
KRACK - What you need to know about Key Reinstallation AttaCKs

October 24, 2017

On Monday, October 16, researchers announced the discovery of several vulnerabilities within the wireless protocol WPA and WPA2. The details of these vulnerabilities—dubbed KRACK—have not been disclosed in full to the public, as researchers only released a whitepaper and a video outlining the vulnerabilities. In the days following the announcement, more and more information was released, but many questions still go unanswered.

The basic issue with this vulnerability is its impact on a commonly used wireless security protocol relied on by enterprises and consumers alike: WPA2. The vulnerability affects not only WPA/WPA2 Personal but also WPA/WPA2 Enterprise implementations, on access points as well as on wireless client devices. In short, an attacker conducts the attack by injecting packets that cause the encryption keys to be reinstalled, leaving them at a value known to the attacker and allowing client traffic to be decrypted and replayed. This can happen with a few specific configurations, including:

  • Android/Linux devices with a standard WPA configuration. 
  • Systems with fast transition (802.11r) enabled, where the client supplicant is also vulnerable. 802.11r helps clients roam from one access point to another without re-authenticating. Many manufacturers do not enable this feature by default because of deployment complications; some vendors recommend it for specific wireless applications and others do not. 
  • The use of GCMP (Galois/Counter Mode Protocol), which is vulnerable to the same replay attack. 

The picture below outlines which vulnerabilities can be exploited on access points and client devices.

[Figure 1 image]
Figure 1: Source – KRACK Attack Whitepaper, written by Mathy Vanhoef

KRACK introduces no new attack vectors or techniques beyond the key reinstallation itself: the attacker causes clients to install encryption keys that the attacker knows, which in turn allows wireless traffic to be replayed, decrypted or forged. Replay, traffic decryption and wireless packet forging attacks were well known, commonly used and documented long before this vulnerability was released. 

To help protect themselves against the KRACK vulnerability, consumers should update their wireless access points and clients as soon as patches become available. Most access point vendors and Linux distributions have released patches. The following matrix outlines the current list:

Vendor Patch Management

  Vendor              Patch Available    In Development    Not Directly Affected
  Arch Linux                X
  Arista                                                            X
  Aruba                     X
  Cisco                                        X
  DD-WRT                    X
  Debian                    X
  Extreme Networks                             X
  Fedora                    X
  FreeBSD                                      X
  Lenovo                                                            X
  LineageOS                                    X
  LXDE                                         X
  Meraki                    X
  MikroTik                  X
  Synology                                     X
  Turris Omnia                                 X
  Ubiquiti                  X
  Ubuntu                    X
  UniFi                     X
  VMware                                                            X
  WatchGuard Cloud          X
  WatchGuard                                   X
  Windows 10                X
  WPA Supplicant            X

Figure 2: Source – https://github.com/kristate/krackinfo

The picture below outlines which WPA implementations are vulnerable on specific devices.

[Figure 3 image]
Figure 3: Source – KRACK Attack Whitepaper, written by Mathy Vanhoef

So, what does this mean? WPA/WPA2 Enterprise and Personal authentication credentials are not compromised. Changing either user passwords or the PSK will not mitigate this vulnerability. This is an issue in how wireless devices or clients handle the key reinstall sent during the 4-way handshake. 
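To make the handshake issue concrete, the following toy model is an added example (not code from the original post or from any vendor): a supplicant that reinstalls an already-installed PTK when handshake message 3 is retransmitted resets its packet number, the nonce used by CCMP, so two frames get the same keystream, whereas the patched behaviour keeps the installed key and counter. The HMAC-SHA256 keystream is an assumption that stands in for AES-CCMP; the key and frames are constructed sample values.

```python
"""Toy model of the KRACK key-reinstallation flaw and its fix (added example).
The vulnerable supplicant reinstalls the PTK on a retransmitted handshake
message 3 and resets its packet number (the CCMP nonce), so two frames are
encrypted under the same (key, nonce). HMAC-SHA256 stands in for AES-CCMP."""
import hashlib
import hmac


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for the CCMP counter-mode keystream, fully determined by the
    key and the 48-bit packet number that CCMP uses as its nonce."""
    out = b""
    for block in range(0, length, 32):
        ctr = packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    def __init__(self, reinstall_on_retransmit: bool):
        self.vulnerable = reinstall_on_retransmit
        self.ptk = None
        self.pn = 0  # packet number, incremented per encrypted frame

    def on_message3(self, ptk: bytes) -> None:
        # A retransmitted message 3 carries the PTK already in use. A patched
        # supplicant still answers with message 4 but keeps the installed key
        # and packet number; the vulnerable one reinstalls and resets pn to 0.
        if self.ptk is None or self.vulnerable:
            self.ptk = ptk
            self.pn = 0

    def encrypt(self, plaintext: bytes) -> tuple:
        frame = (self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext))))
        self.pn += 1
        return frame

def nonce_reuse_leak(vulnerable: bool) -> bool:
    """True when two frames share a nonce, so c1 XOR c2 equals p1 XOR p2."""
    sta = Supplicant(reinstall_on_retransmit=vulnerable)
    ptk = b"\x11" * 16  # constructed sample key
    p1, p2 = b"GET / HTTP/1.1\r\n", b"Cookie: session="  # constructed frames
    sta.on_message3(ptk)
    pn1, c1 = sta.encrypt(p1)
    sta.on_message3(ptk)  # retransmitted message 3 (the KRACK trigger)
    pn2, c2 = sta.encrypt(p2)
    return pn1 == pn2 and xor(c1, c2) == xor(p1, p2)
```

Running `nonce_reuse_leak(True)` returns True (the reinstalling supplicant leaks the XOR of two plaintexts) while `nonce_reuse_leak(False)` returns False, which is why the fix is to never reinstall a key that is already in use rather than to change the passphrase.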

As of right now, Windows 7, Windows 10 and iOS 10.3.1 and above are only vulnerable when using an unpatched GCMP configuration, and Microsoft has already released a set of patches to address this issue. While GCMP is rarely used, most wireless devices use one of the currently vulnerable WPA implementations. A large share of the vulnerable devices are unpatched versions of Linux and Android; however, some versions of Apple’s software are vulnerable as well. Apple has developed a set of patches across macOS, watchOS and tvOS to address this vulnerability that will be available soon. CERT is maintaining a list of affected vendors that also links to each vendor’s current or planned remediation, where released. 

Until patched, approach WPA networks with the same caution as an open network at your local café. Since this vulnerability could potentially compromise the encryption of a wireless network, useful countermeasures until patches for specific devices are released include using HTTPS for all websites and/or using a VPN to encrypt all network traffic. 

Today, there are no proven signatures that can be used to detect the KRACK attack. However, there are signatures to detect man-in-the-middle or “Evil Twin AP” attacks. These alerts can be used to detect an outside threat but not whether a key reinstallation has occurred. The use of wireless intrusion detection systems and wireless intrusion protection systems (WIDS/WIPS) should be a part of a healthy wireless security practice.  


By: Josh Wyatt

Practice Manager, Attack and Penetration
