Wi-Fi encryption KRACK-ed with re-keying injection


On Monday, a coordinated disclosure announcement revealed that WiFi networks are at risk. The disclosure leaked early when the GitHub repository holding the talking points for the issue was discovered. The teams investigating the matter named it KRACK and documented their findings on www.krackattacks.com. Ars Technica was the first to publish an article on the vulnerability ("Severe Flaw in WPA2 Protocol leaves Wi-Fi traffic open to eavesdropping"). Extensive reporting since then has even reached the UK's not-so-tech-savvy Daily Mail, whose sensationalist headline isn't so far from the mark this time: "'Almost all' home routers are at risk of being HACKED: Massive flaw in Wi-fi protection is found that lets cyber criminals spy on your every move".

The attack works by injecting a known encryption key into the communication between the client and the access point. The attacker can then read the information in flight between the devices, meaning ALL data transferred is vulnerable. Indeed, the researchers warn against relying solely on HTTPS for protection, since weaknesses in HTTPS handshakes have been exploited before.

The Key Reinstallation AttaCK (from which the name derives) occurs during the encryption key exchange. The attack abuses the four-way handshake in which the two end-points agree on a short-lived shared key that protects the traffic. That key should be replaced by a new one a while later, so that a compromised key does not reveal all the data exchanged. This handshake occurs in both WPA and WPA2, on encrypted personal and enterprise WiFi networks alike.
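The handshake weakness described above, as an added illustration that is not code from this post or from the KRACK researchers: a simplified (constructed) model of a client handling handshake message 3 twice. The vulnerable variant reinstalls the already-installed key and resets its packet counter, so the nonce fed to the counter-mode cipher repeats; the hardened variant ignores a message 3 for a key it has already installed, and a monitoring check flags any nonce reuse under one session key. Key derivation and keystream generation are stand-ins built on HMAC/SHA-256, not the real 802.11i PRF or CCMP.

```python
import hashlib
import hmac

class Supplicant:
    """Simplified model of a Wi-Fi client's handling of handshake message 3.
    Constructed for illustration; it is not a real 802.11 implementation."""

    def __init__(self, pmk: bytes, hardened: bool):
        self.pmk = pmk
        self.hardened = hardened
        self.ptk = None           # pairwise transient key derived from the handshake
        self.pn = 0               # packet number used as the per-frame nonce counter

    def derive_ptk(self, anonce: bytes, snonce: bytes) -> bytes:
        # Stand-in for the 802.11i PRF: key material bound to both nonces.
        return hmac.new(self.pmk, b"PTK" + anonce + snonce, hashlib.sha256).digest()

    def receive_msg3(self, anonce: bytes, snonce: bytes) -> None:
        ptk = self.derive_ptk(anonce, snonce)
        if self.hardened and self.ptk == ptk:
            # Fixed behaviour: this key is already installed, so a repeated
            # message 3 must not reinstall it or reset the nonce counter.
            return
        # Vulnerable behaviour: (re)install the key and reset the counter to zero.
        self.ptk = ptk
        self.pn = 0

    def encrypt(self, plaintext: bytes) -> tuple:
        # Counter-mode style: keystream = f(key, nonce); a nonce must never repeat.
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        keystream = hashlib.sha256(self.ptk + nonce).digest()[: len(plaintext)]
        return nonce, bytes(a ^ b for a, b in zip(plaintext, keystream))

def run_trace(hardened: bool) -> list:
    """Constructed trace: message 3 delivered once, then delivered again."""
    sup = Supplicant(pmk=b"constructed-pmk", hardened=hardened)
    anonce, snonce = b"A" * 32, b"S" * 32
    sup.receive_msg3(anonce, snonce)
    frames = [sup.encrypt(b"first frame")]
    sup.receive_msg3(anonce, snonce)        # duplicate message 3 (retransmission)
    frames.append(sup.encrypt(b"second frame"))
    return frames

def nonce_reuse_detected(frames: list) -> bool:
    """Monitoring check: a repeated nonce under one session key is a red flag."""
    nonces = [nonce for nonce, _ in frames]
    return len(nonces) != len(set(nonces))
```

Frames here are kept under 32 bytes because the stand-in keystream is a single hash output; the hardened path mirrors the vendor fixes, which refuse to reinstall a key that is already in use.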

The video below shows the WiFi attack being used to insert a malicious device into the middle of the data flow. Once there, even SSL data can be decrypted using other tools already available.

CERT is coordinating the responses from device manufacturers. Check the vendors you use (both of your operating system and of your device drivers) and install any available updates to remediate the various attack vectors this exposes.

And check for that lock symbol in the top left of this webpage (you are using HTTPS, right?)

Stay safe out there.

John Dixon

John Dixon is the Principal Consultant of thirteen-ten nanometre networks Ltd, based in Wiltshire, United Kingdom. He has a wide range of experience, including (but not limited to) operating, designing and optimizing systems and networks for customers from global to domestic in scale. He has worked with many international brands to implement both data centres and wide-area networks across a range of industries. He is currently supporting a major SD-WAN vendor on the implementation of an environment supporting a major global fast-food chain.
