Wifi KRACK vulnerability - what you should know about it
Last weekend, researcher Mathy Vanhoef from imec-DistriNet, KU Leuven, disclosed a critical vulnerability in the WPA2 protocol. Due to a weakness in the key exchange between the client and the wifi access point, an attacker could decrypt or forge network packets; in certain cases, the attacker could even install an all-zero key on the client side, posing a critical threat to network security.
The attack surface of the KRACK vulnerability is mainly client devices rather than routers. Also, such attacks do not disclose the password (and changing the wifi password will not mitigate them).
A proof-of-concept video can be found here:
The vulnerability is triggered during key negotiation, when a vulnerable host joins a wifi network. The key exchange protocol is a 4-way handshake, after which a symmetric key has been negotiated and is used for traffic encryption.
The 4-way handshake
Because messages may be lost or dropped, the wifi access point will retransmit the 3rd message if it does not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it reinstalls the same encryption key, and thereby resets the incremental transmit packet number (nonce) and the receive replay counter used by the encryption protocol. By maliciously replaying the message 3 retransmissions, an attacker forces this nonce reuse, so that packets can be replayed, decrypted or forged.
The reinstallation attack against the 4-way handshake uncovered special behavior in Linux wpa_supplicant and Android 6.0+. By injecting a forged message 1, with the same ANonce as used in the original message 1, before forwarding the retransmitted message 3 to the victim, the victim could be tricked into installing an all-zero key.
Software and keys affected
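A simplified model of the key reinstallation described above, added here as an illustration and not taken from the researcher's code or from wpa_supplicant. The SHA-256 keystream is a stand-in for the real cipher, and the `Supplicant` class, its `patched` flag and the sample frames are constructed for this example; it shows that reinstalling the same key repeats a keystream, and that refusing to reinstall a key already in use avoids it.

```python
import hashlib

def keystream(tk: bytes, pn: int, length: int) -> bytes:
    # Toy stand-in for the cipher: the keystream depends only on (key, packet number).
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Hypothetical client model; `patched` selects the mitigated behaviour."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None
        self.pn = 0
        self.seen = set()  # (key, packet number) pairs already used to encrypt

    def on_message3(self, tk: bytes) -> None:
        # Mitigation: a retransmitted message 3 carrying the key already in use
        # must not reinstall it.
        if self.patched and tk == self.tk:
            return
        self.tk = tk
        self.pn = 0  # installing a key resets the transmit packet number

    def send(self, plaintext: bytes):
        self.pn += 1
        reused = (self.tk, self.pn) in self.seen
        self.seen.add((self.tk, self.pn))
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext))), reused

FRAME_A = b"constructed frame A"  # constructed sample plaintexts of equal length
FRAME_B = b"constructed frame B"

def run(patched: bool):
    tk = bytes(range(16))  # constructed sample temporal key
    sta = Supplicant(patched)
    sta.on_message3(tk)
    first = sta.send(FRAME_A)
    sta.on_message3(tk)  # retransmitted message 3
    second = sta.send(FRAME_B)
    return first, second

if __name__ == "__main__":
    for patched in (False, True):
        (pn1, c1, _), (pn2, c2, reused) = run(patched)
        print(patched, pn1, pn2, reused, xor(c1, c2) == xor(FRAME_A, FRAME_B))
```

In the unpatched run both frames are encrypted under packet number 1, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; in the patched run the second frame uses packet number 2 and that relation no longer holds.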
The following CVEs are related to this vulnerability:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.