Monday, October 16, 2017

KRACK: Breaking WPA2 by Forcing Nonce Reuse

Key Reinstallation Attacks (Hacker News):

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.

Dan Goodin (Hacker News):

The site went on to warn that visiting only HTTPS-protected Web pages wasn’t automatically a remedy against the attack, since many improperly configured sites can be forced into dropping encrypted HTTPS traffic and instead transmitting unencrypted HTTP data.

[…]

KRACK works by targeting the four-way handshake that’s executed when a client joins a WPA2-protected Wi-Fi network. Among other things, the handshake helps to confirm that both the client and access points have the correct credentials. KRACK tricks the vulnerable client into reinstalling an already-in-use key. The reinstallation forces the client to reset packet numbers containing a cryptographic nonce and other parameters to their initial values. KRACK forces the nonce reuse in a way that allows the encryption to be bypassed. Ars Technica IT editor Sean Gallagher has much more about KRACK here.
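The key-reinstallation mechanism described above, as an added example that is not part of the quoted article: a simplified Python model of a client whose packet number resets when message 3 of the handshake is replayed, next to a hardened client that ignores reinstallation of the key already in use. The SHA-256 keystream is a stand-in for WPA2's AES-based encryption, and `Client`, `on_msg3`, `run` and the sample key are hypothetical names and values constructed for illustration.

```python
import hashlib

def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Toy keystream: SHA-256(key || PN || block). Stand-in (assumption) for
    the AES counter mode used by CCMP, whose nonce includes the 48-bit PN."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big")
                              + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Simplified supplicant: models only the key-install step."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.key = None
        self.pn = 0          # packet number; feeds the nonce
        self.used = set()    # (key, pn) pairs already used to encrypt

    def on_msg3(self, key: bytes) -> None:
        # Message 3 is legitimately retransmitted when message 4 is lost.
        if self.hardened and key == self.key:
            return           # same key already installed: keep the counter
        self.key = key
        self.pn = 0          # (re)installation resets the packet number

    def send(self, plaintext: bytes):
        self.pn += 1
        reused = (self.key, self.pn) in self.used
        self.used.add((self.key, self.pn))
        ks = keystream(self.key, self.pn, len(plaintext))
        return xor(plaintext, ks), reused

def run(hardened: bool):
    """Install key, send a frame, replay message 3, send another frame."""
    key = b"constructed-session-key"   # constructed sample value
    client = Client(hardened)
    client.on_msg3(key)
    ct1, _ = client.send(b"first frame data")
    client.on_msg3(key)                # retransmitted message 3
    ct2, reused = client.send(b"other frame text")
    return ct1, ct2, reused
```

With the unhardened client both frames are encrypted under the same (key, packet number) pair, so the XOR of the two ciphertexts equals the XOR of the two plaintexts and the keystream no longer protects either frame.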

Graham Sutherland:

The behaviour of accepting a retransmitted packet comes from the WPA2 standard, which makes the fix situation a little awkward. KRACK abuses the feature of allowing retransmission of lost packets, which is important in 802.11 protocols. “It’s a feature, not a bug”.

Matthew Green (Hacker News):

I don’t want to spend much time talking about KRACK itself, because the vulnerability is pretty straightforward. Instead, I want to talk about why this vulnerability continues to exist so many years after WPA was standardized. And separately, to answer a question: how did this attack slip through, despite the fact that the 802.11i handshake was formally proven secure?

[…]

One of the problems with IEEE is that the standards are highly complex and get made via a closed-door process of private meetings. More importantly, even after the fact, they’re hard for ordinary security researchers to access. Go ahead and google for the IETF TLS or IPSec specifications — you’ll find detailed protocol documentation at the top of your Google results. Now go try to Google for the 802.11i standards. I wish you luck.

[…]

The second problem is that the IEEE standards are poorly specified. As the KRACK paper points out, there is no formal description of the 802.11i handshake state machine. This means that implementers have to implement their code using scraps of pseudocode scattered around the standards document. It happens that this pseudocode leads to the broken implementation that enables KRACK. So that’s bad too.

[…]

The critical problem is that while people looked closely at the two components — handshake and encryption protocol — in isolation, apparently nobody looked closely at the two components as they were connected together.

sequence7:

As an Android user is there any mitigation for this other than ditching my handset and switching to an iPhone or waiting (hopelessly) for a patch from my vendor.

This really does highlight the absolute disaster zone that the Android handset market has become as far as updates are concerned. I’m sure the Pixels will get a fix relatively quickly but almost every other Android user is going to be left in security limbo.

Juli Clover:

Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore’s Rene Ritchie this morning.

Rene Ritchie:

Apple’s AirPorts, including Express, Extreme, and Time Capsule don’t seem to be affected, even if using one as a bridge.

Update (2017-10-17): Nick Heer:

I get why security researchers are dialling up the campaigns behind major vulnerabilities. CVE numbers aren’t interesting or explanatory, and the explanations that are attached are esoteric and precise, but not very helpful for less-technical readers. A catchy name gives a vulnerability — or, in this case, a set of vulnerabilities — an identity, helps educate consumers about the risks of having unpatched software, and gives researchers an opportunity to take public credit for their work. But, I think the histrionics that increasingly come with these vulnerabilities somewhat cheapens their effect, and potentially allows other very serious exploits to escape public attention.

Update (2017-10-18): Glenn Fleishman:

However, just because every device in the world could have its traffic sniffed doesn’t mean that every device will. Remember that Wi-Fi is local area networking: attackers must be within range of their targets.

[…]

Even worse are Internet of Things devices that use embedded operating systems with which you never interact directly, many of which can’t be updated at all. Even when products can be updated, dodgy manufacturers and cut-rate prices often result in the abandonment of support for a particular model months after it appears. Updates are often difficult to install and manufacturers don’t notify customers (or have any way to do so), making it unlikely that an average user will learn of a security fix or, discovering it, be able to install it. KRACK will become another tool in an attacker’s kit for recruiting devices like DVRs and nursery webcams into botnet armies.

[…]

Public Wi-Fi networks are unlikely to be affected by the KRACK attacks. Most rely on a portal page to control access to an unsecured network, rather than WPA2. If they do employ WPA2 for access, it’s typically to restrict usage to customers, as it doesn’t provide real security from other users on the same network. In either case, you should always treat public hotspots as untrustworthy.

Update (2017-11-01): It’s fixed in macOS 10.13.1.

Update (2017-12-13): Tory Foulk:

Earlier today Apple officially made firmware updates 7.7.9 and 7.6.9 available for its AirPort Wi-Fi base stations, including the AirPort Express, AirPort Extreme, and AirPort Time Capsule. The 7.7.9 update is meant for 802.11ac routers, while the 7.6.9 update is meant for 802.11n routers. To install the updates to your firmware, you can use either iOS or macOS AirPort Utility app.

According to Apple support documents posted for both the 7.7.9 and 7.6.9 versions of the update, it addresses multiple issues, including the KRACK vulnerabilities that affected many Wi-Fi enabled devices earlier this year.

It’s not clear why, two months ago, Apple told us that the base stations were not vulnerable to KRACK.

Rui Carmo:

My AirPort Express was just bricked by this upgrade (can’t even factory reset it) which is a tremendous pain given that it was the tiny, neat device that provided coverage in my living room, and I have nothing to replace it with a similar form factor (nor planned budget for doing so).

Update (2020-11-27): Joey Dodds:

At Galois, we believe strongly in the value of formal verification, so we think it’s worth examining each of these points. In doing so, we gain some insights into real-world cryptography verification.

14 Comments


OK so someone reports that Apple has non officially stated that the problem has already been addressed in betas. And the problem goes away.

But:

- the solution is still not available to more than a billion of devices since it's only fixed in betas (be they private or public).
- nobody knows whether the problem will also be fixed for devices running older versions of the OSes. Based on Apple's past history regarding security updates, things do not look promising.

So, basically, the problem is still there but it's OK, because it's fixed in the media.

I tend to believe that what is expected is not Apple to unofficially contact a media pundit to claim the problem will be fixed, but Apple to release the security update ASAP (yesterday would be fine).


someone,
Yeah, I agree. This is strange. Patting yourself on the back for not actually releasing a patch yet. I've also read Airports are affected, but Rene says otherwise. Microsoft apparently already patched Windows 10 last week and that's what I would expect from Apple. Patches ASAP.

Even still, it could be much worse than what Apple is doing...practically my whole life is Linux and even on a rolling Arch based release (Antergos directly uses Arch repos), I'm not seeing the patch yet. Not on my Ubuntu based server either. I need to check if my routers running Gargoyle (based on OpenWrt), my Asus flashed with DD-WRT, and my Android phones get their patches as well. Roku boxes, laser printers, etc. These are all Linux based and have WiFi. Sheesh!

I also have misc. devices that may or may not ever receive patches for the problem, like a PS3, 3DS XL, etc. Here's to hoping all the access points get patched to mitigate the problem on faulty clients. This is a freaking disaster frankly.


Okay, on the Android side, this could be very bad or just mostly bad. My mom's $60 Amazon Blu phone has received security patches every few months (yes, monthly is ideal, but let's not get crazy here) and my cheap $45 clearance LG G Stylo has likewise received security updates every few months, so fingers crossed this continues a little while longer.

This seems to confuse the tech press, but Android is not iOS. I haven't received any OS updates in several months, maybe longer, but I do receive updates to Google Play services (underpins a lot of functionality on Android) and security patches as well. Android decouples such patches, for good reason given their plethora of device sellers, whereas iOS still seems to require OS updates for security fixes.

Don't get me wrong, Apple does a pretty good job getting patches out there for iOS devices, but I would actually prefer security updates to be decoupled from OS updates on every platform. Android has that part right, but execution of said patches still leaves much to be desired. Apple is better at actually shipping updates, but could do better with security updates as separate patches. Honestly, there's been times on iOS (sometimes Mac OS as well) I don't actually want the newest OS update, but I had to update in order to get security fixes.


Wait, spoke too soon. I have updates!!!!

Thus far:
1. Arch patch went in on October 16, I simply missed it with all my senseless hand wringing. Well, that and Pamac (a GUI for Pacman, the package manager on Arch) just stopped providing updates at some point. Thankfully I bothered to run Pacman directly from the terminal. Either way, all better on my laptops.

2. My NUC server running Ubuntu based distro is likewise patched. I believe it was also an October 16 release, I simply missed it, no excuses here. Yes, yes, should be on Ethernet anyway, but this is a Thunderbolt only model and I gave my Thunderbolt Ethernet adapter away after acquiring a Thunderbolt dock, only to downsize later by kicking the Thunderbolt dock to the curb....if only I had my Thunderbolt Ethernet adapter still. Oops. Grumble, grumble. :)

3. Asus RT-AC68U (actually a T-Mobile CellSpot I flashed to make stock model, before loading up on alternative open source firmware of course) had a patch from DD-WRT on October 17. Testing the patch now. Fingers crossed there's no other show stopping bugs with this firmware, given the severity of the problems being patched. I don't want to a. lose access to this router while I roll back the firmware update and b. lose such important patches. Will report back after giving the firmware a spin.

4. Odds and ends. Not sure about the 3DS XL. Mildly concerning since it could connect to random WiFi networks that are unpatched, then again....it's a 3DS XL. Similarly not sure if the PS3 will ever get patched, but if I only run it on a home network that's been patched???? Still up in the air on which Android devices (I'm including Fire OS devices here too) will get patched....yeah, I hear you, I hear you, that's going to be a pain. Not sure what the Echo runs, but a patch would be nice. Same with E Ink Kindles (not sure what this runs, Linux based something or the other) and Nooks (yeah, should go in the Android section). Then there's the Rokus, the laser printers, etc. Man, this really is a mess.

In the meantime, I know only to use trusted patched WiFi networks or stick to cellular networks for such equipped devices. At least until patches roll out. Sure, not every device is an obvious attack vector and most will be on my patched network, but have I mentioned what a mess this will be???? My clients have a plethora of random devices, this will be fun times. Fun times....


Update, Brainslayer's DD-WRT October 17 build for my Asus RT-AC68U failed....After some back and forth with trying to restore the firmware to a working state, I noticed another patch dated October 20 just hit! Guess the bug preventing proper flashing was addressed as I am now KRACK free on my router. Thank goodness!

Slowly but surely....the patching continues.


A friend who runs Gargoyle told me that there is a patch in the unstable branch with intention to get a stable release asap.

No official patch for the RT-AC66W yet.

As for Apple's response, this reminds me of 2014 when they waited to patch 'gotofail' on the Mac until it lined up with an upcoming point release. Except now instead of just macOS, and just waiting over the weekend, it's all of Apple's devices and it seems like they'll be waiting at least a week?


Yeah, I thought the Gargoyle forums had mention of a patched version available somewhere, but both the official downloads for 1.9 experimental and 1.8 stable have yet to see the firmware patch pushed through. I have three Gargoyle routers to patch for clients.

Similar experience with the Asus RT-AC68U, don't think the official firmware was patched for KRACK yet. There was firmware released October 19, but it doesn't mention anything about fixing the vulnerability:

ASUS RT-AC68U Firmware version 3.0.0.4.380.4164 (Facebook Wi-Fi special version)
Facebook Wi-Fi special version, turn your business into a Wi-Fi hotspot, read more: https://www.facebook.com/business/facebook-wifi

* Please note this service is provided by Facebook, please check the facebook Wi-Fi website to make sure the support list and status.
* This service will not work at regions without Facebook services.

Release note:
- Stability improve

Don't even get me started on the ridiculousness that is the T-Mobile branded model, the CellSpot. I have one model on the T-Mobile track (last update December 2016 perhaps?) and one as already mentioned that was reflashed to Asus stock then later DD-WRT. While the stock Asus firmware has a chance of getting the KRACK fix, T-Mobile is still looking into the possibility of patching. Honestly, I'm not holding my breath here given the lack of regular patches. https://support.t-mobile.com/thread/142080


Gargoyle's got an update out: https://www.gargoyle-router.com/phpbb/viewtopic.php?f=3&t=11271

Seems like Apple gave us an iOS 11.2 beta on Monday, without having shipped 11.1 yet?


Thanks remmah! Excellent news, this is very exciting! I have three, no four, routers to update with these Gargoyle patches. I'm very excited here, no joke.


I read on the T-Mobile Asus router thread where Asus is claiming they don't need to patch their devices....but I'm not 100% sure if that's true, given the caveats in their statement about disabling a feature and not using client mode. Since I sometimes have a use for client mode a patch would have been appreciated.

The good news is generally I just convert these models to stock and then flash third party firmware that is patched.


So....is Rene Ritchie going to offer an explanation why he claimed there was no vulnerability? What was the basis of his prior understanding?


@Nathan I asked him about that, and he replied privately. It sounds like Apple gave him information that turned out to be incorrect, but the details are not clear.


Thanks for the follow up Michael. I wonder if the issue derives from the alleged disbanding of the Airport team. Perhaps there was simply no one with knowledge of the software side to respond? Prior to the KRACK patches, the last update for Airport, may have been a full year ago....

