This article is more than 1 year old
Release the KRACKen patches: The good, the bad, and the ugly on this WPA2 Wi-Fi drama
Don't panic... whoa, not so fast, Android, Linux users
WPA2 Wi-Fi users – ie, almost all of us – have had a troubling Monday with the arrival of research demonstrating a critical design flaw in the technology used to secure our wireless networks. A flaw so bad, it can be exploited by nearby miscreants to potentially snoop on people's internet connections over the air.
However, don't stop using Wi-Fi or WPA2 completely, nor rage quit technology as a whole, no matter how simple this vulnerability is. It's annoying, but there is light at the end of the tunnel, and your PC may already be patched.
The Key Reinstallation Attacks, aka KRACK, sounds scary – and it is an embarrassing oversight for the IEEE and its 802.11i protocol – but there are important caveats.
TL;DR on the KRACK WPA2 stuff - you can repeatedly resend the 3rd packet in a WPA2 handshake and it'll reset the key state, which leads to nonce reuse, which leads to trivial decryption with known plaintext. Can be easily leveraged to dump TCP SYN traffic and hijack connections.— Graham Spookyland 🎃 (@gsuberland) October 16, 2017
Firstly, there are some limitations. For a start, an eavesdropper has to be in wireless range of the target network, and have the time and specialized software to pull off the KRACK technique. There is no, to the best of our knowledge, working exploit code available yet – and practical attacks may only be possible against Linux and Android.
KRACK is only applicable in WiFi-range. If a shady hoodie is outside your house tapping on keyboard, encryption isn’t your top problem.— Tarah M. Wheeler (@tarah) October 16, 2017
Secondly, if your network traffic is encrypted using HTTPS, a VPN, SSH, TLS, or similar, KRACK won't get very far. All the miscreant will see, after deciphering the wireless network packets, is more encrypted data. At that point, the snooper is just like any other spy potentially sitting on the vast web of networks between you and the website or service you're connected to – and that's why we try to do HTTPS and other end-to-end encryption everywhere: to thwart naughty people lurking silently in the middle. Sadly, quite a lot of internet traffic is still using unencrypted and unprotected HTTP, or can be downgraded to HTTP in certain situations, which is why this KRACK issue is a potential pain.
And while we're on the subject of bad news, if you're using Android 6.0 or Linux with wpa_supplicant 2.4 or later, it's super easy to hijack the wireless connection. Due to a programming cockup, this software uses a zero key – ie, an encryption key that's all zeroes – when under attack by KRACK, which makes it potentially trivial to intercept, decrypt and tamper with passing wireless packets to and from computers, phones and other devices using the affected wpa_supplicant tool.
That's the bad news – here's hopefully some good news
WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto craptoREAD MORE
In the main, this is all bad stuff due to the massive number of vulnerable gizmos out there using WPA2 and the difficulty in patching them all: sure, computers and recent Android handhelds can grab software fixes, but we shudder to think about all the Linux-based unloved Internet-of-Things devices out there that will remain unpatched for a while or indefinitely.
On the good news front, Mathy Vanhoef and Frank Piessens of KU Leuven, the security researchers who discovered the flaw, alerted vendors in advance of going public on Monday. It appears developers and manufacturers got their first warning in July, around the time this unsigned paper [PDF] going over some of the KRACK techniques quietly emerged online.
Microsoft patched its Windows wireless code in its October batch of security updates, so if you have installed those, you'll be safe. Apple will have security fixes for iOS and macOS out to the public within a few days after releasing some updates to beta testers. Google is still working on its Android and ChromeOS stuff, however.
Judging from the academics' paper, Windows and iOS are largely unaffected by KRACK in that it is rather difficult to exploit the protocol flaws due to Microsoft and Apple's implementations of WPA2 – and, in any case, patches are either available or incoming. Linux, Android 6.0 and above, OpenBSD 6.1, and macOS 10.12 and 10.9 are most at risk from KRACK's eavesdropping techniques due to the way they handle encryption key reuse in WPA2. If you want to know more, see section 3.2 of the paper.
Cisco has some patches out for its equipment, with more to come, along with more technical discussion of the issue. Intel, Netgear, Aruba, and Ubiquiti also have fixes available, and the Wi-Fi Alliance is working with other vendors to address the WPA2 design flaw.
On the Unix-y front, OpenBSD has a fix ready, as do Linux distros including Debian.
Of course, this is only half the battle: users and administrators have to obtain and install the patches, where available. Good luck telling already overstretched BOFHs and PFYs to drop everything and patch every Wi-Fi enabled bit of kit in the office, let alone expecting whoever's handling the Wi-Fi firmware for your home security camera to get busy.
The US-CERT list of vulnerable gizmos shows there's a huge pool of generic manufacturers and defunct companies that are never going to release patches. This is why it's important to never trust the network.
KRACK is a reminder of the benefits of the BeyondCorp approach. The security perimeter should be identity, not the network border.— SpookyTayOnSecurity (@SwiftOnSecurity) October 16, 2017
So, in summary, don’t panic, but get patching, or get ready to patch, and be a lot more discerning about how you figure your network into your threat model. Assuming everything is lovely and friendly on your Wi-Fi will cause you to come unstuck at some point.
No doubt we're going to see KRACK used in anger, but honestly it'll take a while. There's no easy-to-use exploit code out there, yet – in fact, there's no practical exploit code at all – but it will come, and even when it does the world won't end.
Finally, don't forget that the IEEE makes the whole process of evaluating and scrutinizing its standards for things like the WPA2 design blunder relatively difficult. You either have to pay to see the specifications, or wait months after they've been published and hardcoded into devices. And the specs aren't massively clear, which is why Windows and iOS aren't as badly affected as Linux: Microsoft and Apple's engineers seemingly didn't follow the specification correctly in their WPA2 implementations, thwarting the majority of the KRACK technique.
"One of the problems with IEEE is that the standards are highly complex and get made via a closed-door process of private meetings," said cryptographer and professor Matthew Green in a blog post we linked to at the top of this piece.
"More importantly, even after the fact, they’re hard for ordinary security researchers to access. Go ahead and google for the IETF TLS or IPSec specifications — you’ll find detailed protocol documentation at the top of your Google results. Now go try to Google for the 802.11i standards. I wish you luck.
"The IEEE has been making a few small steps to ease this problem, but they’re hyper-timid incrementalist bullshit. There’s an IEEE program called GET that allows researchers to access certain standards (including 802.11) for free, but only after they’ve been public for six months — coincidentally, about the same time it takes for vendors to bake them irrevocably into their hardware and software.
"This whole process is dumb and — in this specific case — probably just cost industry tens of millions of dollars. It should stop."
What's even more ugly is that WPA2's four-way handshake at the heart of KRACK was mathematically proven as secure. Unfortunately, that verification process overlooked the fact that a secret session encryption key negotiated between the device and Wi-Fi base station may be installed more than once. The KRACK method exploits this to reinstall the key over and over to attack the encryption protocol until full decryption is possible. ®