Release the KRACKen patches: The good, the bad, and the ugly on this WPA2 Wi-Fi drama

library
crime | hacking | security

WPA2 Wi-Fi users – ie, almost all of us – have had a troubling Monday with the arrival of research demonstrating a critical design flaw in the technology used to secure our wireless networks. A flaw so bad, it can be exploited by nearby miscreants to potentially snoop on people’s internet connections over the air.

However, don’t stop using Wi-Fi or WPA2 completely, nor rage quit technology as a whole, no matter how simple this vulnerability is. It’s annoying, but there is light at the end of the tunnel.

The Key Reinstallation Attacks, aka KRACK, sounds scary – and it is an embarrassing oversight for the IEEE and its 802.11i protocol – but there are important caveats.

TL;DR on the KRACK WPA2 stuff – you can repeatedly resend the 3rd packet in a WPA2 handshake and it’ll reset the key state, which leads to nonce reuse, which leads to trivial decryption with known plaintext. Can be easily leveraged to dump TCP SYN traffic and hijack connections.

— Graham Spookyland 🎃 (@gsuberland) October 16, 2017

Firstly, there are some limitations. For a start, an eavesdropper has to be in wireless range of the target network, and have the time and specialized software to pull off the KRACK technique.

KRACK is only applicable in WiFi-range. If a shady hoodie is outside your house tapping on keyboard, encryption isn’t your top problem.

— Tarah M. Wheeler (@tarah) October 16, 2017

Secondly, if your network traffic is encrypted using HTTPS, a VPN, SSH, TLS, or similar, KRACK won’t get very far. All the miscreant will see, after deciphering the wireless network packets, is more encrypted data. At that point, the snooper is just like any other spy potentially sitting on the vast web of networks between you and the website or service you’re connected to – and that’s why we try to do HTTPS and other end-to-end encryption everywhere: to thwart naughty people lurking silently in the middle. Sadly, quite a lot of internet traffic is still using unencrypted and unprotected HTTP, or can be downgraded to HTTP in certain situations, which is why this KRACK issue is such a pain.

This attack does not reveal a Wi-Fi network’s password. But it can, if the base station uses WPA-TKIP or GCMP encryption, be used to inject data into your unencrypted traffic, such as malicious JavaScript and malware downloads into plain HTTP connections. That’s not great.

And while we’re on the subject of bad news, if you’re using Android 6.0 or Linux with wpa_supplicant 2.4 or later, it’s way easier to hijack the wireless connection. Due to a programming cockup, this software uses a zero key – ie, all zeroes – when under attack by the KRACK method, which makes it potentially trivial to intercept, decrypt and tamper with passing wireless packets to and from those devices.

That’s the bad news – here’s hopefully some good news

WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto crapto

Despite these caveats this is a serious issue, in the main because of the massive numbers of devices out there using WPA2 and the difficulty in patching them all: sure, computers and recent Android devices can grab software fixes, but wew shudder to think about all the unloved Internet-of-Things devices out there that will remain unpatched for a while or indefinitely.

On the good news front, Mathy Vanhoef and Frank Piessens of KU Leuven, the security researchers who discovered the flaw, alerted vendors in advance of going public on Monday. It appears developers and manufacturers may have got their first warning in July, around the time this unsigned paper [PDF] going over some of the KRACK techniques quietly emerged online.

Now that the news is out, some organizations have been better than others. Microsoft patched its code in its October batch of security updates, and Apple will have fixes out in public within a few days after release some updates to beta testers. Google’s still working on its stuff, however.

Cisco has some patches out, with more to come, along with more technical discussion of the issue. Intel, Netgear, Aruba, and Ubiquiti also have patches out, and the Wi-Fi Alliance is working with other vendors on the issue.

On the Unix-y front, OpenBSD has a fix available, as does Debian.

Of course, this is only half the battle: users and administrators have to obtain and install the patches, where available. Good luck telling already overstretched BOFHs and PFYs to drop everything and patch every Wi-Fi enabled bit of kit in the office, let alone expecting whoever’s handling the Wi-Fi firmware for your home security camera to get busy.

Despite many major manufacturers of Wi-Fi systems getting to work on patching, the US CERT list shows there’s a huge pool of white box builders and defunct companies that are never going to release patches. This is why it’s important to never trust the network.

KRACK is a reminder of the benefits of the BeyondCorp approach. The security perimeter should be identity, not the network border.

— SpookyTayOnSecurity (@SwiftOnSecurity) October 16, 2017

So, in summary, don’t panic, but get patching and be a lot more discerning about how you figure your network into your threat model. Assuming everything is lovely and friendly on your Wi-Fi will cause you to become unstuck at some point.

No doubt we’re going to see KRACK used in anger, but honestly it’ll take a while. There’s no easy-to-use exploit code out there, yet, but it will come, and even when it does the world isn’t ending because of today’s news.

A-IEEE-EEEE

Finally, don’t forget that the IEEE makes the whole process of evaluating and scrutinizing its standards rather difficult. You either have to pay to see the specifications, or wait months after they’ve been published and hardcoded into devices. And the specs aren’t massively clear, which is why Windows and iOS aren’t as badly affected as Linux: Microsoft and Apple’s engineers seemingly didn’t follow the specification correctly in their WPA2 implementations, thwarting part, but not all, of the KRACK technique.

“One of the problems with IEEE is that the standards are highly complex and get made via a closed-door process of private meetings,” said cryptographer and professor Matthew Green in a blog post we linked to at the top of this piece.

“More importantly, even after the fact, they’re hard for ordinary security researchers to access. Go ahead and google for the IETF TLS or IPSec specifications — you’ll find detailed protocol documentation at the top of your Google results. Now go try to Google for the 802.11i standards. I wish you luck.

“The IEEE has been making a few small steps to ease this problem, but they’re hyper-timid incrementalist bullshit. There’s an IEEE program called GET that allows researchers to access certain standards (including 802.11) for free, but only after they’ve been public for six months — coincidentally, about the same time it takes for vendors to bake them irrevocably into their hardware and software.

“This whole process is dumb and — in this specific case — probably just cost industry tens of millions of dollars. It should stop.”

What’s even more ugly is that WPA2’s four-way handshake at the heart of KRACK was mathematically proven as secure. Unfortunately, that verification process overlooked the fact that a secret session encryption key negotiated between the device and base station may be installed more than once. The KRACK method exploits this to reinstall the key over and over to attack the encryption protocol. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/17/kracken_patches/

Comments are closed.