KRACK Key Re-installation Attack - WPA2 Attack

KRACK (Keyless Re-installation Attack) is a vulnerability in WPA2 (Wireless Protected Access 2) that could allow an attacker to eavesdrop on Wi-Fi traffic, reading encrypted network traffic, and in some cases, sending traffic back to the network

Threat ID:: CC-1703
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 16 October 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Threat details

Millions of Wi-Fi enabled devices are at risk including Windows, Apple, Linux, Android and more.

There are several key management vulnerabilities in the four-way handshake of the WPA2 security protocol. The impact of exploiting these vulnerabilities include, but are not limited to, packet decryption, packet replay, TCP connection hijacking and HTTP content injection.

To exploit this vulnerability, an attacker would have to be physically close to the target device. The attacker cannot derive the WPA2 encryption key (or password) and hence cannot connect malicious devices directly to the Wi-Fi network. There is no need to change Wi-Fi passwords or other enterprise credentials in response to the KRACK vulnerability.

Note that as a protocol-level issue, this will likely affect all correct implementations of the standard including WPA2 Personal (as commonly seen on home networks and in small businesses) and WPA2 Enterprise profiles.

CVE identifier CVE-2017-13080 has been assigned to the KRACK vulnerability.

Update 01 May 2018

A number of BD (Benton, Dickinson and Company) Pyxis medical products are vulnerable to KRACK key re-installation attacks. An attacker may use this attack to gain access to sensitive medical data.

For a full list of affected products further information please see the BD Security Bulletin and ICS-CERT Advisory ICSMA-18-114-01.

Update 05 Oct 2018

The researchers who originally discovered KRACK have released a new paper detailing several new exploitation methods. They claim they are now able to perform KRACK-based attacks on the 802.11v standard and the Fast Initial Link Setup (FILS) and Tunneled direct-link setup PeerKey (TPK) handshake used in mobile environments.

Several proof-of-concept exploits have also been released by the researchers, who say that they are able to bypass current patches.

For further information:

Release the Kraken: New KRACKs in the 802.11 Standard white paper (Vanhoef & Piessens, 2018)

Threat updates

Date	Update
1 May 2018	A number of BD (Benton, Dickinson and Company) Pyxis medical products are vulnerable to KRACK key re-installation attacks. An attacker may use this attack to gain access to sensitive medical data. For a full list of affected products further information please see the BD Security Bulletin and ICS-CERT Advisory ICSMA-18-114-01.

Date

Update

1 May 2018

A number of BD (Benton, Dickinson and Company) Pyxis medical products are vulnerable to KRACK key re-installation attacks. An attacker may use this attack to gain access to sensitive medical data.

For a full list of affected products further information please see the BD Security Bulletin and ICS-CERT Advisory ICSMA-18-114-01.

Remediation steps

Type	Step
	KRACK does not compromise connections to secure services that are encrypted using HTTPS or VPN technologies. Using a trusted Virtual Private Network (VPN) should protect wireless communications from the attack but please note the VPN provider will be able to log all of your internet traffic - privacy is not threatened if application layer application encryption is in use. If you require a secure, encrypted connection, consider using Ethernet. Microsoft released security updates on October 10, 2017 as part of Update Tuesday to resolve this vulnerability in all affected editions of Windows. Customers who have Windows Update enabled and who applied the latest security updates are protected automatically. See Microsoft Security Advisory CVE-2017-13080 Other vendors are developing patches to remediate this issue - please monitor for patch releases. Users are protected once both the user's device and the Wi-Fi router has been patched. Monitor enterprise wireless networks - wireless intrusion detection system (WIDS) may be able to signature an attacker attempting to use the KRACK vulnerability. Check the configuration of enterprise wireless access points – if access points or Wi-Fi routers are configured to use the older TKIP standard, you should update its configuration to use AES-CCMP. WPA2 Enterprise mode may be susceptible to attack even after clients have been patched. You should temporarily disable client functionality on devices that act as Wi-Fi repeaters and disable 802.11r (fast roaming) until the wireless access points have also been patched. Note - Wi-Fi networks protected by WPA2 are still more secure than a Wi-Fi network protected by WEP or WPA and free public Wi-Fi services.

Type

Step

KRACK does not compromise connections to secure services that are encrypted using HTTPS or VPN technologies.
Using a trusted Virtual Private Network (VPN) should protect wireless communications from the attack but please note the VPN provider will be able to log all of your internet traffic - privacy is not threatened if application layer application encryption is in use.
If you require a secure, encrypted connection, consider using Ethernet.
Microsoft released security updates on October 10, 2017 as part of Update Tuesday to resolve this vulnerability in all affected editions of Windows. Customers who have Windows Update enabled and who applied the latest security updates are protected automatically. See Microsoft Security Advisory CVE-2017-13080
Other vendors are developing patches to remediate this issue - please monitor for patch releases. Users are protected once both the user's device and the Wi-Fi router has been patched.
Monitor enterprise wireless networks - wireless intrusion detection system (WIDS) may be able to signature an attacker attempting to use the KRACK vulnerability.
Check the configuration of enterprise wireless access points – if access points or Wi-Fi routers are configured to use the older TKIP standard, you should update its configuration to use AES-CCMP.
WPA2 Enterprise mode may be susceptible to attack even after clients have been patched. You should temporarily disable client functionality on devices that act as Wi-Fi repeaters and disable 802.11r (fast roaming) until the wireless access points have also been patched.
Note - Wi-Fi networks protected by WPA2 are still more secure than a Wi-Fi network protected by WEP or WPA and free public Wi-Fi services.

CVE Vulnerabilities

Status

CVE-2017-13080

Last edited: 17 February 2020 11:33 am