(Thumbnail image credit: °Florian)
There is bad news and good news today for people and businesses who use wi-fi in their day-to-day lives, which is to say just about all of us. The bad news is that it looks like the WPA2 security protocol that keeps all your stuff private and functioning as it's meant to has been cracked. The good news (relatively speaking) is that the situation may not be as world-ending as was initially feared.
The sordid tale actually began a couple of months ago, as Gizmodo explained, when network security researcher Mathy Vanhoef teased a countdown to something on Twitter. Fast-forward to today, and you'll find the secret revealed as KRACK—that's Key Reinstallation Attack—which enables "breaking [of] WPA2 by forcing nonce reuse."
It's at this point that for our UK readers I should point out that nonce means something quite different when it comes to cryptography. Now on with the story...
"We discovered serious weaknesses in WPA2, a protocol that secures all modern protected wi-fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on," Vanhoef wrote at krackattacks.com.
"The attack works against all modern protected wi-fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
The attack exploits a vulnerability in the four-way handshake that's employed when a client joins a wireless network. To protect against lost or garbled data, the part of the handshjake that triggers the delivery of a fresh encryption key will be resent if a proper response isn't received—and each time that happens, "it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol," Vanhoef explained.
"We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message three of the four-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake."
Linux and Android are especially vulnerable to the hack because of a flaw that installs an "all-zero encryption key" rather than reinstalling a proper key, which "makes it trivial to intercept and manipulate traffic" sent by these devices. Improperly configured HTTPS websites will also leak data—if you don't happen to notice that the little "https" has suddenly gone missing from your URL bar, you could be in trouble.
"Adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies," Vanhoef wrote. "Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past. In turn, this causes all encryption protocols of WPA2 to reuse keystream when encrypting packets."
The full explanation digs into considerably greater technical detail, but the overarching theme is that this is potentially very bad. Fortunately, the wi-fi Alliance posted a security update notice today saying that "there is no evidence that the vulnerability has been exploited maliciously."
"Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on wi-fi to deliver strong security protections. Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member," it wrote. "Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches. As always, wi-fi users should ensure they have installed the latest recommended updates from device manufacturers."
Action to correct this vulnerability is already being taken behind the scenes: Microsoft actually released a fix for Windows on October 10 but "withheld disclosure until other vendors could develop and release updates," according to The Verge, and ZDNet has a good list of sources for updates that are either available or in the works. The real problem is that people who don't update will remain vulnerable, and while Windows may more or less take care of itself with automatic updates, the wi-fi coffee maker that's sitting on your kitchen counter like a tiny, sleeping Cylon is going to need a little more attention.
Vanhoef has a full paper on Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 in .PDF format that you can grab here, if you really want to dive into the nuts and bolts of it all. For everyone else, my advice is this: Don't panic—but do update your stuff.