The Belgian researcher who last year gave the world the KRACK attack has returned with what he says is a refined version of the vulnerability.
KRACK was first disclosed roughly 12 months ago by Mathy Vanhoef of Flanders university KU Leuven.
It was a protocol attack, meaning any implementations that followed the standard inherited the issue. An attacker could fool WPA2's four-way handshake, causing the victim to reuse nonces – of the cryptographic kind – meant for a single use.
That sent vendors on a patching scramble, but further work on Vanhoef's part led him to suspect KRACK still works. He went public with his follow-up here, ahead of presenting a paper (PDF) to the Association for Computing Machinery's SIGSAC conference later this month.
The tl;dr version is in the abstract of the paper by Vanhoef and his co-researcher Frank Piessens:
- We show how to attack the 4-way handshake without relying on hard-to-win race conditions, and use a method to more easily obtain the required multi-channel MiTM [man in the middle].
- We systematically analyse all 802.11 features that negotiate or manage keys, and discover that the FILS and TPK* handshake are also vulnerable to key reinstallations.
- We show that the updated 802.11 standard is still vulnerable to reinstallations of the group key, and present implementation flaws that affect the security of group-addressed frames.
- We analyse security patches of vendors, and discover several implementation-specific key (re)installation vulnerabilities.
Apple's macOS and iOS operating systems both had buggy patches that have since been fixed, Vanhoef wrote.
And there's more – the 802.11v Wireless Network Management (WNM) protocol has provided a path around official patches, via deep-sleep power-saving features.
Vanhoef and Piessens believed an attacker can exploit WNM-Sleep frames to get around Wi-Fi's protocol fixes.
Vanhoef wrote: "The official defence states that a device shouldn't reinstall an already in-use key. However, this defence can be bypassed by first letting the victim install a new key, to then let it (re)install an old key."
He said the attack exploits the interaction between EAPOL-Key frames and WNM-Sleep frames, and it only allows the attacker to reinstall the group key. That made it a low-impact vulnerability.
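To see why a check against only the in-use key is not enough, here is a toy model of a receiver's group-key install logic. It is an added example, not code from the paper or from any vendor; the class, the key values and the "remember earlier keys" hardening are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GroupKeyState:
    # False: only compare against the key currently in use (the defence quoted above).
    # True: hypothetical hardening that also refuses any previously installed key.
    remember_old_keys: bool
    current: Optional[bytes] = None
    replay_counter: int = 0
    seen: set = field(default_factory=set)

    def install(self, key: bytes) -> bool:
        """Return True if the key was installed and the replay counter reset."""
        if key == self.current:
            return False  # already in use: refuse to reinstall
        if self.remember_old_keys and key in self.seen:
            return False  # an older key coming back: refuse as well
        self.current = key
        self.seen.add(key)
        self.replay_counter = 0  # installing a key resets its counter
        return True

    def receive(self, frames: int = 1) -> None:
        """Model receiving group-addressed frames under the current key."""
        self.replay_counter += frames


def replay_sequence(state: GroupKeyState):
    """Old key, traffic, new key, traffic, then the old key is offered again."""
    old_key = b"GTK-old-constructed"  # constructed sample values
    new_key = b"GTK-new-constructed"
    state.install(old_key)
    state.receive(5)
    direct_retry = state.install(old_key)  # blocked by the in-use check
    state.install(new_key)
    state.receive(3)
    old_reinstalled = state.install(old_key)  # the sequence from the quote
    return direct_retry, old_reinstalled, state.replay_counter


if __name__ == "__main__":
    print("in-use check only:", replay_sequence(GroupKeyState(False)))
    print("remembers old keys:", replay_sequence(GroupKeyState(True)))
```

With the in-use check alone, the old key is accepted again and its replay counter drops back to zero; with the key history, the old key is refused and the counter keeps its value.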
There's a proof-of-concept key reinstallation attack script at GitHub.
* FILS, or Fast Initial Link Setup, was only signed off in June 2017 and isn't in widespread deployment yet. TPK, the Tunneled Direct-Link Setup (TDLS) PeerKey, is a handshake designed for direct client-client connectivity, such as connecting from a TV to a tablet without going through the access point.