On October 16th, 2017, two researchers from a Belgian university released information on an exploit that they found in Wi-Fi Protected Access II, also known as WPA2. WPA2 is the most common type of encryption used to secure Wi-Fi networks around the globe. The vulnerability that was discovered has been named Key Reinstallation Attack, or KRACK for short. The name was derived from the attack vector utilized by actors when exploiting the vulnerability. KRACK is the largest exploit to affect Wi-Fi in the last decade. Although KRACK is a very serious security vulnerability, there are steps that can be taken to mitigate the exposure to a possible security breach.
In June 2004, the IEEE 802.11i standard was finalized. The Wi-Fi Alliance applies the term WPA2 to its implementation of the standard's mandatory requirements. Since spring 2006, the Wi-Fi Alliance has required that a product support WPA2 in order to be labeled "Wi-Fi certified." WPA2 uses the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on the Advanced Encryption Standard (AES) algorithm, for authentication and data encryption. TKIP greatly increases the difficulty of intercepting wireless traffic compared with WEP, the predecessor to WPA2, but CCMP is more secure than the combination of RC4 and TKIP.
WPA2 supports both personal and enterprise modes. In both cases, personal and enterprise, a group temporal key (GTK) is created during the exchange between the client and access point (or AP) called the four-way handshake. The GTK is used to decrypt broadcast and multicast messages. WPA2 also adds methods to speed up the handoff as a client moves from AP to AP. WPA2 specifies ways in which a client can pre-authorize with neighboring APs. APs and clients can also retain keys so that a client returning to an AP can quickly resume communication.
A KRACK attack takes place when an actor sits in between a client and an AP. The actor uses an attack vector that exists in the retransmission of the third message of the four-way handshake. The third message in the four-way handshake is where the encryption key is installed on the device to encrypt everything that is communicated during that connection. When the client receives the third message, the device assumes it has the proper key to move forward with a secure connection. The issue is that if the AP does not believe the message was received, it resends the third message to make sure the client has in fact received it, and at that point the retransmission can be intercepted and replayed by the actor. When a KRACK attack is performed, the client reinstalls the key and, in doing so, resets the other cryptographic variables it had been working with (the nonce and replay counter), which is a real problem. This exploit allows actors to perform acts that range from listening in on what you are communicating to broadcasting fake packets and, in turn, injecting malware into the sites you are visiting. These are only some of the most common ways an actor could exploit the vulnerability. KRACK is, in essence, a method by which an actor can turn any Wi-Fi connection into the kind of unsecured data transmission that users are normally exposed to at places such as a coffee shop.
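The following is an added example, not code from the original post or from the KRACK researchers, that models the client side of the handshake described above. It is a toy (the keystream is a SHA-256 of a constructed key and the packet number, not real CCMP, and no 802.11 frames are involved) whose purpose is to show the defender-relevant point: a client that reinstalls the already-installed key on a retransmitted message 3 resets its packet number and therefore reuses a nonce, while a client applying the standard fix, which ignores message 3 once the key has been installed, does not. The class and function names are assumptions for this illustration.

```python
"""Toy model of a WPA2 client handling message 3 of the four-way handshake.

Contrasts a vulnerable client (reinstalls the pairwise key on every message 3)
with a patched client (ignores message 3 once the key is installed).
Keystream generation is a constructed stand-in for CCMP, not the real cipher.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Client:
    ignore_repeated_msg3: bool          # True = patched behaviour
    ptk: Optional[bytes] = None         # pairwise transient key, once installed
    packet_number: int = 0              # per-key nonce counter (CCMP packet number)
    installs: int = 0                   # how many times the key was (re)installed
    used_nonces: List[int] = field(default_factory=list)

    def handle_msg3(self, ptk: bytes) -> bool:
        """Process message 3. Returns True if the key was (re)installed."""
        if self.ptk is not None and self.ignore_repeated_msg3:
            # Patched: key already installed, so a retransmitted message 3 is
            # answered but must not trigger another installation.
            return False
        self.ptk = ptk
        self.packet_number = 0          # installation resets the nonce counter
        self.installs += 1
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the installed key; returns (nonce, ciphertext)."""
        assert self.ptk is not None, "no key installed"
        self.packet_number += 1
        nonce = self.packet_number
        self.used_nonces.append(nonce)
        # Constructed keystream: hash(key || nonce), stretched to the frame length.
        block = hashlib.sha256(self.ptk + nonce.to_bytes(6, "big")).digest()
        keystream = (block * (len(plaintext) // 32 + 1))[: len(plaintext)]
        return nonce, bytes(p ^ k for p, k in zip(plaintext, keystream))


def duplicate_nonces(client: Client) -> List[int]:
    """Nonces this client used more than once under the same key (should be empty)."""
    seen, dups = set(), set()
    for n in client.used_nonces:
        if n in seen:
            dups.add(n)
        seen.add(n)
    return sorted(dups)


def run_handshake(patched: bool) -> Client:
    """Install the key, send a frame, receive a retransmitted message 3, send again."""
    ptk = hashlib.sha256(b"constructed-ptk-for-illustration").digest()  # constructed key
    client = Client(ignore_repeated_msg3=patched)
    client.handle_msg3(ptk)                       # first message 3: install the key
    client.encrypt(b"first data frame after install")
    client.handle_msg3(ptk)                       # AP retransmits message 3 (message 4 lost)
    client.encrypt(b"second data frame")
    return client


if __name__ == "__main__":
    for patched in (False, True):
        c = run_handshake(patched)
        label = "patched" if patched else "vulnerable"
        print(f"{label}: key installs={c.installs}, nonces={c.used_nonces}, "
              f"reused={duplicate_nonces(c)}")
```

The `duplicate_nonces` check is the property a defender cares about: under CCMP, encrypting two different frames with the same key and the same nonce is what makes traffic decryptable, so a client implementation (or a test harness for one) should verify that a replayed message 3 never drives the packet number back to zero.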
Even though KRACK is the largest exploit that has been discovered in Wi-Fi communications within the last decade, there are ways to reduce the possibility of a security breach. Here at Thornton Technology we feel that it is vital for users to stay up to date with patches on all of their devices. Users will need to patch every device that uses Wi-Fi, along with any APs or routers. One of the main issues with KRACK is that if you use Wi-Fi, you are susceptible to this type of attack. The vulnerability affects the encryption protocol used by WPA2 itself, so it is not limited to devices running certain operating systems.
The main issue in protecting oneself from this exploit is that even if your devices have been patched, you are still susceptible to a breach when using networks that have yet to be patched. On a side note, KRACK does not affect your wireless password, so users do not need to change the passwords on APs or routers. In the end, we advise patching all devices for which patches for the exploit have been released. If a user would like to go a step further, they could also utilize a Virtual Private Network, or VPN for short. Utilizing a VPN does incur a cost to users, but it will provide a much more secure connection with or without the presence of an exploit such as KRACK. A VPN will encrypt all of your communications and will not allow them to be exposed in plaintext.
Image courtesy of Make Use Of.