KRACK – WPA2 WiFi Security Compromise

After what had been a tightly guarded message to manufacturers of WiFi Access Points, it has now been revealed that the long-trusted WPA2 security protocol has been compromised.

Proof of Concept Compromise

The Proof of Concept (PoC) exploit has been nicknamed “KRACK” – short for “Key Reinstallation AttaCKs” – by the security researchers who discovered this compromise. The United States Computer Emergency Readiness Team (CERT) has raised multiple CVE references:

  • CVE-2017-13077
  • CVE-2017-13078
  • CVE-2017-13079
  • CVE-2017-13080
  • CVE-2017-13081
  • CVE-2017-13082
  • CVE-2017-13084
  • CVE-2017-13086
  • CVE-2017-13087
  • CVE-2017-13088

The vulnerability is exploited by causing an encryption key that is only supposed to be used once to be re-sent and re-used.

Some devices are at higher risk than others – for example, Apple’s mobile iOS-based devices are at less risk than its fully-fledged MacOS operating system.

CERT Advisory

US-CERT has advised:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol.  The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

Patch Availability

While many vendors have yet to provide fixes, Ubiquiti and Aruba have already provided updates. Apple has advised that the patch for KRACK is available in the latest betas of its operating systems, soon to be rolled out for general use.

On a personal note, I was extremely impressed by how quickly Ubiquiti responded to this. For those with Beta access to their forums, you can download AP and Switch version 3.9.3.7537 here.

It’s not clear how many vendors will provide fixes, nor how quickly.  What is clear is that there will likely be many older devices that will remain unpatched.