Cyber threats never seem to stop evolving. On October 16th, Network Researcher Mathy Vanhoef discovered something disturbing. He identified a protocol exploit in WPA2, which is the protocol that is used to secure most Wi-Fi networks. Vanhoef named the exploit KRACKS which stands for Key Reinstallation Attacks. KRACKS are able to read all information that was previously assumed to be encrypted that passes through a network. This includes things such as emails, passwords, credit card information, documents, and anything else that may be sensitive that you may pass through the web. All modern Wi-Fi networks are impacted as well as most Wi-Fi supported devices. Another worrying aspect of this exploit is that beyond just capturing information in-transit the exploit is able to inject and manipulate data as well. This opens up the possibility to develop false information, or even inject malware onto a website or device creating a watering hole in effect.
How WPA2 KRACKS Attacks Works
During a key installation attack, the hacker manipulates the victim into reinstalling another encryption key. This is accomplished by manipulating the four-way handshake messages to negotiate a new encryption key. Once an encryption key is reinstalled packet transit numbers and replay counters are reset. Once this happens, the attackers are able to intercept information transmitted over the network and also decrypt all encrypted packets of information. The attack is performed as follows:
As noted from the KRACK Attack web resource, there have been ten vulnerabilities associated with a key reinstallation attack. They are:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Potential Impacts of KRACKS
The implications and potential impacts of this style of attack are quite severe. If a hacker does this style of cyber attack on a network, they have the ability to gain credentials from business or to even watch an endpoint on a network for sensitive data that is transmitted over it. The hacker doesn’t necessarily have to be an outside actor. KRACKS adds to the arsenal of tools available to malicious insiders. Under the context of insider threats, KRACKS would allow an insider to inject malicious code into the network. If for example there’s a website that is only able to be accessed on the network and has poorly configured SSL certificates. It would not be difficult for a malicious insider to inject malware or ransomware into the internal website and treat the http variant of it as a watering hole and vector for spreading a vicious attack. The vulnerability has the potential to bring down an organization in the hands of a dangerous insider or external hacker.
How to Protect Your Network from KRACKS
Right now the options are limited for potential victims. One of the recommended steps to take is to contact the manufacturer of any Wi-Fi enabled devices you own and ask about an update or patch that addresses this vulnerability. The other recommendation is to use a virtual private network and triple check that websites you are visiting are using HTTPS properly. Businesses should disable client access and 802.11r. In the near future, endpoints (phones, laptops, and smart devices) will likely have an update pushed out soon.