WPA2 shown to be vulnerable to key reinstallation attacks

A key reinstallation attack vulnerability in the WPA2 wi-fi protocol has been made public today. Security researcher Mathy Vanhoef has identified what he dubs a “serious weakness” in the wireless protocol.

The tl;dr is that an attacker within range of a person logged onto a wireless network could use key reinstallation attacks to bypass WPA2 network security and read information that was previously assumed to be securely encrypted — thereby enabling them to steal sensitive data passing over the network, be it passwords, credit card numbers, chat messages, emails, photos, and so on.

“The attack works against all modern protected Wi-Fi networks,” according to Vanhoef.

Depending on network configuration, he says the vulnerability can also allow for an attacker to inject and manipulate data — such as by adding ransomware or malware to a website, for example.

Here’s the relevant para from the abstract of his research paper:

All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks, and is even proven secure. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use. Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them. Against WPATKIP and GCMP the impact is catastrophic: packets can be replayed, decrypted, and forged. Because GCMP uses the same authentication key in both communication directions, it is especially affected.

“The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected,” he further writes. “To prevent the attack, users must update affected products as soon as security updates become available.

“Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.”

In the research paper he describes the attack as “exceptionally devastating” against Android 6.0.

“Because Android uses wpa_supplicant, Android 6.0 and above also contains this vulnerability. This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices,” he writes on the Krackattacks site explaining the flaw. “Note that currently 41% of Android devices are vulnerable to this exceptionally devastating variant of our attack.”

He further writes that while some of the attacks detailed in the paper may seem hard to pull off, follow-up work has shown that attacks against — for example — macOS and OpenBSD are “significantly more general and easier to execute”, adding: “So although we agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks cannot be abused in practice.”

(Although OpenBSD has already released a patch, in July, after being informed of the vulnerability by Vanhoef before he made this public disclosure.)

Vanhoef further demonstrates how the attack can still work against websites and apps that are using HTTPS, showing how this added encryption layer can be bypassed in what he describes as “a worrying number of situations” (he flags multiple previous instances of HTTPS being bypassed “in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps“).

He’s also made the below video demo showing the man in the middle technique working on Android and Linux against a dummy user of Match.com as the sample target — to grab their username and password in plain text.

Vanhoef will be presenting the research at the Computer and Communications Security (CCS) conference on November 1.

His research paper is entitled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2.

In a statement regarding the attack, the Wi-Fi Alliance urged users of wireless devices to always install the latest software updates for all their devices, and noted that “major platform providers” have started deploying patches for the specific WPA2 vulnerability (patches need to ensure a key is only installed once — which prevents the attack).

It’s not clear how long it will take for all wi-fi devices to be patched and their users to update to get the security patch but it’s inevitable that some wireless devices and some wireless users will remain vulnerable to this attack for some time.

“[U]pdate all your devices once security updates are available,” is Vanhoef’s advice.

He also urges updating the firmware of your wi-fi router. And warns against switching to WEP temporarily to try to guard against the WPA2 attack — given that WEP’s myriad and well documented vulnerabilities still mean it’s way worse.

Here’s the full Wi-Fi Alliance statement:

Recently published research identified vulnerabilities in some Wi-Fi devices where those devices reinstall network encryption keys under certain conditions, disabling replay protection and significantly reducing the security of encryption. This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.

There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections. Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member. Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers.

As with any technology, robust security research that pre-emptively identifies potential vulnerabilities is critical to maintaining strong protections. Wi-Fi Alliance thanks Mathy Vanhoefand Frank Piessens of the imec-DistriNet research group of KU Leuven for discovering and responsibly reporting this issue, allowing industry to proactively prepare updates. Wi-Fi Alliance also thanks Mathy Vanhoef for his support during the coordinated response, especially his contributions to the vulnerability detection tool.

For more information, please refer to statements from ICASI and CERT.