Uncategorized

KrackAttacks – A Large Vulnerability in WPA2 security protocol

Just over a month ago, researchers at KU Leuven discovered a serious weakness in WPA2, a protocol that secures all modern private networks. It’s been proven to work mathematically, so it should be safe, right? Nope.

When WPA2 encrypts your information, it works between your computer and an access point. Basically, four messages are sent in between your computer, each with random information. In the middle of these transcriptions, another computer can try to access that information, which is generally pretty hard, and there are no big holes or easy ways to get this information. So in layman’s terms, it blocks the third message (just before the key installation) and sends a different message itself as message four. This message tricks a victim into reinstalling an already-in-use key (Key Reinstallation AttaCK), so that parameters once stored are set to their initial value. Reusing keys is a big no-no. Since this message was never received back by the access point, it will try resending to the computer, which will reset the transmit packet number (nonce), so they can be replayed, decrypted, or forged. This is easy to decrypt because now the attacker has some known content that they can work with, and this can easily make your password and other information vulnerable, all without actually recovering your WiFi password.

So what can you do to prevent this? Well, shortly after, updates were being sent out by companies to patch this vulnerability. So update all your devices and firmwares if possible. Patch everything. You don’t really need to change your WiFi password but it doesn’t hurt to do it. Keep your computer and other devices up to date, no matter how annoying it is to wait for it to fully update.

I’d like to thank krackattacks.com as well as ComputerPhile’s video on the subject to help me write this article. In fact, I found this quote pretty great, as this author found a large issue while procrastinating. “When working on the final (i.e. camera-ready) version of another paper, I was double-checking some claims we made regarding OpenBSD’s implementation of the 4-way handshake. In a sense I was slacking off, because I was supposed to be just finishing the paper, instead of staring at code. But there I was, inspecting some code I already read a hundred times, to avoid having to work on the next paragraph. It was at that time that a particular call to ic_set_key caught my attention. This function is called when processing message 3 of the 4-way handshake, and it installs the pairwise key to the driver. While staring at that line of code I thought ‘Ha. I wonder what happens if that function is called twice’. At the time I (correctly) guessed that calling it twice might reset the nonces associated to the key. And since message 3 can be retransmitted by the Access Point, in practice it might indeed be called twice. ‘Better make a note of that. Other vendors might also call such a function twice. But let’s first finish this paper…’. A few weeks later, after finishing the paper and completing some other work, I investigated this new idea in more detail. And the rest is history.” Perhaps some of your computer scientists out there can explain it better to your friends (or even me, since I still don’t get it).

Leave a Reply