KRACK: WPA2 Flaw Means Attackers Can Intercept Your Password

Hackers can use KRACK to inject computers with malware

Researchers have found a new attack called KRACK which comes bearing bad news for Linux and Android users.

This is the first time that researchers have managed to find a significant weakness in the industry-standard WPA2 protocol.

What does this weakness do?

It enables hackers to intercept passwords.

Of course, hackers have to get in range of the vulnerable device.

Hackers can also go through access points to steal sensitive information.

Moreover, they can compromise the user’s email addresses along with other sensitive data.

Using the new exploit they can get their way even with encrypted data.

Then hackers can move forward to inject their ransomware code and other types of malicious content directly into a given website that a user or a client may visit.

The KRACK Attack

Researchers are calling the new proof-of-concept WPA2 exploit KRACK.

KRACK is short for the term Key Reinstallation Attacks.

Researchers have guarded the work on the exploit with close secrecy for many weeks before they finally disclosed their coordinated findings as scheduled on Monday 8 am East Coast time.

They also put up a website that disclosed the vulnerability with a bit more detail.

The website explained that the newly found exploit affected the very core of WPA2 protocol.

Moreover, researchers also revealed that the exploit proved effective against computer machines and devices that run operating systems such as,

  • Linux
  • Android
  • OpenBSD

But that’s not all.

The exploit also worked, though less effectively, on other better-known operating systems such as,

  • Windows
  • macOS

Theoretically speaking, hackers could use the new exploit against MediaTek and Linksys devices as well.

The exploit could also affect other types of online/offline devices.

The website explaining the exploit also had a stiff warning for readers.

It explained that attackers could potentially exploit the security flaw in order to decrypt a ton of sensitive information and data.

Researchers also said that normally the near ubiquitous but flawed Wi-Fi encryption protocol encrypted this kind of data.

But the KRACK attack could decrypt such data and sensitive information.

Mathy Vanhoef, a researcher at Katholieke Universiteit Leuven in Belgium, said that hackers could abuse such flaws to steal sensitive information.

He said that they could make off with information like,

  • Credit card numbers
  • Chat messages
  • Passwords
  • Photos
  • Email
  • And a lot of other stuff.

Mathy also wrote that the attack worked against all types of modern password-protected Wi-Fi networks.

Moreover, he said, depending on the given network configuration, hackers could also possibly manipulate and inject data.

Just to take an example, a hacker might just inject some ransomware into websites.

Hackers could also inject malware into the same websites.

Vanhoef also provided a video which showed the newly discovered attack.

The video showed how the new exploit compromised a device running Google’s Android, the most popular mobile operating system in the world.

 

The Video On KRACK Vulnerability

Vanhoef’s video showed a hacker actually decrypting all types of data that the phone sent to some access point.

How Does The KRACK attack work?

The video showed that the new attack worked by coercing the smartphone into reinstalling what the researchers are calling an all-zero encryption key.

This new encryption key would take the place of the real encryption key.

This is the actual exploit.

And such abilities made the attack very effective on operating systems and platforms such as,

  • Linux
  • Android

The researcher’s website also warned readers that HTTPS-protected websites and web pages didn’t automatically protect them against such attacks.

In other words, HTTPS didn’t provide the necessary remedy against such attacks.

Why?

Because hackers can force improperly configured websites to drop encrypted HTTPS traffic.

Once the connection has been downgraded, hackers can read the resulting plain HTTP traffic for their own ends.

The video demonstration clearly showed an attacker who used an SSLstrip script to force a website, match.com in this case, to downgrade the given connection to HTTP.

After this initial step, the attacker then moved forward to steal a given account’s password the moment the given Android device logged in.

HTTPS isn’t Going To Help Against KRACK

KRACK affects all modern Wi-Fi networks and vulnerable clients.

Researchers have also explained that even though websites or other apps may work hard and use HTTPS in order to use it as an additional layer of online protection, they wanted to warn these websites that hackers could bypass such extra protection with ease and in a large number of given situations.

Moreover, researchers said, to take an example, hackers could previously bypass HTTPS in non-browser software and in,

The problem doesn’t just stop there.

Researchers also revealed that such weaknesses allowed attackers to not only target vulnerable access points but also vulnerable,

  • Smartphones
  • Computers
  • Other various types of online connecting clients

Though the difficulty and effectiveness of hacking each of these targets probably varied.

As far as the most severe attacks went, researchers said, iOS and Windows didn’t show any vulnerability.

In other words, Android along with Linux had the most susceptible code.

Why?

Because hackers could force techniques such as network decryption on the given clients in a matter of seconds.

And most of all, they didn’t even need to exert too much effort to do so on these two operating systems.

Is There A Solution To These Problems And The KRACK Vulnerability?

According to Vanhoef, security personnel could patch their systems in order to prevent such attacks even if the machines themselves have a connection to a given vulnerable access point.

Developers have already built Linux patches, but the problem of distributing those patches remains.

As of yet, no one is clear on when developers will release these patches for all the various Linux distributions and for the billions of Android users.

Developers have also come up with patches that work with some but not all of the various Wi-Fi access points.

The FAQ section on KRACK Vulnerability.

Researchers also responded to some FAQ questions.

One question asked them if such vulnerabilities indicated that everybody needed to demand a new WPA3 standard.

To this question Vanhoef said:

No.

Why?

According to Vanhoef, developers could patch WPA2 implementations in a manner that was backward-compatible.

What does that mean exactly?

This means that a given patched client could easily communicate with an access point that did not have the latest patch.

The same would also hold true if it was the other way around.

To put it in another way, a patched access point or client could actually send the same handshake messages as it did before.

And such clients or access points could do so at the same moment in time.

So what will the security updates do then?

Well, these updates will make sure that the encryption key can only be installed once.

That will effectively prevent such KRACK attacks.

In other words, Vanhoef wants everybody to update their devices once developers roll out the required security updates.

KRACK Can Cause Harm In Many More Ways

Researchers have shown that attackers can use KRACK to infect users with ransomware.

KRACK is a different kind of exploit.

It carries out its work by exploiting the well-known and well-used four-way handshake.

Whenever a client tries to join a WPA2-protected Wi-Fi network, the four-way handshake is executed.

What does the four-way handshake actually do?

It does a lot of things, the most important of which is that it helps communication by confirming that both the access point and the client have the proper and correct credentials.

This is where KRACK tries to interfere.

It can trick any vulnerable client into reinstalling an encryption key which is already in use.

This reinstallation action basically forces the vulnerable client to reset packet numbers.

These packet numbers contain a cryptographic nonce.

The packets also contain other important parameters.

And the KRACK exploit forces the client to reset all of these to their initial values.

So we already know that KRACK can force nonce reuse.

What some of us may not know is that hackers can use this KRACK action to bypass any encryption on the vulnerable client and/or access point.

If you want to read more about how KRACK works then you can go here and read about it.

Researchers made the disclosure this past Monday.

That disclosure also followed the US-CERT advisory that US-CERT distributed just recently to around 100 different organizations.

The US-CERT advisory described the new research in its own way.

It said that US-CERT had become aware of many key management vulnerabilities in the existing four-way handshake of the widely used WPA2 (Wi-Fi Protected Access II) security protocol.

It also said that the impact of taking advantage of these vulnerabilities included,

  • Packet Replay
  • HTTP content injection
  • Decryption
  • TCP connection hijacking
  • And many more.

US-CERT also mentioned that most if not all proper implementations of the given standard have the chance of being affected.

US-CERT also said that researcher KU Leuven along with CERT/CC would publicly disclose the new vulnerabilities on 16th of October 2017.

How Does KRACK Work According To Another Researcher

According to another researcher who had received a briefing on how the vulnerability worked, KRACK worked by exploiting the four-way handshake method.

The four-way handshake method is generally used in order to establish a key (an encryption key) for the purposes of encrypting online traffic.

During the process, specifically the third step, the encryption key can be easily resent several times.

Hackers can change the way this encryption key is resent in particular ways.

This allows the cryptographic nonce to be reused in such a way that can completely compromise the whole encryption process.
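The reinstallation and packet-number reset described above, and the install-once fix, modelled as an added example that is not code from the researchers or from any WPA2 implementation. The `Client` class, the SHA-256 toy keystream (a stand-in for the real cipher), the key and the frames are all constructed assumptions.

```python
import hashlib

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Toy keystream derived from key and packet number (stand-in for the real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical client model: one installed key and a transmit packet number."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.packet_number = patched, None, 0
        self.sent = []  # (packet_number, ciphertext) for every frame sent

    def on_message3(self, key: bytes) -> None:
        # Patched: a resent third handshake message must not reinstall the key in use.
        if self.patched and key == self.key:
            return
        self.key, self.packet_number = key, 0  # installing resets the packet number

    def send(self, plaintext: bytes) -> bytes:
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.key, self.packet_number, len(plaintext)))
        self.sent.append((self.packet_number, ct))
        return ct

def reused_packet_numbers(client: Client) -> set:
    """Packet numbers that appear on more than one sent frame (the check a defender wants)."""
    seen, reused = set(), set()
    for pn, _ in client.sent:
        (reused if pn in seen else seen).add(pn)
    return reused

KEY = b"constructed-key!"                              # constructed sample key
FRAMES = [b"GET /inbox HTTP/1.1", b"user=alice&pw=x"]  # constructed sample frames

def simulate(patched: bool) -> Client:
    client = Client(patched)
    for frame in FRAMES:
        client.on_message3(KEY)  # the third handshake message arrives again before each frame
        client.send(frame)
    return client

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable", reused_packet_numbers(simulate(patched)))
```

In the vulnerable run both frames go out under packet number 1, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts; in the patched run the packet number keeps counting and no nonce repeats.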

As mentioned before, researchers knew about the exploit for many weeks before the announcement.

But the KRACK vulnerability only came to light this past Sunday when online users discovered a random Github page that belonged to one of the researchers.

As pointed out earlier, there is also a separate website by the name of krackattacks.com that discloses the newly found vulnerability in more detail.

The website uses a lot of tags as well, some of which are as follows,

  • WPA2
  • Packet number
  • KRACK
  • Security protocols
  • Key reinstallation

Researchers who had received briefings on the vulnerabilities also revealed that the vulnerabilities had been indexed.

One of the researchers told Ars Technica that companies such as Aruba and Ubiquiti, which sell wireless access points to clients such as government organizations and large corporations, had already come up with updates that clients could use to mitigate the newly-found vulnerabilities.

Official Presentation On KRACK Vulnerability

Researchers will present their talk on KRACK at an upcoming conference on November 1.

Researchers are scheduled to talk about these vulnerabilities in a formal presentation on November 1 2017.

They have titled the talk Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2.

Researchers will present their talk in Dallas at an ACM conference.

Media reports believe that researchers will use the site krackattacks.com to further demonstrate Monday’s disclosures.

Who Will Present the Talks On KRACK Vulnerability?

Right now, we know that Mathy Vanhoef along with Frank Piessens of KU Leuven would present the talk.

Researchers have already presented related research in Las Vegas at a Black Hat Security Conference back in August.

Who Are The Most Affected Entities Against The KRACK Vulnerability?

The KRACK vulnerability will present the biggest problems to government and large corporate Wi-Fi networks.

Organizations that use Android and Linux devices will probably suffer the most from this vulnerability.

But readers should keep in mind that attackers have to come within the Wi-Fi range of a given vulnerable access point.

The same holds true for any client as well.

This is the only way attackers can pull off such attacks.

That doesn’t mean home users with Wi-Fi connections are safe.

Because researchers have revealed that they are vulnerable as well.

And if these home users connect to the internet with Android or Linux devices, then they are especially at risk.

Of course, hackers have less time-consuming and less effortful ways of attacking home users.

If you want to read some more helpful information on the matter you can go here to read what Rob Graham, the CEO of Errata Security, has to say.

Microsoft’s Contribution Against The KRACK Vulnerability.

This past Monday, Microsoft came forward with its own advisory.

The document explained the conditions that hackers required in order to exploit the security flaw on vulnerable Windows computer machines.

Microsoft also issued an official update.

The company did that last Tuesday and media reports say that it fixes the vulnerability.

Of course, Windows users who still have not installed the patch should update their Windows as soon as possible.

But there is more.

Microsoft’s advisory revealed that the patch alone didn’t make Windows machines fully immune.

In other words, affected Windows machines may actually offload the vulnerable WPA2 functionality to the user’s installed Wi-Fi hardware.

This could particularly happen when the user’s device entered a low-power or standby mode.

To guard against that and protect themselves, users should make sure they have the latest Wi-Fi drivers.

If they don’t have the latest Wi-Fi drivers then they should update their drivers as soon as possible.

Needless to say, users should update their Wi-Fi device drivers in addition to applying the Windows fix.

KRACK Vulnerability Conclusion

People who suspect they may have vulnerable clients and/or access points should, for the time being, avoid connecting to Wi-Fi networks until developers roll out further patches.

What can they do instead?

Well, they can go back to using wired connections for a change.

What if a user only has a Wi-Fi connection option?

Then people should make sure that they use Secure Shell, HTTPS, STARTTLS and other types of reliable protocols.

These protocols can sufficiently encrypt email and web traffic as it transmits between access points and computers.

The final option is to use a virtual private network.

Or a VPN service.

Why?

Because VPN services add that extra safety net.

But users have to make sure that they sign up for a good VPN service provider.

Make sure you know how to spot a reliable VPN service provider.

Our research shows that IPVanish is the best VPN service provider for this purpose.

To sign up for IPVanish you can go to the official website by clicking here.

 

Zohair

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.