A security researcher has cracked WPA2, the encryption standard used to secure most modern Wi-Fi networks. This would allow an attacker to read all information passing over a wireless network secured by WPA2.
Android and Linux are described as “particularly vulnerable,” and are both described as “trivial” to attack. However, iOS and macOS, along with other platforms, are also vulnerable.
Mathy Vanhoef, a postdoc security researcher in the computer science department of the Dutch university KU Leuven, discovered the flaw.
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks […] Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks […]
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected […] If your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.
As a proof-of-concept, Vanhoef’s team executed a key reinstallation attack against an Android smartphone. In the demonstration, the attacker was able to decrypt all data that the victim transmits.
The attacks only decrypt data encrypted by the WiFi connection, but can’t touch data encrypted by a secure website encrypted using the HTTPS protocol. However, attackers could make use of separate attacks against the HTTPS encryption.
The attacks exploits the communications that occur when a device joins a WPA2-protected Wi-Fi network.
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.
Luckily, Vanhoef says WPA2 can be patched to block the attack, and the patch is backward compatible. Users are advised to patch their router with new firmware as soon as it becomes available.
The Wi-Fi Alliance has posted a security advisory, stating that it is aware of the issue, and that multiple platform providers have begun deploying patches for the issue. So far, there is no evidence the attack has been used in the wild, but it would be difficult to detect the attack if it were used.