KRACK warning: Severe WPA2 security vulnerability leaves millions of devices open to attack

A severe security warning has been issued after Belgian researchers managed to exploit a serious vulnerability in the WPA2 wireless protocol.

Known as KRACK (Key Reinstallation Attacks), the vulnerability makes it possible to eavesdrop on Wi-Fi traffic. Millions and millions of devices are at risk -- Windows, Linux, Android and more -- but it is not known whether there is an active exploit in the wild yet. Details about the vulnerability were due to be released at 8:00AM ET (1:00PM BST), but the research paper has now been published early after someone leaked a draft version.

Researcher Mathy Vanhoef describes KRACK: "The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."

US-CERT (United States Computer Emergency Readiness Team) had issued a warning ahead of the planned coordinated disclosure of the vulnerability:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

The impact is likely to be huge as the vulnerability is inherent in the Wi-Fi standard itself -- "therefore, any correct implementation of WPA2 is likely affected," warn the researchers. They summarize the vulnerability as follows:

When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.
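The nonce reset described in the researchers' summary can be modelled in a few lines. The following is an added example, not code from the paper or from any Wi-Fi implementation: the hash-based keystream is a toy stand-in for the real encryption protocol, the key and plaintexts are constructed, and the `patched` branch is a simplified model of a client that refuses to reinstall the key it already uses.

```python
import hashlib

def keystream(key: bytes, pn: int, n: int) -> bytes:
    """Toy per-packet keystream that depends only on (key, packet number)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0

    def on_message3(self, key: bytes) -> None:
        # Patched behaviour (simplified): a retransmitted message 3 carrying
        # the key already in use must not reset the packet number.
        if self.patched and key == self.key:
            return
        self.key = key
        self.pn = 0  # installing a key resets the transmit packet number

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

P1 = b"GET /login HTTP/1.1"   # constructed sample plaintexts
P2 = b"POST /pay HTTP/1.1!"

def run(patched: bool):
    """Frames sent when message 3 is received twice (constructed scenario)."""
    key = b"constructed-session-key"
    c = Client(patched)
    c.on_message3(key)
    f1 = c.send(P1)
    c.on_message3(key)  # retransmission of message 3
    f2 = c.send(P2)
    return f1, f2

def reused_packet_numbers(frames):
    """Detection check: packet numbers seen more than once under one key."""
    seen, dup = set(), set()
    for pn, _ in frames:
        (dup if pn in seen else seen).add(pn)
    return sorted(dup)
```

With `run(False)` both frames carry packet number 1, so the same keystream covers both and the XOR of the two ciphertexts equals the XOR of the two plaintexts; with `run(True)` the packet numbers are 1 and 2 and that relation no longer holds.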

The researchers also share a proof-of-concept video demonstrating the vulnerability in Linux and Android:

As mentioned above, the paper was due to be released later in the day, and Vanhoef is not impressed with whoever leaked it early:

More details about the vulnerability are available at krackattacks.com, including the detailed paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2", which will be presented at the Computer and Communications Security (CCS) conference on Wednesday 1 November 2017.