KRACK—Key Reinstallation Attack

KRACK!… You have no idea of what I’m talking about? If what you have in mind is some white powder or rocks let me you show you the way.

KRACK is the short name for an attack to the WPA (Wi-Fi Protected Access) security protocol, both WPA1 and WPA2. The vulnerability allows Wi-Fi traffic to be decrypted withouth knowledge of any keys even when using “secure” encryption like WPA2 (personal or enterprise).

Which brands and models are affected?

One important detail is that the vulnerability is in the actual protocol and not in some manufacturers implementation of the protocol. What this means is that for manufacturers that followed the protocols as they should there is a very high chance that they were affected.

An analogy

Lets imagine Wi-Fi is a vehicle. Any failure in production of a specific manufacturer or model, like the Ferrari F60 America would impact only those people that bought that car. The solution would be to change the car of fix it somehow…. quite simple.

Now lets imaging that the principles which all manufacturers follow to produce combustion engines is wrong from the start. In that case, all cars with engines built on top of that principle would be affected. Thats exactly what’s happening with KRACK and WPA1/2.

OK, but what do I do?

If you use Wi-Fi in your network especially for sensitive traffic, the solution is to keep your eyes open for any updates made available by your device’s manufacturer (clients or access points).

Security vulnerabilities are usually given a CVE Common Vulnerabilities and Exposures code. The KRACK vulnerability has been given 10 of these:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the four-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the four-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.

The easiest way to know if there is information available is to search for you AP brand, model and the keywords “KRACK” or “CVE-2017-13077” (try to google “ubiquity krack“)

Cisco!

Cisco has a public webpage where security advisories affecting its products are published (also known as PSIRTs). For this vulnerability the advisory was already published and should be the single reference to have up to date information if your cisco device is affected or not and what actions to take to reduce or eliminate exposure.

Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II

Cisco KRACK

Cisco’s security blog is also an important resource.

If you have other brands equipment, research a bit and subscribe to similar lists.

 

KRACK Attacks: Página oficial
https://www.krackattacks.com/

KRACK Demo: Critical Key Reinstallation Attack Against Widely-Used WPA2 Wi-Fi Protocol
https://thehackernews.com/2017/10/wpa2-krack-wifi-hacking.html?m=1

Vendor Information for VU#228519
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

What You Should Know About the ‘KRACK’ WiFi Security Weakness
https://krebsonsecurity.com/2017/10/what-you-should-know-about-the-krack-wifi-security-weakness/

Perspective About the Recent WPA Vulnerabilities (KRACK Attacks)
https://blogs.cisco.com/security/wpa-vulns

Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

Leave a Reply

Your email address will not be published.