The answer is "it's complicated." I'm reading through it right now, but as a PSA:
In the future can we link to original source articles or responses by authoritative organizations, instead of trade rags?
WPA2 enterprise doesn't use a pre-shared key. So which is it? Does the weakness lie with pre-shared key passwords? Or something else which also affects WPA2 enterprise?
The flaw has nothing to do with passwords or pre-shared keys. All WPA2 devices are affected because the flaw is in the WPA2 protocol.
Ah, here we go. The answer is "it's complicated." I'm reading through it right now, but as a PSA:
Because some of those links don't give you the overall summary but delves into details. As a security researcher you would might find those links useful. As a regular person, it doesn't help you understand the fundamentals like: Who is affected? Everyone using WPA2. Everyone.
TLDR; Replay packet 3 (Score:2)
Replay packet 3 in the 4 way handshake, and the client will encrypt two different payloads with the same key and nonce. A big mistake with most encryption methods.
Worse, linux wpa_supplicant nulls out the key memory but still processes the replayed packet, causing the client to use a known (zero) key.
Very cool paper (but something curious) (Score:2)
I wonder about an almost off-hand remark in section 6.2.
"6.2 Example Attack Scenarios
Among other things, our key reinstallation attacks allow an adversary to decrypt a TCP packet, learn the sequence number, and hijack the TCP stream to inject arbitrary data [37]"
This implies that a "read only" (decrypt only) attack allows attacker to hijack the TCP stream. Can someone with better understanding of the issue explain this point? How can TCP connection be hijacked/modified if attacker has no ability to insert