Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:10 PM
Connect Directly

Secure Wifi Hijacked by KRACK Vulns in WPA2

All modern WiFi access points and devices that have implemented the protocol vulnerable to attacks that allow decryption, traffic hijacking other attacks. Second, unrelated crypto vulnerability also found in RSA code library in TPM chips.

Researchers at Belgium's University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure WiFi networks.

The vulnerabilities are present on both client and access point implementations of the protocol and give attackers a way to decrypt data packets, inject malware into a data stream and hijack secure connections via so-called key reinstallation attacks (KRACKs).

(The disclosure of the WPA2 flaws is the second one in recent days involving a crypto standard.  Last week, Google, Microsoft and others warned about a bug in several Infineon trusted platform module (TPM) firmware versions that gives attackers a way to recover the private part of RSA keys generated by the TPM using only the corresponding public key. Nearly all Chrome OS devices that include an Infineon TPM chip are affected, and although large-scale attacks are not possible, a practical exploit already exists for targeted attacks.)  

The KRACK attacks work on all modern wireless networks using the WPA2 protocol and any device that supports WiFi is most likely impacted, the researchers said in a technical paper that they will present at the upcoming Black Hat Europe security conference. However the flaws are not easy to exploit and require attackers to be in close proximity to a victim, thereby making the flaws somewhat less severe of a threat despite their ubiquity.

"Vulnerabilities that focus on issues with network protocols across many devices makes the threat landscape of this vulnerability very large," says Richard Rushing, CISO of Motorola Mobility and a speaker at Dark Reading's upcoming INsecurity security conference in November.

[Discuss "Writing an Effective Mobile Security Policy" with Richard Rushing, CISO of Motorola Mobility, at the INsecurity Conference, for the defenders of enterprise security, Nov. 29 - 30.]

But as with all Wifi threats, physical proximity is required for the vulnerabilities to be exploitable, he says. "Most wireless IDS and IPS should be able to see this attack, and take preventative actions," Rushing said. "In many cases there are other Wifi man-in-the-middle attacks that can be just as successful given a user WiFi configuration." 

Meanwhile, US-CERT described the KRACK vulnerabilities as existing in the WPA2 standard itself thereby putting all correct implementations of the protocol at risk of attack. An attacker within range of a modern access point and client can use the vulnerabilities to carry out a range of malicious actions. Depending on the encryption protocols being used by the WiFi network, the "attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames," US-CERT said. The advisory listed close to 150 vendors whose products are impacted by the vulnerabilities.

In the technical paper and a blog, researchers Mathy Vanhoef and Frank Piessens from the University of Leuven demonstrated a proof-of-concept key reinstallation attack that takes advantage of the WPA2 vulnerabilities to decrypt encrypted data.

The attack is targeted at the four-way handshake that takes place when a client device wants to join a protected WiFi network. The handshake is designed to ensure that both the client and the access point have the correct credentials to communicate with each other.  The manner in which the third handshake takes place essentially gives attackers an opportunity to force resets of a cryptographic nonce counter used by the encryption protocol so data packets can be decrypted, replayed or forged, according to the two researchers.

The key reinstallation attack against the 4-way handshake is the most widespread and practically impactful attack currently possible against the WPA2 vulnerabilities, Vanhoef and Piessens said in the paper. "First, during our own research we found that most clients were affected by it. Second, adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies." The manner in which WPA-2 has been implemented on devices running Linux and Android 6.0 and above make them particularly vulnerable to key reinstallation attacks, they said.

Organizations – corporate enterprises, businesses, schools and universities, retail shops and restaurants, government agencies – that have deployed Wi-Fi networks using WPA2 encryption are affected. When mobile users connect to these Wi-Fi networks with smartphones, tablets, laptops and other devices, they are also exposed to these vulnerabilities. Both the 802.1x (EAP) and PSK (password)-based networks are affected.

Hemant Chaskar, CISO and vice president of technology, at Mojo Networks says corporate enterprises, businesses, schools and universities, retail shops restaurants, government agencies and any organization that has deployed Wi-Fi networks using WPA2 encryption are affected.  "When mobile users connect to these Wi-Fi networks with smartphones, tablets, laptops and other devices, they are also exposed to these vulnerabilities. Both the 802.1x (EAP) and PSK (password)-based networks are affected," he says.

Nine of the 10 vulnerabilities require attackers to be relatively sophisticated, he says. In order to exploit these flaws an attacker would need to use a MAC spoofing access point as a Man-in-the-Middle to manipulate data flowing between the client device and the real access point. "For the remaining, a practical exploit can be launched using a sniffer that can listen to and replay the frames over the wireless medium. So, it requires less attacker sophistication. "The main risk from all of them is replay of packets into the client or access point," Choskar says. "Another potential arising out of these exploits is the presence of packets in the air that are decryption-prone."

Gaurav Banga, founder and CEO of Balbix, said the newly found vulnerabilities, while present in a lot of products, should not be a cause of widespread panic. For one thing, it requires a sophisticated attacker and physical proximity in order to exploit. There has also been no sign of any exploit code in the wild so far and patches are available or will soon be available. "With iOS and Windows, the attack is quite difficult to pull off. Many of the security questions are around Android, since it is rarely patched," he says.

Users and organizations can mitigate the risk by using VPN over WiFi, avoiding websites that do not use HTTPS and updating their devices as soon as patches are released, he says.

Related content:


Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Agent Aix les Bains
Agent Aix les Bains,
User Rank: Apprentice
8/6/2018 | 9:16:41 AM
Re: WiFi routers
This has still not changed in terms of Wifi security, indeed most logins are never modified by users... That's scary! 
User Rank: Ninja
10/22/2017 | 8:26:12 PM
AP Proximity
Physical proximity of the wireless AP is not always required to exploit a client's system. Have you ever observed over Airodump or by other means that when an SSID is stored in their system, it constantly broadcasts all of their recently connected networks? This information can be useful in coordinating an attack utilizing a rogue access point and even the user's whereabouts. Maybe WPA2 TKIP PSK AES is proven to be weak in nature as is since there are also well constructed rainbow tables available though massive in size. Key requirements are only between 8 and 63 characters. But have WAP venders really even bothered to address the issue and severely flawed WPS (Wifi Protected Setup) which in most cases is unknowingly enabled by default? No they haven't. Some firmware's WPS can be exploited even when disabled. I haven't even mentioned covert wireless channels... WPA2 needs to me scratched completely. 


User Rank: Ninja
10/17/2017 | 1:53:36 PM
WiFi routers
I wonder how many routers in small homes and businesses have the admin password set to something unique other than default values --- which can be found on the web very easily.  I used to drive around my town with Netstumbler and years ago most of them were WIDE OPEN anyway.  
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-16
IBM Workload Scheduler Distributed 9.2, 9.3, 9.4, and 9.5 contains a vulnerability that could allow a local user to write files as root in the file system, which could allow the attacker to gain root privileges. IBM X-Force ID: 155997.
PUBLISHED: 2019-10-16
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
PUBLISHED: 2019-10-16
The Yale Bluetooth Key application for mobile devices allows unauthorized unlock actions by sniffing Bluetooth Low Energy (BLE) traffic during one authorized unlock action, and then calculating the authentication key via simple computations on the hex digits of a valid authentication request. This a...
PUBLISHED: 2019-10-16
There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such...
PUBLISHED: 2019-10-16
In X.Org X Server 1.20.4, there is a stack-based buffer overflow in the function XQueryKeymap. For example, by sending ct.c_char 1000 times, an attacker can cause a denial of service (application crash) or possibly have unspecified other impact.