KRACK - What you need to know about Key Reinstallation AttaCKs
October 24, 2017
On Monday, October 16, researchers announced the discovery of several vulnerabilities within the wireless protocol WPA and WPA2. The details of these vulnerabilities—dubbed KRACK—have not been disclosed in full to the public, as researchers only released a whitepaper and a video outlining the vulnerabilities. In the days following the announcement, more and more information was released, but many questions still go unanswered.
The basic issue with this vulnerability is its impact on a commonly-used wireless security protocol used by enterprises and consumers—WPA2. This vulnerability not only affects WPA/WPA2 Personal but also WPA/WPA2 Enterprise implementations on access points as well as wireless client devices. In short, an attacker can conduct this attack by injecting packets that reinstall the encryption keys to a known value, allowing them to decrypt and replay traffic from clients. This can happen with a few specific configurations, including:
- Android/Linux devices with a standard WPA configuration.
- Systems with fast transition (802.11r) enabled and the client supplicant vulnerable as well. 802.11r is used to help transitioning from one access point to another without re-authenticating. Many manufacturers do not enable this feature by default due to deployment complications. Some recommend its use and others do not for specific wireless applications.
- The use of GCMP (Galios/Counter Mode Protocol), which also is vulnerable to the same replay attack.
The picture below outlines which vulnerabilities can be exploited on access points and client devices.
Figure 1: Source – KRACK Attack Whitepaper, Written by Mathy Vanhoef
There are no new attack vectors or techniques associated with KRACK vulnerability, other than injecting encryption keys and causing clients to use these new encryption keys known to the attacker, allowing the attacker to replay, decrypt or forge wireless traffic. Replaying, traffic decryption and wireless packet forging attacks have been well-known, commonly used and documented prior to the release of this vulnerability.
To help protect themselves against the KRACK vulnerability, consumers should update their wireless access points and clients as soon as patches become available. Most access point vendors and Linux distributions have released patches. The following matrix outlines the current list:
Vendor Patch Management
Vendor Patch Available In Development Not Directly Affected
Extreme Networks X
Turris Omnia X
Watchgaurd Cloud X
Figure 2: Source – https://github.com/kristate/krackinfo
The picture below outlines which WPA implementations are vulnerable on specific devices.
Figure 3: Source – KRACK Attack Whitepaper, Written by Mathy Vanhoef
So, what does this mean? WPA/WPA2 Enterprise and Personal authentication credentials are not compromised. Changing either user passwords or the PSK will not mitigate this vulnerability. This is an issue in how wireless devices or clients handle the key reinstall sent during the 4-way handshake.
As of right now, Windows 7, 10 or iOS 10.3.1 and above are only vulnerable if using an unpatched GCMP configuration. At this time, Microsoft has released a set of patches to address this issue. While GCMP is rarely used, most wireless devices will utilize one of the currently vulnerable WPA implementations. A large amount of the vulnerable devices consists of unpatched versions of Linux and Android; however, some versions of Apple’s software are vulnerable. Apple has developed a set of patches across OSX, WatchOS and TVOS to address this vulnerability that will be available soon. CERT is maintaining a list of affected vendors that also links to each vendor’s current or planned remediation, if released.
Until patched, approach WPA networks with the same caution as an open network at your local café. Since this vulnerability could potentially compromise the encryption of a wireless network, useful countermeasures until patches for specific devices are released include using HTTPS for all websites and/or using a VPN to encrypt all network traffic.
Today, there are no proven signatures that can be used to detect the KRACK attack. However, there are signatures to detect man-in-the-middle or “Evil Twin AP” attacks. These alerts can be used to detect an outside threat but not whether a key reinstallation has occurred. The use of wireless intrusion detection systems and wireless intrusion protection systems (WIDS/WIPS) should be a part of a healthy wireless security practice.