WiFi WPA2 SNAFU - On Key Re-installation Attacks
Recently a new attack against WiFi networks has been published. Is it the end of the world? Probably not. It's just another case of SNAFU.
Researcher Mathy Vahoef has published (following responsible disclosure) the first significant attack (other than brute-forcing a dictionary) against the WPA2 protocol. It's called a Key Re-installation Attack, and there's a very good (i.e. readable and not sensationalist) write-up by Mathy Vahoef explaining the details and implications of the attack.
The TL;DR version is as follows: by injecting a replayed packet into a WPA2 network, an attacker can cause a client to re-use an encryption nonce (send two messages encrypted with an identical key) when communicating with the wireless access point. This makes it possible with relatively simple cryptanalysis to read messages sent by the client to the access point. For example, in the unlikely event the user was accessing a website over http with basic authentication, the attacker would be able to determine the user's username and password.
This is particularly interesting because:
- It's a break in the protocol, rather than a break in a particular implementation of the protocol. This means that any standards-compliant implementation can be expected to have the same weakness. In this case the Microsoft and Apple implementations proved to be non-compliant, so (presumably by mistake) they were not vulnerable.
- If an implementation took its guidance from an erroneous comment in the protocol description, a client might exhibit a further vulnerability and use a client encryption key of all zero bytes. This particular behavior can be found both in the Linux wireless client (wpa_supplicant) and in Android 6.0 and later.
- Since many if not most implementations of WPA2 are likely to be in embedded devices with limited or no software support, it is likely that a large number of wireless clients will never be fixed.
During World War II, the interception of two long encrypted messages using identical key material was sufficient for Bletchley Park to not only decrypt the messages, but also to deduce the major details of an entire cryptosystem. Russian re-use of key material between 1942 and 1948 allowed significant decrypts of messages which would otherwise have been impossible to break.
Reusing an encryption key is generally very, very bad.
However, there's an old acronym I rather like — SNAFU — which really seems to apply here. Although this is an ingenious break which allows client messages to be intercepted or modified, it's not as serious might be thought because:
- Most corporate wireless networks are not very secure anyway. Networks shared by large numbers of people (and devices) are difficult to protect. If you're using a single shared key for authentication, but how many people know the key who shouldn't? Is it changed every time someone leaves? Or has it been shared with an outsider who needed temporary use of the Internet? Or if your network gives each user to use their own individual login credentials, has any phones or laptop been compromised by malware? And even without malware, is the third party software used by devices on your network always trustworthy? That includes every single application installed on every phone or laptop. Even if the developer is trustworthy, would you know if their security had been compromised? The day when a security boundary could be drawn around a corporate network is really long gone.
- The break requires an active attacker. The attacker needs to be near enough to the client to inject a wireless packet. The physics of the situation makes the vulnerability much more difficult to exploit than if the attacker only had to receive the wireless transmissions.
- The break does not give total access to the network. The vulnerability only allows eavesdropping and impersonation of a single client.
- Most important communications by a wireless-connected client (laptop or phone) are also end-to-end encrypted. The risks of using the device in a coffee-shop (unencrypted network where anyone can eavesdrop) or with a fake access point (possibility of a man-in-the-middle attack) are much more significant. This risk here is comparatively minor compared to these, and any mitigations taken to address these risks will typically also have mitigated the key re-installation attack.
It's a great piece of research. It's not good news for the WPA2 protocol but, in terms of typical network security, it's not the end of the world.
Michael Z. Bell