How to crack KRACK: Action plan from Malaysian security experts

AvantiKumar | Oct. 24, 2017
Here are some guidelines from CyberSecurity Malaysia and digital security experts for IT admins and internet users on how to stay safe from the latest exploit - KRACK.



Krack - short for Key Reinstallation Attack - is the name given to a set of vulnerabilities in the WPA2 Wi-Fi security protocol itself, not in any one router or product, disclosed on 16 October 2017 by researcher Mathy Vanhoef of KU Leuven, with co-author Frank Piessens. Because the flaw is in the protocol, every implementation that followed the standard correctly was affected until patched.

WPA2, which the Wi-Fi Alliance introduced in 2004 (based on IEEE 802.11i) to replace the broken WEP protocol and the interim WPA of 2003, encrypts the traffic between a device and its access point so that anyone within radio range cannot read it or see which sites the device is contacting.

The flaw lets an attacker within radio range decrypt traffic that WPA2 was supposed to protect, mount "man-in-the-middle" eavesdropping attacks and, depending on the cipher suite in use, inject packets into the connection, which is how ransomware or other malicious code could be pushed into unencrypted web traffic, Vanhoef has said in various media reports. Krack may thus expose credit card numbers, passwords, chat messages, emails, photos and so forth wherever they are not additionally protected by TLS or another end-to-end layer.
 
Dato' Dr. Haji Amirudin Abdul Wahab, chief executive officer of CyberSecurity Malaysia, confirmed to Computerworld Malaysia (over the weekend of 22 October) that the globally used Wi-Fi Protected Access 2 (WPA2) Wi-Fi security protocol has been broken. "This standard is the most commonly used security standard by Wi-Fi networks around the world."


"This attack abuses design or implementation flaws in cryptographic protocols and resets the key's associated parameters such as transmit nonce and receive replay counters," explained Dr Amirudin. "Several types of cryptographic Wi-Fi handshakes are affected by the attack."
 
As IT administrators know, WPA2 derives a fresh session key (the PTK) through a four-way handshake between client and access point. Krack targets message 3 of that handshake, which carries the instruction to install the key: the attacker blocks the client's message 4 acknowledgement, so the access point, assuming the message was lost, retransmits message 3. Each time a vulnerable client receives message 3 it reinstalls the same key and resets the packet number (nonce) and replay counter to their starting values, so the same keystream is reused for the packets that follow.

While it is a clever attack on a protocol, Krack requires the attacker to be within radio range of both the victim device and its access point; it does not require knowing the Wi-Fi password, and it is the client's traffic, not the password, that is exposed. Krack is "highly effective" against devices running Android 6.0 and later and Linux, because their Wi-Fi client (wpa_supplicant 2.4 to 2.6) clears the key from memory after first installing it, so the forced reinstallation ends up installing an all-zero key and the attacker can decrypt everything without further effort.
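To make the message 3 replay concrete, here is a toy Python model of the supplicant's key installation. This is an added example written for this page, not code from the article's sources or from the KRACK researchers. The cipher, frame representation and message names are assumptions chosen to show the nonce reset; only the behaviour (reinstall on every message 3, packet number back to zero, and the patched alternative) mirrors the description above and Azril's explanation in the next section.

```python
"""
Added example, not code from the article or from the KRACK researchers: a toy
model of the WPA2 client-side key installation, showing why a replayed
handshake message 3 resets the packet number (the nonce) and hands the
attacker reusable keystream, and what the patched behaviour looks like.

Assumptions (not real WPA2): AES-CCM is replaced by a SHA-256 stream cipher,
EAPOL-Key frames are plain Python values, and the attacker already holds the
channel-based man-in-the-middle position the article describes, so it can drop
the client's message 4 and forward the access point's retransmitted message 3.
"""
import hashlib
import os


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Toy stand-in for CCMP: keystream is a pure function of (temporal key, packet number)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant side of the 4-way handshake.

    strict=False reproduces the vulnerable behaviour: every accepted message 3
    (re)installs the PTK and resets the transmit packet number to zero.
    strict=True reproduces the fix: a key that is already installed is never
    reinstalled, so the packet number keeps counting up.
    """

    def __init__(self, strict: bool):
        self.strict = strict
        self.tk = None         # installed temporal key (part of the PTK)
        self.tx_pn = 0         # transmit packet number, used as the CCMP nonce
        self.replay_ctr = -1   # last accepted EAPOL-Key replay counter

    def on_msg3(self, replay_ctr: int, tk: bytes) -> bool:
        """Process message 3; True means it was accepted and a message 4 would be sent."""
        if replay_ctr <= self.replay_ctr:
            return False       # stale replay counter: rejected, as the standard requires
        self.replay_ctr = replay_ctr
        if self.strict and self.tk is not None:
            return True        # patched: acknowledge, but do not touch the installed key
        self.tk = tk
        self.tx_pn = 0         # the KRACK defect: nonce reset on (re)installation
        return True

    def send(self, plaintext: bytes) -> tuple:
        """Encrypt one data frame; returns (packet number, ciphertext)."""
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.tk, self.tx_pn, len(plaintext)))


def run_handshake_and_attack(strict: bool, m1: bytes, m2: bytes) -> tuple:
    """Genuine message 3 arrives; the client installs the key and sends a frame.
    The attacker has dropped message 4, so the AP times out and retransmits
    message 3 with the replay counter incremented (so the counter check passes).
    The attacker forwards it and the client sends a second frame."""
    tk = os.urandom(16)
    client = Client(strict)
    r = 1
    client.on_msg3(r, tk)
    pn1, c1 = client.send(m1)
    client.on_msg3(r + 1, tk)      # retransmitted message 3, forwarded by the attacker
    pn2, c2 = client.send(m2)
    return pn1, pn2, c1, c2


def recover_second_plaintext(pn1: int, pn2: int, c1: bytes, c2: bytes, known_m1: bytes):
    """If the nonce repeated, c1 XOR c2 == m1 XOR m2, so a known m1 reveals m2.
    Returns None when the packet numbers differ (no keystream reuse)."""
    if pn1 != pn2:
        return None
    return xor(xor(c1, c2), known_m1)


# Constructed sample frames, padded to equal length for the XOR.
M1 = b"GET / HTTP/1.1\r\n".ljust(32, b" ")     # something predictable a client sends first
M2 = b"password=swordfish".ljust(32, b" ")     # the secret the attacker wants

if __name__ == "__main__":
    for strict in (False, True):
        pn1, pn2, c1, c2 = run_handshake_and_attack(strict, M1, M2)
        got = recover_second_plaintext(pn1, pn2, c1, c2, M1)
        print(f"strict={strict}: packet numbers {pn1},{pn2} ->",
              "recovered " + repr(got) if got else "no keystream reuse")
```

Run it and the vulnerable client encrypts its second frame with packet number 1 again, so XORing the two ciphertexts with the known first frame yields the second frame in the clear; the patched client keeps counting and nothing is recovered. Note that the EAPOL replay-counter check does not help here, because the access point legitimately increments the counter on every retransmission.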

The nitty-gritty

Independent threat intelligence specialist Azril Azam told Computerworld Malaysia: "Krack has been one of the most discussed security topics in 2017. The attack occurs at a deep, very low level and is quite technical. The two researchers from Belgium who discovered the protocol weaknesses have set up a website for general understanding (krackattacks.com)."


"This exploit aims to trick a 'victim' Wi-Fi (802.11) supported device into reinstalling an already used cryptographic key, which is used to encrypt and decrypt network traffic. The attacker achieves this by manipulating and replaying/retransmitting cryptographic handshake messages. Krack is not a cryptographic algorithm attack - it only targets the 4-Way-Handshake (4WH) in the WPA2 protocol itself," he said.
 
Azril explained that although Krack mainly targets the WPA2 4WH, the other handshakes in the 802.11 family that install keys in the same way (he names the group-key handshake and the 802.11r Fast BSS Transition handshake below) can be attacked with the same replay technique.
 
The following are the protocols possibly affected by the 4WH attack from Krack, as shown in Azril's diagram of the attack setup:

Image (Azril): Krack Attack Setup

Azril, however, believes that a Krack attack "is quite difficult and not as easy as shown in the YouTube video demo by the two Belgian researchers."

"First, the attacker needs to apply Man-In-The-Middle (MiTM) attack techniques between the Wi-Fi Access Point (AP) and the Wi-Fi Client," he explained. Secondly, setting up a rogue AP with a different MAC address to forward packets between the real AP and its client is not possible, because both MAC addresses are bound into the handshake's key derivation and integrity check. The attacker therefore has to employ a channel-based MiTM attack, cloning the real AP on a different channel with the same MAC address and SSID. The following paper describes in detail how to establish a Wi-Fi channel-based MiTM attack.
 
"Thirdly, by default both Windows and MacOS (including iOS) do not accept retransmission of Message 3 in the 4WH," Azril continued. "This is because it violates the 802.11 standards. As such, Windows and MacOS (iOS) are not vulnerable to the Wi-Fi client WPA2 4WH attack but are still vulnerable on the Group-Key Handshake. These operating systems are also vulnerable to Krack if the attacker decides to target the AP for the 802.11r Fast BSS Transition (FT) Handshake."

 Guidelines from security experts
 
When alerting Computerworld Malaysia about the exploit, former white-hat hacker turned financial security consultant and LGMS director Fong Choong Fook summed it up as: "If you are using Wi-Fi in office or home, you are vulnerable."


"Researchers will present more detail at the coming Black Hat Europe hacking conference," said Fong. "The attack in particular is targeting the weakness in the WPA2 protocol. WPA2 is widely used in the Wi-Fi access points today. Most, if not all, Wi-Fi networks today are using WPA2 one way or another. Wi-Fi users are advised to update their wireless access points and their computers immediately."

"Microsoft Windows has released the patches; however popular network device manufacturers such as D-Link and TP-Link have yet [at the time of this interview] to release any firmware update," he said. "The fixes need to be applied on both sides, the Wi-Fi client (e.g. Microsoft Windows) and the wireless access point (e.g. D-Link Wi-Fi router)."
  
According to a statement by the Wi-Fi Alliance:  "This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users."
 
On 17 October Microsoft revealed that it had quietly patched Windows the previous week, in its 10 October update, against the vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure wireless networks. All supported versions of Windows received the update, according to the catalogue listing, including Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016. On the same day, Apple announced patches for macOS, iOS and watchOS, at that point available in beta.
  
However, as firmware updates for access points and routers may take a while to appear, local digital security specialists have offered some guidelines to IT admins and internet users to combat this latest vulnerability.
  
Azril and Fong agree with the main advice from CyberSecurity Malaysia. Their advice has been collected and summarised below.

Advice for IT admins:

Advice for users:

Fong added: "This is the *largest scale* of vulnerability impact in the history of the WPA protocol. We have not even touched on the impact surface of the Internet of Things (IoT), which may be using WPA. Krack's impact may turn out to be far more serious than we know today."

CyberSecurity Malaysia's MyCert has issued an advisory and the appendix below gives contact details to report suspected cybersecurity attacks. (See - www.mycert.org.my/en/services/advisories/mycert/2017/main/detail/1288/index.html)
 
The latest edition of this article lives at Computerworld Malaysia.

Appendix
To report incidents at Cyber999, please use these channels: