Attacks/Breaches

10/16/2017
07:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Secure Wifi Hijacked by KRACK Vulns in WPA2

All modern WiFi access points and devices that have implemented the protocol vulnerable to attacks that allow decryption, traffic hijacking other attacks. Second, unrelated crypto vulnerability also found in RSA code library in TPM chips.

Researchers at Belgium's University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure WiFi networks.

The vulnerabilities are present on both client and access point implementations of the protocol and give attackers a way to decrypt data packets, inject malware into a data stream and hijack secure connections via so-called key reinstallation attacks (KRACKs).

(The disclosure of the WPA2 flaws is the second one in recent days involving a crypto standard.  Last week, Google, Microsoft and others warned about a bug in several Infineon trusted platform module (TPM) firmware versions that gives attackers a way to recover the private part of RSA keys generated by the TPM using only the corresponding public key. Nearly all Chrome OS devices that include an Infineon TPM chip are affected, and although large-scale attacks are not possible, a practical exploit already exists for targeted attacks.)  

The KRACK attacks work on all modern wireless networks using the WPA2 protocol and any device that supports WiFi is most likely impacted, the researchers said in a technical paper that they will present at the upcoming Black Hat Europe security conference. However the flaws are not easy to exploit and require attackers to be in close proximity to a victim, thereby making the flaws somewhat less severe of a threat despite their ubiquity.

"Vulnerabilities that focus on issues with network protocols across many devices makes the threat landscape of this vulnerability very large," says Richard Rushing, CISO of Motorola Mobility and a speaker at Dark Reading's upcoming INsecurity security conference in November.

[Discuss "Writing an Effective Mobile Security Policy" with Richard Rushing, CISO of Motorola Mobility, at the INsecurity Conference, for the defenders of enterprise security, Nov. 29 - 30.]

But as with all Wifi threats, physical proximity is required for the vulnerabilities to be exploitable, he says. "Most wireless IDS and IPS should be able to see this attack, and take preventative actions," Rushing said. "In many cases there are other Wifi man-in-the-middle attacks that can be just as successful given a user WiFi configuration." 

Meanwhile, US-CERT described the KRACK vulnerabilities as existing in the WPA2 standard itself thereby putting all correct implementations of the protocol at risk of attack. An attacker within range of a modern access point and client can use the vulnerabilities to carry out a range of malicious actions. Depending on the encryption protocols being used by the WiFi network, the "attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames," US-CERT said. The advisory listed close to 150 vendors whose products are impacted by the vulnerabilities.

In the technical paper and a blog, researchers Mathy Vanhoef and Frank Piessens from the University of Leuven demonstrated a proof-of-concept key reinstallation attack that takes advantage of the WPA2 vulnerabilities to decrypt encrypted data.

The attack is targeted at the four-way handshake that takes place when a client device wants to join a protected WiFi network. The handshake is designed to ensure that both the client and the access point have the correct credentials to communicate with each other.  The manner in which the third handshake takes place essentially gives attackers an opportunity to force resets of a cryptographic nonce counter used by the encryption protocol so data packets can be decrypted, replayed or forged, according to the two researchers.

The key reinstallation attack against the 4-way handshake is the most widespread and practically impactful attack currently possible against the WPA2 vulnerabilities, Vanhoef and Piessens said in the paper. "First, during our own research we found that most clients were affected by it. Second, adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies." The manner in which WPA-2 has been implemented on devices running Linux and Android 6.0 and above make them particularly vulnerable to key reinstallation attacks, they said.

Organizations – corporate enterprises, businesses, schools and universities, retail shops and restaurants, government agencies – that have deployed Wi-Fi networks using WPA2 encryption are affected. When mobile users connect to these Wi-Fi networks with smartphones, tablets, laptops and other devices, they are also exposed to these vulnerabilities. Both the 802.1x (EAP) and PSK (password)-based networks are affected.

Hemant Chaskar, CISO and vice president of technology, at Mojo Networks says corporate enterprises, businesses, schools and universities, retail shops restaurants, government agencies and any organization that has deployed Wi-Fi networks using WPA2 encryption are affected.  "When mobile users connect to these Wi-Fi networks with smartphones, tablets, laptops and other devices, they are also exposed to these vulnerabilities. Both the 802.1x (EAP) and PSK (password)-based networks are affected," he says.

Nine of the 10 vulnerabilities require attackers to be relatively sophisticated, he says. In order to exploit these flaws an attacker would need to use a MAC spoofing access point as a Man-in-the-Middle to manipulate data flowing between the client device and the real access point. "For the remaining, a practical exploit can be launched using a sniffer that can listen to and replay the frames over the wireless medium. So, it requires less attacker sophistication. "The main risk from all of them is replay of packets into the client or access point," Choskar says. "Another potential arising out of these exploits is the presence of packets in the air that are decryption-prone."

Gaurav Banga, founder and CEO of Balbix, said the newly found vulnerabilities, while present in a lot of products, should not be a cause of widespread panic. For one thing, it requires a sophisticated attacker and physical proximity in order to exploit. There has also been no sign of any exploit code in the wild so far and patches are available or will soon be available. "With iOS and Windows, the attack is quite difficult to pull off. Many of the security questions are around Android, since it is rarely patched," he says.

Users and organizations can mitigate the risk by using VPN over WiFi, avoiding websites that do not use HTTPS and updating their devices as soon as patches are released, he says.

Related content:

  

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
theb0x
50%
50%
theb0x,
User Rank: Ninja
10/22/2017 | 8:26:12 PM
AP Proximity
Physical proximity of the wireless AP is not always required to exploit a client's system. Have you ever observed over Airodump or by other means that when an SSID is stored in their system, it constantly broadcasts all of their recently connected networks? This information can be useful in coordinating an attack utilizing a rogue access point and even the user's whereabouts. Maybe WPA2 TKIP PSK AES is proven to be weak in nature as is since there are also well constructed rainbow tables available though massive in size. Key requirements are only between 8 and 63 characters. But have WAP venders really even bothered to address the issue and severely flawed WPS (Wifi Protected Setup) which in most cases is unknowingly enabled by default? No they haven't. Some firmware's WPS can be exploited even when disabled. I haven't even mentioned covert wireless channels... WPA2 needs to me scratched completely. 

 

 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/17/2017 | 1:53:36 PM
WiFi routers
I wonder how many routers in small homes and businesses have the admin password set to something unique other than default values --- which can be found on the web very easily.  I used to drive around my town with Netstumbler and years ago most of them were WIDE OPEN anyway.  
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.