The KRACK attack: How does it affect your smarthome?

Landing firmly in the bucket of "Of course it did...", only a week after writing about how all is well with WPA2 so long as you have a strong password, a flaw in the protocol design is uncovered that completely bypasses a strong password.

After reading up on the various tech coverage of the last couple of weeks, things have settled down somewhat. We've gone through the usual phases of "ZOMG everything is broken!", through "It's bad, but not as bad as we thought" and now we've landed on "OK, we can work with this".

A Short Primer

Before we look at the impacts on the smart home, let's take a quick look at what is going on first.

A researcher at the Distrinet research group of the department of Computer Science at KU Leuven uncovered a novel flaw in the WPA2 wireless security protocol earlier this year. The flaw involves the way a supplicant (client) wanting to join a WPA2 secured network handles a hiccup in the 4-way handshake.

WPA2-Handshake.gif

Essentially, the first two messages of the 4 way handshake involve the access point and the supplicant sending each other a 'nonce'. This is a random single use number used in cryptography algorithms, hence the term 'number once'. As the nonce is used to initialize the cipher stream, which is the random bit sequence used to encrypt the traffic between the device and the network, it is imperative that it only be used ONCE.

The problem arises when the 4th message in the handshake which is the acknowledgment of the session key, or PTK, being received), doesn't arrive at the access point. Being a helpful access point, it assumes it got lost through a collision, interference or some such, so it resends the 3rd message. This causes the supplicant to reinstall the key again, and reset the stream. In crypto this is a big no-no because it allows an attacker to reverse engineer the cipher stream and decrypt the session by looking at how known content is encrypted.

The Impact

OK, so that sounds really bad...anyone can break into your network at will and there's nothing you can do about it.

The actual severity varies by device and configuration. Android 6.0 and higher, and Linux are especially vulnerable as the key replay causes the client to reset the key to 0, allowing the attacker to decrypt everything (as they now know the actual key in use). Networks using TKIP or GCMP are similarly effected as the nonce reuse allows not only packet decryption, but forgery and injection as well.

Microsoft and Apple, on the other hand, mis-implemented the protocol in a way which, fortuitously, makes them immune to the bulk of the attack methods tried so far. They are still vulnerable to one attack vector though, the group key handshake.

As a result, even though WPA2 is used, the adversary can now perform one of the most common attacks against open Wi-Fi networks: injecting malicious data into unencrypted HTTP connections. For example, an attacker can abuse this to inject ransomware or malware into websites that the victim is visiting.
— Mathy Vanhoef, DistriNet

As the attack allows largely open access to communications between your device and the network, the researchers note the effect is similar to being on an open Wifi network without a VPN. As such, the main devices you want to be protected are those handling personal data; your actual PCs, phones, and so forth. Your IoT devices are typically going to be low value, as they aren't handling anything that is useful in many cases. Some articles have noted devices like TVs and voice assistants may have credentials to services like Netflix and Amazon, but again, when those credentials are used they typically will be over TLS encrypted connections by virtue of the services themselves, not the device.

It would be possible for a concerted attack on a device to potentially expose other vulnerabilities and access it's internal storage. In such an event you may have a breach, but only if the device is not storing the credentials securely. It would be naive to think this is given, we've seen plenty of cheap consumer grade devices doing this badly, but the better products (like Nest and Canary) have this covered.

The availability of patches will also vary widely. The better device makers that have control of the relevant firmware will be rolling out patches soon for the most part, but there are many who are reliant on the wireless chipset manufacturers to release an update for the hardware itself, and there will be many further that have no mechanism for updating that firmware at all.

CERT has a real time list of affected devices, but this is fairly unhelpful. As Mathy Vanhoef notes in his Q&A, if your device uses WiFi, it's probably affected.

Mitigations

There are some significant mitigations worth nothing though. First is that we're talking about the session key between the access point and a specific targeted device, not the whole network. This doesn't allow an attacker cart-blanche access, and it doesn't expose the network key or passphrase. This means your exposure is down to which devices you have that are vulnerable, and that comes down to which are getting patched. All the major players are on the ball, and will have patches out for their devices in the net month or so, if they haven't already (Microsoft has already pushed theirs, even though their, and Apple's, implementation of WPA2 was largely immune). Apple, Google, Amazon, Nest and others have announced theirs are on the way shortly.

In addition to that list, I've looked at a few other significant companies to see what their status is.

LiFX has patches in the works, but some of their lighting products need updates from the chipset manufacturer. SmartThings doesn't use WiFi on their hubs, so they are unaffected directly. Many others are silent at this point including Canary, Wink, Netatmo, and others with clear WiFi exposure.

Note that while patching routers is a good idea, they are not the target of KRACK unless they are acting as clients. If you run a mesh network then some of them are, indeed, doing that and will need to be patched.

The second mitigation is that this is not an easy attack to deploy. It requires a man-in-the-middle attack by an attacker in WiFi range of your network. A bogus Access Point needs to be established to spoof your real one, using the same MAC Address. The researchers managed that by putting the rogue AP on a separate channel to avoid Ethernet collisions. At this stage, it's non-trivial and localized, but it's getting easier with further research and you know it will be weaponized soon enough. This means we can't afford to be complacent.

The third mitigation is that any good device sending traffic to the internet (usually their own cloud service) should be using TLS encrypted connections. TLS encrypted traffic is still out of reach of an attacker, they can only see the encrypted data passing by.

Conclusion

The sky is not yet falling. The best advice is to get everything you can patched as soon as you can, but continue to use WPA2-PSK with a strong password, it's still the best we have. The fix is actually trivial and equates to a check in the 4-way handshake along the lines of "If I receive the key, but I've already installed it, don't do it again".

We can assume many cheap IoT devices will not get patched, so we need to assess what we have, what it has access to, and whether we care. It may be time to retire some of the less stellar examples of technology we have if they're not getting supported and pose a risk to our privacy. Definitely be sure to update your phones and PCs as soon as possible, and probably avoid using public WiFi on them until you have.