WPA2 Key Reinstallation Attacks

By jgreen posted Oct 16, 2017 06:02 AM


I will assume if you’re reading this, you have already heard the news – the world’s first major break in WPA2-Enterprise.  If not, head over to the excellent site created by the author of the attack, and then see the security bulletins page to get Aruba’s official word on the vulnerabilities.  I wrote those documents to give you the facts; I’m going to use this blog post to give you my opinions, and to provide a forum for discussion and Q&A.  I and my Aruba colleagues will be monitoring the discussion forum in the coming weeks, and we’ll do our best to answer questions in a timely manner.


First things first:  Is the sky falling?  Do you need to shut down your Wi-Fi network?  I’m going to give that a qualified “no”, depending on your mix of client devices.  If you’re on top of patch management, you are likely already protected against this attack to a great degree.  Microsoft, Apple, Google, Intel, Aruba, Cisco, and other major vendors have been working on fixing these vulnerabilities for a few months now.  As I write this on October 15, I don’t know for a fact that my Windows 10 laptop is already patched, but I have a strong suspicion that some Wi-Fi updates were part of last Tuesday’s update from Microsoft.  Aruba published critical security advisories last week and tried to get the “upgrade your software now” message out as strongly as possible – customers who were able to update their software last week do not need another update today.


OK, but what if you’re NOT really on top of patch management, because you work for one of the thousands of companies that require weeks to get through the change management process?  I think, again, the sky isn’t necessarily falling.  An attacker (who has to physically come to my location and attack my clients through an entirely detectable man-in-the-middle attack) can decrypt my client-to-AP traffic with pretty high probability, and can replay my client-to-AP traffic.  The attacker can’t send arbitrary traffic (i.e. can’t inject traffic of his own), can’t decrypt AP-to-client traffic (note: assumes you have disabled 802.11r), can’t modify my traffic in transit, and doesn’t get any authentication tokens or keys.  It’s bad, but it’s not THAT bad, especially when I consider that all of my sensitive communication is done over HTTPS or TLS (full disclosure: I often use my corporate laptop, running corporate applications, on public Wi-Fi hotspots without my VPN client running).  Your mileage will vary, of course – for some of you, what I’ve described is an unacceptable level of risk.  For others, you can tolerate it.


Side note:  If you’re using TKIP, the sky IS falling.  This latest attack lets an attacker inject traffic into your network.  Of course, TKIP has been broken for a number of years now, and I assume if you’re using it, you are already aware of the risks and have taken steps to put additional layers of defense in place. (Side-side note: Some of our customers still use WEP.  There are business reasons why they do this.  I don’t judge…)


As a security professional, I often have mixed feelings about vulnerability discoveries.  On the one hand, this is a huge pain for all of us involved.  Believe me, I understand the discussions that are happening in IT departments and maybe even in executive suites all over the world right now.  On the other hand, any time a major vulnerability is surfaced, I can’t help admiring the ingenuity and creativity that went into its discovery.  Dr. Mathy Vanhoef at KU Leuven is not new to Wi-Fi security – he has been building up to this latest discovery for several years now.  And despite the current pain he has caused us, we owe him a debt of gratitude.  Ultimately, his work (and the work of all security researchers) will make us all safer.  Security protocols NEED to be tested (and broken… and fixed.)  Without that, we simply don’t know how much to trust them.  Look at the progression from SSLv2 up to the soon-to-be-standardized TLS 1.3 and you’ll get a picture of how that process works.  Each iteration gets better, until we reach a point where the protocols are so strong that attackers go off and look for a different weakest link.  With today’s announcement, the protocol actually held up fine – we don’t need a WPA3, but rather some implementation tweaks to the existing protocol.  That’s very good news, because it means the solution is “patch” (something we’re already required to do in order to maintain good security) rather than “back to the IEEE drawing board”.


Do you have questions about what this all means – either the facts or the opinions?  Visit this thread we have going in the community. We’ll do our best to answer.