Nearly all wi-fi networks protected with Wi-Fi Protected Access II (WPA2) have several vulnerabilities that could allow an attacker within range to decrypt anything transmitted from devices on the network.
The vulnerabilities can be exploited by “key reinstallation attacks”, or KRACKs, as they are called by Mathy Vanhoef, the researcher from Netherlands university KU Leuven who discovered the WPA2 flaws. Thanks in part to a Linux wi-fi daemon called "wpa_supplicant", the flaw affects smartphones, computers, and Internet of Things (IoT) devices.
KRACK is the most potent of several attacks that Vanhoef found could be used against WPA2. It targets the 4-way cryptographic handshake of the WPA2 protocol, which occurs when a device attempts to join an access point on a protected wi-fi network. The 4-way handshake is used to confirm both ends have the correct password for the wi-fi network.
WPA2 encrypts data transmitted over a protected wi-fi network. However, the flaws allow an attacker on the network to decrypt any encrypted data the victim transmits to a server, such as passwords or the contents of an email, and may also allow the attacker to decrypt data from the server to the device.
The flaws affect data transmitted between devices and WPA2 wi-fi access points, but not the encryption afforded by websites with HTTPS enabled, such as Gmail, banking sites, or payment pages. HTTPS provides additional protection, as does the use of a VPN, but HTTP content can easily be compromised on affected networks.
While the flaws affect networking equipment and components from different vendors on the server side, including Cisco, Intel, Juniper, and Toshiba, KRACK attacks on the end-user side are “especially catastrophic” for Android 6.0 and above, according to Vanhoef. This group of Android users accounts for 41 percent or 820 million of the two billion active Android devices in use today.
Intel has confirmed the KRACK flaws affect its Wind River Linux-based embedded systems used in IoT devices. Ubuntu maker Canonical has also released updates for Ubuntu 17.04, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS.
Fixing the flaws will require applying patches on the client and server side, which could pose a problem for Android given the difficulties of patching thousands of different models from hundreds of Android device makers.
Vanhoef explains that, within the context of WPA2, a key should only be installed and used once on an access point and device. However, he found a way to reinstall already-used keys by manipulating and replaying handshake messages during the 4-way handshake.
“When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times.
“Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged.”
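The nonce reset described in the quote can be reproduced in a few lines. The following is an added example, not code from Vanhoef's paper or from wpa_supplicant: the `Client` class and all names are hypothetical, the key and frames are constructed, and an HMAC-SHA256 keystream stands in for the AES counter mode that WPA2's CCMP actually uses. It compares a client that resets its packet number on every message 3 with one that keeps the counter when the same key is already installed.

```python
import hashlib
import hmac

P1 = b"GET /login HTTP/1.1\r\n"   # constructed sample frames
P2 = b"user=alice&pw=hunter2"

def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for AES-CTR: the stream depends only on (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Toy supplicant: only the key-install and transmit paths are modelled."""
    def __init__(self, reset_on_reinstall: bool):
        self.reset_on_reinstall = reset_on_reinstall
        self.key = None
        self.pn = 0  # incremental transmit packet number (the nonce)

    def on_message3(self, key: bytes) -> None:
        if key == self.key and not self.reset_on_reinstall:
            return  # same key already installed: keep the counter running
        self.key, self.pn = key, 0

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def run(reset_on_reinstall: bool):
    """One frame, then a retransmitted message 3, then a second frame."""
    key = hashlib.sha256(b"constructed session key").digest()[:16]
    client = Client(reset_on_reinstall)
    client.on_message3(key)
    first = client.send(P1)
    client.on_message3(key)  # retransmission of message 3
    return first, client.send(P2)

def nonce_reused(frames) -> bool:
    return frames[0][0] == frames[1][0]

def leaks_plaintext_xor(frames) -> bool:
    """With a reused nonce the keystream cancels: c1 XOR c2 == p1 XOR p2."""
    return xor(frames[0][1], frames[1][1]) == xor(P1, P2)
```

With `reset_on_reinstall=True` both frames go out under packet number 1, so XORing the two ciphertexts yields the XOR of the two plaintexts without any knowledge of the key.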
Interestingly, in Vanhoef’s paper “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”, he notes the impact on Windows and iOS isn’t as dire as on Android because Apple's and Microsoft's implementations violate the wi-fi 802.11 standard by rejecting retransmissions of message 3. As a result, an attacker can decrypt some packets on those systems, but not all of them, as is possible on Android and Linux systems.
Android and Linux on the other hand can be tricked into reinstalling an “all-zero encryption key”, or a key consisting of all zeros, which is clearly predictable and therefore allows the attacker to decrypt all encrypted packets.
But the vulnerability in Android, which uses a modified version of the Linux kernel, stems from the kernel adhering to the wi-fi standard's recommendation of clearing the encryption key from memory after it’s been installed once.
The vulnerability in systems that use the Linux kernel has been traced back to version 2.6 and prior of the wi-fi daemon "wpa_supplicant".
“When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key. Because Android uses wpa_supplicant, Android 6.0 and above also contains this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices,” explains Vanhoef.
The KRACK flaw was revealed at the same time as another, potentially more serious flaw called ROCA.
ROCA, or "The Return of Coppersmith's Attack", affects Trusted Platform Module chips from German firm Infineon and, through them, products from Microsoft, Google, HP, Lenovo, and Fujitsu.