WPA2 Vulnerability Found

[Yukikaze]

US-CERT statement:
US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

Here is the intro from the disclosure page:
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded.

This is the researcher's disclosure page:
https://www.krackattacks.com/

 

[the54thvoid]

Did I not read, the attack is required to have the password in the first instance, i.e. it's not a case of password cracking to gain access, rather, someone already in the wi-fi 'domain' subsequently performing the encryption side stepping hack?

 

[Yukikaze]

This attack does not gain access to the network, nor does it require the attacker to be "connected" to the network. If it works, it lets you decrypt some (or in some cases, all) traffic sent between a client and the access point.

 

[the54thvoid]

This attack does not gain access to the network, nor does it require the attacker to be "connected" to the network. If it works, it lets you decrypt some (or in some cases, all) traffic sent between a client and the access point.

Yeah, I misread but it does require physical proximity. So really, public WiFi is more susceptible. HTTPS sites are still secure as well.

 

[Yukikaze]

Yeah, since it requires you to intercept/disrupt/inject traffic, this means that you need to be within WiFi radio range of the targets. I think the main worry here is for small business owners (no real IT department, but might still be using sensitive data). For most people on a computer at home this is not an issue because they are not a worthwhile target and the likely clients (Desktop/Laptop OSes) will be patched sooner rather than later. I wonder how long it is going to take to patch Android phones, though. IoT, as always, is screwed.

 

[natr0n]

When you see kids in the neighborhood start walking around with laptops you'll know WPA2 has been compromised.

 

[MrGenius]

the likely clients (Desktop/Laptop OSes) will be patched sooner rather than later.

It's your WiFi device that needs a firmware update(not your OS patched). If it's affected.

https://www.windowscentral.com/vendors-who-have-patched-krack-wpa2-wi-fi-vulnerability

 

[Yukikaze]

That is correct. However updates of the sort tend to be pushed via driver updates (there are no standalone utilities for FW updates for most Wifi devices), and driver updates get pushed via OS updates (on windows, at least, but that's what most people use at home).

EDIT: It might not be correct (and it might be in the OS implementation of the protocol, and not the FW), after all. Seeing as Microsoft states the following.

 

[MrGenius]

Well that's good to know. But I would assume since WiFi device vendors are releasing firmware updates that specifically address the issue it can probably be handled on both ends. It might not be necessary to do both. I just updated my router's firmware just in case. Actually...before I knew about the Windows patch. It didn't mention the fixes specifically. Just "fixes security issues" and it's dated from 9-21-17. Which is after the vendor was notified. So hopefully they did something about it. If not, whatever, I always keep my OS up to date anyway.

Here's an example of a patched firmware that specifically addresses the issue.
https://kb.netgear.com/000049349/WNAP320-Firmware-Version-3-7-7-0

 

[Solaris17]

That is correct. However updates of the sort tend to be pushed via driver updates (there are no standalone utilities for FW updates for most Wifi devices), and driver updates get pushed via OS updates (on windows, at least, but that's what most people use at home).

EDIT: It might not be correct (and it might be in the OS implementation of the protocol, and not the FW), after all. Seeing as Microsoft states the following.

meh its just MS protecting it on their side. You need to patch the actual device to protect the entire network (not just windows machines)

 

[Yukikaze]

From the disclosure page:
What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

This attack is not on the router, it is on the client. So unless your router is a client to something else, it is not in the attack vector. There is no "protecting the whole network" in this case, as the compromised data is the one between a specific (unpatched) client and the router. Having this patch available for Windows systems means that most home users are already patched (unless they disabled windows updates on the OSes where that is possible).

 

[Solaris17]

In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

you literally stated the hardware attack vectors. This is big for business. You seem to be focusing on

For ordinary home users, your priority should be updating clients such as laptops and smartphones.

 

[Yukikaze]

Yes, it is huge for businesses, but they also have devices that tend to have good support...at least the ones that have actual IT departments. Small businesses might be screwed, or not even aware of this at all. I was indeed talking about the usual home use case of a single WiFi router and people's devices connecting to it. In that case roaming doesn't exist and the router is not a client as a repeater, Windows is the most common OS, and that is patched.

Overall, this is still a huge issue.

 

[Solaris17]

Yes, it is huge for businesses, but they also have devices that tend to have good support...at least the ones that have actual IT departments

having physical devices that have support and are getting patched is not the same as

This attack is not on the router, it is on the client.

Overall, this is still a huge issue.

Completely agree but its important to understand the full scope not the 80% affected. Thats all. I encourage everyone to to patch up before this makes it into a tool kit for 16yr/o to play with.

 

[JebusPrime]

General user here, so what can I do to protect my data other than HTTPS? My router has been depreciated, and none of my mobile devices have received updates yet.

 

[OneMoar]

#patched
people blew this way out of proportion

 

[Solaris17]

General user here, so what can I do to protect my data other than HTTPS? My router has been depreciated, and none of my mobile devices have received updates yet.

just keep checking for updates, they wont come all at once,

 

[StefanM]

Intel Corporation was notified by the Industry Consortium for Advancement of Security on the Internet (ICASI) and CERT CC of the identified Wi-Fi Protected Access II (WPA2) standard protocol vulnerability. Intel is an ICASI Charter member and part of the coordinated disclosure of this issue. Intel is working with its customers and system manufacturers to implement and validate firmware and software updates that address the vulnerability. For more details, please refer to Intel’s security advisory on this vulnerability - INTEL-SA-00101

Updated WiFi Drivers are available.

 

[R-T-B]

#patched

Yeah, not on the "world's most popular operating system"

Hint: not Windows.

 

[OneMoar]

Yeah, not on the "world's most popular operating system"

Hint: not Windows.

check again it was patched before this was posted on Reddit e.g last week on the 10th

https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability\

its stdop for this kind of disclosure to be made though back-channels to vendors before going public

ddwrt had a patch in-source next day

same for openwrt

asus and tplink are rolling firmware updates for supported models

 

[Yukikaze]

A small update with regards to the Microsoft fix. The fix itself is sufficient to solve the issue on Windows, even if your WiFi device has no driver update, with one caveat:

Does this security update fully address these vulnerabilities on Microsoft Platforms, or do I need to perform any additional steps to be fully protected?
The provided security updates address the reported vulnerabilities; however, when affected Windows based systems enter a connected standby mode in low power situations, the vulnerable functionality may be offloaded to installed Wi-Fi hardware. To fully address potential vulnerabilities, you are also encouraged to contact your Wi-Fi hardware vendor to obtain updated device drivers. For a listing of affected vendors with links to their documentation, review the ICASI Multi-Vendor Vulnerability Disclosure statement here: http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities

Source: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

 

[FordGT90Concept]

Guys, guys, guys! The vulnerability is in TKIP/GCMP, not AES! If you're using WPA2/TKIP...

 

[Yukikaze]

From the disclosure page:
I'm using WPA2 with only AES. That's also vulnerable?
Yes, that network configuration is also vulnerable. The attack works against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP). So everyone should update their devices to prevent the attack!

 

[FordGT90Concept]

Original white paper:
https://papers.mathyvanhoef.com/ccs2017.pdf

Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them.

Decryption is potentially a problem but trying to hijack a TCP stream is very difficult. First you have to figure out what type of data is, then you have to add code that the receiving program will execute. That's a complicated attack.

AES-SIV is resistant.

http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities/
https://www.kb.cert.org/vuls/id/228519

 

[MrGenius]

Also don't use your router in bridge mode, or mobile hotspot with WiFi data offloading enabled, without patched firmware.

NETGEAR is aware of WPA-2 security vulnerabilities that affect NETGEAR products that connect to WiFi networks as clients. These vulnerabilities are potentially exploitable under the following conditions:

• Your devices are only vulnerable if an attacker is in physical proximity to and within wireless range of your network.
• Routers and gateways are only affected when in bridge mode (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router.
• Extenders, Arlo cameras, and satellites are affected during a WPA-2 handshake that is initiated only when connecting or reconnecting to a router.
• Mobile hotspots are only affected while using WiFi data offloading, which is not enabled by default.

If these vulnerabilities are exploited, an attacker could potentially perform the following types of attacks, among others:

• Eavesdrop on communication between the affected product and the router to which it connects.
• Hijack unencrypted web sessions (sessions not using HTTPS). Encrypted traffic, such as banking website sessions and Arlo camera feeds, remains protected.

______________________


Until a firmware fix is available for your product, NETGEAR recommends that you follow these workaround procedures:

• For Wireless Routers in Bridge Mode: disable Bridge Mode or power off the bridge router. For more information, see your product’s user manual or one of the following knowledge base articles:
  • What is bridge mode and how do I set it up on my NETGEAR router?
  • How to set your Nighthawk router to Router mode
• For Mobile Hotspots using the WiFi Offload feature: disable WiFi Offload. For more information, see your product’s user manual.

https://kb.netgear.com/000049498/Se...ies-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837