Man the harpoons: The KRACK-en reawakens in updated WPA2 attack

The Belgian researcher who last year gave the world the KRACK attack has returned with what he says is a refined version of the vulnerability.

KRACK was first disclosed roughly 12 months ago by Mathy Vanhoef of Flanders university KU Leuven.

It was a protocol attack, meaning any implementations that followed the standard inherited the issue. An attacker could fool WPA2’s four-way handshake, causing the victim to reuse nonces – of the cryptographic kind – meant for a single use.


That sent vendors on a patching scramble, but further work on Vanhoef’s part led him to suspect KRACK still works. He went public with his follow-up here, ahead of presenting a paper (PDF) at the Association for Computing Machinery’s SIGSAC conference later this month.

The tl;dr version is in the abstract of the paper by Vanhoef and his co-researcher Frank Piessens:

Apple’s macOS and iOS operating systems both had buggy patches that have since been fixed, Vanhoef wrote.

And there’s more – the 802.11v Wireless Network Management (WNM) protocol has provided a path around official patches, via deep-sleep power-saving features.

Vanhoef and Piessens believe an attacker can exploit WNM-Sleep frames to get around Wi-Fi’s protocol fixes.

Vanhoef wrote: “The official defence states that a device shouldn’t reinstall an already in-use key. However, this defence can be bypassed by first letting the victim install a new key, to then let it (re)install an old key.”

He said the attack exploits the interaction between EAPOL-Key frames and WNM-Sleep frames, and it only allows the attacker to reinstall the group key. That made it a low-impact vulnerability.
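To make the bypass concrete, here is an added illustrative model (not the paper’s code and not the GitHub proof-of-concept) of a client’s group-key installation logic. It assumes, as the original KRACK work describes, that installing a group key resets the client’s replay counter for broadcast frames; the “hardened” policy that remembers every previously installed key is an illustrative mitigation of my own, not one the article attributes to the researchers.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple


@dataclass
class GroupKeyState:
    """Simplified model of a client's installed group (broadcast) key."""
    key: Optional[bytes] = None
    replay_counter: int = 0            # highest packet number accepted under `key`
    seen_keys: Set[bytes] = field(default_factory=set)

    def install_naive(self, key: bytes) -> bool:
        """The defence as described: refuse to reinstall the key currently
        in use. Any other key, including an older one, is accepted."""
        if key == self.key:
            return False
        self.key = key
        self.replay_counter = 0        # fresh key, fresh replay window
        return True

    def install_hardened(self, key: bytes) -> bool:
        """Illustrative stricter policy (an assumption, not from the paper):
        refuse any key ever installed, so new-then-old reinstall is rejected."""
        if key in self.seen_keys:
            return False
        self.seen_keys.add(key)
        self.key = key
        self.replay_counter = 0
        return True

    def accept_frame(self, key: bytes, pn: int) -> bool:
        """Receive a broadcast frame protected under `key` with packet number `pn`.
        Dropped if the key is not the installed one or the replay check fails."""
        if key != self.key or pn <= self.replay_counter:
            return False
        self.replay_counter = pn
        return True


def run_sequence(install: Callable[[GroupKeyState, bytes], bool]) -> Tuple[bool, bool]:
    """Drive one install policy through the sequence the article describes:
    K1 from the normal handshake, K2 via a WNM-Sleep frame, then K1 again.
    Returns (old key reinstalled?, earlier broadcast frame accepted again?)."""
    st = GroupKeyState()
    k1, k2 = b"constructed-group-key-1", b"constructed-group-key-2"   # constructed sample keys
    install(st, k1)                    # legitimate group key
    st.accept_frame(k1, 100)           # client has already seen PN 100 under K1
    install(st, k2)                    # newer key delivered via a WNM-Sleep frame
    reinstalled = install(st, k1)      # attempt to bring the old key back
    replayed = st.accept_frame(k1, 100)   # the earlier frame, presented again
    return reinstalled, replayed
```

Under `install_naive` the old key is reinstalled and the earlier broadcast frame passes the replay check a second time; under `install_hardened` both are refused, which is the property a patch needs to preserve.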

There’s a proof-of-concept key reinstallation attack script at GitHub. ®

Bootnote

* FILS, or Fast Initial Link Setup, was only signed off in June 2017 and isn’t in widespread deployment yet. TPK, the Tunneled Direct-Link Setup (TDLS) PeerKey, is a handshake designed for direct client-to-client connectivity, such as connecting a TV to a tablet without going through the access point.
