Chatting with the discoverer of a serious WPA2 security flaw
After a talk that Mathy Vanhoef gave about the WPA2 vulnerability called KRACK, we sat together and spoke about how WiFi security has improved in the time since the news broke. The fact of the matter is, as we stated in our blog article back then, that KRACK, while definitely being a problem, is not the end of the world. This did not keep doomsayers from predicting the end of the world as we know it, whereas others remained more or less indifferent.
Some said that KRACK might quickly make its way into the standard repertoire of attackers and that no network would be safe again, ever. In fact, this is not true. First of all, a certain physical proximity is required to carry out the attack. Even if attackers can make use of things such as specialized long-range antennae or drones, the scenario does not scale well at all.
“As of today, I am aware of at least one tool that reimplements the attack. That tool was likely used a number of times. I also know others that performed the attack against Android in a controlled lab setup”, said Mathy Vanhoef during his talk at the Ruhr University of Bochum. “I can’t give any estimates about how much application the attack sees in the field, since we are not measuring it. However, the fact that someone implemented the attack definitely shows there is an interest in it”. The attack remains complex, though - it does not work every time and with every device. According to Vanhoef, exploiting KRACK is not something you can pull off after a weekend of tinkering with a WiFi antenna and ten minutes of Google searches. It is also not possible to eavesdrop on a target for hours, let alone days on end. According to Mathy, “The attack doesn't lend itself to decrypting large volumes of information. Instead I would expect it to be used to target and recover very specific pieces of information, such as plaintext cookies”. This is true even considering the fact that you could repeat the process over and over again.
Ten months after the news broke, there are still plenty of vulnerable devices out there – mostly those which either do not receive system updates anymore or those where updates are associated with a lengthy development process, such as in medical applications. The flaw is still an issue across the board and as such still requires mitigation. If a client which has the required update contacts a vulnerable access point, you have not gained much in the way of security, and vice versa. In several respects, though, the industry got away with just a black eye. The issue can be fixed in WPA2 without replacing the entire system, as had to happen when WEP was discovered to be broken.
The results of Mathy Vanhoef's findings have made it into the latest revision of the IEEE standard 802.11 (the somewhat unwieldy official name for what most people know as “WiFi”). Changes have been made to the way a device and an access point talk to each other when establishing a connection. First of all, for a client to be compliant with the new revision, even a key reinstallation (the “KR” in “KRACK”) must not change some of the parameters that are vital for an attack to work (nonce reuse). Some vendors of access points, though it is not specified in 802.11, have also made changes to the way they handle the 4-way handshake.
As in most modern cryptographic protocols, WPA2 does not use a static, predetermined key to encrypt packets, as this would be easily crackable and insecure. Instead, both client and access point negotiate a secure channel to exchange cryptographic keys. This is where the KRACK vulnerability comes into play. When a client wants to connect to the AP, it uses one of a set of possible ways to do so. The most commonly used is the four-way handshake.
To establish a connection, a user needs the WiFi password. After entering the correct password, the handshake begins. Here, both parties submit secret information to the other party as well as a shared secret, usually a randomly chosen number. This information is transmitted in four steps that ultimately lead to the encryption key being installed on both devices for further secure communication. Vanhoef found a way to resend step three from a computer that has not been part of the communication before. Therefore, an attacker is now able to decrypt a number of frames sent through this channel.
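The key-reinstallation rule described above, as an added example (not code from the original article or from any WiFi implementation): a constructed client model whose nonce counter is reset when step three arrives a second time, next to the patched behaviour, plus a check for reused nonces. The `Client` class, `run_session`, the sample plaintexts and the SHAKE-based keystream are assumptions standing in for a real handshake and cipher.

```python
import hashlib

P1 = b"GET /inbox HTTP/1.1"   # constructed sample plaintexts
P2 = b"Cookie: sid=EXAMPLE"

def keystream(key, nonce, length):
    # Toy stand-in for a real per-frame cipher (this is NOT CCMP): the only
    # property that matters here is that (key, nonce) fixes the keystream.
    return hashlib.shake_256(key + nonce.to_bytes(8, "big")).digest(length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical client; only the key-install logic is of interest."""
    def __init__(self, patched):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_message3(self, key):
        # Patched rule: reinstalling the key that is already in use
        # must not touch the nonce (packet number) counter.
        if self.patched and key == self.key:
            return
        self.key = key
        self.nonce = 0  # vulnerable path: counter restarts on every install

    def send(self, plaintext):
        self.nonce += 1
        stream = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, stream)

def run_session(patched):
    """Step three arrives, a frame is sent, step three arrives again, another frame."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.on_message3(key)
    first = client.send(P1)
    client.on_message3(key)  # retransmitted step three
    return [first, client.send(P2)]

def reused_nonces(frames):
    """Nonces that occur more than once under the same key."""
    seen, dup = set(), set()
    for nonce, _ in frames:
        (dup if nonce in seen else seen).add(nonce)
    return dup
```

With `patched=False` both frames carry nonce 1, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts; with `patched=True` the nonces are 1 and 2 and nothing cancels.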
The access points changed in this way do not resend the third component of the handshake in order to prevent attacks against connected clients. It was at this point that an attacker would have been able to get a foot in the door. Furthermore, to prevent attackers from simply forcing the wireless network to use a different channel, changes are proposed to the way that “Channel Switch Announcements” (CSAs) are processed. According to an even more recent revision of 802.11, those CSAs must be verified by the AP as well as the client device before being able to switch a channel. Both clients and AP must also verify on which channel they operate when establishing a connection. This is referred to as “Operating Channel Validation” (OCV) and will make it a lot harder to attack the connection. Effectively, these measures make an attack too difficult and impractical for most use cases. If the AP and the client agree on the channel they want to communicate on, any attempts at forcing communications on a different channel – as attackers have to – would fail.
The only downside is that it will take a few more years for the changes to trickle down. So we’ll continue to see loads of vulnerable devices.
Now that the dust has settled a bit, some may wonder how Mathy even discovered the security flaw in the first place. After all, by the time KRACK was discovered, the WPA2 standard had seen a decade of use without any viable attacks on the encryption. There were even formal examinations that certified WPA2 to be safe. There were successful attacks against weak passwords, but that technically does not qualify as “breaking WPA2”. When asked the question, Mathy laughed and said:
“I certainly did not wake up one morning thinking ‘I wonder if I can find a vulnerability in WPA2 today’. I guess it was just a combination of happy accidents, because at that time I was working on something completely unrelated. When I needed a break from that activity, I browsed some source code that was specifically dealing with the 4-way-handshake that would eventually prove critical for KRACK. Somehow it clicked in my head and I sensed that I might be on to something, although at the time I did not know exactly what it was. In the end I contacted several vendors with my findings and one after the other confirmed them. This was when I realized that this was going to be something a little bit bigger.”
The short cycles of modern online media require many news outlets to publish stories on extremely short notice. That way, the moment people got wind that something was “up”, a tweet like “T minus ~24 hours” ended up being interpreted as a sort of “Countdown to annihilation”. Interestingly enough, Mathy told us, the aforementioned tweet did not receive much of a response initially. That only happened after another cryptography expert, Kenn White, added some context to the tweet. In the case of KRACK, some stories appeared even before subject matter experts had formed an opinion on how bad KRACK really is – or before the full paper was even published. Whenever this happens, there is a great deal of uncertainty among the general public. Naturally, people want answers and they try to fill the knowledge gap using their own interpretation of available data. Mathy shared with us his side of the story: “While I was on the phone with one person, I heard phones ring all over the office. Journalists and other people basically tried every extension in the office, hoping to get directly to me. I felt sorry for my colleagues, though, because they got pretty much nothing done that day. It was a really busy time”. For researchers at university institutes without a big PR agency or department, the sudden attention can surely be overwhelming.