Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible

A flawed Infineon Technology chipset used on PC motherboards to securely store passwords, certificates and encryption keys risks undermining the security of government and corporate computers protected by RSA encryption keys. In a nutshell, the bug makes it possible for an attacker to calculate a private key just by having a target’s public key.

Security experts say the bug has been present since 2012 and is found specifically in Infineon’s Trusted Platform Module, used on a large number of business-class HP, Lenovo and Fujitsu computers and Google Chromebooks, as well as routers and IoT devices.

The vulnerability allows for a remote attacker to compute an RSA private key from the value of a public key. The private key can then be misused for purposes of impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks, according to researchers.

The Infineon flaw is tied to a faulty design of Infineon’s Trusted Platform Module (TPM), a dedicated microcontroller that secures hardware by integrating cryptographic keys into devices and is used for secure cryptographic operations.

Security researchers, at Masaryk University in Brno, Czech Republic, who discovered the vulnerability (CVE-2017-15361) earlier this year, said the flaw occurs during the generation of RSA keys used by a software library in cryptographic smart cards, security tokens and other secure hardware chips manufactured by Infineon.

“The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable,” according to researchers who published a technical analysis of the bug on Monday.

The bug opens the door for what’s known as a “practical factorization attack,” in which the attacker computes the private part of an RSA key, researchers said.

“The attack is feasible for commonly used key lengths, including 1024 and 2048-bits, and affects chips manufactured as early as 2012, that are now commonplace,” researchers said. “Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required.”

Last week, Lenovo, Microsoft, Google and Infineon each issued security bulletins regarding the weakness and warned customers to update their impacted systems.

“Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system),” according to a Microsoft advisory. Microsoft released a Windows security update to help work around the vulnerability by logging events and by allowing the generation of software based keys.

Unlike other encryption vulnerabilities, this bug does not depend on a weak or a faulty random number generator. “Rather, all RSA keys generated by a vulnerable chip are impacted,” according to the coauthors of the report Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec and Vashek Matyas. They said the attack was practically verified for several randomly selected 1024-bit RSA keys and for several selected 2048-bit keys.

“The specific structure of the primes in question allows for a fast detection of vulnerable keys, even in very large datasets,” they said.
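The fast detection the researchers mention follows from the shape of the affected primes: each has the form p = k·M + (65537^a mod M), where M is the product of the first few dozen primes (39 of them for the 512-bit primes of a 1024-bit key, more for larger keys), so a modulus N = p·q reduced modulo any small prime r always lands in the subgroup generated by 65537 mod r. The check below is an added example written for this page, not the researchers’ published tool; the prime list, the Miller–Rabin helper and the seeded sample keys (constructed to have that shape, with a control key that deliberately does not) are its own assumptions.

```python
import random

E = 65537  # public exponent; it is also the generator behind the prime structure

# The 38 odd primes up to 167 (2 is omitted because every RSA modulus is odd). Together
# with 2 they form the primorial M used for 512-bit primes; larger key sizes use larger
# primorials that still contain these primes, so the residue test applies to every size.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
                73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
                157, 163, 167]

M = 2
for _r in SMALL_PRIMES:
    M *= _r


def generator_subgroup(r):
    """Residues {65537^i mod r}. A prime p = k*M + (65537^a mod M) satisfies
    p mod r = 65537^a mod r, hence p*q mod r = 65537^(a+b) mod r lies in this set."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % r
    return frozenset(seen)


SUBGROUPS = {r: generator_subgroup(r) for r in SMALL_PRIMES}


def roca_fingerprint(n):
    """True when modulus n has the residue structure of keys from the affected generator."""
    return all(n % r in SUBGROUPS[r] for r in SMALL_PRIMES)


def false_positive_rate():
    """Fraction of random odd moduli that would match by chance: the product over r of
    |<65537 mod r>| / (r - 1). Small enough to scan large key sets without noise."""
    rate = 1.0
    for r in SMALL_PRIMES:
        rate *= len(SUBGROUPS[r]) / (r - 1)
    return rate


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; adequate for producing sample primes, not a certified primality test."""
    if n < 2:
        return False
    for r in [2] + SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def structured_prime(bits, rng):
    """Constructed sample: a prime of the form k*M + (65537^a mod M). This reproduces only
    the output shape of the affected generator, not the library's algorithm."""
    lo, hi = (1 << (bits - 1)) // M, (1 << bits) // M
    while True:
        a = rng.randrange(1, 1 << 20)
        k = rng.randrange(lo, hi)
        p = k * M + pow(E, a, M)
        if is_probable_prime(p, rng):
            return p


def prime_with_residue(bits, residue, modulus, rng):
    """Constructed negative control: an ordinary random prime with p == residue (mod modulus)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % modulus == residue and is_probable_prime(p, rng):
            return p


def sample_moduli(seed=2017):
    """Returns (vulnerable_n, control_n). The control shares p, but its second factor is
    3 mod 11, and 3 lies outside <65537 mod 11> = {1, 10}, so the fingerprint must reject it."""
    rng = random.Random(seed)
    p = structured_prime(512, rng)
    q = structured_prime(512, rng)
    q_control = prime_with_residue(512, 3, 11, rng)
    return p * q, p * q_control


if __name__ == "__main__":
    vulnerable_n, control_n = sample_moduli()
    print("structured key flagged:", roca_fingerprint(vulnerable_n))
    print("control key flagged:   ", roca_fingerprint(control_n))
    print("chance match rate:     ", false_positive_rate())
```

A real scan would feed the modulus extracted from each certificate or public key into `roca_fingerprint`; a match means the key should be replaced with one generated elsewhere.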

The worst cases for the factorization of 1024- and 2048-bit keys are less than three CPU-months and 100 CPU-years respectively, researchers said. “The factorization can be easily parallelized on multiple CPUs. Where k CPUs are available, the wall time required for the attack will be reduced k-times—allowing for practical factorization in order of hours or days,” they said.

Researchers broke down the cost of the practical factorization attack to $76 for a 1024-bit key and $40,000 for a 2048-bit key, both running on Amazon AWS c4 compute instances. They said a 4096-bit RSA key is not practically factorizable now, but “may become so, if the attack is improved.”

The vulnerability was found by a close inspection of a large number of RSA keys generated and exported from the manufacturer’s smart cards, according to the report. It was identified at the end of January and disclosed to Infineon in early February. In May, researchers worked with manufacturers and other affected parties to help evaluate and mitigate the vulnerability. On Oct. 16 researchers published a partial disclosure of the vulnerability, and on Nov. 2 an in-depth presentation is expected to be released at the ACM Conference on Computer and Communications Security.

Researchers provide a number of tools for detection, mitigation and workarounds. “If a vulnerable key is found, then you should contact your device vendor for further advice,” the researchers advise.

This is the second high-profile crypto bug to make news Monday. The KRACK, or key reinstallation attack, was also disclosed Monday. It allows attackers to decrypt encrypted traffic, steal data and inject malicious code depending on the network configuration.

from Threatpost – English – Global – thr… http://bit.ly/2kTlXV9

Wi-Fi at risk from KRACK attacks – here’s what to do

News of the week – and it’s still only Monday – is a Bug With An Impressive name (and its own logo!) called the KRACK Attack.

Actually, there are several attacks of a similar sort discussed in the paper that introduced KRACK, so they’re more properly known as the KRACK Attacks.

These KRACK Attacks mean that most encrypted Wi-Fi networks out there are not as secure as you think.

KRACK works against networks using WPA and WPA2 encryption, which these days covers most wireless access points where encryption has been turned on.

An attacker in your midst (at least, within Wi-Fi range) could, in theory, sniff out at least some of the encrypted traffic sent to some of the computers in your organisation.

Even if an attacker can only “bleed off” small amounts of traffic, in dribs and drabs, the end result could be very serious.

(If you remember the Firesheep attack of 2010, bleeding just a few bytes of data when you connected to Facebook or Twitter was enough to let a crook clone your connection and access your account for as long as you stayed logged in.)

KRACK in a few words

KRACK is short for Key Reinstallation Attack, which is a curious name that probably leaves you as confused as we felt when we heard about it, so here’s our extremely simplified explanation of what happens (please note this explanation covers just one of numerous flavours of similar attack).

At various times during an encrypted wireless connection, you (the client) and the access point (the AP) need to agree on security keys.

To do so, a protocol known as the “four-way handshake” is used, which goes something like this:

  1. (AP to client) Let’s agree on a session key. Here’s some one-time random data to help compute it.
  2. (Client to AP) OK, here’s some one-time random data from me to use as well.

At this point, both sides can mix together the Wi-Fi network password (the so-called Pre-Shared Key or PSK) and the two random blobs of data to generate a one-time key for this session.

This avoids using the PSK directly in encrypting wireless data, and ensures a unique key for each session.

  3. (AP to client) I’m confirming we’ve agreed on enough data to construct a key for this session.
  4. (Client to AP) You’re right, we have.

The KRACK Attacks (with numerous variations) use the fact that although this four-way protocol was shown to be mathematically sound, it could be – and in many cases, was – implemented insecurely.

In particular, an attacker with a rogue access point that pretends to have the same network number (MAC address) as the real one can divert message 4 and prevent it reaching the real AP.

During this hiatus in the handshake, the client may already have started communicating with the AP, because the two sides already have a session key they can use, albeit that they haven’t finalised the handshake.

This means that the client will already be churning out cryptographic material, known as the keystream, to encrypt the data it transmits.

To ensure a keystream that never repeats, the client uses the session key plus a nonce, or “number used once”, to encrypt each network frame; the nonce is incremented after each frame so that the keystream is different each time.

As far as we can determine, all the KRACK attacks involve reused keystream material accessed by “rewinding” crypto settings and thus encrypting different data with the same keystream. If you know one set of data you can figure out the other – that’s the best case; some cases are worse than that because you can as good as take over the connection both ways.

Back to the handshake

At some point, the real AP will send another copy of message 3, possibly several times, until the rogue AP finally lets the message get through to the client.

The mathematical certainty in the protocol now meets cryptographic sloppiness in its implementation.

The client finalises the handshake at last, and resets its keystream by “reinstalling” the session key (thus the name of the attack), and resetting the nonce to what it was immediately after stage 2 of the handshake.

This means the keystream starts repeating itself – and re-using the keystream in a network encryption cipher of this sort is a big no-no.

If you know the contents of the network frames that were encrypted the first time, you can recover the keystream used to encrypt them; if you have the keystream from the first bunch of network frames, you can use it to decrypt the frames encrypted the second time when the keystream gets re-used.

Even if attackers are only able to recover a few frames of the data in any session, they still come out ahead.

Gold dust sounds less valuable than a gold ingot – but if you collect enough gold dust, you get to the same value in the end.

What to do

Changing your Wi-Fi password won’t help: this attack doesn’t recover the password (PSK) itself, but instead allows an attacker to decrypt some of the content of some sessions.

Changing routers probably won’t help either, because there are numerous variants of the KRACK Attacks that affect most Wi-Fi software implementations in most operating systems.

Here’s what you can do:

  • Until further notice, treat all Wi-Fi networks like coffee shops with open wireless, where your network frames are never encrypted.
  • Stick to HTTPS websites, which means the traffic between your browser and the website is encrypted even if it travels over an unencrypted connection.
  • Consider using a VPN, which means that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.
  • Apply KRACK patches for your clients (and access points) as soon as they are available.

Simply put, if you ever used open Wi-Fi access points (or Wi-Fi access points where the password is widely known, e.g. printed on the menu or handed out by the barista), you were already living in a world where at least some of your network traffic could be sniffed out at will by anyone.

The precautions that you take in those cases – why not take them all the time?

If you always encrypt everything yourself, in a way that you get to choose and can control, you never have to worry what you might have forgotten about.

from Naked Security – Sophos http://bit.ly/2xJlSVn

How the Waltham cyberstalker’s reign of fear was ended

The recent arrest of, and federal charges against, a 24-year-old alleged cyberstalker bring to light the terrible fallout from unrelenting online harassment, and highlight that no one is truly anonymous online, not even criminals.

The crime

Arrested on 6 October, Ryan Lin of Newton, Massachusetts allegedly harassed and cyberstalked his former roommate for over a year in a manner so egregious and terrifying that it merited a federal investigation.

The harrowing details of his alleged activities are in a 28-page affidavit, written by FBI Agent Jeffrey Williams, provided by the U.S. Department of Justice—the crux of it is that Lin used email, SMS, social media and phone apps to make life a living hell for his victim; for over a year he harassed her, her roommates, her family and friends, her employers, her landlord and the community she lived in by sending death threats, rape threats, bomb threats and even child pornography.

Lin was a computer science graduate of Rensselaer Polytechnic Institute (RPI), and he had enough cybersecurity knowledge to effectively anonymize himself while he embarked on his campaign of harassment.

Outside of his formal computer science education, Lin had more than a passing understanding of infosec and opsec practices. A quick perusal of one of his active Twitter accounts reveals an interest in the Tor project, Tails (the privacy-centric Linux distribution), major data breaches like Yahoo and Equifax, and the nuances of VPN use.

The affidavit also mentions that Lin had harassed a number of former high school and college classmates. He either impersonated them with fake social media accounts under their names, or he tried to socially engineer his way into their Facebook profiles to harass them directly by creating fake profiles under the name of shared classmates.

The technology

According to the affidavit, Lin used a VPN to cover his tracks while he created the accounts that he used to send his harassing messages. VPNs hide your computer’s IP address and the traffic between you and your VPN provider is encrypted, making it incomprehensible to anyone intercepting it.

VPNs are an important security tool but there’s one major caveat: the encrypted tunnel between you and your VPN provider provides protection against everyone other than your VPN provider, who gets to see everything passing through your network.

VPNs are a dime a dozen, including many free ones. Using a shoddy VPN service provided by an untrustworthy company can put your data at more risk than not using one at all. No matter who your VPN provider is, though, you should expect them to cooperate with law enforcement if they are subpoenaed to do so.

As Lin himself noted on Twitter just days before he was arrested, a VPN can’t be relied upon for anonymity:

Something that everyone should know  – VPN provides privacy. TOR provides *decent* anonymity (if you use it correctly) #vpn #tor #broadbandprivacy

It’s interesting that given this knowledge, it seems it was his own VPN traces that ended up being key in his arrest, according to the affidavit.

Another highly portentous tweet was called out in the affidavit:

For example, on June 15, 2017, Lin, using the Twitter handle @ryanlindev, re-tweeted a tweet from “IPVanish,” that read: “Your privacy is our priority. That’s why we have a strict zero log policy.” Lin criticized the tweet, saying, “There is no such thing as VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”

The affidavit details that Lin went through pains to anonymize his traffic by using a mix of proxy servers, several different VPN services and Tor.

In a number of the instances of online harassment under investigation, the user both used a VPN and used an anonymizing service to mask his true IP address. Taking this two-step approach provides the user with another layer of anonymity, and demonstrates an awareness of and concern about the exact issue that Lin highlights in his tweet: the fact that VPNs track activity with logs.

From the affidavit, it appears that FBI Agent Williams used VPN logs to identify IP addresses that could be traced to Lin’s home and former employer. But that wasn’t a smoking gun, so to speak, just one of many data points used to build the case.

More data points in the case related to email addresses attributed to Lin, which he used to communicate openly with his victim and her roommates. It seems he accessed those emails using the same VPN-assigned IP address that he used to create the email accounts used to harass and threaten his victim.

Lin could face at least five years in prison if he’s convicted.

The impact

I took a special interest in this story as I live in the city that was the target of the frequent shooting and bomb threats: Waltham, a small city of just about 60,000 people.

The bomb threats started in July of this year and were sent to city schools, government offices, libraries, daycare facilities, and even a federal archive building.

In addition to the wide swath of threats, they were also increasing in frequency: there was a time where threats were sent to Waltham schools daily for days and weeks on end—in the span of just a few months the schools received dozens of bomb threats, with 24 threats in just one day.

Aside from the huge impact this made on local police (Waltham is a city of just 60,000 people), the emotional impact on the community can’t be overstated.

Each school bomb threat prompted a school closure or a complete student evacuation until the schools were swept and deemed safe. With these threats coming near-daily, many children were scared of going to school, and more than a few parents opted to keep their kids at home from school entirely.

There wasn’t much information that law enforcement could divulge to help calm fears as they were actively pursuing an investigation, and it seemed like there was no end in sight for these terrifying bomb threats as they continued.

Thankfully since the arrest, the bomb threats promptly stopped, and Waltham residents (myself included) are relieved, but also horrified at the nature of what was motivating these threats, unbeknownst to all of us at the time.

I’ll leave you with the words of Harold H. Shaw, Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Division:

As alleged, Mr. Lin orchestrated an extensive, multi-faceted campaign of computer hacking and online harassment that caused a huge amount of angst, alarm, and unnecessary expenditure of limited law enforcement resources

This kind of behavior is not a prank, and it isn’t harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today’s arrest will deter others from engaging in similar criminal conduct.

from Naked Security – Sophos http://bit.ly/2idV6Cn

GDPR Compliance: 5 Early Steps to Get Laggards Going

If you’re just getting on the EU General Data Protection Regulation bandwagon, here’s where you should begin.

Although the European Union’s General Data Protection Regulation (GDPR) has been in effect since 2016, and although enforcement actions kick off a mere seven months from now, many companies didn’t really appreciate the magnitude of the new privacy legislation until the Equifax breach.

An American company exposed the sensitive private data of 700,000 citizens of the United Kingdom (still part of the European Union); “sensitive, private data” that is, by the American definition. The European Union’s definition is significantly broader, and in all Equifax exposed 12.5 million UK clients’ records. It is possible that European data authorities might do different accounting.

Monetary penalties for GDPR are up to 20 million Euros or 4 percent of annual turnover (similar to revenue), whichever is higher. Data privacy authorities can also ban companies from processing certain kinds of data entirely, which can massively disrupt entire business models. Organizations must also consider the costs of defending themselves in the many lawsuits that citizens and data authorities might bring against them.

With retributions like that looming overhead, it’s no wonder that organizations are waking up to the importance of GDPR preparation. Here are a few places to start.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …
from Dark Reading – All Stories http://ubm.io/2gK0Foy

20 Questions to Ask Yourself before Giving a Security Conference Talk

As cybersecurity continues to become more of a mainstream concern, those of us who speak at industry events must learn how to truly connect with our audience.

While passing through a particular city recently, I stopped in to a security conference that happened to be going on that same day. I enjoyed the opportunity to catch up with old colleagues and network with new ones. But as I listened to some of the presentations, I was reminded of how underwhelming and disappointing many can be. Speaking as both a sometime presenter and sometime attendee, here are 20 questions speakers should ask themselves before giving a security conference talk:

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

  1. Is the material fresh? No one is particularly interested in sitting through a talk rehashing ideas from 5, 10, or even 20 years ago.
  2. Is the topic relevant? That’s despite the fact that I’ve seen some pretty interesting talks that have little to no relevance or practical application.
  3. Is the material clear and easy to understand? It’s always a bit uncomfortable when you find yourself in the middle of a talk where you literally have no idea what is being discussed.
  4. Is the talk focused? If you are planning on laying out a potpourri of different topics with no unifying theme connecting them, don’t be surprised that listeners tune out.
  5. Does the talk converge? I want you to lead me through a logical progression toward a conclusion.
  6. Are the slides concise? There is nothing I hate more than to see slides overloaded with a cacophony of words. It’s even worse if you read me the slides. If you want me to read, then hand me a white paper. It saves us both a lot of time.
  7. Will attendees need to check their eyeglass prescription before they come to your talk? As much as I love diagrams, if your diagrams require a telescope to see, you’re doing it wrong.
  8. So what? Have you answered the most fundamental of all questions? If you’re going to talk for 30 to 60 minutes, make sure there is a point to it.
  9. Who cares? Perhaps this question sounds a bit harsh, but if no one identifies with or finds relevance in your talk, it missed the mark.
  10. Do you do more than rehash old points? Yes, I know that lots of organizations still don’t use multifactor authentication for whatever reason. Unless that data point (and others like it) is critical to the logical argument you’re building or you have a solution to the problem, I don’t need to hear about it yet again.
  11. Do you do more than simply ask questions? Asking the right questions is important, but it can’t be all you do during the course of your talk. (And yes, perhaps it is a bit ironic that this is one of the 20 questions I am asking.) 
  12. Do you merely highlight problems? All of us are capable of sitting around and generating a long list of everything that is wrong in security. There is really nothing novel or illuminating in that.
  13. Do you offer solutions? If you ask people what they are really interested in hearing about, they will likely tell you that they want to learn about how they can solve problems. Talks that highlight problems without offering solutions don’t really answer the call.
  14. Do you provoke thought? Pushing people outside of the box and outside of their comfort zone is a good thing, as long as it is done constructively and respectfully. Problems don’t get solved by doing nothing, or repeatedly trying the same failed techniques. Dialogue around non-traditional approaches can be a great way to jumpstart these types of efforts.
  15. Do you provide fresh content? I’m talking about new ideas, lessons learned from experience, and interesting data or results. These are quite meaningful as far as content goes. Showing a bunch of stuff anyone could have found with Google and Wikipedia, less so.
  16. Will anyone remember your talk? Have you succeeded in leaving audience members with a meaningful takeaway that they can bring home with them and reflect upon for a year, a month, or even a week?
  17. Have you stayed away from the shiny object of the day? Everyone might be talking about the latest breach, that critical new vulnerability, or that hot new security buzzword. But if all you’re doing is regurgitating the same talking points that everyone else is, the presentation will surely be forgettable.   
  18. Do you produce buzzword bingo champions? Buzzword bingo is an old sport at security conferences that has long outlived its purpose (if there ever was one)!
  19. Are you an alarmist? I can guarantee you that this approach will not be effective with anyone who is a serious security professional. It may land you a quote or two in the press, but that’s about all.
  20. Are you condescending? You may have knowledge or experience that is rare, sought-after, and valuable, but if you want others to appreciate, respect, and learn from that knowledge or experience, don’t talk to them like there is no way they could possibly grasp it.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, …

from Dark Reading – All Stories http://ubm.io/2ytf9CI

Adobe Patches Flash Zero Day Exploited by Black Oasis APT

Adobe today released an out-of-band Flash Player update addressing a zero-day vulnerability being exploited by a little-known Middle Eastern APT group.

The group known as Black Oasis was, as recently as this month, using exploits for the flaw to drop FinSpy as a payload. Sold by the controversial German company Gamma International, FinSpy, or FinFisher, is a suite of surveillance and espionage software used to remotely monitor compromised computers. It is sold to governments and law enforcement around the world, and there have been allegations of sales to oppressive regimes, including Egypt, Bahrain, Ethiopia, Uganda and elsewhere.

The vulnerability, CVE-2017-11292, was privately disclosed Oct. 10 by researchers at Kaspersky Lab, who saw the payload and exploit used against a customer’s network. The attackers spread the exploit via email, embedding the Flash exploit inside an ActiveX object inside a Word document. Brian Bartholomew, a member of Kaspersky Lab’s Global Research and Analysis Team (GReAT), said retrieval of the payload—which is the latest FinSpy version—is done in multiple stages.

Adobe said Flash version on the desktop, Linux and Google Chrome is affected, as well as version for Edge and Internet Explorer 11 on Windows 10 and 8.1. Users should be sure to be running the updated Flash on all platforms, or heed the advice of many security experts to disable Flash altogether. Flash has been designated for end-of-life.

Kaspersky Lab published a report today about the zero day on Securelist.com.

Black Oasis is a bit of an enigma among APT groups. The group has been on Kaspersky Lab’s radar for nearly a year, Bartholomew said, and has had at least five zero-day vulnerabilities and exploits at its disposal since 2015, all of which have been disclosed and patched. There is only one known victim of the Flash zero day patched today, he said.

“These guys are definitely customers of Gamma. They’ve been using FinSpy for maybe the last two years,” Bartholomew said. “They were also potentially customers of Hacking Team.”

Black Oasis appears to have made use of a Hacking Team zero day, CVE-2015-5119, prior to the Italian software company being hacked in the summer of 2015 and having many of its attacks publicly dumped online.

“We know this group was also using that exploit, which we assume was unique to Hacking Team customers,” Bartholomew said. “They had access to it prior to the hack. Once the hack happened, I have not seen them using Hacking Team at all but they have been using FinSpy pretty regularly since.”

The APT group’s targets are government and military organizations in the Middle East, countries in North Africa, as well as some in Russia, Ukraine and elsewhere in Europe.

“FinSpy seems to be their payload of choice,” Bartholomew said.

This is the second zero-day vulnerability in possession of Black Oasis to be patched in the last month. In September, FireEye disclosed CVE-2017-8759, which was patched by Microsoft and used to spy on an unnamed Russian individual. The vulnerability was described as a SOAP WSDL parser code injection bug spread via Microsoft Office RTF documents. The code injection was used to download and execute script that included PowerShell commands.

“In the last two months, they’ve burnt two zero days. It’s very evident they have access to a wide swathe of zero days,” Bartholomew said.

Zero days can sell for six or seven figures on gray or black markets. They are a source of constant debate between security and privacy experts and governments who buy these attacks for exclusive use as lawful intercept tools in the name of national security or law enforcement purposes.

While Black Oasis may be very well resourced, its operational security may be lacking. For example, the group re-used command and control servers burned by the FireEye disclosure in this recent round of attacks using the Flash zero day.

“They had right around a month to move their infrastructure, but yet they didn’t,” Bartholomew said.

The emergency update comes less than a week after Patch Tuesday when for the first time in recent memory, Adobe did not publish any security updates for any of its products.

from Threatpost – English – Global – thr… http://bit.ly/2ysbapF

WPA2 weakness allows attackers to extract sensitive info from Wi-Fi traffic

WPA2, a protocol that secures modern protected Wi-Fi networks, sports serious weaknesses that can allow attackers to read and capture information that users believe to be encrypted (e.g. passwords, payment card numbers, etc.).

WPA2 weakness

“Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites,” says Mathy Vanhoef, a postdoc at the Belgian University of Leuven, who discovered the weaknesses and led the research.

He also came up with KRACK, i.e. key reinstallation attack, to exploit the flaws.

The KRACK attack

To understand how the attack works, one must understand how a client joining a protected Wi-Fi network receives an encryption key needed for safe communication.

“When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol,” Vanhoef explained.

“However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.”

These key reinstallations can occur spontaneously if the last message of a handshake is lost due to background noise, so a retransmission of the previous message is needed. “When processing this retransmitted message, keys may be reinstalled, resulting in nonce reuse just like in a real attack,” Vanhoef noted.

But this same result can be forced by an attacker who managed to achieve a Man-in-the-Middle position.

“In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” Vanhoef added.

“Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged.”
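The client behaviour described above, as an added toy model (not the researchers' code and not wpa_supplicant): a client receives message 3, installs the key, sends a frame, then receives a retransmitted copy of message 3, as happens when message 4 is lost. The vulnerable client reinstalls the key and resets the packet number, so the next frame reuses (key, nonce) 1; the patched client, following the backwards-compatible fix of installing a key only once, keeps counting. The keystream derivation is a simplified stand-in for CCMP, chosen only because it repeats exactly when (key, packet number) repeats.

```python
import hashlib
import hmac


class Client:
    """Toy model of a Wi-Fi client's handling of message 3 (constructed, not wpa_supplicant)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None          # pairwise key negotiated by the 4-way handshake
        self.tx_pn = 0           # incremental transmit packet number (the nonce)
        self.rx_replay = 0       # receive replay counter
        self.installed = False

    def on_message3(self, ptk: bytes) -> str:
        # Patched behaviour (the backwards-compatible fix): a key already installed is not
        # installed again, so a retransmitted message 3 leaves key and counters untouched.
        if self.patched and self.installed and ptk == self.ptk:
            return "ignored retransmission"
        # Vulnerable behaviour: every copy of message 3 (re)installs the key and resets
        # the transmit packet number and the receive replay counter to their initial values.
        self.ptk, self.tx_pn, self.rx_replay, self.installed = ptk, 0, 0, True
        return "installed"

    def encrypt_frame(self, plaintext: bytes) -> tuple:
        # Simplified stand-in for CCMP: keystream is a function of (key, packet number) only,
        # which is the property that makes nonce reuse dangerous. Real CCMP uses AES-CCM.
        self.tx_pn += 1
        keystream = hmac.new(self.ptk, self.tx_pn.to_bytes(6, "big"), hashlib.sha256).digest()
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
        return self.tx_pn, ciphertext


def run_scenario(patched: bool) -> tuple:
    """Message 3, one data frame, a retransmitted message 3, a second data frame.

    Returns (packet number of frame A, packet number of frame B, how message 3's
    retransmission was handled). Equal packet numbers under the same key mean the
    same keystream was used twice."""
    client = Client(patched)
    ptk = hashlib.sha256(b"constructed sample PTK").digest()   # constructed key material
    client.on_message3(ptk)
    pn_a, _ = client.encrypt_frame(b"first data frame")
    verdict = client.on_message3(ptk)   # AP did not see message 4 and resends message 3
    pn_b, _ = client.encrypt_frame(b"second data frame")
    return pn_a, pn_b, verdict
```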

Several types of cryptographic Wi-Fi handshakes are affected by the attack: Four-way, Group Key, PeerKey, TDLS, and fast BSS Transition. The different CVE numbers assigned to the vulnerability reflect specific instantiations of the KRACK attack, so that it’s easier to track which products are affected by which instantiation.

The KRACK attack can be aimed at many different devices running a variety of OSes.

“Our attack is especially catastrophic against version 2.4 and above of wpa_supplicant, a Wi-Fi client commonly used on Linux. Here, the client will install an all-zero encryption key instead of reinstalling the real key,” Vanhoef noted.

Android also uses wpa_supplicant, and all Android versions higher than 6.0 are affected by the attack, as demonstrated in this video:


Attack limitations

The weaknesses found are in the Wi-Fi standard itself, so any correct implementation of WPA2 is likely affected. In other words, if your device supports Wi-Fi, chances are good that it is affected.

On the other hand, the KRACK attack has its limitations. For one, the attack can’t be deployed by remote attackers – they have to be within the wireless communications range of an affected AP and the victim client.

Secondly, websites that correctly implement SSL/TLS (HTTPS) are still secure in theory, as the user’s browser negotiates a separate encryption layer on top of the Wi-Fi link. Alas, there are sites that have this protection improperly configured and, as Vanhoef noted, there are many instances in which HTTPS protection can be bypassed.

Risk mitigation and attack prevention

“Luckily, [WPA2] implementations can be patched in a backwards-compatible manner,” Vanhoef added.

“This means a patched client can still communicate with an unpatched access point, and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moments in time. However, the security updates will assure a key is only installed once, preventing our attacks. So again, update all your devices once security updates are available.”

The good news is that some vendors have already begun pushing out the patches, and most of them are expected to offer a patch in the very near future. Google said that they will be patching any affected devices “in the coming weeks.”

It is on users and administrators to implement those patches as soon as possible.

“Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates,” the researcher explained.

“In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.”

CERT/CC offers a list of vendors whose products are affected, but keep in mind it is unlikely to be definitive.

As a temporary risk mitigation, smartphone owners could also switch to using mobile data instead of Wi-Fi when connecting to sites that handle sensitive information (e.g. online banking sites, dating sites, etc.). Connecting your computers to the Internet via a wired Ethernet connection instead of Wi-Fi until you can install the needed patches might also be a good idea.

from Help Net Security – News http://bit.ly/2if5Hg8