0x00 Vulnerability Overview


















Vulnerability attack demo video:
https://www.youtube.com/watch?v=BtdN1SM5Z5o
0x01 WPA2 Protocol Description



802.11 I
Data encryption



0x02 Key Reinstallation Attacks Key reinstallation attacks

Figure 1 EAPOL frame simplified message format








If the AP does not receive the response from the CLIENT, it resends the third packet. Therefore, the client may receive the third packet several times. Each time the client receives this message, it reinstalls the same encryption key and resets the Nonce value and replay count used for protocol encryption.



By sniffing and replaying the third message packet in the four-way handshake, an attacker forcibly resets the Nonce value and replay count used for protocol encryption, and reinstalls the encryption key. In this way, the encryption mechanism of the protocol can be attacked. Data packets can be replayed, decrypted, and tampered with.



The attack method can also be used to attack the encryption key, group Key, PeerKey, TDLS and fast BSS switching handshake.


Figure 3 Four-way handshake in Group Key scenario



0x03 Vulnerability Root Cause Analysis and Impact

The 802.11 protocol standard provides only coarse-grained pseudo-codes to describe the state machine of the four-way handshake, but does not clearly describe when a particular handshake message should be processed.


The key reinstallation vulnerability abuses the message 3 retransmission process. The MitM manin-the-middle attack point is determined between the Client and the AP, and the modified message 3 is continuously retransmitted before the AP receives message 4. As a result, the Client reinstalls the used encryption key and resets the Nonce value.



In fact, not all Wi-Fi clients correctly implement the state machine when this attack is implemented. Windows and iOS do not receive the retransmission of processing message 3, which violates 802.11 standard, so the key reinstallation vulnerability attack does not take effect and the vulnerability is generated. However, there are still security vulnerabilities in the group key handshake and indirect attacks in the FT handshake.


For Android 6.0 the impact is even greater, in the case of this attack, a predictable all-zero encryption key is forced.


The actual impact of key reinstallation vulnerability attack is shown in Figure 4. The first column represents different types of Client clients, the second column represents whether different Client types accept message 3, the third column represents whether plaintext EAPOL message is received if PTK is configured, and the fourth column represents whether plaintext EAPOL message is received after the first message 3 message is sent quickly. The last two columns indicate whether they are affected by this vulnerability attack.



In particular, the researchers did not currently crack the wi-fi network’s password, nor did they crack the newly generated encryption key through the four-way handshake negotiation process.

Figure 4 Actual vulnerability effects for different Clients


0x04 Vulnerability Impact Scope

This vulnerability is a protocol standard design flaw that affects all clients that support WPA2.

The attacks are mainly directed at WPA2 client devices.

 

0x05 Security Hardening Suggestions for Vulnerability

1. Vulnerability attacks need to implement MitM man-in-the middle attack. Conditional licensing suggests reasonable deployment of wireless intrusion prevention system or VPN encryption, timely monitoring of phishing WiFi, prohibition of private AP, etc.

2. Timely upgrade the security patch of this vulnerability (if any) and update the WPA2 client to the latest version;

3. Only connect to trusted wifi. Use cellular mobile network in public places as far as possible.

 

Note:

Linux hostAPd and WPA_supplicant patches have been released. See W1.fi/Security /20… .

Microsoft released patch KB4041676 for Windows 10.

Apple has fixed wireless security vulnerabilities in the latest beta version of iOS, among others.

 

Reference Documents:

[1] papers.mathyvanhoef.com/ccs2017.pdf

[2] techcrunch.com/2017/10/16/…

 

——————————-

For more security hot information and knowledge sharing, please pay attention to the official blog of Aliju Security