A Stronger Handshake
The announcement came as a shock to the cybersecurity industry. In October 2017, the U.S. Computer Emergency Readiness Team (CERT) reached out to roughly 100 organizations to alert them of a new vulnerability affecting a major Wi-Fi protocol—WPA2.
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol,” it said. “The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.”
The specific vulnerability was Key Reinstallation Attacks, otherwise know as KRACK, which allowed attackers to interrupt the authentication process to create a key for encrypted data on a secure network.
Richard Gold, lead security analyst for Digital Shadows, describes KRACK as a method of violating how cryptographic connections work. The worst-case scenario would allow this attack to disable encryption on a network—meaning an attacker would be able to see all data on the network.
“For a security protocol, that’s a pretty devastating attack,” he says.
While there have been no reports of an attacker using KRACK on an organization to compromise its security, actions have been taken to beef up Wi-Fi protocol security in general since its release.
After the October CERT announcement, patches were released to address the problem and the Wi-Fi Alliance introduced new security enhancements for WPA2 in January.
These new enhancements helped lay the groundwork for the alliance’s new protocol—WPA3—which was released in June 2018.
“WPA3 takes the lead in providing the industry’s strongest protections in the ever-changing security landscape,” said Edgar Figueroa, president and CEO of the Wi-Fi Alliance, in a statement upon its release. “WPA3 continues the evolution of Wi-Fi security and maintains the brand promise of Wi-Fi Protected Access.”
The Wi-Fi Alliance is made up of 818 companies across the world and is designed to foster “interoperability, adoption, and evolution of Wi-Fi globally,” according to its website. As part of this effort, it releases Wi-Fi protocols, including WPA2 in 2004.
WPA2 was widely adopted by organizations for corporate use (WPA2-Enterprise) and by device manufacturers for private use (WPA2-Personal). However, it was not—as the KRACK vulnerability demonstrated—immune from attack.
Gold, who has led teams to attack WPA2-Personal and WPA2-Enterprise networks, explains how it can be done.
WPA2-Personal relies on using a password to gain access to the Wi-Fi network. Someone who wants to have access to the network must have the correct password. So, for instance, a houseguest might ask the homeowner for the password to the Wi-Fi network to connect his or her iPhone.
When the visitor enters the password to join the network, the iPhone and the Wi-Fi router will perform what’s called a handshake—a check to see that the iPhone is using the right credentials.
“What you can do as an attacker is sniff that handshake—listen to that handshake,” Gold says. “And you’ll capture in an encrypted form the hashed form of the password.”
An attacker can then take that collected hash, plug it into a machine that’s not on the Wi-Fi network, and run through a list of hashed words until the attacker finds a match—this is known as a dictionary attack.
To pull this off, the attacker is relying on the fact that most people choose poor passwords, so Gold says it’s typically an effective method of attack to gain access to the network because most people fail to create strong passwords or they reuse the same password for multiple accounts.
Attacking a WPA2-Enterprise network takes a little more effort. Instead of using a password to authenticate a user and his or her device, the network often uses a Windows authentication mechanism.
“It’s based on you as an individual, your password, the same password you type to log into Windows; that’s the same password you type to log into authenticate to the wireless network,” Gold explains. “They have merged those two authentication systems together.”
These authentication systems run through a server, called a radius server. An attacker would set up a server that impersonates the real radius server.
“What happens is then I—the attacker—wander around the office or nearby and due to the way the wireless standard works, your device will try to connect to the access points it thinks are the best, the one with the best signal strength,” Gold says.
If the impersonating server has more strength, victims’ devices would likely connect to it using their credentials. The attacker would then capture those hashed credentials, plug them into a machine that’s not on the targeted network, and use a dictionary attack to obtain the password information needed to gain access to the network.
Then, the attacker can go back, connect to the network using those stolen credentials, and use that connection to access corporate data or launch a cyberattack.
To address these vulnerabilities, the Wi-Fi Alliance began crafting a new protocol several years ago and released it in June 2018.
“Building on the widespread adoption of WPA2 over more than a decade, WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, and deliver increased cryptographic strength for highly sensitive data markets,” the alliance said in a statement on the new protocol’s release.
The major change from WPA2 to WPA3 is the handshake that devices use to authenticate with a Wi-Fi router to connect to a Wi-Fi network. This new handshake is called Dragon Fly and is designed to deliver protection even when users choose poor passwords.
This improved handshake will address two major security problems, Gold says.
“One is that it will provide protection even when users choose poor passwords because of the way it generates cryptographic parameters for the exchange, and it’s supposed to prevent you from doing offline attacks,” he explains.
The Dragon Fly handshake directly addresses those offline attacks, requiring those attempting to gain access to the network be talking to the Wi-Fi router on the network. Attackers will not be able to save hashed passwords, take them offline to conduct a dictionary attack, and then come back to infiltrate the network later.
“That’s exactly the right thing to be focusing on, because, as we can see, dictionary attacks are what we use—almost exclusively,” Gold says. “Directly addressing those concerns with the Dragon Fly handshake is a really good thing.”
Along with the improved handshake, which is required to achieve the WPA3 certification, the Wi-Fi Alliance made suggestions that organizations can implement to improve their Wi-Fi security.
Organizations have the option to use 192-bit minimum-strength security protocols and cryptographic tools, an increase from the former industry standard of 128-bites. This option is not available for WPA3-Personal because the alliance “addressed 192-bit security in scenarios where this level of support is necessary, such as highly sensitive environments like military, government, or finance,” it said.
And for open Wi-Fi networks, Wi-Fi networks that do not require a password to join, such as those often found in lobbies or cafes, the Wi-Fi Alliance released Wi-Fi Enhanced Open.
“Wi-Fi Enhanced Open addresses open or public networks by integrating cryptography mechanisms to provide each user with unique individual encryption that protects data exchange between a user device and the Wi-Fi network,” the alliance explained.
Currently when a user connects a device to an open or public network, the traffic between that device and the Wi-Fi router is visible to others on the network. With Wi-Fi Enhanced, the network would use what’s called opportunistic wireless encryption.
The router will basically ask a device that’s trying to connect if it supports encryption. If it does, such as a device that’s WPA3 certified, it sets up an encrypted channel for communications automatically.
“So that hop of sending traffic from your device to the router will be encrypted, so even other people on the network will not be able to see your traffic,” Gold says. “That’s basically encryption without you having to do anything—which is quite cool.”
The WPA3 protocol was released over the summer, and Qualcomm announced it would support it across its entire line of products and services shortly afterwards. Intel, Cisco, Broadcom, and Aruba also said in press statements that they would support implementation of the new protocol in their products.
However, Gold says he thinks broad adoption of WPA3 will be slow—especially because the Wi-Fi Alliance will continue to support WPA2 for the time being.
“Most equipment will support both for the foreseeable future, which actually raises an interesting issue,” he adds. “Whenever there are multiple versions of something running, the first thing to think about is how as an attacker do I stop people from using this new modern stuff with good security features and use the old broken stuff instead?”
For instance, an attacker would look to downgrade devices to WPA2 so they can be more easily compromised.
“If I can force you to use WPA2, and you’re using a bad password, then I’m probably going to have a good chance to get in,” Gold says.
And just because KRACK has not been used to compromise an organization’s network—that we know of—doesn’t mean that attackers will not develop even more robust methods to access Wi-Fi networks.
“These guys did a great piece of work and now other people will be building on it,” Gold says. “There will be more in the future for this avenue of attacks.”