Advisory from Carolina Advanced Digital on new Wi-Fi KRACK attack

Ref: CERT advisory Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse

Contents

• Executive summary
• Technical highlights
• Recommended actions
• Anatomy of the attacks
• Additional vendor-specific notes
• Resources
• About Carolina Advanced Digital

Executive Summary

Today, a wireless vulnerability named KRACK (Key Reinstallation AttaCK) was publicly announced. The public announcement follows an extensive (multi-month) responsible disclosure process by the researcher, during which tine manufacturers have had the opportunity to work in patches and updates for products to address this vulnerability. There are variations of the attack, and they affect clients and network devices to varying degrees, depending on the attack variant used, the manufacturers implementation of 802.11 standards, and the cipher suites used in wireless encryption.

Below is a summary issued by our technical teams at Carolina Advanced Digital with an overview of the vulnerability, recommendations for mitigation, and additional resources.

Note that some of the attacks are theoretical, and require additional advanced cryptanalysis. The demonstration shown in the YouTube video demonstrates a vulnerable Android device, which is susceptive to the all-zero key attack, which is why the plaintext is visible. This attack would not work on other platforms. For more information please contact your Account Manager or technical team at Carolina Advanced Digital for a briefing.

 

Scope of attacks

• Affects all WPA and WPA2 wireless implementations including WPA2 Enterprise using 802.1X
• Affects all OS-based wireless clients, to varying degrees (Windows, Apple, Linux, Android, etc)
• Affects all known/tested wireless infrastructure devices (controllers/APs)
• All of the attacks require physical proximity to the target/victim networks/clients

Impact of attacks

The impact as described by CERT: An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.

 

Technical Highlights

1. The attacks affect all WPA2-secured networks including PSK (pre-shared key) and Enterprise (802.1X), to varying degrees
2. Manufacturers were alerted to this vulnerability prior to public disclosure and most have had patches issues for weeks
3. The attack affects all cipher suites within WPA2 including TKIP, AES-CCMP, CGMP. AES is vulnerable to some attacks, and TKIP and GCMP are vulnerable to a further extent
4. The attack variants target both endpoints and wireless infrastructure devices (meaning packets to/from each are possible in various combinations)
5. The attack requires attacker to be in physical proximity to the endpoint device and wireless network and uses a Man-in-the-middle attack through a forged channel change command to the client
6.  Fix is to apply vendor-supplied security updates/patches to all endpoints and infrastructure devices
7. Devices patched are compatible with non-patched devices (e.g. a patched endpoint will still work with an unpatched AP, and vice versa
8.  Linux and Android 6.0 or higher are additionally vulnerable to all-zero encryption keys, and therefore to packet interception and manipulation due to their use of version 2.4 and later of wpa_supplicant; 30-40% of current Android devices are vulnerable to this attack
9.  Interestingly, the proper implementation of the 802.11 standard is what makes some devices vulnerable in one variation of the attack, and not following proper implementation makes devices vulnerable in another variation
10. There are further risks and vulnerabilities opened by this attack including vulnerability of manipulating other network-connected devices the client has access to
11. The Wi-Fi Alliance will be adding specific security tests to address this attack for future product certifications
12. Since the attack exploits allowances in Wi-Fi networks to allow for resending lost packets, the key re-installation and all related attacks in this paper will not appear as an anomaly; they can happen any time without the presence of an attacker through the normal course of wireless operation and are not therefore easily detectable as malicious attacks
13. Many of the attack scenarios described are still theoretical and require additional cryptanalysis

Recommended actions

What to do to address this vulnerability

• Update/patch all endpoint devices (smart phones, laptops, printers, everything)
• Update/patch all wireless infrastructure devices (AP, controllers)

Other best practices which also mitigate risk:

• Disable Wi-Fi on endpoints where it’s not needed
• Disable legacy cipher suites (e.g. TKIP) where AES is supported
• Follow proper best practices for network segmentation to avoid risks of injections through affected clients to other network-connected devices

Anatomy of the attacks

There are several variations of the attack, depending on the target (client or AP) and the manufacturer’s specific implementation of the 802.11 standards in their products. Here’s a high level overview of the primary attacks affecting most networks.

1. The attack on clients using 4-way handshake key re-installation

Impact: Gives an attacker access to decrypt and read packets being sent from the victim wireless client, some clients not vulnerable to this attack.

• Attacker spoofs an enterprise AP using software, and forces the victim client to attach by issuing a channel change command to the client
• Attacker is now man-in-the-middle, and can control/hold the client’s confirmation of a handshake after the client has opened the 802.1X port, forcing a valid resend by the AP which resets the counters and fields used in message integrity
• With this now the attacker can decrypt (and replay or forge) packets sent by the client (unidirectional) in most clients
• Exceptions include Linux and Android 6.0 or higher because they use versions of wpa_supplicant that reset to an all-zero encryption key, giving the attacker access to bidirectional traffic
• The attacker can further extend the attack by exploiting poorly implemented HTTPS on websites, effectively stripping the added layer of browser encryption and also exposing that data being sent by the client
• NOTE: Windows 7, Windows 10, and Apple IOS 10.3.1 do not follow the 802.11 standard exactly and are therefore NOT VULNERABLE to this specific attack variant

2. Attacking the group key handshake

Impact: Allows an attacker to replay broadcast and multicast frames, impacts all known wireless clients. Not as impactful as decrypting client traffic as shown above, however presents extensive security risks because of network-based protocols like NTP that can be used to break certificates, Kerberos authentication, and DNSSEC.

•  Similar man-in-the-middle process as described above
• Attacker can then replay broadcast and multicast packet

3. Attacking the 802.11R Fast BSS Transition (FT) handshake

Impact: Attacker can decrypt packets from AP to the client, and replay packets to the AP, or force packets from the AP to the client.

• The FT handshake has a similar structure to the 4-way authentication handshake described above, but without the replay protection counters and message integrity checks
• The 802.11 standard as written would not be vulnerable because of a specific timing requirement of key installation, however most clients tested implemented off-standard, installing keys prematurely which introduces this vulnerability
• A specific variant attack targets the AP vs the client
• For the AP attack, a Man-in-the-middle position is not required, but physical proximity to eavesdrop and inject is
• NOTE: Management frame protection (MFP) does not protect against this attack

Additional vendor-specific notes

Wireless infrastructure vendor partners affected

• HPE Aruba
  http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt
• Cisco
  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
• Hewlett-Packard (legacy)
  No data provided yet
• Fortinet
  https://fortiguard.com/psirt/FG-IR-17-196
• Juniper Networks
  http://www.kb.cert.org/vuls/id/CHEU-AQNN3B

Resources

• CERT: Vulnerability Note VU#228519
  https://www.kb.cert.org/vuls/id/228519
• Vendor information Vulnerability Note VU#228519
  http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
• Video from researcher demonstrating an attack variant on clients * (Android which is vulnerable to a zero-key attack)
  https://www.youtube.com/watch?v=Oh4WURZoR98&feature=youtu.be
• KRACKattack website
  https://www.krackattacks.com/

About Carolina Advanced Digital

Whether you’re leading IT for a government agency, education organization, or commercial enterprise, your users depend on you each and every day to deliver exceptional results. We help you build trusted infrastructures that accomplish your strategic mission – and deliver superb operational performance from day one. We’ve been delivering trusted advice and the best enterprise networking, wireless, security, and data center solutions for more than 30 years.

Corporate Headquarters: 133 Triangle Trade Drive, Cary, NC 27513
Government Sales Office: 130 Village Lake Road, Siler City, NC 27344

Local: 919-460-1313
Toll-free: 800-435-2212

www.cadinc.com

Facebook: http://facebook.com/CADincorporated
Twitter: http://twitter.com/cadinc
LinkedIn: https://linkedin.com/company/carolina-advanced-digital