Researcher Mathy Vanhoef has released details of a major flaw in the WPA2 protocol used to protect most Wi-Fi networks.
Every correct implementation of WPA2 is affected by the key reinstallation attack devised by Vanhoef, according to the researcher.
“Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted,” the researcher said.
“This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.”
The flaw potentially allows an attacker to decrypt and forge network packets ostensibly protected by encryption.
The main key reinstallation attack (KRACK) outlined by Vanhoef targets the four-way handshake employed when a device seeks to join a WPA2-protected wireless network.
The four-way handshake confirms that both the client and an access point know the correct pre-shared password for a Wi-Fi network and then negotiates a key to encrypt subsequent traffic between the two. That key is installed by a client after receiving message three of the handshake.
“However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment,” Vanhoef’s paper (PDF) states.
“As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same session key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the data-confidentiality protocol.”
“We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3,” Vanhoef writes.
“By forcing nonce reuse in this manner, the data-confidentiality protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged.”
A proof of concept by Vanhoef demonstrates a man-in-the-middle attack targeting an Android device. The key reinstallation attack is “exceptionally devastating” against Linux and Android 6.0, he notes.
The KRACK vulnerability can be patched in a backwards-compatible manner, Vanhoef states on the website detailing the attack.
“This means a patched client can still communicate with an unpatched access point, and vice versa,” he explains.
“In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks.”
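The nonce reset described in the paper and the "install only once" fix can be seen side by side in a small model. This is an added illustration, not code from Vanhoef or any vendor patch: the `Client` class, the `run_session` helper and the HMAC-based keystream (a stand-in for the real data-confidentiality cipher) are assumptions, and the receive replay counter is left out.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy per-packet keystream (HMAC-SHA256 stand-in, not real CCMP/AES)."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical client model: only the key-install step of the handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.tx_nonce = 0

    def on_message3(self, session_key: bytes) -> None:
        # Patched behaviour: a key that is already installed is not installed
        # again, so a retransmitted message 3 leaves the packet number alone.
        if self.patched and self.key == session_key:
            return
        self.key = session_key
        self.tx_nonce = 0  # (re)installation resets the transmit packet number

    def send(self, plaintext: bytes):
        self.tx_nonce += 1
        stream = keystream(self.key, self.tx_nonce, len(plaintext))
        return self.tx_nonce, xor(plaintext, stream)


def run_session(patched: bool) -> list:
    """Send two frames with message 3 arriving a second time in between."""
    key = bytes(range(16))  # constructed sample session key
    client = Client(patched)
    client.on_message3(key)
    frames = [client.send(b"frame one: hello")]
    client.on_message3(key)  # retransmitted message 3
    frames.append(client.send(b"frame two: world"))
    return frames  # list of (nonce, ciphertext)
```

In the unpatched run both frames carry the same nonce, so the two ciphertexts XOR to the XOR of the two plaintexts; in the patched run the packet number keeps counting and that relationship disappears.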
“This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users,” a statement from Wi-Fi Alliance said.
The group said that there is no evidence the vulnerability has been exploited maliciously.
“Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member,” the statement said.
Vanhoef said he began contacting vendors whose products he had tested on 14 July. After realising that he had unearthed a protocol-level vulnerability, he subsequently contacted CERT/CC, which sent out a notification to vendors on 28 August.