[clug] WPA2 4-way handshake client vulnerability

Chris Smart clug at csmart.io
Mon Oct 16 19:51:17 UTC 2017


"In a key reinstallation attack, the adversary tricks a victim into
reinstalling an already-in-use key. This is achieved by manipulating and
replaying cryptographic handshake messages. When the victim reinstalls
the key, associated parameters such as the incremental transmit packet
number (i.e. nonce) and receive packet number (i.e. replay counter) are
reset to their initial value. Essentially, to guarantee security, a key
should only be installed and used once. Unfortunately, we found this is
not guaranteed by the WPA2 protocol. By manipulating cryptographic
handshakes, we can abuse this weakness in practice....

Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an
all-zero encryption key in the 4-way handshake. This was discovered by
John A. Van Boxtel. As a result, all Android versions higher than 6.0
are also affected by the attack, and hence can be tricked into
installing an all-zero encryption key. The new attack works by injecting
a forged message 1, with the same ANonce as used in the original message
1, before forwarding the retransmitted message 3 to the victim."

More information about the linux mailing list