It’s been a year since researchers from a Belgian university disclosed a set of serious weaknesses in the WPA2 protocol that could allow an attacker to steal supposedly private data sent over wireless networks. Now the team has released details of new techniques that expand the original KRACK attacks and also show that not all of the fixes for affected products and the official WiFi standard are fully effective.
The researchers from KU Leuven stressed that the new extensions of the key reinstallation attacks (KRACK) are not as serious as the original techniques published in October 2017, but said they show the difficulty of patching and that there is still plenty of work to do in defending WiFi networks. The main weakness the researchers exposed last year is an issue with the four-way handshake that takes place when a client is joining a wireless network. The researchers developed techniques for tricking a client into reinstalling an already used encryption key that’s part of that handshake.
“Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times,” the original attack description says.
“Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake.”
Using this technique, an attacker can force encrypted packets to be replayed and decrypted. The issue the KU Leuven team exposed was in the WiFi protocol, and so it affected virtually all WiFi devices. Vendors implemented fixes, and the WiFi protocol was amended to address the problem, as well. But the researchers disclosed today that not all of those fixes were fully effective, including the WiFi fix. They also found a way to improve the attack against the four-way handshake to make it more practical to exploit.
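The nonce reset described in the original attack description can be seen in a small model. This is an added example, not code from the researchers or any vendor: the `Client` class, the hash-based `keystream` (a toy stand-in, not the real WiFi cipher) and the sample key and frames are all constructed, and the hardened check (skip reinstalling a key that is already in use) is one assumed way to prevent the reset.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy stand-in for a real per-packet keystream: it depends only on
    # (key, nonce), which is the property a nonce reset breaks.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical client model; `hardened` enables the reinstall check."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.tx_nonce = 0
        self.used_nonces = []

    def on_message3(self, key: bytes) -> None:
        if self.hardened and key == self.key:
            return  # key already installed: keep the transmit counter
        self.key = key
        self.tx_nonce = 0  # (re)installation resets the packet number

    def send(self, plaintext: bytes) -> bytes:
        self.tx_nonce += 1
        self.used_nonces.append(self.tx_nonce)
        return xor(plaintext, keystream(self.key, self.tx_nonce, len(plaintext)))

def run(hardened: bool):
    key = b"constructed-session-key"                     # constructed sample
    p1, p2 = b"frame-one-secret", b"frame-two-public"    # constructed frames
    client = Client(hardened)
    client.on_message3(key)
    c1 = client.send(p1)
    client.on_message3(key)   # retransmitted message 3 arrives again
    c2 = client.send(p2)
    nonce_reused = len(set(client.used_nonces)) < len(client.used_nonces)
    # With a reused keystream, c1 XOR c2 equals p1 XOR p2: no key needed.
    plaintext_relation_leaks = xor(c1, c2) == xor(p1, p2)
    return nonce_reused, plaintext_relation_leaks

if __name__ == "__main__":
    print("vulnerable:", run(False))
    print("hardened:  ", run(True))
```

In the vulnerable run both frames are encrypted under nonce 1, so XORing the two ciphertexts cancels the keystream; in the hardened run the counter keeps advancing and the relation no longer holds.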
“Previously, device-specific and hard-to-win race conditions had to be used to exploit the 4-way handshake of Android, macOS, and OpenBSD. This was necessary, because otherwise these platforms would not accept the plaintext handshake message that triggers the key reinstallation,” Mathy Vanhoef of KU Leuven said in a post detailing the new attacks.
“We overcame these limitations by generating an encrypted (instead of plaintext) handshake message that triggers the key reinstallation. As a result, an adversary no longer has to rely on hard-to-win race conditions to exploit vulnerable implementations of the 4-way handshake.”
The biggest issue may be the variety of implementation-specific problems that the researchers discovered. Each vendor needs to implement its own patch for the KRACK weaknesses, and some of the fixes turned out to be incomplete. Apple’s patches for macOS and iOS both had issues that still allowed the weakness to be exploited.
“For example, even after the patches that prevent the KRACK attack, macOS reused the SNonce during rekeys of the session key. As another example, iOS did not properly install the (integrity) group key. These vulnerabilities have a similar impact as the original KRACK attacks,” Vanhoef said.
Apple has implemented new fixes in macOS High Sierra 10.13.3 and iOS 12.
A number of routers that use the MediaTek MT7620 chip, including some made by Linksys and TP-Link, will accept replays of the final message of the four-way handshake, allowing an attacker to force a key reinstallation on the router.
“Our results show that preventing key reinstallation attacks is harder than initially assumed. We believe the main reason vulnerabilities are still present is because the 802.11 standard is large, is continually being extended with new features, and requires domain-specific knowledge to understand,” the new KRACK paper says.