This article originally appeared in TidBITS on 2017-10-17 at 2:38 p.m.
The permanent URL for this article is: http://tidbits.com/article/17572
Include images: Off

Wi-Fi Security Flaw Not As Bad As It’s KRACKed Up To Be

by Glenn Fleishman

Don’t panic about the new Wi-Fi security problem that you’ve likely seen trumpeted on news sites. Yes, the KRACK exploits reveal a fundamental flaw in the process by which a Wi-Fi device — like a Mac, iPhone, Windows computer, point-of-sale terminal, or smart fridge — connects securely to a Wi-Fi access point. You shouldn’t underestimate how significant that is (it’s huge), but also don’t overestimate how likely it is to affect you (very unlikely).

The KRACK exploits involve how Wi-Fi Protected Access version 2, known as WPA2, lets a client device negotiate encryption keys and cryptographic elements with a base station, while keeping those elements secret from any parties trying to intercept communications, masquerade as the client, or decipher data later.

Every operating system and every device that can initiate a Wi-Fi network connection and that supports WPA2 encryption is vulnerable to at least one of the lines of attack revealed, and the researcher who discovered them has already found more attacks that he hasn’t yet released. Wi-Fi access points aren’t directly affected.

However, just because every device in the world could have its traffic sniffed doesn’t mean that every device will. Remember that Wi-Fi is local area networking: attackers must be within range of their targets.

The KRACK vulnerabilities can be easily patched in hardware that can be updated. Apple told me that all four of its operating systems already have patches in place in the current beta releases, which will roll out in the near future for macOS, iOS, watchOS, and tvOS. Other operating systems and older Apple hardware will not be so lucky. Fortunately, many experts see ways for base stations to be updated too, but with the same proviso: many base stations lack an automatic update process, meaning they’ll remain unable to prevent unpatched clients from becoming targets.

A Quick Look at KRACK -- On 16 October 2017, security researcher Mathy Vanhoef presented proofs-of-concept of several different kinds of attacks in a paper he wrote months ago and only now released in advance of an upcoming presentation [1]. He dubbed the series of attacks “KRACKs” (Key Reinstallation AttaCKs), as all major vulnerabilities now need clever names. He disclosed the vulnerabilities carefully, and US-CERT [2] ultimately took over disseminating the information [3] so many companies would have patches ready or nearly so by the disclosure date. (Details were accidentally disclosed earlier than intended, as Ars Technica explained [4].)

The various WPA2 negotiations rely on what’s called a “four-way handshake” and take into account a client failing to receive the key (or failing to acknowledge receipt) during the stage in which the key is delivered. This might be due to interference or an operating system glitch or another anomaly — remember that WPA2 was developed in 2004, when everything, especially wireless devices, was slower and less reliable.

As a result, the Wi-Fi access point can retransmit the key when it believes the client hasn’t received it, and the client device then installs it and resets a counter that’s used to create a stream of encrypted information that only it and certain other parties like the access point can decipher.

That’s where the flaw lies: an attacker can record and replay the transmission of the key, and the client dutifully resets the counter. With that information in hand, a malicious party knowing the contents of certain data packets or guessing they contain plain text (even in an email or Web page) can then decrypt other packets without obtaining the encryption key. An attacker can’t join the Wi-Fi network, but can still extract information from it!

Not every operating system suffers from this problem for every kind of negotiation. Windows and iOS, for instance, weren’t vulnerable to several types of attack, but were to others. As long as one sort of handshake can have a KRACK used against it, data in transit is vulnerable. Forged data could also be inserted into a network, which could allow ransomware and other malware to be delivered to vulnerable devices.

More terrifying than the flaw itself is the fact that it has existed since WPA2 appeared in 2004, and that it was found by a single person — a graduate student, not a team of veteran security researchers at an anti-intrusion software company — following a slender thread of an idea of something to test after writing a paper on a related topic. (Vanhoef credits his research supervisor on the paper for his guidance.)

So far, there’s no evidence of KRACKs being used in the wild. However, the ease with which Vanhoef found it means that it’s likely that government intelligence agencies have already found and have exploited the flaw in targeted surveillance, because it’s exactly the kind of thing that they would be looking for.

Although all this sounds bad, Vanhoef’s disclosure of the KRACKs is actually good news: a researcher dedicated to a responsible disclosure ensured that companies had time to patch before cracking tools were updated. Plus, if bad actors have been exploiting these vulnerabilities, their windows of opportunity will be closing, as I explain next.

Everything That Can Be Patched Will Be -- Apple already has patches in its update stream to fix the various KRACKs in all its operating systems (see “Apple Has Already Patched the WPA2 KRACK Weakness in OS Betas [5],” 16 October 2017). (Apple said nothing about AirPort base stations, but we can always hope.) On 10 October 2017, Microsoft shipped updates [6] to Windows 7 and later and Server 2012 and later. Google has more vaguely promised Android updates in the coming weeks, according to the Verge, but individual Android hardware vendors will have their own schedules. Other operating system and hardware makers have updates shipping now or will release them soon. The Wi-Fi Alliance, which certifies gear that bears the Wi-Fi label, will also update its testing [7]. These responses will rapidly close the largest and most lucrative vectors of attack, those against people with recent hardware, especially mobile devices.

The biggest problem, as with many security attacks, come from three related areas: Google’s Android OS, Linux, and Internet of Things (IoT) devices, which are often powered by a form of Linux. In this case, it’s also because there’s a serious flaw in a commonly used software module that handles the WPA2 negotiation. That flaw is bad: the encryption key in hardware running this module resets to all zeroes when an attacker attempts to replay the captured encryption key — that’s right: all zeroes! Because the attacker now knows that key, they can immediately decrypt all data sent by the client. With other operating systems, an intruder has to work harder and capture a lot of data and run more KRACK attacks before deciphering some of the communication. This glaring bug isn’t old — it was introduced in a relatively recent update that’s incorporated into Android 6.0 and other newer hardware, and affects about 50 percent of all Android devices in use.

Android has long suffered from an update abandonment problem, with Google and its partners quickly dropping support for older releases. A lot of older Android hardware can’t be upgraded to even the next major release of the system — or to any incremental improvement. This abandonment problem affects hundreds of millions of older Android devices that can never receive security updates. Review MasterKey [8], Stagefright [9], and Broadpwn [10] for three examples. (Apple typically supports Macs for at least 7 years and sometimes releases very late-in-cycle security updates for even older Macs. With iOS, it’s closer to 5 years.)

Even worse are Internet of Things devices that use embedded operating systems with which you never interact directly, many of which can’t be updated at all. Even when products can be updated, dodgy manufacturers and cut-rate prices often result in the abandonment of support for a particular model months after it appears. Updates are often difficult to install and manufacturers don’t notify customers (or have any way to do so), making it unlikely that an average user will learn of a security fix or, discovering it, be able to install it. KRACK will become another tool in an attacker’s kit for recruiting devices like DVRs and nursery webcams into botnet armies.

Conversations with a few security experts made it clear that while the Wi-Fi access point side of the equation isn’t at fault for these negotiation flaws, even consumer-focused access points could be updated to block, resist, or report KRACKs. (There’s one exception: corporate-scale access points that support “fast handoff” act a little bit like a client in that mode, and routers with that feature have to be patched, too.)

At the enterprise level, vendors are already on top of the problem. In addition, corporate-scale intrusion-detection systems have long monitored for the unauthorized or fake access points that KRACKs require. Cisco, for instance, has provided a short primer to customers to make sure they have enabled the right options to detect KRACK-style intruders.

Public Wi-Fi networks are unlikely to be affected by the KRACK attacks. Most rely on a portal page to control access to an unsecured network, rather than WPA2. If they do employ WPA2 for access, it’s typically to restrict usage to customers, as it doesn’t provide real security from other users on the same network. In either case, you should always treat public hotspots as untrustworthy.

What You Can Do -- You can and should take steps to protect yourself against KRACKs. Here’s how:

KRACKs won’t disappear. Because hundreds of millions of unpatched devices will remain on the Internet, these attacks will surely be added to research-oriented hacking software and black-hat cracking tools, and will be used by governments and criminal organizations to target individuals who use an old Android phone or an outdated webcam.

But the odds are against KRACKs having a significant impact on overall Internet security.

[1]: https://www.krackattacks.com/
[2]: https://www.us-cert.gov/
[3]: https://www.kb.cert.org/vuls/id/228519/
[4]: https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
[5]: http://tidbits.com/article/17569
[6]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080
[7]: https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-security-update
[8]: https://www.theregister.co.uk/2013/07/22/master_key_doctored_apps_google_play/
[9]: https://en.wikipedia.org/wiki/Stagefright_(bug)
[10]: https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/
[11]: http://tidbits.com/resources/2017-10/KRACK-no-TKIP-WPA.png
[12]: https://www.eff.org/https-everywhere