In late 2017, researchers discovered a significant flaw in the wireless security protocol commonly-used to secure Wi-Fi connections.
This WPA2 attack was dubbed KRACK – short for Key Reinstallation Attack – and while it was swiftly patched by most manufacturers, the fact that such a significant flaw existed in the WPA2 standard was cause for alarm.
As such, the industry consortium responsible for Wi-Fi development, the Wi-Fi Alliance, swiftly got to work on finishing WPA3, the next version of the standard. This was widely hailed as being a more secure protocol than its predecessor, and one that would stop hackers being able to hijack your wireless connection.
Sadly, this may not be the case after all.
The WPA2 KRACK attack
The KRACK attack was discovered by researcher Mathy Vanhoef, and works by exploiting the four-way handshake protocol used by numerous cryptographic methods including the WPA2 standard.
When a client device (like a laptop or smartphone) wants to join a network, the four-way handshake determines that both the client device and the access point have the correct authentication credentials, and generates a unique encryption key that will be used to encrypt all the traffic exchanged as part of that connection.
This key is installed following the third part of the four-way handshake, but access points and clients allow this third message to be sent and received multiple times, in case the first instance is dropped or lost. By detecting and replaying the third part of the four-way handshake, attackers can force the reinstallation of the encryption key, allowing them to access the packets being transmitted.
What actions the attacker can carry out depends on which subset of the WPA2 encryption standard is in use. If the victim is employing AES-CCMP encryption, then packets transmitted by the victim can be decrypted and read, allowing the theft of sensitive information. Vanhoef warns that “it should be assumed that any packet can be decrypted”.
This also allows the decryption of TCP SYN packets, which can then be used to hijack TCP connections and perform HTTP injection attacks, such as infecting the target with malware.
If the target is using WPA-TKIP or GCMP (also known as WiGig), the potential damage is even worse. In addition to decryption, key reinstallation allows hackers to not only decrypt and read packets, but also to forge packets and inject them into a user’s traffic. WiGig is particularly vulnerable to this.
Dragonblood WPA3 vulnerabilities
WPA3 was supposed to address the security shortcomings of the WPA2 standard, and was officially launched at CES 2018 to much fanfare. The most notable change was the introduction of the ‘Dragonfly’ handshake. A type of handshake officially known as the ‘simultaneous authentication of equals’ handshake (or SAE for short), Dragonfly uses forward secrecy to protect previous browsing sessions, along with a high-entropy pairwise master key to prevent password guessing.
However, in April 2019, Vanhoef and fellow researcher Eyal Ronen published a paper detailing five flaws in the standard, which the researchers are terming ‘Dragonblood’. This was followed by the discovery of two additional flaws in August.
Dragonblood attacks exploit a range of vulnerabilities, including forcing WPA3-compatible devices to downgrade to WPA2 and then launching the KRACK attack against them, altering the handshake to force access points to use weaker cryptography, and exploiting side-channel leaks to gain information about the network password, which can then be used to brute-force it.
The Wi-Fi alliance has begun work on fixing the flaws, which will likely result in an updated version of the standard being issued. An updated standard is not expected to be backwards-compatible with any pre-existing WPA3 devices. Vanhoef and Ronen have said that addressing these flaws is surprisingly hard, and criticised the Wi-Fi alliance for developing the standard behind closed doors, instead of allowing the open source community to contribute to its development.
Will I have to buy new equipment?
It’s not clear at this point when WPA3.1 will be ready to roll out, if rolls out at all. Nor is it clear if it will be free from the bugs that have plagued previous versions. When it has been satisfactorily shown to be free of flaws, you may want to invest in new networking equipment which supports the standard – until then, users are advised to apply any patches or firmware updates as soon as they become available.