WPA2, the most widely used Wi-Fi security standard, has a number of flaws that could allow hackers to snoop on users’ internet traffic or, worse, to inject malware into it.
The vulnerabilities are in the protocol itself, specifically in the four-way handshake between clients and access points. They allow an attacker to mount an evil twin attack: a rogue access point that masquerades as a legitimate one forces clients to reuse an existing encryption key with the same nonce (in cryptography, a nonce is a value that must be used only once).
From a cryptographic point of view, the nonce reuse is a serious weakness that allows attackers to recover the keystream and decrypt all or a significant number of data packets. Mathy Vanhoef, a researcher at the University of Leuven in Belgium, named this new WPA2 issue a key reinstallation attack, or KRACK, and found several variations.
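The keystream-recovery consequence of nonce reuse described above, shown with a toy counter-mode cipher. This is an added example, not code from the KRACK research or from any Wi-Fi implementation: a SHA-256 keystream stands in for the AES counter mode inside CCMP, the HTTP header and cookie lines are constructed sample packets, and the Session class models the "do not reinstall an already-installed key" guard in the spirit of the vendor fixes rather than any specific vendor's code.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i). A toy
    stand-in for AES-CTR inside CCMP; the nonce-reuse property is the same."""
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def recover_with_known_plaintext(c_known: bytes, p_known: bytes,
                                 c_other: bytes) -> bytes:
    """Two packets under one (key, nonce): c1 ^ c2 = p1 ^ p2. If p1 is
    predictable (a protocol header, say), c1 ^ p1 is the keystream, which
    decrypts as many bytes of c2 as p1 is long, with no key at all."""
    return xor(c_other, xor(c_known, p_known))

class Session:
    """Sender side with the guard patched supplicants apply: a key that is
    already installed is not reinstalled, so the packet number used as the
    nonce is never reset to a value that has already been consumed."""
    def __init__(self) -> None:
        self.key, self.counter = b"", 0
    def install_key(self, key: bytes) -> bool:
        if key == self.key:        # replayed handshake message: ignore it
            return False
        self.key, self.counter = key, 0
        return True
    def send(self, plaintext: bytes) -> bytes:
        self.counter += 1          # fresh packet number = fresh nonce
        return encrypt(self.key, self.counter.to_bytes(6, "big"), plaintext)

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()
    nonce = (1).to_bytes(6, "big")
    header = b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n"  # assumed known
    secret = b"Cookie: session=constructed-sample-0001\r\n"
    c1, c2 = encrypt(key, nonce, header), encrypt(key, nonce, secret)
    print(recover_with_known_plaintext(c1, header, c2))  # the secret line, no key needed
```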
“During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks,” he said on a website with detailed information about the flaws. “If your device supports Wi-Fi, it is most likely affected.”
Both WPA2-Personal and WPA2-Enterprise are affected, with all types of encryption. However, WPA2 with AES-CCMP is less vulnerable than WPA-TKIP or GCMP and only allows for traffic snooping. The other two encryption options also allow for packet injection.
The impact and exploitability also differ by operating system. Due to an additional implementation issue, the attack is trivial on Linux and on Android 6.0 and higher. Windows and iOS are not vulnerable to the basic handshake-based key reinstallation attack, but they are affected by other variants of the attack, or their traffic can be compromised through a vulnerable access point.
The flaws affect all Wi-Fi enabled devices regardless of whether they run as access points or as clients, but the attacks are more likely to be directed at clients.
“High-end access-points that contain ‘WIPS’ (WiFi Intrusion Prevention Systems) features should be able to detect this and block vulnerable clients from connecting to the network (once the vendor upgrades the systems, of course),” cybersecurity expert Robert Graham said in a blog post. “At some point, you’ll need to run the attack against yourself, to make sure all your devices are secure. Since you’ll be constantly allowing random phones to connect to your network, you’ll need to check their vulnerability status before connecting them. You’ll need to continue doing this for several years.”
The Wi-Fi Alliance, the industry organization that certifies Wi-Fi devices, now tests for this vulnerability as part of its certification process. Moreover, the fixes from vendors are not expected to break compatibility between patched and unpatched devices, the organization said in a statement on its website.
The KRACK attacks can only compromise the encryption of the Wi-Fi connection itself; they cannot be used to decrypt traffic secured with TLS or a VPN. This is a good example of why companies should implement HTTPS for their internal applications as well and use TLS-based protocols wherever possible.
“Organizations should also ensure they are using the most verbose debug logging for their Wi-Fi networks and configuring their monitoring systems to look for this attack,” said Bob Rudis, chief data scientist at Rapid7. “It is a very noisy, active attack and should be detectable by the vast majority of enterprise cybersecurity monitoring systems.”
The attack could also be an argument for considering Google’s BeyondCorp enterprise security model. This zero-trust model does away with the concept of the network perimeter as a security barrier and treats all devices the same, regardless of whether they’re connecting from inside the corporate network or from an untrusted network.
The CERT Coordination Center at Carnegie Mellon University has published an advisory and a list of affected vendors and operating systems.
Vulnerability in Embedded Crypto Library Weakened Millions of RSA Keys
A flaw in a cryptographic library used in smartcards, security tokens, TPMs and other secure hardware chips manufactured by Infineon Technologies has resulted in potentially millions of users using weak RSA keys for encryption, authentication and digital signing operations.
Some details about the vulnerability emerged last Tuesday when Microsoft published a security advisory warning that trusted platform modules (TPMs) with Infineon chips might have generated weak keys. TPMs are used in computers and other devices for secure key storage and cryptographic operations. In Windows they are used for BitLocker disk encryption.
However, it turns out the flaw has a much wider impact because it affects all RSA keys generated since at least 2015 with the vulnerable Infineon on-chip software library.
“The algorithmic vulnerability is characterized by a specific structure of the generated RSA primes, which makes factorization of commonly used key lengths including 1024 and 2048 bits practically possible,” the security researchers who found the issue said in a blog post. “Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required.”
In other words, an attacker could take a public key generated by an Infineon device and determine its corresponding private key, something that should be computationally infeasible with current hardware for sufficiently long RSA keys.
“The worst-case price of the factorization on an Amazon AWS c4 computation instance is $76 for the 1024-bit key and about $40,000 for the 2048-bit key,” said the team of Czech and Slovak researchers from the Centre for Research on Cryptography and Security at Masaryk University in the Czech Republic.
Attackers don’t need to spend computing power to find out whether a key is vulnerable, because a simple test on the public key alone reveals it. Vulnerable keys may be in use in many places: the researchers determined that the keys used in electronic ID cards from Estonia and Slovakia are vulnerable, and they also found vulnerable keys used for submitting code to GitHub repositories and for PGP email encryption, Ars Technica reported.
The researchers built offline and online testing tools that allow users to check their keys. Keys found vulnerable should be retired and new ones generated. Of course, the new keys should not be generated on the same smartcards or devices with the vulnerable Infineon crypto library until patches have been applied.
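A check of the kind such an offline testing tool performs, written here as an added example (it is not the researchers' tool): the affected generator produces primes of the form k*M + (65537^a mod M) with M a primorial, so a public modulus reduced modulo each small prime factor p of M always lies in the subgroup generated by 65537 mod p, which can be tested from the public key alone. The demo_weak_modulus helper is a constructed toy that exists only to produce a modulus with that structure for the check to flag; the modulus built from two Mersenne primes is a constructed negative case.

```python
import math
import random
# Affected primes have the form k*M + (65537**a mod M) with M a primorial.
# The first 38 odd primes below divide M for every affected key size.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
E = 65537
M = math.prod(SMALL_PRIMES)

def is_roca_fingerprint(n: int) -> bool:
    """True if n mod p lies in the subgroup <65537> of Z_p^* for every small
    prime p, as any product of two structured primes does (n = 65537**(a+b)
    mod M). A random modulus fails at some p with overwhelming probability."""
    for p in SMALL_PRIMES:
        subgroup, x = set(), 1
        while x not in subgroup:          # enumerate 1, E, E^2, ... mod p
            subgroup.add(x)
            x = x * E % p
        if n % p not in subgroup:
            return False
    return True

def probably_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin; only used to build the constructed demo modulus."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_weak_modulus(seed: int = 7) -> int:
    """Constructed ~520-bit modulus from two structured primes (toy only)."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        cand = rng.randrange(1 << 39, 1 << 40) * M + pow(E, rng.randrange(M), M)
        if probably_prime(cand, rng):
            primes.append(cand)
    return primes[0] * primes[1]
```

A positive result is a strong statistical signal that the key came from the affected generator, not a factorization; keys it flags should be retired as the text describes.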
In their blog post the researchers recommend the following actions:
- Apply the software update if available.
- Replace the device with one without the vulnerable library.
- Generate a secure RSA keypair outside the device (e.g., via the OpenSSL library) and import it to the device. We are not aware of any vulnerability in connection with the actual use of the key, only the generation phase has a confirmed vulnerability.
- Use other cryptographic algorithms (e.g., ECC) instead of RSA on affected devices.
- Apply additional risk management within your environment, if the RSA key in use is detected as vulnerable.
- Use key lengths that are not currently impacted (e.g., 3936 bits) by our factorization method. Be aware: use this specific mitigation only as a last resort, as the attack may be improved.