This is a guest post by Shantanu Goel.
This is a brief analysis of the WPA2 vulnerability which was covered here earlier. I’ll try to explain the vulnerability and its impacts in terms that are hopefully simple to understand for most people.
Primer of WPA2 encryption
WPA2 (or 802.11i) protocol ensures that all communication on your Wi-Fi network is secure, which means that all communication data during transit is:
- Secret or confidential (Cannot be read by anyone else)
- Immutable (Cannot be changed by anyone else)
WPA2 deals with these requirements by encrypting all the data using one of various crypto algorithms like TKIP, AES-CCM or AES-GCM, etc. All of these are built on stream ciphers (or stream-cipher modes of a block cipher), a class of algorithms that can be attacked through key and/or Initialization Vector (IV) reuse: encrypting two packets under the same key and IV produces the same keystream, which lets anyone who captures both ciphertexts relate them to each other.
To avoid using the same key for all clients connected to an Access Point (AP), WPA2 protocol negotiates a new key with each connecting client via a 4-way (or 4 step) handshake as shown below. To avoid the key reuse attacks for ongoing communication with the same client, it uses packet numbers as Nonces or Initialization vectors.
In the above steps, the client installs the encryption key when it receives “Msg3” and then sends back an Ack (Msg4) to the AP (Authenticator). Since wireless is an unreliable transport medium, messages may be lost, so the AP retransmits Msg3 if it does not receive Msg4. The attack here leverages this retransmission behaviour combined with the actual vulnerability: what a client should do when it receives a retransmitted Msg3 is something the WPA2 specification leaves open to the implementation.
Vulnerability / Attack
The vulnerability is that most clients will reinstall the key when they receive Msg3 again and also reset the packet number counters (nonces/IVs) to zero. By forcing the IV to be reset, a malicious actor causes the client to reuse keystream and can thus decrypt packet data. Depending on the actual algorithm used by the WPA2 configuration set on the AP/client, it can then also decrypt, forge or inject further packets.
To carry out the attack, the malicious actor can:
- Either capture and replay Msg3 to the client
- Or block Msg4 from reaching the AP, and thus cause the AP to send Msg3 to the client again repeatedly
The vulnerability was even graver on Android (6.0 & above) and Linux (wpa_supplicant 2.4 & above), where the specific implementation not only reset the packet numbers to 0 but also installed an all-zero key, making all further attacks trivial to perform irrespective of the algorithm being used.
Mitigation of the vulnerability
There are two ways to avoid this attack:
- If an already-in-use key is being installed again, don’t reset the associated nonces and replay counters.
- Ensure that any key can be installed only once.
Various hardware/software vendors may choose one of the above two approaches to mitigate the issue.
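To make the attack mechanics and both mitigations concrete, here is a small simulation (added for this post, not code from the author or from any WPA2 implementation). It models only the supplicant's key-install step: “Msg3 carries the key”, the packet number is the nonce, and the cipher is a toy keystream built from HMAC-SHA256 that stands in for the AES-CTR keystream of CCMP/GCMP. The key, frames and the `Supplicant`/`run_scenario`/`detect_nonce_reuse` names are all constructed for the example. It shows that under the vulnerable policy a retransmitted Msg3 makes the client reuse packet number 1, so the two ciphertexts XOR to the XOR of the plaintexts (the keystream cancels), while either mitigation keeps the nonces distinct. The last function is the check a wireless monitor could apply: any (key, packet number) pair seen twice is a nonce reuse.

```python
import hashlib
import hmac


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Toy stream-cipher keystream (HMAC-SHA256 over packet number and block index).
    Like a real counter-mode keystream, it depends only on (key, packet number),
    which is exactly why reusing a packet number under the same key is fatal."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake under one of three key-install policies:
    'vulnerable'    - reinstall on every Msg3 and reset the packet number (the bug)
    'keep_counters' - mitigation 1: key already in use => keep nonces/replay counters
    'install_once'  - mitigation 2: a key is installed once; later Msg3s are acked but ignored
    """

    def __init__(self, policy: str):
        assert policy in ("vulnerable", "keep_counters", "install_once")
        self.policy = policy
        self.ptk = None
        self.packet_number = 0  # per-key transmit counter, used as the nonce
        self.installed = False

    def receive_msg3(self, ptk: bytes) -> bool:
        """Handle Msg3 (possibly a retransmission). Returns True if a key install happened.
        Under every policy the client still replies with Msg4 so the handshake completes."""
        if self.installed:
            if self.policy == "install_once":
                return False
            if self.policy == "keep_counters" and ptk == self.ptk:
                return False
        self.ptk = ptk
        self.packet_number = 0  # a genuinely fresh key legitimately starts at zero
        self.installed = True
        return True

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (packet number, ciphertext)."""
        self.packet_number += 1
        ks = keystream(self.ptk, self.packet_number, len(plaintext))
        return self.packet_number, xor_bytes(plaintext, ks)


def run_scenario(policy: str) -> dict:
    """Client installs the key, sends a frame, receives a retransmitted Msg3, sends another."""
    ptk = b"constructed-sample-key-16"  # constructed sample key, not a real PTK
    client = Supplicant(policy)
    client.receive_msg3(ptk)
    frame_a = b"GET /private HTTP/1.1 "  # constructed sample frames of equal length
    frame_b = b"POST /login  HTTP/1.1 "
    pn_a, ct_a = client.send(frame_a)
    client.receive_msg3(ptk)  # retransmitted Msg3: Msg4 was lost (or blocked)
    pn_b, ct_b = client.send(frame_b)
    # The keystream cancels only if the nonce repeated: C_a xor C_b == P_a xor P_b
    cancels = xor_bytes(ct_a, ct_b) == xor_bytes(frame_a, frame_b)
    return {"nonce_reused": pn_a == pn_b, "keystream_cancels": cancels}


def detect_nonce_reuse(frames):
    """Monitor-side check over an iterable of (key_id, packet_number) pairs:
    returns every pair that was seen more than once."""
    seen, reused = set(), []
    for key_id, pn in frames:
        if (key_id, pn) in seen:
            reused.append((key_id, pn))
        seen.add((key_id, pn))
    return reused


if __name__ == "__main__":
    for policy in ("vulnerable", "keep_counters", "install_once"):
        print(policy, run_scenario(policy))
```

Both mitigations give the same result in this model because they differ only in bookkeeping: “keep_counters” accepts the reinstall but preserves the counter, “install_once” ignores it entirely; either way the second frame goes out under packet number 2 and the ciphertexts no longer cancel.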
What does it mean to you?
As an end user of any Wi-Fi network, you must know that almost all devices that you use on a wireless network are vulnerable to this issue. You must download and install updates for your devices (including your phones, Wi-Fi speakers, TVs, etc.) as they are provided by the vendors.
Please note that this issue CANNOT be fixed by updating your router.
Note that this is not a single vulnerability in practice and impacts various stages/types of handshakes that may occur for different wireless networks. You must install all the patches if there are multiple ones provided by your device vendor.
Shantanu Goel is the chip security guy at Qualcomm. He is an XDA Recognized Developer. He specializes in Security, Linux, Embedded Systems, Computer Science and Web development.