Login Papers Register

Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!

<< previous next >>

unKRACK: Mitigating Future WPA2 Vulnerabilities

Mathy Vanhoef

4 vote(s)

This talk explains how recent attacks against WPA2 work, including but not limited to the KRACK attack, and how they all rely on a multi-channel man-in-the-middle (MitM) position. More importantly, we present a novel countermeasure to mitigate both existing and future attacks against protected Wi-Fi networks by detecting and prevent this multi-channel MitM.

In the past few years there have been several new attacks against protected Wi-Fi networks, with the most well-known one being the Key Reinstallation AttaCK (KRACK) against WPA. Interestingly, nearly all these attacks rely on a so-called multi-channel MitM position. This position does not allow an adversary to decrypt traffic, but does enable reliable manipulation (blocking, delaying, modifying) of encrypted traffic. These abilities can then be used to perform actual attacks against the protocol, or to exploit a vulnerability in a specific implementation. The idea behind this MitM position is to clone the AP on a different channel, trick the client into connecting to the Access Point (AP) on this rogue channel, to then forward frames between both channels so the client and AP can communicate. This enables an adversary to reliably delay, block, or modify encrypted frames sent between the client and AP.

To give a concrete example of how this MitM position is used, we begin by reminding the audience how it was used in the KRACK attack to exploit the 4-way handshake of WPA2. We also clear up some misconceptions about the KRACK attack, and present new implementation-specific improvements that we recently discovered. These new findings encompass new key reinstallations in APs, and faulty installations of the group key. Additionally, we briefly explain how the multi-channel MitM has previously been used to break the older WPA-TKIP encryption algorithm, and how it has been used to perform downgrade attacks to RC4 against the 4-way handshake.

In the second part of the talk, we present a novel extension to the Wi-Fi standard that prevents multi-channel man-in-the-middle attacks. The core idea behind this extension is simple: authenticate the operating channel of the access point when connecting to the network. Surprisingly, designing and implementing such a mechanism is more tedious than expected. We will discuss three major obstacles that we had to overcome. First, how to unambiguously encode the current channel of the network, and how to handle wide-bandwidth channels such as 40, 80, or 80+80 MHz channels. Second, we discuss how to securely handle channel switches that occur when the AP dynamically changes the channel of the network. Third, we explain how to do all this in a backwards-compatible manner. Finally, we release a proof-of-concept implementation of our extension, and report on our progress to get this extension included into the official 802.11 standard. We hope this motivates companies and people to implement and use our novel defense!

To conclude, we believe our method to detect and prevent multi-channel MitM attacks will make it significantly harder to exploit the next big attack against protected Wi-Fi networks.


Mathy Vanhoef is a postdoctoral researcher at KU Leuven. He is most well known for his KRACK attack against WPA2, and the RC4 NOMORE attack against RC4. His research interest is in computer security with a focus on wireless security (e.g. Wi-Fi), network protocols, applied cryptography, and software security. Currently his research is about automatically discovering (logical) vulnerabilities in network protocol implementations, and proving the correctness of protocol implementations. Apart from research, he is also interested in low-level security, reverse engineering, and binary exploitation.