[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [OT] Breaking WPA2 by forcing nonce reuse

On 17/10/2017 00:49, Celejar wrote:
On Mon, 16 Oct 2017 21:27:30 +0530
"tv.debian@googlemail.com" <tv.debian@googlemail.com> wrote:

On 16/10/2017 21:12, Curt wrote:

   Our attack is especially catastrophic against version 2.4 and above of
   wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will
   install an all-zero encryption key instead of reinstalling the real key.


   It was addressed in Debian by DSA-3999-1 I think, but will probably
linger for a long time on routers, phones, appliances and IoT all over
the world. After Bluetooth a few weeks ago, now wpa2 wifi, most of the
wireless consumer electronic have it's base covered and ripe for cracking...

It's crucial to understand that there's a huge difference in severity
between BlueBorne and and KRACK: the former "allows attackers to take
control of devices", and "does not require the targeted device to be
paired to the attacker’s device, or even to be set on discoverable
mode" (!) [https://www.armis.com/blueborne/], whereas the latter
'simply' breaks WPA2, and can't really hurt you insofar as you're using
secure higher level protocols (ssh, SSL/TSL, HTTPS).

I don't mean to say that KRACK isn't nevertheless a huge problem,
but it doesn't seem to be nearly as serious as BlueBorne, and it isn't
going to be catastrophic to anyone not treating WiFi as a really secure
protocol. E.g., on my home network, I do use WPA, but I still require
SSH and so on for internal communication between my local hosts.


Agreed, my post was just a quick reaction to an 'OT' labeled thread, not a lecture on the respective merits of those vulnerabilities, or an attempt to spread F.U.D.. Sorry if it came out this way (not a native speaker).

That being said, for a lot of the common use cases having an attacker sit on the assumed-to-be secured wifi and able to intercept traffic for days, weeks, months maybe since the patching will be as usual "patchy", is bad enough. It is not the same as the "bombing the dhcp server and throwing everyone off the wifi" prank. From the paper:

"We show that an attacker can force these nonce resets by collecting
and replaying retransmissions of message 3. By forcing nonce reuse
in this manner, the data-confidentiality protocol can be attacked,
e.g., packets can be replayed, decrypted, and/or forged. The same
technique is used to attack the group key, PeerKey, and fast BSS
transition handshake.
When the 4-way or fast BSS transition handshake is attacked,
the precise impact depends on the data-confidentiality protocol
being used. If CCMP is used, arbitrary packets can be decrypted.
In turn, this can be used to decrypt TCP SYN packets, and hijack
TCP connections. For example, an adversary can inject malicious
content into unencrypted HTTP connections. If TKIP or GCMP is
used, an adversary can both decrypt and inject arbitrary packets."

So using https or better for communications on the local network is a good idea, but is it the norm? Many router firmwares or built-in webservers from cameras to printers default to http, sometime don't even offer https as an option.

This isn't as bad as blueborne but it is nonetheless another of the most widely used wireless standard being broken in a short time.

It's patched in most distributions, and in router firmwares like LEDE already, was patched in some BSD even before publication, but how long before we see a patches for all affected devices?

By the way, since we are security OT'ing, check your RSA keys if you used Infineon products to generate it.[1]

[1] https://lwn.net/Articles/736520/rss

Reply to: