The KRACK WiFi vulnerability
Written on October 17, 2017 by Vojtěch Hejsek
What is it?
KRACK (Key Reinstallation Attack) is a severe replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2017 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, and Linux. Vanhoef’s research group published details of the attack in October 2017.
How does it work?
By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely to be vulnerable. The widely used open-source implementation wpa_supplicant, utilized by Linux, Android, and OpenBSD, is especially susceptible, as it can be manipulated to install an all-zeros encryption key, effectively nullifying WPA2 protection in a man-in-the-middle attack.
The attack targets the four-way handshake used to establish a nonce (a kind of “shared secret”) in the WPA2 protocol. The standard for WPA2 anticipates occasional WiFi disconnections and allows reconnection using the same value for the third handshake (for quick reconnection and continuity). Because the standard does not require a different key to be used in this type of reconnection, which could be needed at any time, a replay attack is possible.
An attacker can re-send the third handshake of another device’s communication, over and over again, to manipulate or reset the WPA2 encryption key repeatedly. Each reset causes data to be encrypted using the same values, so blocks with the same content can be seen and matched, working backwards to identify part of the keychain that was used to encrypt that block of data. Repeated resets gradually expose more of the keychain until eventually the whole keychain is known and the attacker can read the target’s entire traffic on that connection.
The risk is especially severe because WPA2 is typically used for the majority of connections by any mobile device to a fixed access point or home router (although some of the traffic itself may in some cases be encrypted separately, for example with SSL/TLS).
According to US-CERT:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.