New Mobile Risk: Cracking Wi-Fi Encryption with Key Reinstallation Attacks (KRACK)
Posted by NowSecure Marketing
A serious hole in the WPA2 (Wi-Fi Protected Access) encryption protocol revealed over the weekend can allow an attacker to intercept and decrypt data (including usernames and passwords) transmitted by a device over Wi-Fi — affecting nearly every device that supports Wi-Fi. The “Key-Reinstallation AttaCK,” dubbed “KRACK” by its discoverer Mathy Vanhoef, means unpatched implementations of WPA2 can’t be trusted to maintain the confidentiality and integrity of data sent over Wi-Fi. KRACK is particularly dire for Android devices, but any mobile device that uses Wi-Fi is thought to be vulnerable. The NowSecure mission is to educate customers about the latest mobile security threats and help them maximize the security of the mobile apps they use and develop. Here we explain this new attack vector and what financial services organizations, government agencies, and other enterprises need to do to protect themselves.
What is a key reinstallation attack (KRACK) on mobile?
Essentially, a malicious actor can use KRACK to intercept and read sensitive data transmitted from a mobile device to a wireless access point (WAP). That data might include usernames, passwords, credit card data, etc. In some scenarios, an attacker could also inject malware into a website visited by a mobile user. At this time, there’s no evidence that the vulnerability has been exploited in the wild.
KRACK affects wireless networks secured with WPA2 — the current encryption standard for Wi-Fi — signified by a lock icon next to the WAP names listed in a device’s Wi-Fi settings. Users should generally be wary of unknown Wi-Fi networks, but as vendors and enterprises scramble to patch the KRACK vulnerabilities, users also can’t trust WPA2 (or a lock icon) to keep their mobile data transmissions secure for the time being.
KRACK involves intercepting and replaying the third message in a four-way handshake between a client (e.g., a mobile device) and a wireless access point as they negotiate an encrypted connection. This allows an attacker to hijack connections and, depending on the encryption algorithm used:
- Decrypt and inject malicious data into packets (but not forge packets) if the AES-CCMP algorithm is in use, or
- Decrypt and forge packets if the WPA-TKIP or GCMP algorithm/protocols are used
For more than a decade, the world has relied on WPA2 to encrypt Wi-Fi communications. The KRACK revelation, however, demonstrates that attackers can decrypt communications over unpatched implementations of WPA2 without needing the Wi-Fi password for an affected WAP. Vanhoef identified 10 separate instances of the vulnerability (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088).
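The effect of a replayed third handshake message can be modeled in a few lines. This is an added example, not code from the original post or from the KRACK paper: a simplified client in which installing a key resets the transmit nonce, run once unpatched and once patched. The `Client` class, the sample key and frames, and the HMAC-based keystream standing in for AES-CTR are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key, nonce, length):
    # Stand-in for CCMP's AES-CTR keystream (assumption: HMAC-SHA256 is used
    # only so the example runs with the standard library).
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Toy Wi-Fi client: installed key plus transmit packet number (nonce)."""
    def __init__(self, patched):
        self.patched, self.key, self.pn, self.nonces = patched, None, 0, []

    def on_message3(self, key):
        # Patched clients install a given key only once, so a replayed
        # message 3 no longer resets the packet number.
        if self.patched and key == self.key:
            return
        self.key, self.pn = key, 0  # key installation resets the nonce

    def send(self, plaintext):
        self.pn += 1
        self.nonces.append(self.pn)
        return xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

# Constructed sample data, not captured traffic.
KEY = bytes(range(16))
FRAME_1 = b"first data frame"
FRAME_2 = b"second data frame"

def run_session(patched):
    client = Client(patched)
    client.on_message3(KEY)        # handshake message 3: key installed
    c1 = client.send(FRAME_1)
    client.on_message3(KEY)        # the same message 3 arrives again
    c2 = client.send(FRAME_2)
    # With a repeated nonce the keystream cancels: c1 XOR c2 == p1 XOR p2.
    leaked = xor(c1, c2) == xor(FRAME_1, FRAME_2)
    return client.nonces, leaked

if __name__ == "__main__":
    print("unpatched:", run_session(False))
    print("patched:  ", run_session(True))
```

The unpatched run sends both frames under nonce 1, so the two ciphertexts together reveal the XOR of the plaintexts without the key; the patched run keeps counting and nothing cancels.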
What is the impact of key reinstallation attacks on mobile apps and devices?
The WPA2 protocol itself is vulnerable, putting any implementation of it at risk. Both wireless access points and the devices that connect to them are affected. For an attacker to successfully intercept and manipulate data, both a mobile device and the wireless access point it connects to would need to be vulnerable. Patching either the router or the device connecting to the router should protect against the interception/manipulation of data transmitted over Wi-Fi.
A large number of products from numerous vendors are affected by each CVE — which is what makes the threat so widespread. The US Computer Emergency Readiness Team (US-CERT) has published a non-exhaustive list of potentially affected vendors on their website, including whether patches are available. ZDNET and CNET have also collected lists of affected vendors and more detail about their responses. Many Wi-Fi router vendors have issued updates, but the patches do no good unless administrators and users implement them. And unfortunately, as evidenced by WannaCry and the Equifax debacle, patches are not always promptly installed.
An attacker employing the KRACK method needs to be within range of a victim using a vulnerable device and clone a vulnerable wireless access point in order to carry out the attack. As far as we can tell, websites that properly implement TLS and mobile apps that properly implement certificate pinning should protect against decryption via KRACK. However, a large number of websites still do not use TLS or HTTP Strict Transport Security (HSTS). Many mobile apps also do not properly implement TLS or use certificate pinning. The attack requires a certain level of skill on the part of the attacker, but tools could soon be made available that make it easier for unskilled attackers to exploit the vulnerability. US-CERT has classified the KRACK vulnerabilities with a base CVSS score of 5.4 or “medium” risk.
It appears that iOS devices are vulnerable to KRACK in certain scenarios. Apple told CNET that fixes for the vulnerabilities are in beta and will be published in the coming weeks. Android devices, however, are especially at risk.
KRACK impact on Android
The paper that describes the attack in detail, entitled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2,” emphasizes that Android versions 6.0 and higher are vulnerable and that KRACK is more fatal for Android devices. According to Google, 50% of Android devices use Android 6.0 (Marshmallow), 7.0 (Nougat), or 8.0 (Oreo) as of October 2, 2017. On the KRACK website, the researcher states that KRACK can do more damage to vulnerable Android devices because “…the client will install an all-zero encryption key instead of reinstalling the real key…This makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices.”
The Android Central website suggests that Google has implemented a fix for Android that will be included in the November security update, and The Verge reports that Pixel devices will receive patches first with a security patch level of November 6, 2017.
What can I do to protect myself and my organization against KRACK?
The NowSecure mobile threat research team believes mobile apps that take the following security precautions will foil an attacker’s attempt to decrypt or manipulate data transmitted and received by a mobile app over a compromised connection via KRACK:
- Implement TLS and/or HTTPS with HTTP Strict Transport Security (HSTS)
- Implement certificate validation and certificate pinning
This speaks to the importance of not counting on any one single security measure to keep mobile apps and users secure.
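One way to check the HTTPS and HSTS precaution listed above across the endpoints an app or site relies on. This is an added example, not NowSecure tooling: it audits response headers against the HSTS rules in RFC 6797, and the 180-day threshold, the function names and the sample hosts are assumptions.

```python
MIN_MAX_AGE = 15552000  # 180 days; assumed policy threshold, not from the post

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if not name:
            continue
        if name in directives:
            return None                  # a directive may appear only once
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                      # max-age is required
    return {"max_age": int(age), "subdomains": "includesubdomains" in directives}

def audit(url, headers):
    """Return a list of findings for one response (URL plus header dict)."""
    if not url.lower().startswith("https://"):
        # Browsers ignore HSTS sent over plain HTTP, so stop here.
        return ["cleartext: readable and modifiable if Wi-Fi encryption fails"]
    raw = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if raw is None:
        return ["no HSTS: a later http:// visit can be kept in cleartext"]
    policy = parse_hsts(raw)
    if policy is None:
        return ["invalid HSTS header: browsers ignore it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes any stored HSTS policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age below 180 days")
    if not policy["subdomains"]:
        findings.append("includeSubDomains missing")
    return findings

# Constructed sample responses (hypothetical hosts).
SAMPLES = [
    ("http://shop.example/login", {}),
    ("https://bank.example/",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https://news.example/", {"strict-transport-security": "max-age=300"}),
    ("https://mail.example/",
     {"Strict-Transport-Security": "max-age=600; max-age=31536000"}),
]

def audit_all():
    return {url: audit(url, hdrs) for url, hdrs in SAMPLES}
```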
As Wi-Fi router vendors, Apple, Google, and device manufacturers race to patch vulnerable technology, you can take steps to help mitigate the risk of KRACK to your organization.
- Avoid using unknown Wi-Fi access points, and potentially Wi-Fi altogether for the time being, as vendors work to patch their implementation of the WPA2 protocol
- Patch any Wi-Fi routers you have control over once updates are available
- Patch all mobile devices you control and encourage employees to patch their mobile devices once updates become available
- Institute secure mobile development best practices — and specifically proper implementation of HTTPS — in your mobile app SDLC
- Perform mobile app security testing on apps you develop and any third-party apps used by employees to ensure they follow mobile app security best practices.
NowSecure and the NowSecure Platform can help you ensure that the mobile apps you develop or the third-party Apple® App Store® and the Google Play™ store apps that your employees use implement holistic, defense-in-depth security to protect against threats such as KRACK. To find out more, e-mail us or fill out our contact form.