KRACK Attack: Breaking WPA2

Posted by on October 17, 2017 0 Comment

The KRACK attack affects most wireless networks and clients across the world. Wireless networks play a crucial role in the digital world, and most internet users use WiFi networks on a daily basis. Encryption on wireless networks has become the benchmark, and over the years we’ve had several encryption protocols for WiFi communication: first WEP, followed by WPA and now WPA2.

That being said, in line with Murphy’s law and assisted by growing computational capabilities thanks to Moore’s Law, each one of them has eventually succumbed to a vulnerability that renders it irrelevant.

WPA2 has so far been considered the most trusted and secure protocol for wireless communication.

A security researcher from the Belgian university KU Leuven, Mathy Vanhoef, released details on his website of an attack called KRACK (Key Reinstallation Attack) against the WPA2 protocol.

Vanhoef writes about this attack on his website:

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available.

Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK). 

Here’s How the KRACK WPA2 Attack Works:

What is the impact?

According to the researcher, the impact of this vulnerability depends on the handshake being attacked and on the data-confidentiality protocol in use: against AES-CCMP an attacker can only replay and decrypt packets, but cannot forge them.

“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others,” the US-CERT warned. “Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”

To simplify a bit, communication over HTTPS is secure (though it may not be 100 percent secure) and cannot be decrypted using the KRACK attack. That being said, you are advised to use a secure VPN service, which encrypts all your Internet traffic whether it’s HTTPS or HTTP.

How to protect your networks from Krack Attack?

As of now the only efficient mechanism is to apply patches / updates for clients and deploy the latest firmware being released. Changing the password of your Wi-Fi network does not prevent (or mitigate) the attack.

Below are some firmware and driver updates available for the KRACK WPA2 vulnerability from the major vendors:

The complete list is available at BleepingComputer, which is tracking the progress of each vendor’s patch release.

Krack Attack - WPA2 Patch Story

Image Source : CommitStrip

Is there any way to mitigate this attack?

Until a patch and firmware update are released by your vendor, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

Assigned CVE Identifiers

The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key re-installation attack:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

Note that each CVE identifier represents a specific instantiation of a key re-installation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.

How does it work?

The attack exploits a vulnerability in the 4-way handshake, or in the cipher suites defined in the WPA2 protocol, and hence all products using a correct implementation of the protocol are vulnerable. The attack targets the 4-way handshake and does not exploit access points; instead it targets the clients.

The idea behind this attack is to abuse the key used in phase 3 of the 4-way handshake, where the key is generated after the first two messages have been exchanged between the AP and the client.

This authenticated key can be captured by a man-in-the-middle and replayed to exploit the vulnerability, since the key has already been used and is fully authenticated and verified for the handshake between the AP and the client.

Earlier, reuse of a generated and already-used key was not possible, since the router would restart on repeated use of the same key. Even though the same problem occurs in the current scenario, attackers are able to misuse it because keys are stored in non-volatile memory during a restart.
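The core of the problem described above is that installing a key resets the packet number that CCMP uses as its per-packet nonce, so a replayed message 3 makes the client encrypt fresh frames with a keystream it has already used. The following Python model is an added example and is not code from the original post or from Vanhoef’s research; it stands in AES-CCMP’s AES-CTR keystream with an HMAC-SHA256 counter mode (an assumption made so it runs on the standard library), and the key and frame contents are constructed. It contrasts the standard 802.11 behaviour with the mitigation that patched supplicants adopted, refusing to install a temporal key that is already in use, and reports whether the two frames end up sharing a keystream.

```python
import hashlib
import hmac


def keystream(tk, nonce, length):
    """Counter-mode keystream that depends only on the key and the nonce.

    Constructed stand-in for the AES-CTR keystream inside AES-CCMP: the
    property that matters (same key + same nonce => same keystream) is the same.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(tk, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Client-side key state after the 4-way handshake (simplified model)."""

    def __init__(self, refuse_reinstall):
        # refuse_reinstall=True models the patched behaviour: a temporal key
        # that is already installed is never installed a second time.
        self.refuse_reinstall = refuse_reinstall
        self.tk = None
        self.pn = 0  # CCMP packet number, the per-packet nonce counter

    def handle_message3(self, tk):
        """Install the pairwise temporal key carried by message 3.

        Per the 802.11 standard, installing a key resets the packet number
        to zero, which is exactly what a replayed message 3 abuses.
        Returns True if the key was (re)installed.
        """
        if self.refuse_reinstall and self.tk == tk:
            return False
        self.tk = tk
        self.pn = 0
        return True

    def encrypt(self, plaintext):
        """Encrypt one frame; returns (packet number, ciphertext)."""
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")  # 48-bit PN, as in CCMP
        return self.pn, xor(plaintext, keystream(self.tk, nonce, len(plaintext)))


def simulate(refuse_reinstall):
    """Send one frame, receive a replayed message 3, send a second frame."""
    tk = bytes(range(16))                  # constructed key from the handshake
    p1 = b"GET /inbox.html HTTP/1.1"       # constructed plaintext frames
    p2 = b"GET /admin.html HTTP/1.1"
    sta = Station(refuse_reinstall)
    sta.handle_message3(tk)
    pn1, c1 = sta.encrypt(p1)
    reinstalled = sta.handle_message3(tk)  # the retransmitted message 3
    pn2, c2 = sta.encrypt(p2)
    # When the keystream is reused, c1 XOR c2 equals p1 XOR p2, so anyone who
    # knows one plaintext learns the other: the decryption the page refers to.
    return {
        "reinstalled": reinstalled,
        "packet_numbers": (pn1, pn2),
        "keystream_reused": xor(c1, c2) == xor(p1, p2),
    }


if __name__ == "__main__":
    print("unpatched:", simulate(refuse_reinstall=False))
    print("patched:  ", simulate(refuse_reinstall=True))
```

In the unpatched run the packet number goes 1, 1 and the two frames share a keystream; in the patched run the reinstall is refused, the counter continues to 2 and the keystreams differ. This is also why changing the Wi-Fi password does not help: the defect is in how an already-negotiated key is handled, not in how it is derived.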

Wireless Security: How to Disable SSID Broadcast

Posted by on May 27, 2011 2 Comments

Note: This post is part of our series on “How to Secure Your Home Wireless Network”. The series contains a 10 step guide to securing your home wireless network.

The wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where wireless clients may roam in and out of range. For the home user, this roaming feature is unnecessary, and it increases the likelihood that someone will try to log in to your home network. Fortunately, most wireless access points allow the SSID broadcast feature to be disabled by the network administrator. Your SSID name can be entered manually into your devices, so SSID broadcast does not need to be enabled.

Although most routers have different methods to change the SSID details, the general steps are as follows. In case of difficulty, consult your wireless router manual or customer support.

1. Find your LAN IP Address
You can identify the LAN IP address of your machine by going to Start -> Run and executing the command “cmd”. Inside this command prompt, execute the command “ipconfig /all”:

ipconfig /all

2. Access Your Router
Once you have the IP address of your router, we can use it to access the router and change settings. Open the router’s settings page in the browser by visiting http://192.168.0.1/ (use the IP you found in step 1). This will prompt you for a username and password, which is usually “admin/admin” or “admin/password” (or the password set by you in: Wireless Security: How to Change Default Administrator Usernames and Passwords). Sometimes these fields are left blank, but the best way to know is the user manual.

Router Login

3. Disable SSID Broadcast
Once you have logged into the router control panel, look for a section such as “Wireless” or “Security”. Depending on the make of your router, you will find the setting for “Wireless SSID Broadcast” there. By default this setting is enabled; selecting “Disable” turns the broadcast off.

Changing the SSID Settings

4. You’re Done!
That’s it, your router will no longer broadcast its SSID to all users, which discourages SSID-based attacks and confusion.

Now you need to reconnect all of your wireless devices to the SSID name and when prompted for a password, enter the password set by you in Wireless Security: How to Enable WEP/WPA Encryption.

Now we recommend that you go back to our series on “How to Secure Your Home Wireless Network” and implement all the remaining recommendations into your router.

Wireless Security: How to Enable MAC Address Filtering

Posted by on May 27, 2011 0 Comment

Note: This post is part of our series on “How to Secure Your Home Wireless Network”. The series contains a 10 step guide to securing your home wireless network.

Each wireless device possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses for all devices that connect to them. Wireless routers offer the option to key in the MAC addresses of your home equipment so as to restrict the network to only allow connections from those devices. It ensures that rogue users cannot connect to the wireless router without using advanced MAC spoofing techniques.

Although most routers have different methods to change the MAC address filtering settings, the general steps are as follows. In case of difficulty, consult your wireless router manual or customer support.

1. Find your LAN IP Address

You can identify the LAN IP address of your machine by going to Start -> Run and executing the command “cmd”. Inside this command prompt, execute the command “ipconfig /all”:

ipconfig /all

2. Access Your Router

Once you have the IP address of your router, we can use it to access the router and change settings. Open the router’s settings page in the browser by visiting http://192.168.0.1/ (use the IP you found in step 1). This will prompt you for a username and password, which is usually “admin/admin” or “admin/password” (or the password set by you in: Wireless Security: How to Change Default Administrator Usernames and Passwords). Sometimes these fields are left blank, but the best way to know is the user manual.

Router Login

3. Enable MAC Address Filtering

Once you have logged into the router control panel, you need to look for a section such as “Wireless” or “Security” or “Wireless MAC Filter” etc. Depending on the make of your router, you will find the settings for MAC address filtering under one of these sections.

Here you will first enable MAC address filtering. You can then set the router to “Permit Only”, which only allows the listed MAC addresses to access the network.

Wireless MAC Filter Settings

4. Find the MAC Addresses of Your Devices

Now you need to find the MAC address of your computers / devices so that we can allow them to connect to the network. You can find your computer’s MAC address by issuing the command “ipconfig /all” like in Step 1 (It will be named Physical Address). The method to find your MAC address will differ for each device you have and the best way to find the MAC address would be to refer to the User Manual.

5. Add Your Devices to the Whitelist

Now that you have enabled MAC address filtering and found the MAC addresses of your devices, it’s time to add these addresses to your router so that they are whitelisted. Click on “Edit MAC Filter List” or a similar option in your router. Here you may add all your MAC addresses one by one and save the page.

MAC Address Filter List
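Steps 1, 4 and 5 above are done by reading “ipconfig /all” output by eye. As an added example that is not part of this post, the Python script below pulls the same two pieces of information out of a constructed sample of that output: the router’s LAN address (the “Default Gateway” line, which is the address you browse to in step 2) and the “Physical Address” of every adapter. It also normalises each MAC address into one canonical form and rejects malformed ones, so the list you type into the router can be checked before you save it. The sample output, the adapter names and the addresses in it are constructed; the field names are those Windows prints.

```python
import re

# Constructed sample of "ipconfig /all" output, trimmed to the lines this
# procedure needs. Real output has more adapters and more fields.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HOME-PC

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5F
"""

# "   Field name . . . . : value"  ->  ("Field name", "value")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
# Six hex octets, separated by "-" (Windows), ":" (most routers) or nothing.
MAC_RE = re.compile(r"([0-9A-Fa-f]{2})[-:]?" * 5 + r"([0-9A-Fa-f]{2})")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from ipconfig /all output."""
    adapters = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a new adapter block
            current = line.rstrip(":")
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def normalize_mac(mac):
    """Canonical lower-case colon form, or ValueError for malformed input."""
    m = MAC_RE.fullmatch(mac.strip())
    if not m:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(g.lower() for g in m.groups())


def is_valid_mac(mac):
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def router_address(adapters):
    """Default Gateway of the first adapter that has one: the router's LAN IP (steps 1-2)."""
    for fields in adapters.values():
        gateway = fields.get("Default Gateway")
        if gateway:
            return gateway
    return None


def whitelist_entries(adapters):
    """Physical Address of every adapter, normalised for the router's filter list (steps 4-5)."""
    return [normalize_mac(f["Physical Address"])
            for f in adapters.values() if "Physical Address" in f]


if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    print("router:", router_address(found))
    print("whitelist:", whitelist_entries(found))
```

Run it against real output with `ipconfig /all > ipconfig.txt` and `parse_ipconfig(open("ipconfig.txt").read())`. Note that a disconnected adapter (like the Ethernet one in the sample) still has a MAC address; add it only if that device will actually use the wireless network.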

6. You’re Done!

That’s it, your router is now configured to only allow those specific MAC addresses to connect to your wireless network. Any other device will be ignored!

Now we recommend that you go back to our series on “How to Secure Your Home Wireless Network” and implement all the remaining recommendations into your router.

Wireless Security: How to Change the Default SSID

Posted by on May 26, 2011 1 Comment

Note: This post is part of our series on “How to Secure Your Home Wireless Network”. The series contains a 10 step guide to securing your home wireless network.

Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set for all routers. For example, the SSID for Netgear devices is normally “NETGEAR”. The Default SSID can be changed from the administrative panel and should be set to something unique.

Although most routers have different methods to change the SSID details, the general steps are as follows. In case of difficulty, consult your wireless router manual or customer support.

1. Find your LAN IP Address
You can identify the LAN IP address of your machine by going to Start -> Run and executing the command “cmd”. Inside this command prompt, execute the command “ipconfig /all”:

ipconfig /all

2. Access Your Router
Once you have the IP address of your router, we can use it to access the router and change settings. Open the router’s settings page in the browser by visiting http://192.168.0.1/ (use the IP you found in step 1). This will prompt you for a username and password, which is usually “admin/admin” or “admin/password” (or the password set by you in: Wireless Security: How to Change Default Administrator Usernames and Passwords). Sometimes these fields are left blank, but the best way to know is the user manual.

Router Login

3. Set an SSID Of Your Choice
Once you have logged into the router control panel, you need to look for a section such as “Wireless” or “Security” etc. Depending on the make of your router, you will find the settings for wireless network name under one of these sections.

Here you will enter a Network Name or SSID for your router. This should be something unique and identifiable by you, without giving away too many details about your physical location or personal self.

Changing the SSID Settings

4. You’re Done!
That’s it, your router now has a unique SSID set up, which discourages SSID-based attacks and confusion.

Now you need to reconnect all of your wireless devices to the new SSID name and when prompted for a password, enter the password set by you in Wireless Security: How to Enable WEP/WPA Encryption.

Now we recommend that you go back to our series on “How to Secure Your Home Wireless Network” and implement all the remaining recommendations into your router.

How to Secure Home Wireless Network

Posted by on May 26, 2011 3 Comments

As most of us in India have noticed, wireless networks have been in the news these days for all the wrong reasons. Open networks have always been used by tech-savvy users; lately, however, they have been utilized by malicious organizations to carry out their nefarious purposes (e.g. the recent bomb blasts).

Home users and small businesses, who often cannot implement complex security solutions, are the ones who primarily suffer the consequences, which range from large broadband bills to authorities knocking on your door at 3 AM.

I’ve put down a quick article with 10 Steps for Securing Your Home Wireless Network:

1. Change Default Administrator Usernames and Passwords
Most routers or access points come enabled with a default set of username/password combinations. These combinations are well documented and available online for hackers to use. If a hacker can access your device’s administrative pages they can modify the configuration and control all aspects of your device. These username/password combinations can be changed from the administrative panel and should be set to something difficult to guess.

You can find step by step instructions in our post: Wireless Security: How to Change Default Administrator Usernames and Passwords.

2. Turn on WPA / WEP Encryption
All Wireless devices support some form of encryption. Encryption technology scrambles messages sent over the air and ensures that they cannot be intercepted by hackers. Several encryption technologies exist for Wireless communication today. WPA is the strongest commonly available encryption technology for home devices however WEP can also be used.

You can find step by step instructions in our post: Wireless Security: How to Enable WEP/WPA Encryption.

3. Change the Default SSID
Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set for all routers. For example, the SSID for Netgear devices is normally “NETGEAR”. The Default SSID can be changed from the administrative panel and should be set to something unique.

You can find step by step instructions in our post: Wireless Security: How to Change the Default SSID.

4. Enable MAC Address Filtering
Each wireless device possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses for all devices that connect to them. Wireless routers offer the option to key in the MAC addresses of your home equipment so as to restrict the network to only allow connections from those devices. It ensures that rogue users cannot connect to the wireless router without using advanced MAC spoofing techniques.

You can find step by step instructions in our post: Wireless Security: How to Enable MAC Address Filtering.

5. Disable SSID Broadcast
The wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where wireless clients may roam in and out of range. For the home user, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most wireless access points allow the SSID broadcast feature to be disabled by the network administrator. Your SSID name can be manually inputted into your devices to prevent the need for SSID Broadcasts to be enabled.

You can find step by step instructions in our post: Wireless Security: How to Disable SSID Broadcast.

6. Do Not Auto-Connect to Open Wireless Networks
Connecting to an open wireless network such as a free wireless hotspot or your neighbor’s router exposes your computer to security risks and attacks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying the user. This setting should not be enabled except in temporary situations.

7. Assign Static IP Addresses to Devices
Most home wireless devices use dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network’s DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead and then configure each connected device to match. Using a private IP address range (like 10.0.0.x) prevents computers from being directly reached from the Internet.

8. Enable Firewalls On Each Computer and Router
Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router’s firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.

9. Position the Router or Access Point Safely
Wireless signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wireless signals often reach through neighboring houses and into streets. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage. Many routers allow you to reduce the range of your router from the administrative panel to prevent the signal leakage.

10. Turn Off Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods of downtime.

Wireless Security: How to Enable WEP/WPA Encryption

Posted by on May 26, 2011 1 Comment

Note: This post is part of our series on “How to Secure Your Home Wireless Network”. The series contains a 10 step guide to securing your home wireless network.

All Wireless devices support some form of encryption. Encryption technology scrambles messages sent over the air and ensures that they cannot be intercepted by hackers. Several encryption technologies exist for Wireless communication today. WPA is the strongest commonly available encryption technology for home devices however WEP can also be used.

Although most routers have different methods to change the encryption settings, the general steps are as follows. In case of difficulty, consult your wireless router manual or customer support.

1. Find your LAN IP Address
You can identify the LAN IP address of your machine by going to Start -> Run and executing the command “cmd”. Inside this command prompt, execute the command “ipconfig /all”:

ipconfig /all

2. Access Your Router
Once you have the IP address of your router, we can use it to access the router and change settings. Open the router’s settings page in the browser by visiting http://192.168.0.1/ (use the IP you found in step 1). This will prompt you for a username and password, which is usually “admin/admin” or “admin/password” (or the password set by you in: Wireless Security: How to Change Default Administrator Usernames and Passwords). Sometimes these fields are left blank, but the best way to know is the user manual.

Router Login

3. Enable Encryption and Set a Password
Once you have logged into the router control panel, you need to look for a section such as “Wireless” or “Security” etc. Depending on the make of your router, you will find the settings for wireless encryption under one of these sections.

Here you will select a few settings to enable encryption on your router.

Selecting WPA2 Encryption

Security Mode: There are many different security modes available, and each one provides a different level of compatibility or security. Ideally you should choose the highest level of encryption / security that will work with all of your devices. Our first preference is WPA2, then WPA and finally WEP.

Shared Key / Passphrase / Key: This is the password that will be used by you while connecting any device to your network. Select something strong.

4. You’re Done!
That’s it, your router now has encryption enabled to prevent any unauthorized user from being able to see your communication via sniffing or injection methods.

Now you need to reconnect all of your wireless devices to the new encrypted network and when prompted for a password, enter the password selected in Step 3.

Now we recommend that you go back to our series on “How to Secure Your Home Wireless Network” and implement all the remaining recommendations into your router.

Wireless Security: How to Change Default Administrator Usernames and Passwords

Posted by on May 26, 2011 0 Comment

Note: This post is part of our series on “How to Secure Your Home Wireless Network”. The series contains a 10 step guide to securing your home wireless network.

Most routers or access points come enabled with a default set of username/password combinations. These combinations are well documented and available online for hackers to use. If a hacker can access your device’s administrative pages they can modify the configuration and control all aspects of your device.

These username/password combinations can be changed from the admin panel and should be set to something difficult to guess.

Although most routers have different methods to change the username and password details, the general steps are as follows. In case of difficulty, consult your wireless router manual or customer support.

1. Find your LAN IP Address
You can identify the LAN IP address of your machine by going to Start -> Run and executing the command “cmd”. Inside this command prompt, execute the command “ipconfig /all”:

ipconfig /all

2. Access Your Router
Once you have the IP address of your router, we can use it to access the router and change settings. Open the router’s settings page in the browser by visiting http://192.168.0.1/ (use the IP you found in step 1). This will prompt you for a username and password, which is usually “admin/admin” or “admin/password”. Sometimes these fields are left blank, but the best way to know is the user manual.

Router Login

3. Set a Password
Once you have logged into the router control panel, look for a section such as “Administration”, “Maintenance” or “Security”. Depending on the make of your router, you will find the setting to change the password under one of these sections.

Here you will enter your existing password from Step 2 and select a strong password that will be used for future administration of the router.

Changing the Password

4. You’re Done!
That’s it, your router now has a strong password to prevent any unauthorized user from accessing your router control panel and viewing or changing its settings.

Now we recommend that you go back to our series on “How to Secure Your Home Wireless Network” and implement all the remaining recommendations into your router.