Today’s most important news in the IT field is probably the break of the WPA2 protocol used by Wi-Fi networks, via the KRACK attack. I’m pretty sure you have already read about it in newspapers, on social media or on news websites, but I always think it is important to spread this kind of news to as many people as possible. Let’s check how it works and how to fix it!
The man of the day
Mathy Vanhoef discovered in July a way to crack WPA2 and use a man-in-the-middle attack to decrypt all the data exchanged between the victim and the Wi-Fi network. He named it KRACK (Key Reinstallation Attacks). For those of you who don’t know about man-in-the-middle (MitM) attacks, this kind of attack can be used to decrypt or inject packets in a communication between two parties:
The idea is that the attacker sits between the victim and the web server and captures the communication between both sides. Using this technique you can, for example, fool the victim into thinking he is accessing a web page over the HTTPS protocol while the communication is completely insecure.
In the following video you can see how the exploit works:
Funny, right? It basically cracks the 4-way handshake of the WPA2 protocol used in all modern protected Wi-Fi networks. To do this he created a new technique named Key Reinstallation Attack (KRACK). This way he tricks the victim into reinstalling an already-in-use key, so he can decrypt all the data that passes between the router/access point and the client. You can read about this on his website Krackattacks.com. I really recommend reading it, since the exploit, tests, paper, etc. are of good quality and everything is really well explained.
After this there are a couple of things that need to be clarified:
- The WPA2 protocol has not been cracked. He just cracked the encryption used by the WPA2 protocol.
- This means you cannot get the key to access the WPA2 network if you don’t know it. It only affects the encryption between the clients and the router/access point.
- This attack only affects the clients connected to the Wi-Fi network.
- The KRACK attack doesn’t break the encryption of web pages, such as the SSL encryption of the HTTPS protocol. In the example he tricks the client so that when it accesses a site over HTTPS the MitM attack changes it to HTTP, but you will see in the web browser that the connection is not secure.
- Linux and Android are the most affected devices. He actually states that ‘it is trivial to intercept and manipulate traffic sent by these Linux and Android devices’.
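To make the “reinstalling an already-in-use key” point concrete, here is an added toy model in Python. It is my own illustration, not code from the post or from Mathy Vanhoef’s proof of concept. It assumes a simplified supplicant whose CCMP packet number restarts at zero whenever a key is installed, and it uses an HMAC-SHA256 counter construction as a stand-in for the real CCMP keystream; the PTK and the two data frames are constructed values. When the same message 3 arrives a second time, the unpatched model reinstalls the key and resets the packet number, so two frames end up protected with the same key and nonce and the XOR of the two ciphertexts equals the XOR of the plaintexts, which is what the attack exploits. The patched model ignores a retransmission carrying a key it already has installed, and its packet number keeps increasing.

```python
"""Toy model of message-3 handling in the WPA2 4-way handshake.

Constructed illustration (not the KRACK proof of concept): it shows why
reinstalling an already-installed PTK, which resets the CCMP packet number,
leads to key+nonce reuse, and how a supplicant that ignores the
retransmission avoids it."""
import hashlib
import hmac


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream (HMAC-SHA256 in counter mode).

    Only one property matters for the demo: the same key and the same
    packet number always produce the same keystream."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake, reduced to key installation and sending."""

    def __init__(self, reinstall_on_retransmit: bool):
        self.reinstall_on_retransmit = reinstall_on_retransmit
        self.ptk = None
        self.packet_number = 0  # CCMP nonce; must never repeat under one key

    def receive_msg3(self, ptk: bytes) -> str:
        if self.ptk is None:
            # first message 3: install the fresh key and start the nonce at zero
            self.ptk, self.packet_number = ptk, 0
            return "installed"
        if ptk == self.ptk and not self.reinstall_on_retransmit:
            # patched behaviour: a key that is already in use is not reinstalled
            return "ignored retransmission"
        # unpatched behaviour: reinstall the same key, which resets the nonce
        self.ptk, self.packet_number = ptk, 0
        return "reinstalled"

    def send(self, plaintext: bytes):
        """Protect one data frame; returns (packet number, ciphertext)."""
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)


def demo(reinstall_on_retransmit: bool) -> dict:
    """Install a key, send a frame, receive message 3 again, send another frame."""
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()  # constructed
    sta = Supplicant(reinstall_on_retransmit)
    sta.receive_msg3(ptk)
    frame1 = b"GET /index HTTP/1.1\n"   # constructed sample frames, same length
    frame2 = b"POST /form HTTP/1.1\n"
    pn1, ct1 = sta.send(frame1)
    outcome = sta.receive_msg3(ptk)     # the same message 3 arrives a second time
    pn2, ct2 = sta.send(frame2)
    # With key+nonce reuse the keystreams cancel out in the XOR of the
    # ciphertexts, leaking the XOR of the plaintexts to anyone capturing frames.
    leaked = xor(ct1, ct2) == xor(frame1, frame2)
    return {"retransmit": outcome, "packet_numbers": (pn1, pn2), "keystream_reused": leaked}


if __name__ == "__main__":
    for label, flag in (("unpatched", True), ("patched", False)):
        print(label, demo(flag))
```

Running it prints the unpatched case with packet numbers (1, 1) and keystream_reused True, and the patched case with (1, 2) and False. Real CCMP builds its nonce from the packet number, the key ID and the transmitter address and uses AES-CCM rather than this HMAC stand-in, but the defect is the same: a nonce that repeats under the same key. That is why the vendor fixes focus on not reinstalling an in-use key (or not resetting its counters) rather than on changing the cipher.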
How to fix it
Mathy sent the news to the vendors on 14 July 2017. After this, CERT/CC sent a broad notification to all the vendors in August 2017 so they would fix this issue as soon as possible. Right now some vendors are releasing fixes for this issue, but the task of patching all the devices is sooooooo huge that some of them will be impossible to patch.
The good news is that the exploit and scripts have still not been released by Mathy. The bad news is that some people say this exploit was already known some time ago and was used before Mathy discovered it. Anyway, here is a list of things you should do in the near future if you want to feel safe when using your home network:
- Patch your router/access point ASAP. If your router/access point is too old and the vendor didn’t release a patch for this issue, consider buying a new router/access point.
- Patch your client devices such as mobile phones, netbooks, computers, etc. Check with the manufacturer of the Wi-Fi card whether they released a patch for this issue. Again, if the device is too old maybe you won’t get a patch, so it’s a good idea to replace it with a new one.
I’ll keep you updated with new information as soon as I get it. It will take a couple of days/weeks to get the scripts and try the scripts/1-click exploits, but I’ll try to upload them so you can test them if you want.
It seems all the vendors are releasing patches for this issue:
- Linux: Ubuntu Xenial and Debian Stretch (not sure about this) have a new patch:
wpa (2.4-0ubuntu6.2) xenial-security; urgency=medium
  * SECURITY UPDATE: Multiple issues in WPA protocol
    - debian/patches/2017-1/*.patch: Add patches from Debian stretch
    - CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
      CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
  * SECURITY UPDATE: Denial of service issues
    - debian/patches/2016-1/*.patch: Add patches from Debian stretch
  * This package does _not_ contain the changes from 2.4-0ubuntu6.1 in
- Windows: Microsoft released a patch on October 10th.
- iOS, macOS, watchOS and tvOS: Apple said this issue was already patched. An explanation on Reddit about this topic:
iOS already doesn't accept re-transmitted message 3 of the handshake, making it vulnerable only to the FT handshake attack when the device roams from one AP to another.
To fix this they only need to change when the PTK gets installed. It's kind of funny actually.
They mitigated the primary attack by violating the 802.11i standard, and now they have to adhere to the 802.11r in order to fix the other vulnerability.
- Google: They will release a patch on November 6th. Until then good luck if you are using an Android device…
You can see a full list of vendor patches in the following GitHub repository: krackinfo
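For the Linux side of the patching advice above, here is an added Python check (my own script, not a vendor tool and not part of the post) that answers “is the wpa package on this machine at or beyond the changelog entry that lists the KRACK CVEs?”. It parses the Debian changelog format quoted above, maps each CVE to the oldest version whose entry mentions it, and compares that against the installed version using a re-implementation of dpkg’s version ordering (epochs, `~` sorting first, numeric runs compared as numbers). The embedded changelog is constructed from the xenial excerpt in the post with a placeholder maintainer and date, and the CVE list is the one the excerpt shows. It assumes the usual Debian locations, `/usr/share/doc/<package>/changelog.Debian.gz` for the changelog and `dpkg-query` for the installed version; run it with a package name (for example `wpasupplicant`) to check a real system, or with no arguments for the offline demo.

```python
"""Check whether an installed Debian/Ubuntu wpa package is at or beyond the
changelog entry that lists the KRACK CVEs. Constructed example (not a vendor
tool): parses the changelog format shown in the post, compares versions like dpkg."""
import re

# CVE identifiers exactly as listed in the xenial changelog excerpt in the post
KRACK_CVES = [
    "CVE-2017-13077", "CVE-2017-13078", "CVE-2017-13079", "CVE-2017-13080",
    "CVE-2017-13081", "CVE-2017-13082", "CVE-2017-13086", "CVE-2017-13087",
]
# Constructed changelog modelled on the excerpt; maintainer and date are placeholders
SAMPLE_CHANGELOG = """\
wpa (2.4-0ubuntu6.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Multiple issues in WPA protocol
    - debian/patches/2017-1/*.patch: Add patches from Debian stretch
    - CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
      CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087

 -- Placeholder Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2018 00:00:00 +0000
"""
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ")   # "package (version) distribution; ..."
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _order(c):
    # dpkg character weight: '~' sorts before everything, letters before other symbols
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream version or a Debian revision the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compared character by character with dpkg's weights
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: compared numerically (leading zeros dropped, longer is larger)
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        da, db = a[sa:i].lstrip("0"), b[sb:j].lstrip("0")
        if len(da) != len(db):
            return len(da) - len(db)
        if da != db:
            return -1 if da < db else 1
    return 0


def compare_versions(a, b):
    """Negative if a < b, zero if equal, positive if a > b ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, "0"   # dpkg treats a missing revision as 0
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def cve_first_listed(changelog_text):
    """Map each CVE to the oldest version whose changelog entry mentions it."""
    listed, version = {}, None
    for line in changelog_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            version = m.group(2)   # entries are newest-first, so later matches win
        elif version:
            for cve in CVE_RE.findall(line):
                listed[cve] = version
    return listed


def krack_status(installed, changelog_text, cves=KRACK_CVES):
    """Per CVE: 'patched', 'unpatched' or 'not listed', judged from the changelog."""
    listed = cve_first_listed(changelog_text)
    report = {}
    for cve in cves:
        if cve not in listed:
            report[cve] = "not listed in changelog"
        elif compare_versions(installed, listed[cve]) >= 0:
            report[cve] = f"patched (listed in {listed[cve]})"
        else:
            report[cve] = f"unpatched (installed {installed}, needs {listed[cve]})"
    return report


if __name__ == "__main__":
    import gzip, subprocess, sys
    if len(sys.argv) > 1:   # e.g. python3 krack_check.py wpasupplicant
        pkg = sys.argv[1]
        installed = subprocess.check_output(
            ["dpkg-query", "-W", "--showformat=${Version}", pkg], text=True)
        with gzip.open(f"/usr/share/doc/{pkg}/changelog.Debian.gz", "rt") as fh:
            changelog = fh.read()
    else:                   # offline demo against the constructed changelog
        installed, changelog = "2.4-0ubuntu6.1", SAMPLE_CHANGELOG
    for cve, status in krack_status(installed, changelog).items():
        print(cve, status)
```

A changelog mention is good evidence that the security update was applied, but it is not proof that every code path is fixed, and routers and access points keep no such record at all; for those, the vendor advisories collected in the krackinfo list are the source to check.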