# WPA2 Vulnerability Found



## Yukikaze (Oct 16, 2017)

US-CERT statement:
_US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017._

Here is the intro from the disclosure page:
_We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. *The attack works against all modern protected Wi-Fi networks*. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that *if your device supports Wi-Fi, it is most likely affected*. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded._

This is the researcher's disclosure page:
https://www.krackattacks.com/
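
The mechanism behind the disclosure quoted above, as an added example that is not code from the thread, the researchers or any vendor: a minimal model of a supplicant that reinstalls the already-installed key when message 3 of the 4-way handshake arrives a second time, which resets the CCMP packet number (the nonce), beside the patched behaviour that keeps the key and nonce. The cipher is a stand-in (HMAC-SHA256 run in counter mode instead of AES-CCMP), the PTK and the two frames are constructed for the example, and the attacker is assumed to know one of the two frames sent under the reused nonce. The real attack needs a channel-based man-in-the-middle within radio range to withhold message 4 so that the access point retransmits message 3; the model collapses that to "message 3 arrives twice".

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample frames, same length so the XOR covers the whole secret.
KNOWN_FRAME = b"DHCP-DISCOVER-known-bytes"   # something the attacker can predict
SECRET_FRAME = b"Cookie: session=abc123xyz"  # what the attacker wants to read


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP counter mode (HMAC-SHA256, not AES): keystream
    depends only on (temporal key, packet number), so a repeated PN under
    the same TK repeats the keystream."""
    out = b""
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(tk: bytes, pn: int, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(tk, pn, len(plaintext))))


class Supplicant:
    """Client side of the 4-way handshake; message 3 tells it to install the PTK."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk: Optional[bytes] = None
        self.pn = 0                                 # CCMP packet number (nonce)
        self.sent: List[Tuple[int, bytes]] = []     # (pn, ciphertext) as seen on the air

    def handle_msg3(self, tk: bytes) -> None:
        if self.patched and self.tk == tk:
            # Fixed behaviour: answer the retransmission (message 4) but do NOT
            # reinstall a key that is already in use, so pn keeps counting.
            return
        # Vulnerable behaviour: (re)install the key and reset the nonce to zero.
        self.tk = tk
        self.pn = 0

    def send(self, plaintext: bytes) -> None:
        assert self.tk is not None, "no key installed yet"
        self.pn += 1
        self.sent.append((self.pn, encrypt(self.tk, self.pn, plaintext)))


def run_client(patched: bool) -> List[Tuple[int, bytes]]:
    tk = hashlib.sha256(b"constructed PTK for this example").digest()[:16]
    client = Supplicant(patched)
    client.handle_msg3(tk)        # first message 3: normal install, pn starts at 0
    client.send(KNOWN_FRAME)      # pn = 1
    client.handle_msg3(tk)        # retransmitted message 3, forwarded by the attacker
    client.send(SECRET_FRAME)     # vulnerable: pn = 1 again; patched: pn = 2
    return client.sent


def recover_from_nonce_reuse(frames: List[Tuple[int, bytes]], known: bytes) -> Optional[bytes]:
    """Passive attacker: two frames with the same PN share a keystream, so
    ct1 XOR ct2 == pt1 XOR pt2 and one known plaintext reveals the other.
    Assumes (for the example) the first frame under the reused PN is the known one."""
    seen: Dict[int, bytes] = {}
    for pn, ct in frames:
        if pn in seen:
            ct_known, ct_secret = seen[pn], ct
            n = min(len(ct_known), len(ct_secret), len(known))
            return bytes(a ^ b ^ k for a, b, k in zip(ct_known[:n], ct_secret[:n], known[:n]))
        seen[pn] = ct
    return None


def demo(patched: bool) -> Optional[bytes]:
    return recover_from_nonce_reuse(run_client(patched), KNOWN_FRAME)


if __name__ == "__main__":
    print("vulnerable client:", demo(patched=False))   # the secret frame
    print("patched client:   ", demo(patched=True))    # None: no PN was reused
```

Nothing here touches the network password or the PTK itself, which matches the discussion below: the attacker learns traffic under the existing key by making the client reuse a nonce, not by joining the network.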


----------



## the54thvoid (Oct 16, 2017)

Did I not read that the attack requires having the password in the first instance, i.e. it's not a case of password cracking to gain access, but rather someone already in the Wi-Fi 'domain' subsequently performing the encryption side-stepping hack?


----------



## Yukikaze (Oct 16, 2017)

This attack does not gain access to the network, nor does it require the attacker to be "connected" to the network. If it works, it lets you decrypt some (or in some cases, all) traffic sent between a client and the access point.


----------



## the54thvoid (Oct 16, 2017)

Yukikaze said:


> This attack does not gain access to the network, nor does it require the attacker to be "connected" to the network. If it works, it lets you decrypt some (or in some cases, all) traffic sent between a client and the access point.



Yeah, I misread but it does require physical proximity. So really, public WiFi is more susceptible. HTTPS sites are still secure as well.


----------



## Yukikaze (Oct 16, 2017)

Yeah, since it requires you to intercept/disrupt/inject traffic, this means that you need to be within WiFi radio range of the targets. I think the main worry here is for small business owners (no real IT department, but might still be using sensitive data). For most people on a computer at home this is not an issue because they are not a worthwhile target and the likely clients (Desktop/Laptop OSes) will be patched sooner rather than later. I wonder how long it is going to take to patch Android phones, though. IoT, as always, is screwed.


----------



## natr0n (Oct 16, 2017)

When you see kids in the neighborhood start walking around with laptops you'll know WPA2 has been compromised.


----------



## MrGenius (Oct 16, 2017)

Yukikaze said:


> the likely clients (Desktop/Laptop OSes) will be patched sooner rather than later.


It's your WiFi device that needs a firmware update (not your OS patched). If it's affected.

https://www.windowscentral.com/vendors-who-have-patched-krack-wpa2-wi-fi-vulnerability


----------



## Yukikaze (Oct 16, 2017)

That is correct. However, updates of this sort tend to be pushed via driver updates (there are no standalone utilities for FW updates for most WiFi devices), and driver updates get pushed via OS updates (on Windows, at least, but that's what most people use at home).

EDIT: It might not be correct (it might be in the OS implementation of the protocol, and not the FW), after all, seeing as Microsoft states the following.


----------



## MrGenius (Oct 16, 2017)

Well that's good to know. But I would assume since WiFi device vendors are releasing firmware updates that specifically address the issue it can probably be handled on both ends. It might not be necessary to do both. I just updated my router's firmware just in case. Actually...before I knew about the Windows patch. It didn't mention the fixes specifically. Just "fixes security issues" and it's dated from 9-21-17. Which is after the vendor was notified. So hopefully they did something about it. If not, whatever, I always keep my OS up to date anyway.

Here's an example of a patched firmware that specifically addresses the issue.
https://kb.netgear.com/000049349/WNAP320-Firmware-Version-3-7-7-0


----------



## Solaris17 (Oct 16, 2017)

Yukikaze said:


> That is correct. However updates of the sort tend to be pushed via driver updates (there are no standalone utilities for FW updates for most Wifi devices), and driver updates get pushed via OS updates (on windows, at least, but that's what most people use at home).
> 
> EDIT: It might not be correct (and it might be in the OS implementation of the protocol, and not the FW), after all. Seeing as Microsoft states the following.



meh, it's just MS protecting it on their side. You need to patch the actual device to protect the entire network (not just Windows machines)


----------



## Yukikaze (Oct 16, 2017)

From the disclosure page:
*What if there are no security updates for my router?*
_Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones._
This attack is not on the router, it is on the client. So unless your router is a client to something else, it is not in the attack vector. There is no "protecting the whole network" in this case, as the compromised data is the one between a specific (unpatched) client and the router. Having this patch available for Windows systems means that most home users are already patched (unless they disabled windows updates on the OSes where that is possible).


----------



## Solaris17 (Oct 16, 2017)

Yukikaze said:


> In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.



you literally stated the hardware attack vectors. This is big for business. You seem to be focusing on 



> For ordinary home users, your priority should be updating clients such as laptops and smartphones.


----------



## Yukikaze (Oct 16, 2017)

Yes, it is huge for businesses, but they also have devices that tend to have good support...at least the ones that have actual IT departments. Small businesses might be screwed, or not even aware of this at all. I was indeed talking about the usual home use case of a single WiFi router and people's devices connecting to it. In that case roaming doesn't exist and the router is not a client as a repeater, Windows is the most common OS, and that is patched.

Overall, this is still a huge issue.


----------



## Solaris17 (Oct 16, 2017)

Yukikaze said:


> Yes, it is huge for businesses, but they also have devices that tend to have good support...at least the ones that have actual IT departments



having physical devices that have support and are getting patched is not the same as 



Yukikaze said:


> This attack is not on the router, it is on the client.






Yukikaze said:


> Overall, this is still a huge issue.



Completely agree, but it's important to understand the full scope, not the 80% affected. That's all. I encourage everyone to patch up before this makes it into a toolkit for 16yr/os to play with.


----------



## JebusPrime (Oct 17, 2017)

General user here, so what can I do to protect my data other than HTTPS? My router has been deprecated, and none of my mobile devices have received updates yet.


----------



## OneMoar (Oct 17, 2017)

#patched
people blew this way out of proportion


----------



## Solaris17 (Oct 17, 2017)

JebusPrime said:


> General user here, so what can I do to protect my data other than HTTPS? My router has been deprecated, and none of my mobile devices have received updates yet.


just keep checking for updates, they won't come all at once.


----------



## StefanM (Oct 17, 2017)

> Intel Corporation was notified by the Industry Consortium for Advancement of Security on the Internet (ICASI) and CERT CC of the identified Wi-Fi Protected Access II (WPA2) standard protocol vulnerability. Intel is an ICASI Charter member and part of the coordinated disclosure of this issue. Intel is working with its customers and system manufacturers to implement and validate firmware and software updates that address the vulnerability. For more details, please refer to Intel’s security advisory on this vulnerability - INTEL-SA-00101
> 
> Updated WiFi Drivers are available.


----------



## R-T-B (Oct 17, 2017)

OneMoar said:


> #patched



Yeah, not on the "world's most popular operating system" 

Hint: not Windows.


----------



## OneMoar (Oct 17, 2017)

R-T-B said:


> Yeah, not on the "world's most popular operating system"
> 
> Hint: not Windows.


check again, it was patched before this was posted on Reddit, e.g. last week on the 10th

https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability

it's SOP for this kind of disclosure to be made through back-channels to vendors before going public

DD-WRT had a patch in-source the next day

same for OpenWrt

ASUS and TP-Link are rolling firmware updates for supported models


----------



## Yukikaze (Oct 18, 2017)

A small update with regards to the Microsoft fix. The fix itself is sufficient to solve the issue on Windows, even if your WiFi device has no driver update, with one caveat:

*Does this security update fully address these vulnerabilities on Microsoft Platforms, or do I need to perform any additional steps to be fully protected?*
_The provided security updates address the reported vulnerabilities; however, when affected Windows based systems enter a connected standby mode in low power situations, the vulnerable functionality may be offloaded to installed Wi-Fi hardware. To fully address potential vulnerabilities, you are also encouraged to contact your Wi-Fi hardware vendor to obtain updated device drivers. For a listing of affected vendors with links to their documentation, review the ICASI Multi-Vendor Vulnerability Disclosure statement here: http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities_

Source: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080


----------



## FordGT90Concept (Oct 19, 2017)

Guys, guys, guys!  The vulnerability is in TKIP/GCMP, not AES!  If you're using WPA2/TKIP...


----------



## Yukikaze (Oct 19, 2017)

From the disclosure page:
*I'm using WPA2 with only AES. That's also vulnerable?*
_Yes, that network configuration is also vulnerable. The attack works against both WPA1 and WPA2, against personal and enterprise networks, and against any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP). So everyone should update their devices to prevent the attack!_


----------



## FordGT90Concept (Oct 19, 2017)

Original white paper:
https://papers.mathyvanhoef.com/ccs2017.pdf


> Simplified, against AES-CCMP an adversary can replay and decrypt (but not forge) packets. This makes it possible to hijack TCP streams and inject malicious data into them.


Decryption is potentially a problem, but trying to hijack a TCP stream is very difficult. First you have to figure out what type of data it is, then you have to add code that the receiving program will execute. That's a complicated attack.

AES-SIV is resistant.

http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities/
https://www.kb.cert.org/vuls/id/228519
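
The replay and decryption quoted from the paper above both come from the same on-air symptom: after a key reinstallation the transmitter's CCMP packet number (PN) starts again from 1 under a key that is still in use. The check below is an added example in the style of a wireless IDS rule, not code from the thread, the paper or any vendor; the frame records are constructed, not captured. It flags a PN that moves backwards between a transmitter/receiver pair, treats an equal PN as an 802.11 retransmission (retries keep their PN), and clears its baseline when a new 4-way handshake completes, because a legitimate rekey also restarts the PN and must not be reported. Field names and the "eapol4"/"data" record kinds are assumptions for the example.

```python
from typing import Dict, List, Tuple

# Constructed records: (seq, kind, transmitter, receiver, value)
#   kind == "eapol4": message 4 seen, handshake completed, new PTK for the pair
#   kind == "data":   CCMP data frame, value = packet number (PN) in the header
SAMPLE: List[Tuple[int, str, str, str, int]] = [
    (1, "eapol4", "sta-A", "ap", 0),
    (2, "data", "sta-A", "ap", 1),
    (3, "data", "sta-A", "ap", 2),
    (4, "data", "sta-A", "ap", 2),     # 802.11 retry of frame 3: same PN, not a regression
    (5, "data", "ap", "sta-A", 1),     # AP -> STA direction keeps its own PN counter
    (6, "data", "sta-A", "ap", 3),
    (7, "data", "sta-A", "ap", 1),     # PN restarted under the same key: reinstallation symptom
    (8, "data", "sta-A", "ap", 2),
    (9, "eapol4", "sta-B", "ap", 0),
    (10, "data", "sta-B", "ap", 1),
    (11, "data", "sta-B", "ap", 2),
    (12, "eapol4", "sta-B", "ap", 0),  # legitimate rekey: a fresh handshake completed
    (13, "data", "sta-B", "ap", 1),    # fine: new key, new PN sequence
]

Alert = Tuple[int, str, str, int, int]   # (seq, tx, rx, previous_pn, observed_pn)


def find_pn_regressions(records: List[Tuple[int, str, str, str, int]]) -> List[Alert]:
    """Report every frame whose PN is lower than the highest PN already seen
    from the same transmitter to the same receiver since the last handshake."""
    highest: Dict[Tuple[str, str], int] = {}
    alerts: List[Alert] = []
    for seq, kind, tx, rx, value in records:
        if kind == "eapol4":
            # New PTK negotiated: both directions legitimately start from PN 0.
            highest.pop((tx, rx), None)
            highest.pop((rx, tx), None)
            continue
        if kind != "data":
            continue
        key = (tx, rx)
        prev = highest.get(key)
        if prev is None or value > prev:
            highest[key] = value
        elif value == prev:
            continue                      # retransmission of the previous frame
        else:
            alerts.append((seq, tx, rx, prev, value))
            highest[key] = value          # report the reset once, then follow the new sequence
    return alerts


if __name__ == "__main__":
    for seq, tx, rx, prev, value in find_pn_regressions(SAMPLE):
        print(f"frame {seq}: {tx}->{rx} PN went from {prev} to {value} without a new handshake")
```

On real traffic the same logic would run over decoded 802.11 frames (the PN is in the clear in the CCMP header, so no key is needed), and the handshake event would come from observing EAPOL-Key message 4 rather than from a label in the record.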


----------



## MrGenius (Oct 19, 2017)

Also don't use your router in bridge mode, or mobile hotspot with WiFi data offloading enabled, without patched firmware.


> NETGEAR is aware of WPA-2 security vulnerabilities that affect NETGEAR products that connect to WiFi networks as clients. These vulnerabilities are potentially exploitable under the following conditions:
> 
> 
> Your devices are only vulnerable if an attacker is in physical proximity to and within wireless range of your network.
> ...


https://kb.netgear.com/000049498/Se...ies-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837


----------



## FordGT90Concept (Oct 20, 2017)

Asus
Amped Wireless
D-Link


----------



## R-T-B (Oct 20, 2017)

OneMoar said:


> check again it was patched before this was posted on Reddit e.g last week on the 10th
> 
> https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability
> 
> ...



I was specifically referring to Android at that point in time.


----------

