
Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys [pdf] - hadronzoo
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_vanhoef.pdf
======
evgen
WPA2 is toast.

Ref to the CVEs that will make a lot of network admins hate Monday:
[https://twitter.com/nick_lowe/status/919527451570638848](https://twitter.com/nick_lowe/status/919527451570638848)

And some background:
[https://eprint.iacr.org/2016/475.pdf](https://eprint.iacr.org/2016/475.pdf)

~~~
evgen
Also worth noting that the attack in the OP is on TKIP, but the KRACK attack
that will be revealed tomorrow is based upon problems with the RNG (the
example RNG, which apparently everyone used, is trivial to break and the
protocol is also kind enough to provide you with a huge chunk of the entropy
used in seeding the RNG. D'oh!)

~~~
mschuster91
This comment should be made the top comment. Thanks for the information.

I guess this implies not "only" passive eavesdropping but also network access
in environments without a MAC address filter (not that these can't be spoofed
regardless)?

~~~
sengork
Spoofed yes but they're hard to guess in advance without prior knowledge of
the device's MAC address.

~~~
djrogers
MAC addresses are broadcast in the clear regularly, so any device doing that
without some randomization is ripe for the picking.

~~~
willstrafach
Worth noting also: You cannot randomize it when connected to a Wi-Fi network.

------
londons_explore
"We initialize the random number generator with the system uptime, then use it
to make crypto keys" - really?!?

"We also publish the system uptime in an unencrypted broadcast message to save
you the effort of even bruteforcing it".

Does nobody do security reviews on this stuff, or are these weaknesses there
deliberately?

The line between incompetence and malice really is thin here...

~~~
cm2187
And on a device equipped with a radio, it's not very hard to generate entropy.

~~~
gsich
The radio might not be exposed to the OS. If it's a Fullmac device, you
usually don't have access to the radio stuff. Even with Softmac, there's not a
guarantee.

~~~
cm2187
I am sure that's a problem on the client, but on the AP, the manufacturer
controls both the hardware and the OS.

~~~
gsich
Not necessarily. Again with fullmac devices you don't control the complete
hardware.

~~~
cm2187
Yeah but if you are Cisco, Netgear or DLink, and tell your supplier that you
want a function to access noise in the signal, or you want to get a true
random number based on that noise, I am sure they could accommodate in future
generations of their chip at an insignificant cost.

------
ealexhudson
This is a 2016 paper. Tomorrow's details are apparently about forcing nonce
reuse in most WPA2 implementations. Don't let the date fool you into thinking
it's old news being discussed!

~~~
arkadiyt
Details for tomorrow's WPA2 attack will be published to:
[https://www.krackattacks.com/](https://www.krackattacks.com/)

------
sengork
Here is a good summary of the situation right now:
[https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/](https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/)

------
madmod
I understand that the info to answer my question may not be public yet. I
would greatly appreciate an answer by someone who can explain when it is.

If an attacker had recorded encrypted WiFi traffic in the past and then
performed one of these attacks could they see the traffic? (I know TLS is used
for a lot of traffic, but in time that will be broken too.)

It seems to me that a patient attacker could gain a lot of sensitive info
given enough time. Is this assumption flawed? I would love to hear why/why
not. (Nonces make decryption of large amounts of TLS traffic impractical?)
What about the impact of just knowing DNS lookups? (Real world info on DNS
caching? Does DNSSEC stop this? Is it widely implemented?) What if a data
broker recorded a lot of encrypted WiFi traffic at a public place like a mall?
(Could they learn MAC addresses? mDNS device names? DNS lookups? I bet a lot
of tracking cookies and other advertiser tokens don’t bother with TLS which
could get them emails and more.)

Someone recording encrypted WiFi traffic from a sensitive network may have
enough motive to do something this long-term and the attack would be
(electronically) undetectable. Most people rarely change their passwords and
at a minimum this would give an attacker knowledge of the internal network,
intranet sites, and services used by targets.

~~~
cjbprime
I expect they could, yes; WPA2 doesn't offer forward secrecy.

But WPA2 never offered much anyway. If you're on mall wifi, you can _already_
see unencrypted traffic for everyone else, because the client keys are
derivable from the shared passphrase (which presumably everyone at the mall
has been told) and overhearing the four-way handshake when someone joins. And!
You can even fake a disconnect message that forces the four-way handshake to
happen again, if you weren't around when the client originally joined.

All of which is to say, WPA2 in passphrase (PSK) mode never actually provided
meaningful encryption against other people on the network. :( Someone forgot
to tell the protocol designers that Diffie-Hellman exists. Using Diffie-
Hellman would achieve both removing the exploit where you observe the four-way
handshake, and providing for forward secrecy too.

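The key schedule cjbprime is describing, as an added example that is not part of the thread or of the paper: in WPA2-PSK the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID, and the PTK is a PRF over the PMK plus the two MAC addresses and the two nonces that are sent in the clear in the four-way handshake. Nothing ephemeral enters the derivation, so any party that knows the passphrase and saw the handshake parameters computes the same per-session key, now or years later; that is the missing forward secrecy. The MAC addresses and nonces below are constructed values; the `"password"`/`"IEEE"` PMK is the published IEEE 802.11 test vector.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output (IEEE 802.11)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to the requested length."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (AES): PRF-384 over the authenticator/supplicant MACs and nonces.
    The ordering by min/max is what the spec prescribes, so both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """CCMP PTK layout: KCK (handshake MIC key), KEK (group-key wrap key), TK (traffic key)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def session_keys(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                 anonce: bytes, snonce: bytes) -> dict:
    """Everything a station needs to derive its session keys. The same inputs are
    all a passive third party with the passphrase has, which is the point."""
    return split_ptk(wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce))


def demo() -> dict:
    # Constructed handshake parameters (locally administered MACs, fixed nonces).
    # In a real handshake the nonces are sent unencrypted in messages 1 and 2.
    ssid, passphrase = "MallGuest", "posted-on-the-wall"
    aa = bytes.fromhex("020000000001")      # AP (authenticator) MAC, constructed
    spa = bytes.fromhex("020000000002")     # client (supplicant) MAC, constructed
    anonce = bytes(range(32))               # ANonce, constructed
    snonce = bytes(range(32, 64))           # SNonce, constructed

    station = session_keys(passphrase, ssid, aa, spa, anonce, snonce)
    # A bystander who knows the shared passphrase and overheard the handshake:
    bystander = session_keys(passphrase, ssid, aa, spa, anonce, snonce)
    # A bystander who does NOT know the passphrase gets an unrelated key:
    stranger = session_keys("wrong-guess", ssid, aa, spa, anonce, snonce)
    return {
        "same_tk_with_passphrase": station["tk"] == bystander["tk"],
        "same_tk_without_passphrase": station["tk"] == stranger["tk"],
        "tk_hex": station["tk"].hex(),
    }


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
    print(demo())
```

Compare this with a Diffie-Hellman based handshake such as WPA3's SAE: there the shared passphrase only authenticates an ephemeral exchange, so knowing the passphrase and recording the handshake does not yield the session key, and each session's key is gone once both sides discard their ephemeral values.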
~~~
mysterypie
> *If you're on mall wifi, you can already see unencrypted traffic for
> everyone else*

Without contradicting your observation, I want to mention that virtually
anything important you do on the Internet these days--from online banking to
Google searches to reading Hacker News--is protected by a second independent
layer of encryption: HTTPS. I'm not excusing the WPA2 flaws, but I do think
that your bank info, web searches, and Hacker News comments are secure even at
the mall.

If someone can offer a credible explanation of why online banking or other
HTTPS activity is insecure on public wifi, I'd like to hear it please.

~~~
kakarot
If you don't have extensions that force HTTPS on all content, you could, for
example, get served a malicious image file.

from the article:

> they won’t be able to pretend to be a secure site like your bank on the
> wifi, but they can definitely pretend to be non-secure resources

------
simosx
The article says that only WPA2-TKIP is vulnerable to the downgrade, therefore
running WPA2 with only AES should be fine.

~~~
krallja
Stay tuned for tomorrow's KRACK announcement, then.

------
billh
Here's the CCC talk with the author of this white paper:
[https://www.youtube.com/watch?v=KJWd-_BDC_g](https://www.youtube.com/watch?v=KJWd-_BDC_g)

~~~
evgen
There is also a BlackHat Europe 2017 paper that is apparently a strong
foreshadowing on the attack.

------
Viper007Bond
Here's an article on Ars about it: [https://arstechnica.com/information-technology/2017/10/sever...](https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/)

------
krallja
Well, if there's one piece of (somewhat) good news around this and
[https://www.krackattacks.com/](https://www.krackattacks.com/), it's that TLS
and VPNs will become even more common.

Where did WEP and WPA2 come from, anyway? What's the historical reason we
aren't all using TLS to connect to our APs?

~~~
djrogers
> What's the historical reason we aren't all using TLS to connect to our APs?

Because it’s insanely impractical for home use? Hey, here’s your new WiFi
router. Just install this new root CA on all your devices, create a device
cert for each machine and install that as well, and don’t forget you need
to re-do this every year...

~~~
throw5427
Trust keys on first use. Like SSH.

[https://www.tedunangst.com/flak/post/moving-to-https](https://www.tedunangst.com/flak/post/moving-to-https)

"So how does one verify that the downloaded cert is the original? The same way
the CAs do. Perform a DNS lookup, make a web request, trust the result. The
addition of HPKP would indicate that people find the CA model untrustworthy,
solving the problem with trust on first use key continuity. Why not cut out
the middle man? Protesting the CAs is admittedly pretty futile, but if I can’t
do it, who can?"

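The key-continuity model throw5427 is pointing at, as an added example that is not part of the thread or of the linked post: a small known-hosts style store that records an access point's certificate fingerprint the first time it is seen and refuses to connect if a later presentation differs. Rotation is only possible through an explicit, out-of-band confirmed step, which is exactly the SSH trade-off: no CA, no enrolment, but the first contact is trusted blindly and a changed key needs a human decision. The certificate bytes and SSIDs below are constructed placeholders, not real DER certificates.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional


class KeyMismatch(Exception):
    """Raised when a known peer presents a key other than the one pinned on first use."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the presented certificate, the same identity SSH-style pinning keys on."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


class KeyContinuityStore:
    """Trust-on-first-use store keyed by network name (SSID or hostname)."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins: dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, name: str, cert_der: bytes) -> str:
        """Return 'first-use' when a new pin is recorded, 'match' when it agrees,
        and raise KeyMismatch instead of silently accepting a changed key."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(name)
        if pinned is None:
            self.pins[name] = fp          # the blind trust step: only happens once
            self._save()
            return "first-use"
        if pinned == fp:
            return "match"
        raise KeyMismatch(f"{name}: pinned {pinned}, presented {fp}")

    def rotate(self, name: str, cert_der: bytes) -> None:
        """Explicit re-pin after the new key was verified out of band (e.g. read off
        the router label); this must never be reachable from the connect path."""
        self.pins[name] = fingerprint(cert_der)
        self._save()


def demo() -> dict:
    # Constructed stand-ins for DER certificate bytes; real ones would come from the TLS handshake.
    home_cert_v1 = b"constructed-cert: home-ap key 1"
    home_cert_v2 = b"constructed-cert: home-ap key 2"
    store = KeyContinuityStore()               # in-memory; pass a Path to persist
    first = store.check("HomeNet", home_cert_v1)
    again = store.check("HomeNet", home_cert_v1)
    try:
        store.check("HomeNet", home_cert_v2)   # a different key shows up later
        changed = "accepted"
    except KeyMismatch:
        changed = "refused"
    store.rotate("HomeNet", home_cert_v2)      # operator confirmed the new key out of band
    after_rotate = store.check("HomeNet", home_cert_v2)
    return {"first": first, "again": again, "changed": changed, "after_rotate": after_rotate}


if __name__ == "__main__":
    print(demo())
```

The weak spot, as with SSH, is the very first connection and every "the key changed, accept anyway?" prompt; the store above makes the first silent and the second impossible without a deliberate `rotate`, which is the behaviour you want on a client that will meet the same AP thousands of times.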
~~~
dogma1138
The router isn’t the issue here the clients are.

