Man the harpoons: The KRACK-en reawakens in updated WPA2 attack
The Belgian researcher who last year gave the world the KRACK attack has returned with what he says is a refined version of the vulnerability.
KRACK was first disclosed roughly 12 months ago by Mathy Vanhoef of Flanders university KU Leuven.
It was a protocol attack, meaning any implementations that followed the standard inherited the issue. An attacker could fool WPA2’s four-way handshake, causing the victim to reuse nonces – of the cryptographic kind – meant for a single use.
WPA2 security in trouble as KRACK Belgian boffins tease key reinstallation bug
That sent vendors on a patching scramble, but further work on Vanhoef’s part led him to suspect KRACK still works. He went public with his follow-up here, ahead of presenting a paper (PDF) to the Association of Computing Machinery’s SIGSAC conference later this month.
The tl;dr version is in the abstract of the paper by Vanhoef and his co-researcher Frank Piessens:
Apple’s macOS and iOS operating systems both had buggy patches that have since been fixed, Vanhoef wrote.
And there’s more – the 802.11v Wireless Network Management (WNM) protocol has provided a path around official patches, via deep-sleep power-saving features.
Vanhoef and Piessens believed an attacker can exploit WNM-Sleep
frames to get around Wi-Fi’s protocol fixes.
Vanhoef wrote: “The official defence states that a device shouldn’t reinstall an already in-use key. However, this defence can by bypassed by first letting the victim install a new key, to then let it (re)install an old key.”
He said the attack exploits the interaction between EAPOL-Key
frames and WNM-Sleep
frames, and it only allows the attacker to reinstall the group key. That made it a low-impact vulnerability.
There’s a proof-of-concept key reinstallation attack script at GitHub. ®
Bootnote
* FILS, or Fast Initial Link Setup, was only signed off in June 2017 and isn’t in widespread deployment yet. TPK, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key, is a handshake designed for direct client-client connectivity, such as connecting from a TV to a tablet without going through the access point.
Sponsored: Following Bottomline’s journey to the Hybrid Cloud
READ MORE HERE