KRACKing WPA2 and Mitigating Future Vulnerabilities
Mathy Vanhoef — @vanhoefm
HackPra, Ruhr-Universität Bochum, 18 July 2018
Overview
› Key reinstalls in 4-way handshake
› Misconceptions
› Practical impact
› Channel validation
The 4-way handshake
Used to connect to any protected Wi-Fi network
› Provides mutual authentication
› Negotiates fresh PTK: pairwise transient key
Appeared to be secure:
› No attacks in over a decade (apart from password guessing)
› Proven that negotiated key (PTK) is secret
› And encryption protocol proven secure
4-way handshake (simplified)
[Diagram of the 4-way handshake between client and AP, built up over several slides]
PTK = Combine(shared secret, ANonce, SNonce)
Attack isn’t about ANonce or SNonce reuse
PTK is installed
Frame encryption (simplified)
[Diagram: Mix(PTK (session key), Nonce (packet number)) → Packet key, used to encrypt the plaintext data]
Nonce reuse implies keystream reuse (in all WPA2 ciphers)
4-way handshake (simplified)
Installing PTK initializes nonce to zero
Reinstallation Attack
[Diagram: adversary positioned between client and AP on different channels (Channel 1 / Channel 6), built up over several slides]
› Block Msg4
› In practice Msg4 is sent encrypted
› Key reinstallation! nonce is reset
› Same nonce is used!
› Keystream decrypted!
Key Reinstallation Attack
Other Wi-Fi handshakes also vulnerable:
› Group key handshake
› FT handshake
› TDLS PeerKey handshake
For details see our CCS’17 paper:
› “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”
General impact
› Receive replay counter reset: replay frames towards victim
› Transmit nonce reset: decrypt frames sent by victim
Cipher suite specific
AES-CCMP: No practical frame forging attacks
WPA-TKIP:
› Recover Message Integrity Check key from plaintext
› Forge/inject frames sent by the device under attack
GCMP (WiGig):
› Recover GHASH authentication key from nonce reuse
› Forge/inject frames in both directions
Handshake specific
Group key handshake:
› Client is attacked, but only AP sends real broadcast frames
› Can only replay broadcast frames to client
4-way handshake: client is attacked (replay/decrypt/forge)
FT handshake (fast roaming = 802.11r):
› Access Point is attacked (replay/decrypt/forge)
› No MitM required, can keep causing nonce resets
Implementation specific
iOS 10 and Windows: 4-way handshake not affected
› Cannot decrypt unicast traffic (nor replay/decrypt)
› But group key handshake is affected (replay broadcast)
› Note: iOS 11 does have vulnerable 4-way handshake
wpa_supplicant 2.4+
› Client used on Linux and Android 6.0+
› On retransmitted msg3 will install all-zero key
[Demo screenshots: Android (victim)]
Now trivial to intercept and manipulate client traffic
Is your device affected?
github.com/vanhoefm/krackattacks-scripts
› Tests clients and APs
› Works on Kali Linux
Remember to:
› Disable hardware encryption
› Use a supported Wi-Fi dongle!
Countermeasures
Many clients won’t get updates…
AP can prevent (most) attacks on clients!
› Don’t retransmit message 3/4
› Don’t retransmit group message 1/2
However:
› Impact on reliability unclear
› Clients still vulnerable when connected to unmodified APs
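The reinstallation sequence from the attack slides (Msg4 never reaches the AP, Msg3 is retransmitted, the client reinstalls the PTK and its nonce restarts at zero) and the AP-side countermeasure from this slide, put together in a small Python simulation. This is an added example, not code from the talk, from wpa_supplicant/hostapd or from the krackattacks-scripts project: the `keystream` function is a constructed stand-in that only models the property that the same (PTK, nonce) pair gives the same keystream, and the `Supplicant`, `Authenticator` and `run_scenario` names, flags and PTK value are assumptions made for the example. It shows the three outcomes a defender cares about: an unpatched client behind a retransmitting AP reuses a nonce, a patched client that refuses to reinstall a key already in use does not, and an unpatched client behind an AP that does not retransmit message 3 does not either.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Constructed stand-in for the per-packet keystream of CCMP/TKIP/GCMP.
    Only the relevant property is modelled: identical (PTK, nonce) pairs
    always produce identical keystream."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


@dataclass
class Supplicant:
    """Client-side key state. refuse_reinstall=True models the patched
    behaviour: a key that is already installed is never installed again."""
    refuse_reinstall: bool = False
    installed_ptk: Optional[bytes] = None
    tx_nonce: int = 0

    def handle_msg3(self, ptk: bytes) -> str:
        if self.refuse_reinstall and self.installed_ptk == ptk:
            return "ignored"      # patched: retransmitted Msg3 is not acted on
        self.installed_ptk = ptk
        self.tx_nonce = 0         # installing a key initializes the nonce to zero
        return "installed"

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        self.tx_nonce += 1
        ks = keystream(self.installed_ptk, self.tx_nonce, len(plaintext))
        return self.tx_nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


@dataclass
class Authenticator:
    """AP-side retransmission policy. retransmit_msg3=False models the
    countermeasure on this slide: do not retransmit message 3."""
    retransmit_msg3: bool = True
    msg4_received: bool = False

    def on_msg4_timeout(self) -> bool:
        # True: the AP sends Msg3 again because Msg4 never arrived.
        return self.retransmit_msg3 and not self.msg4_received


def run_scenario(client_patched: bool, ap_retransmits: bool) -> dict:
    """Handshake in which Msg4 is lost (or blocked). Returns whether the two
    client frames used the same nonce and whether keystream was reused."""
    sta = Supplicant(refuse_reinstall=client_patched)
    ap = Authenticator(retransmit_msg3=ap_retransmits)
    ptk = hashlib.sha256(b"constructed PTK for the example").digest()

    sta.handle_msg3(ptk)
    p1 = b"first data frame"
    n1, c1 = sta.encrypt(p1)

    # Msg4 never reaches the AP in this scenario.
    if ap.on_msg4_timeout():
        sta.handle_msg3(ptk)      # client processes the retransmitted Msg3
    p2 = b"second data frm"
    n2, c2 = sta.encrypt(p2)

    # Equal nonces give equal keystream, so c1 XOR c2 == p1 XOR p2: the
    # two-time-pad relation that makes nonce reuse observable in a capture.
    xor_c = bytes(a ^ b for a, b in zip(c1, c2))
    xor_p = bytes(a ^ b for a, b in zip(p1, p2))
    return {"nonce_reused": n1 == n2, "keystream_reused": xor_c == xor_p}


if __name__ == "__main__":
    for patched, retransmits in ((False, True), (True, True), (False, False)):
        print(f"client patched={patched}, AP retransmits={retransmits}:",
              run_scenario(patched, retransmits))
```

The third scenario is the point of this slide: the nonce is not reused even though the client is unpatched, because the AP never sends the second Msg3. The slide's caveat still applies to the model: an AP that never retransmits gives up on clients whose Msg4 was genuinely lost, and an unpatched client stays exposed on every AP that has not changed its retransmission behaviour.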
Misconceptions I
Updating only the client or AP is sufficient
› Both vulnerable clients & vulnerable APs must apply patches
Need to be close to network and victim
› Can use special antenna from afar
No useful data is transmitted after handshake
› Trigger new handshakes during TCP connection
Misconceptions III
Obtaining channel-based MitM is hard
› Can use channel switch announcements
Using (AES-)CCMP mitigates the attack
› Still allows decryption & replay of frames
Enterprise networks (802.1x) aren’t affected
› Also use 4-way handshake & are affected
Image from “KRACK: Your Wi-Fi is no longer secure” by Kaspersky
Background: new attacks require MitM
Attacking broadcast WPA-TKIP
› Block MIC failures
› Modify encrypted frames
Traffic Analysis
› Capture all encrypted frames
› Block certain encrypted frames
Exploit implementation bugs
› Block certain handshake messages
› E.g. bugs in 4-way handshake
Other attack scenarios
› See WiSec’18 paper [VBDOP18]
› E.g. modify advertised capabilities
Threat model & defense
› Attacker manipulates channel and bandwidth
› No low-layer attacks (e.g. beamforming)
› No relay attacks (e.g. AP and client out of range)
Want to make attacks harder, not impossible (≈ stack canaries)
Solution: verify operating channel when connecting
Verify Operating Channel Information (OCI)
Operating Channel Information (OCI) element:
› Operating class: defines regulatory domain & bandwidth
› Channel number: defines primary channel
› Segment index 1: defines secondary channel for 80+80 MHz networks
Problem: Channel Switch Announcements (CSAs)
Unauthenticated CSAs
› Need to verify securely
Authenticated CSAs
› May not arrive: verify reception!
Solution: authenticate CSA using SA query
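The OCI check from the previous slide, written out as an added example that is not the talk's code and not the hostap-channel-validation proof of concept. It uses a simplified 3-octet body made of the three OCI fields named on the slide (the real element also carries an element ID and length header, and the exact layout is the standard's), a small operating class table whose numbers are assumed from the global operating class table rather than taken from the slides, and a `validate_oci` function (a name chosen for the example) that compares the peer's OCI, received inside the protected handshake, with the channel this station is really using. The CSA handling on this slide is not modelled.

```python
from dataclasses import dataclass

# Operating classes used by this example and the bandwidth each implies.
# The numbers are assumed from the global operating class table by the author
# of this example; they are not from the slides. Only the 80+80 MHz class
# makes the second segment field meaningful.
OPERATING_CLASS_BANDWIDTH = {
    81: "2.4 GHz / 20 MHz",
    115: "5 GHz / 20 MHz",
    116: "5 GHz / 40 MHz",
    128: "5 GHz / 80 MHz",
    130: "5 GHz / 80+80 MHz",
}
CLASSES_80_PLUS_80 = {130}


@dataclass(frozen=True)
class OCI:
    """Operating Channel Information: the three fields named on the slide."""
    operating_class: int   # regulatory domain & bandwidth
    channel_number: int    # primary channel
    segment_index_1: int   # secondary 80 MHz segment (80+80 MHz networks only)

    def encode(self) -> bytes:
        # Simplified 3-octet body; the real element has a header as well.
        for v in (self.operating_class, self.channel_number, self.segment_index_1):
            if not 0 <= v <= 255:
                raise ValueError("OCI fields are single octets")
        return bytes([self.operating_class, self.channel_number, self.segment_index_1])

    @classmethod
    def decode(cls, body: bytes) -> "OCI":
        if len(body) != 3:
            raise ValueError(f"OCI body must be 3 octets, got {len(body)}")
        return cls(body[0], body[1], body[2])


def validate_oci(received_body: bytes, local: OCI) -> tuple[bool, str]:
    """Compare the peer's OCI (carried inside the protected handshake) with the
    channel this station is actually operating on. Any mismatch means the two
    sides are not on the same channel, which is what a channel-based MitM
    produces, so the connection attempt must be rejected."""
    try:
        peer = OCI.decode(received_body)
    except ValueError as exc:
        return False, f"malformed OCI: {exc}"
    if peer.operating_class not in OPERATING_CLASS_BANDWIDTH:
        return False, f"unknown operating class {peer.operating_class}"
    if peer.operating_class != local.operating_class:
        return False, (f"operating class mismatch: peer {peer.operating_class} "
                       f"({OPERATING_CLASS_BANDWIDTH[peer.operating_class]}), "
                       f"local {local.operating_class}")
    if peer.channel_number != local.channel_number:
        return False, (f"primary channel mismatch: peer {peer.channel_number}, "
                       f"local {local.channel_number}")
    if peer.operating_class in CLASSES_80_PLUS_80 and \
            peer.segment_index_1 != local.segment_index_1:
        return False, (f"secondary segment mismatch: peer {peer.segment_index_1}, "
                       f"local {local.segment_index_1}")
    return True, "operating channel verified"


if __name__ == "__main__":
    # Constructed scenario matching the Channel 1 / Channel 6 picture on the
    # attack slides: the AP really operates on channel 6, while a client that
    # has been moved to channel 1 reports channel 1 in its OCI.
    ap_channel = OCI(operating_class=81, channel_number=6, segment_index_1=0)
    print(validate_oci(OCI(81, 6, 0).encode(), ap_channel))   # same channel: accepted
    print(validate_oci(OCI(81, 1, 0).encode(), ap_channel))   # wrong channel: rejected
```

The segment check is deliberately conditional: for anything other than an 80+80 MHz operating class the second segment field carries no information, and rejecting on it would break ordinary connections without adding security.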
Limitations
Other (partial) MitM attacks still possible:
› Adversary can act as repeater
› Physical-layer tricks (e.g. beamforming)
So why use this defense?
› Remaining attacks are harder & not always possible
› Straightforward implementation
Standardization & implementation
Will be part of the new 802.11 standard
PoC: github.com/vanhoefm/hostap-channel-validation
Conclusion
› Flaw is in WPA2 standard
› Proven correct but is insecure!
› Update all clients & check APs
› New defense: Channel Validation
Questions? krackattacks.com
Thank you!