Vulnerability discovered in WPA2

A vulnerability discovered in the WPA2 protocol, dubbed KRACKs, was revealed to the general public yesterday by security researcher Mathy Vanhoef. A detailed description of the vulnerability and a proof-of-concept video may be found at his website (address noted at the end of this post).

To exploit this vulnerability an attacker manipulates security handshake traffic forcing a nonce counter reset and resulting in session key reuse. If successful the attacker becomes a “man-in-the-middle” and is able to carry out additional attacks; e.g. capture private chat conversations, keylog, install malware, etc.

It is important to note that KRACKs does not affect HTTPS traffic. HTTPS is end-to-end browser encryption and thus should not be affected. As discussed in my post from last week, HTTPS is practically a requirement anymore. The KRACKs vulnerability is yet another reason why you would want to add an SSL certificate to your website today.

It is also important to note that because MAC addresses can be spoofed, MAC address filtering does not provide for mitigation. (I know. MAC address filtering was my first thought, too.)

How widely-used is WPA2?

WPA2 has been a standard since 2006. Buy a Wi-Fi device in the U.S., it implements WPA2. Buy a Wi-Fi device in China, it implements WPA2. Buy a Wi-Fi device in Germany, it implements WPA2. Buy a Wi-Fi device in …well…you get the picture. WPA2 is used a lot.

How vulnerable are You?

Right now your personal level of vulnerability depends on:

How your device implements the WPA2 protocol. The more strict the implementation of WPA2, the more likely the device is going to be vulnerable. We’ll talk more about which devices are ‘more’ and ‘less’ vulnerable in a moment, and

If a practical attack ever becomes a reality. So far we’re only seeing proof-of-concept attacks coming out of the labs of researchers. It’s real. It’s repeatable. The vulnerability most definitely exists. But will anybody actually take advantage of it in a practical way? I’ll also cover that in a moment

 

The good news, as you will see at the end of this post, is that fixing your device should be something that anybody can do. That is, once a fix is made available.

Who is vulnerable and, how likely is an attack?

Early reports put Android devices as extremely vulnerable. Linux, Windows & Apple iOS devices are ‘less vulnerable’, but vulnerable nonetheless.

In short:

  • A lot of people/devices are vulnerable, and,
  • We probably won’t see any attacks in-the-wild tomorrow. We might have to wait for the black hats to develop their attack toolkits. I have no doubt that blackhats are actively developing toolkits.
  • You’re Wi-Fi router is likely vulnerable. Pay close attention to your router manufacturer website and apply security patches as they are made available.

We’ll have more insight as more eyes look deeper into the flaw and as hardware manufacturers make their own product security update announcements.

How practical is an attack?

If somebody is intent and absolutely wants in to your network, the key mitigating factors do not present an especially strong argument against the practicality of a KRACK attack.

An attacker must be close enough to be able to tap into your Wi-Fi signal. The average indoor router range is about 150ft. Outdoor routers and routers augmented with range extenders can significantly boost a Wi-Fi signal’s range.

This means you’re safe from attackers from a far-off foreign land, but high-density areas such as apartment buildings – where each tenant owns and maintains their own set of Internet devices – most definitely presents a target rich environment.

The second mitigating factor is hidden within the first. Your Wi-Fi capable device also has to be Wi-Fi-enabled. If Wi-Fi is disabled, there is no active vulnerability.

Public access points. Tons of them. None are secure. Totally practical, IMO.

How long before wireless is secure again?

Nobody knows. We know the problem can be fixed and that the fix will be backward compatible. There is no need to run out and buy a new router quite yet. We know that manufacturers are working on patches. What I can’t say is how those patches are going to be applied, especially to products past end-of-support life.

Can you imagine how many consumer and non-consumer Wi-Fi devices there are in-the-wild that implement WPA2? Most are managed. Some however are not. For those that are not, they exist and serve a purpose — whatever that purpose may be — but are long forgotten by the administrator.

What about out-of-the-way access points that aren’t ever going to be upgraded, maintained, or managed by a human being. There are likely devices hidden inside closed walls (it happens), and locked closets, on rooftops, in apartment building lobbies and coffee shops. You name it!

As far as getting these devices updated, location and accessibility are only one part of the problem. Another element that may cause delays in completely eradicating this vulnerability is the age of the Wi-Fi device. Is the device still supported by the manufacturer? Is the manufacturer still around? Will manufacturers provide updates for devices that are no longer officially supported?

Devices like the onboard NIC in your PC or Mac are an easy update. Some Wi-Fi devices require a firmware update to fix the problem. Applying a firmware update isn’t as straightforward. If a firmware update fails, you may wind up with a bricked device. It can be a daunting task and may result in some devices never being updated.

I’m not clear on how much this will affect an Internet Service Provider. I have calls out to two different ISPs, but so far no reply. If I hear anything I’ll update this post.

This is a critical vulnerability but there are no known In-the-Wild attacks. Attacks at this point are only proof-of-concept. With that said, this is a verified vulnerability. For somebody with intent, it is a practical attack. Expect to hear cases of it happening.

Suggestions if you are an everyday home-user:

  • If you use a router and the router is vulnerable it will be your responsibility to update it. Keep a close eye on manufacturer’s websites for security updates. If it is a managed router (e.g. managed by your ISP), it will be the manager’s responsibility to update.
  • If you own and manage your own Wi-Fi devices, applying updates (if there are any) will be your responsibility. Keep a close eye on manufacturer’s websites for security updates.
  • Android, etc. Wi-Fi phones – will most likely will come in the form of a push update from your telephone carrier.
  • Computer desktops, laptops, all makes and models that have Wi-Fi capability – absolutely update the network Wi-Fi driver if & when one is made available
  • Other types of Wi-Fi devices: It’s very early on. We’re sure there is a fundamental flaw in WPA2, but we’re not sure how many devices can be affected. The best course of action is to pay close attention to manufacturer websites for ALL of your Wi-Fi capable devices. Be on the lookout for security updates. Apply as directed. (Even if you have the Wi-Fi option disabled on a device, be sure to update it as soon as possible!)

Summary

Yet another vulnerability. KRACKs isn’t In-the-wild, but it has the potential to be very bad. I think the breadth of potentially-vulnerable devices is what makes this vulnerability the most notable.

It’s still early on and an update for your device may not yet be available. This vulnerability was just revealed yesterday morning. Wi-Fi device manufacturers are (no doubt) creating patches, so be sure to keep an eye on manufacturer websites for updates. Always apply security updates ASAP.

It would it be nice if this all just turned out to be a minor problem. I think it will ultimately be minor (unless you are an IT admin and in charge of a large # of Wi-Fi devices), but in the meantime, things like KRACKs makes for great blogging material! (As I sit here looking suspiciously at my Wi-Fi enabled printer…)

All credit for the discovery of this vulnerability goes to Mathy Vanhoef. I am merely reporting what I know to get the word out.

For additional information, visit:

https://www.krackattacks.com/
https://www.kb.cert.org/vuls/id/228519/

Click to access 2009_nonce_isc.pdf