The Vanhoef-Piessens effect - the attacks which target WPA encryption

First published in Computing – The Vanhoef-Piessens effect – the attacks which target WPA encryption

Not a month seems to go by without a devastating cyber-attack or new critical vulnerability making front-page news. October is no different, this time it is Wi-Fi that is under attack. Pre-eminent Wi-Fi researchers Mathy Vanhoef and Frank Piessens have this week released details of a range of attacks that target WPA encryption, the encryption that underpins most Wi-Fi networks worldwide.

Previous attempts against WPA

Previously, WPA encryption has remained strong, with the algorithm having been proven unbreakable by various researchers. There have been various attacks against associated protocols such as Reaver/Bully targeting the Wi-Fi Protected Setup (WPS) PIN that can be used to quickly connect new devices to your network, or CowPatty which can be used for offline password attacks. While both are possible threats, vendors were quick to implement changes to protect against Reaver/Bully, an offline password cracking requires considerable compute power, limited key space or a poorly selected pre-shared key.

Four-way handshake issues

At the heart of the Vanhoef attack is the four-way handshake, a process whereby the access point and client can independently verify that they each know the pre-shared key. By authenticating in this way, it not only allows control of access to the network, but also some protection against malicious access points.

The four-way handshake creates a new encryption key that will be used to encrypt all subsequent traffic. After the third message in this handshake, the encryption key is installed, but as Wi-Fi frames often get lost due to poor signal this process can often, quite legitimately, be repeated many times to ensure a successful handshake.

Pleased to meet you, what was your name again?

This attack works by collecting message three and replaying it, forcing the client to install the same encryption key, resetting the nonce and replay counters. By resetting nonce values, the same encryption key is used and, therefore – due to the cipher in use – the same cryptographic keystream is used. Once there is known content, it becomes a trivial matter to derive the keystream and decrypt the transmissions.

Impact

The result of this attack is that TCP connections can be hijacked and therefore HTTP connections can be used for injecting data or malware. Connections without additional security such as TLS/SSH/IPSEC can be read in plaintext and known attacks such as SSLStrip can now downgrade these connections.

During their initial research, Vanhoef and Piessens noted that Linux-based devices (including Android) were particularly susceptible, but subsequent research has made some of these attacks possible against all operating system vendors.

The attack also works regardless of the WPA variation used: AES-CCMP, TKIP or GCMP with various levels of susceptibility, depending upon the protocol used.

The biggest concern here is that the attack is most successful against WPA-GCMP which is expected to underpin streaming, docking, and enterprise applications in the coming years. Attacks against this protocol enable an adversary to recover the authentication key, which in GCMP is used to protect both communication directions.

What will happen next?

Vanhoef and Piessens have promised to release a proof-of-concept tool in the coming weeks which will no doubt immediately find its way into popular penetration testing distributions. This means there may well be a raft of curious ‘researchers’ attempting these kinds of attacks on an ad-hoc basis. More targeted attacks are likely to be leveraged against higher profile networks such as enterprise or closed networks for high-value targets.

The theory behind the attack is strong. But the issue is due to implementation of WPA by vendors (as shown by Linux devices being more susceptible) rather than a fundamental flaw in the underlying protocol, so it should be relatively trivial to patch – indeed, major vendors are already rolling out fixes.

The problem is that IoT devices often go unpatched, some devices will no longer be supported while other have never been supported, and with WEP networks still making up over 10% of global networks (Wigle.net), we are likely to continue to see significant Wi-Fi attacks for years to come.

The attack also presents the Wi-Fi Alliance with a timely hastener to address other underlying issues with current Wi-Fi implementations. At present (in most 802.11 implementations) anyone near a device can send de-authentication packets and knock users off a network; authenticated users can conduct various layer 2 and layer 3 attacks, and there are still residual privacy concerns.

What can I do?

Users need to ensure devices are up to date and should look for patches specifically for this vulnerability. In the meantime, ensure networks for which you have control use WPA2 AES-CCMP – the least vulnerable protocol to this attack (however, this is not a preventative measure).

Following current security advice, you should always treat wireless networks as insecure; this vulnerability does nothing to change that. Business and personal users often connect to public open networks, or semi-closed corporate networks (hotels, airports etc). The amount of attacks taking place on these networks is vast and people should assume their traffic can be intercepted. By ensuring transport layer security through VPNs and TLS (with rigorous checking), we can assume data will remain confidential, but this does not wholly take away the threat from injected malware which calls for a layered approach to reducing the risk.