Researcher Discovers Encryption Attack ‘Devastating’ for Android and Linux

- October 16, 2017

A security researcher at the Belgian university KU Leuven has discovered a cryptographic flaw in the four-way handshake used by a majority of devices to encrypt communications.

Mathy Vanhoef says the attack works by replaying handshake messages to trick a device into reinstalling a key that is already in use. He dubbed the vulnerability KRACK, for Key Reinstallation Attack.

“Essentially, to guarantee security, a key should only be installed and used once,” Vanhoef wrote in his report. “Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”

When a phone, computer or other client joins a Wi-Fi network, it first executes what’s known as a four-way handshake to negotiate a session key that will be used to communicate privately while on the network.

In a published research paper, Vanhoef writes that an access point that does not receive a proper acknowledgment after sending the key message will retransmit it. Each time the client receives that message, it reinstalls the same session key. The researchers’ proof-of-concept attack artificially forces this key reinstallation and thereby compromises the data-confidentiality protocol.

“As a proof-of-concept we executed a key reinstallation attack against an Android smartphone,” Vanhoef writes. “…Our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into [reinstalling] an all-zero encryption key.”

While the researchers note that the attack is particularly devastating for Android, Linux and OpenBSD, it is also viable, though to a lesser degree, against other platforms such as macOS and Windows.

Once the reused key has been installed, an attacker could use it to decrypt packets sent by the client, or even inject malicious content such as malware or ransomware.

The flaw does not require a new encryption protocol, the researchers say. Instead, a backward-compatible patch that ensures a key is installed only once prevents the reuse attack.
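The mechanism described above (a retransmitted handshake message causing the client to reinstall the session key) and the “install a key only once” fix, written out as an added Python model. This is not the researcher’s code or any real supplicant; it models only the client’s state: installing a key also resets the transmit packet counter (the nonce), which is why reinstalling the same key makes the client protect new frames with key/nonce pairs it has already used. The Android/Linux all-zero-key behaviour quoted above is modelled by a flag that wipes the key buffer after installation. The key value, the message layout and the frame contents are constructed for the example; no real 802.11 framing or CCMP cryptography is performed.

```python
"""Toy model of the client side of the WPA2 four-way handshake, showing why a
retransmitted message 3 leads to key reinstallation and nonce reuse, and how
the backward-compatible fix (install a key only once) prevents it.

Constructed example for illustration: not the researcher's code, not a real
supplicant, and no real 802.11 framing or CCMP cryptography is involved.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical session key. Real keys are derived during the
# handshake, which this model does not perform.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ALL_ZERO_KEY = bytes(16)


@dataclass
class Message3:
    """Stand-in for handshake message 3 (AP -> client: 'install this key').
    Simplification: the negotiated session key is carried directly."""
    replay_counter: int
    key: bytes


@dataclass
class Client:
    # once_only: the fix, ignore further copies of message 3 once a key is installed
    once_only: bool = False
    # clear_after_install: model of the Android/Linux behaviour described in the
    # article, where the key buffer is wiped after installation, so a second
    # install pushes an all-zero key into the driver
    clear_after_install: bool = False
    pending_key: Optional[bytes] = None
    installed_key: Optional[bytes] = None
    tx_nonce: int = 0
    installs: int = 0
    frames: List[Tuple[Optional[bytes], int, str]] = field(default_factory=list)

    def receive_message3(self, msg: Message3) -> str:
        """Handle message 3. Unpatched: every copy (re)installs the key and
        resets the nonce. Patched: retransmissions are acknowledged but the
        key and counters are left untouched."""
        if self.once_only and self.installed_key is not None:
            return "ack-only"
        if self.pending_key is None:
            self.pending_key = msg.key      # first copy: key from the handshake
        self.installed_key = self.pending_key
        self.tx_nonce = 0                   # installing a key resets the nonce
        self.installs += 1
        if self.clear_after_install:
            self.pending_key = ALL_ZERO_KEY  # buffer wiped; next install is zeros
        return "installed"

    def send(self, plaintext: str) -> None:
        """Protect one data frame with the current key and next nonce."""
        self.tx_nonce += 1
        self.frames.append((self.installed_key, self.tx_nonce, plaintext))


def run_session(once_only: bool, clear_after_install: bool = False) -> Client:
    """Constructed exchange: message 3, two data frames, the AP's retransmission
    of the identical message 3 (its ack never arrived), then two more frames."""
    client = Client(once_only=once_only, clear_after_install=clear_after_install)
    msg3 = Message3(replay_counter=2, key=SESSION_KEY)
    client.receive_message3(msg3)
    client.send("GET /index.html")
    client.send("POST /login")
    client.receive_message3(msg3)           # retransmitted copy, same content
    client.send("GET /inbox")
    client.send("POST /transfer")
    return client


def reused_key_nonce_pairs(client: Client) -> List[Tuple[Optional[bytes], int]]:
    """Defender's check over a trace: (key, nonce) pairs that protected more
    than one frame. Any hit means keystream reuse in a CCMP-style cipher."""
    seen: Dict[Tuple[Optional[bytes], int], bool] = {}
    reused: List[Tuple[Optional[bytes], int]] = []
    for key, nonce, _ in client.frames:
        if (key, nonce) in seen and (key, nonce) not in reused:
            reused.append((key, nonce))
        seen[(key, nonce)] = True
    return reused


if __name__ == "__main__":
    vuln = run_session(once_only=False)
    print("unpatched: installs =", vuln.installs,
          "reused pairs =", [(k.hex(), n) for k, n in reused_key_nonce_pairs(vuln)])
    zero = run_session(once_only=False, clear_after_install=True)
    print("android/linux model: key after reinstall =", zero.installed_key.hex())
    fixed = run_session(once_only=True)
    print("patched: installs =", fixed.installs,
          "reused pairs =", reused_key_nonce_pairs(fixed))
```

The unpatched client installs twice and its third and fourth frames reuse the (key, nonce) pairs of its first two; the all-zero variant ends up protecting traffic with a key of sixteen zero bytes; the patched client installs once, answers the retransmission without touching its counters, and its nonces run 1 through 4 with no repeats. The same trace check, applied to a capture of a real client’s packet numbers across a handshake retransmission, is a straightforward way to confirm that a supplicant has the fix.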

Edit: For information about which Cisco products are vulnerable, see the issued advisory here. You can also read more about the vulnerability and Cisco’s response here.