WPA2 broken

lowpro

That's right, the day has come. Rest easy WPA2, it was good while it lasted.
https://www.krackattacks.com/

TL;DR:
You can repeatedly resend the 3rd packet in a WPA2 handshake and it'll reset the key state, which leads to nonce reuse, which leads to trivial decryption with known plaintext. You can then own the network. It's in the standard, so this is abuse of a feature, meaning hard to fix. Also in Linux and Android when this attack is performed the key is immediately set to all 0s, so it actually is instantly cracked (vs other platforms which would take a few seconds).
No POC yet, this is a messed up situation though.
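As an added illustration (not code from the post or from krackattacks.com), a toy model of the client-side state the TL;DR describes: replaying message 3 reinstalls the key and resets the packet number that CCMP uses as its nonce, so two frames share a keystream and one known plaintext reveals the other; the same model shows the patched behaviour and the Linux/Android all-zero-key case. The keystream function, the Client class and the sample frames are constructed stand-ins, not the real AES-CTR/CCMP construction or wpa_supplicant code.

```python
import hashlib
from dataclasses import dataclass

def keystream(ptk: bytes, pn: int, length: int) -> bytes:
    # Stand-in for the AES-CTR keystream CCMP derives from the key and the per-frame
    # packet number (PN); SHA-256 is used only so this runs on the stdlib.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ptk + pn.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class Client:
    ptk: bytes
    reinstall_on_retransmit: bool        # True = pre-patch behaviour, False = patched
    zero_key_on_reinstall: bool = False  # the Linux/Android (wpa_supplicant 2.4+) case
    installed: bool = False
    pn: int = 0

    def on_msg3(self) -> None:  # message 3 of the 4-way handshake, genuine or replayed
        if self.installed and not self.reinstall_on_retransmit:
            return  # patched: a replayed message 3 no longer touches key or PN
        if self.installed and self.zero_key_on_reinstall:
            self.ptk = bytes(16)  # key was wiped after first install; reinstall sets all-zero key
        self.installed = True
        self.pn = 0  # (re)installing the key resets the transmit PN -> nonce reuse on replay

    def encrypt(self, plaintext: bytes) -> tuple:
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))

def recover_second_frame(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    # With a shared keystream, c1 ^ c2 == p1 ^ p2, so one known frame reveals the other.
    return xor(xor(c1, c2), p1)

def simulate(reinstall: bool, zero_key: bool = False) -> dict:
    # Constructed sample frames; frame 1 stands in for a predictable plaintext (e.g. a DHCP request).
    client = Client(ptk=b"\x42" * 16, reinstall_on_retransmit=reinstall, zero_key_on_reinstall=zero_key)
    p1, p2 = b"known-plaintext-frame", b"secret-payload-frame!"
    client.on_msg3()                 # genuine message 3
    pn1, c1 = client.encrypt(p1)
    client.on_msg3()                 # replayed message 3 (the step the TL;DR describes)
    pn2, c2 = client.encrypt(p2)
    return {"pn_reused": pn1 == pn2, "recovered": recover_second_frame(c1, p1, c2),
            "expected": p2, "key": client.ptk, "pn2": pn2, "c2": c2}
```

Running `simulate(True)` shows the second frame recovered from the first; `simulate(False)` shows the patched client keeps the PN moving so the trick fails.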
 
Cakes

lowpro said:
That's right, the day has come. Rest easy WPA2, it was good while it lasted.
https://www.krackattacks.com/

TL;DR:
You can repeatedly resend the 3rd packet in a WPA2 handshake and it'll reset the key state, which leads to nonce reuse, which leads to trivial decryption with known plaintext. You can then own the network. It's in the standard, so this is abuse of a feature, meaning hard to fix. Also in Linux and Android when this attack is performed the key is immediately set to all 0s, so it actually is instantly cracked (vs other platforms which would take a few seconds).
No POC yet, this is a messed up situation though.
That's nuts. A lot of interesting things have been made public lately. First the SHA1 collision, now this. I wonder how well known this exploit was across security agencies...
 
lowpro

Cakes said:
That's nuts. A lot of interesting things have been made public lately. First the SHA1 collision, now this. I wonder how well known this exploit was across security agencies...
I'm guessing very, WPA2 is a high value target, although many security agencies just use the de-auth attack (if you've ever heard of stingrays/IMSI catchers, etc.), those systems work against wifi as well. This is a better attack since no user involvement is needed, although considering how little involvement is needed in a de-auth attack where a client has autoconnect enabled (most do), I'm not sure how much more effective this is in practice.

If you want to find out more about the de-auth attack, check out https://www.aircrack-ng.org/doku.php?id=deauthentication :
TL;DR: you can spam de-auth packets to everyone, so anyone connected to a wifi network disconnects; you can use aircrack-ng and reaver to copy the wifi network, and if your signal is stronger than the original, the client will connect to you and send you the wifi password, which you accept, then send them over to the real network. Now you have the wifi password :smile:
 
Cakes

lowpro said:
I'm guessing very, WPA2 is a high value target, although many security agencies just use the de-auth attack (if you've ever heard of stingrays/IMSI catchers, etc.), those systems work against wifi as well. This is a better attack since no user involvement is needed, although considering how little involvement is needed in a de-auth attack where a client has autoconnect enabled (most do), I'm not sure how much more effective this is in practice.

If you want to find out more about the de-auth attack, check out https://www.aircrack-ng.org/doku.php?id=deauthentication :
TL;DR: you can spam de-auth packets to everyone, so anyone connected to a wifi network disconnects; you can use aircrack-ng and reaver to copy the wifi network, and if your signal is stronger than the original, the client will connect to you and send you the wifi password, which you accept, then send them over to the real network. Now you have the wifi password :smile:
That does sound a lot more effective than this KRACK method. Time to wrap my router in foil.

Edit: also worth mentioning that there was a Wi-Fi firmware exploit released that affects iPhones and multiple other Apple devices (patched as of iOS 11 & tvOS 11) a few days ago. Not a good month for Wi-Fi, it seems.
 