What is the WPA2 KRACK?
By Rishley Coutinho
On October 16, 2017, the world became aware of the exploit using key reinstallation attacks or better known as KRACK, on the WPA2 protocol.
Before delving into the details of how the attack itself is performed, we must first understand the process which it targets, this being the “4-Way Handshake”. The 4-way handshake is the process in which an access point (such as your laptop, Ipad, phone) and your wireless router can prove to each other that they know their respective secret, without actually telling each other this secret. Once both the access point and your wireless router has established this trust, they can begin to communicate in a secure manner.
To provide an analogy, the process is a key ceremony, where both parties share information to uniquely identify each other without actually revealing the secret identifier or code. Kind of like making a noise to enter your best friend’s tree house, it’s not just the noise but your friend recognizing the tone of your voice and saying “come on up” as they drop the rope ladder!
Now that we have a general understanding of the 4-way handshake, we can delve into the details of how the key reinstallation attack occurs (the KRACK). From a technical perspective, the attacker tricks the victim into reinstalling an encryption key which is already been established and in use. Referring back to our tree house analogy, imagine a bully maliciously disguised and faking the passcode in your voice, your friend would now be under the assumption that it could be you outside; but in fact, this is the bully pretending to be you. It is very important to note and understand that at no point can this bully disguised as you ever assume your identity even though he sounds just like you. In the WPA context, one key point to recognize is that the attacker will not be able to use this vulnerability to retrieve your Wi-Fi credentials – those remain encrypted.
So what can this attacker do now that he has a clear view of all data which is being transmitted? While all unencrypted data will be easy to gather, encrypted data still is at risk. Attackers can re-use the same encryption key that was sent by the “the fake voice” and use that to decrypt data of known content. While this is more dependent on the specific protocols which your routers use, it is still possible.The video below gives a basic demonstration of the KRACK attack from both the attacker and the victim’s perspective.
KRACK Attacks: Bypassing WPA2 against Android and Linux from First Last on Vimeo.
What this means to your organization
A notification regarding the details of this vulnerability was sent to all vendors on August 28 2017, meaning that there was more than enough time to remediate this weakness within the affected vendor products. While you may or may not have had knowledge of this vulnerability prior to the public release, the need for an effective and tested Patch Management policy is critical. Ensuring that your Security Management team has a tested process to apply patches in an efficient and non-disruptive manner becomes increasingly important in these scenarios. From a more technical perspective, you can also disable client functionality within your Routers, Access Points and disabling 802.11r(All other channels are safe).
From a Security Management perspective, it becomes difficult to understand how the 4-way handshake, a mathematically proven to be secure process was exploited. The formal proof itself only assures that the negotiated key remains a secret, but it does not ensure that this key is only given once. This is why it is never safe to assume that your current security infrastructure, no matter how elaborate, is not impenetrable.
Your organization needs to have controls in place to be prepared of such vulnerabilities and have a process in place to triage these types of 0-day vulnerabilities. Some questions you need to ask your selves are “What are my Security Team’s procedures for handling vulnerabilities from time of disclosure to mitigation?”, “Is my Security Team aware of quickly identifying vulnerabilities which are pertinent to my critical assets and infrastructure?”, “Is my Security Team evaluating vulnerabilities based on the Common Vulnerability Scoring System (CVSS) and if not how does my team triage a security incident?”
While there an increasingly large amount of potential vulnerabilities identified on a regular basis, implementing a defense in depth approach and mitigating a single point of failure within your organization becomes imperative. In the scenario that your organization was affected by the KRACK attack, proper implementation of perimeter zoning through use of a Unified Threat Manager would be able to identify the injection of any malicious code. This ensures that all critical data is encrypted during transmission and greatly reduces the chance of any data leak.
How to protect your home
The KRACK attack is mainly supported in enterprise networks, thus there will be very unlikely that your home router is affected by this vulnerability. Although from a best practice perspective, you should contact your router/ISP vendor for any updates which may be available or a timeline for a release. While this vulnerability was exaggerated by mainstream media telling users to “Not use Wi-Fi”, our description of the KRACK attack shows that this type of attack is not easy to deploy and would require the knowledge of an experienced Security Professional.
Should I be worried about using Wi-Fi at Airports, Hotels, and Coffee shops?
You should be careful using public Wi-Fi in any location regardless of whether this vulnerability exists or not! If you value the data which you are transmitting through these wireless public access points, ideally it should be avoided, airports in general is a bee’s nest full of fake honeypot networks waiting for you to connect! Those networks which say “Free_GoGoWifi” are most likely not legitimate. If you do need to use a public access point, it would be much safer to transmit all of your data through a Virtual Private Network (VPN).
Rishley Coutinho, CISSP is a Security Consultant and Architect based out of Toronto. His passions include penetration testing and AI bot research. In his spare time he enjoys powerlifting and snowboarding.