Tunnel image

New WPA2 hack allows Wi-Fi password crack much faster

Wi-Fi encryption developed yet another chink in its armor this week. It’s now much easier to grab the hashed key.

So a hacker can capture a ton of WPA2 traffic, take it away, and decrypt it offline.

WPA3 can’t come soon enough. In this week’s Security Blogwatch, we’re in your GPUs, hashing your cats.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: What if Hitler didnt invade Russia?

State of Security Operations 2018

PMKID vuln in PSK nets

What’s the craic? Shaun Nichols—Cracking the passwords of some WPA2 Wi-Fi networks just got easier:

The folks behind the password-cracking tool Hashcat claim they've found a new way to crack some wireless network passwords in far less time … by snooping on a single data packet going over the air. [The] technique specifically works against … Wi-Fi networks with PMKID-based roaming features enabled … using IEEE 802.11i/p/r protocols.

Jens Steube, creator of the open-source software, said the new technique … would potentially allow someone to get all the information they need to brute-force decrypt a Wi-Fi password. … Previously, an attacker would need to wait for someone to log into a network [and] capture the four-way handshake.

Why isn’t there more love in the world? Here’s Tara Seals with a kiss: [You’re fired—Ed.]

Wi-Fi just became a little less safe. … Hackers have compromised the WPA/WPA2 encryption protocols in the past, but it’s a … time-consuming process that requires a man-in-the-middle approach.

The new strategy allows an attacker to instead lift the … Pairwise Master Key Identifier (PMKID) … directly from the router, without waiting. … The average time it takes to accomplish one’s nefarious purpose is around 10 minutes.

Hashcat creator Jens Steube describes his New attack on WPA/WPA2 using PMKID:

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called "Simultaneous Authentication of Equals" (SAE).

We think it will work against … most modern routers. … The main advantages of this attack are as follows:

Attacker directly communicates with the AP (aka "client-less" attack).
No more waiting for a complete 4-way handshake. …
No more eventual retransmissions of EAPOL frames. …
No more lost EAPOL frames. 

The PMKID is computed by using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of a fixed string label "PMK Name", the access point's MAC address and the station's MAC address.

Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector. … [Then] we can attack this hash as any other hash type.

Sounds too simple; what’s the catch? Johannes Luther agrees, calling it Yet Another WPA Attack:

This attack is so obvious, I cannot believe nobody found it earlier (including me). It … utilizes one problem of PMKID caching: the WLAN password is actually transported over the air in a hash [so] it’s attackable using brute-force attacks.

The intent of PMKID caching is to efficiently roam between multiple access points using EAP as authentication (WPA2 Enterprise) to prevent that during a roaming event a full EAP authentication is performed. Otherwise, roaming might take some time depending on the used EAP method (e.g. EAP-TLS, PEAP), which has an impact on time sensitive applications like voice.

Typically all fast roaming technologies make use of PMK caching, including 802.11i [and] 802.11r. … Only WPA and WPA2 Personal (pre-shared key) are vulnerable. … WPA2 Enterprise (802.1X) is typically not vulnerable … because the PMK is dynamic.

WLAN vendors which send the PMKID in the first message of the 4-way handhake should consider to remove the PMKID in WPA2 PSK configured WLANs (non-802.11r). This way the exploit is fully mitigated.

If you are an 802.11r user in combination with PSK, reflect if this is really necessary. [Or] disable WPA2 Personal in your network completely and rely on WPA2 Enterprise using a secure EAP method (e.g. EAP-TLS, PEAP, EAP-TTLS).

Seems like zrm is ready to give up:

Sometimes I wonder if trying to encrypt WiFi is even worth it.

The counterargument is keeping packet headers (i.e. remote IP addresses) and plaintext DNS queries private, but that's already the use case of a VPN. Even if it's just a "VPN" to your own home router. And then it protects you even against the operator of the access point (or someone impersonating it because, as usual, the passphrase is widely distributed).

But EnviableOne feels a little déjà vu:

WPA2 is broke, we need vendors to push WPA3 updates asap.

Also wifi-alliance people, can we come up with something completeley different to switch to after?

Secure Wireless Access Protocol?

Accordingly, Steve Gibson rants gently:

It isn't clear that WPA2 routers will be able to upgrade their firmware to WPA3. … The Wi-Fi Alliance is all about certification and stamps and trademarks and nonsense which shouldn't happen.
There should be none of that … in a protocol as important to the world as wireless Ethernet access. But … that's where we are.

Even if routers could get updated, or when they're eventually replaced, all the other devices need to be updated too. … it's not clear when IoT light bulbs are gonna get themselves updated, so we're stuck with WPA2 for the foreseeable future.

The only protection here is a really high-entropy password for the access point. … I would argue that given the amount of attention this is getting [and] the fact that we are a long way away from WPA3 … there just is no excuse now not to use a password for a Wi-Fi system that it is not possible to remember.

I think we will see shortly some turnkey tools. … You know someone's gonna automate this and then that then turns lots of people loose. … It's an offline attack so after you capture the traffic you go home … turn off your Bitcoin miner and have it do hash cracking instead.

So how is WPA3 better? Larry Seltzer answers How and why:

I spoke to Dan Harkins, distinguished technologist at Aruba … and author of many of the basic standards behind WPA3. … I am writing this in a big-chain coffee shop … but the Wi-Fi security features have been turned off.

WPA3 solves this problem by implementing a new standard called Opportunistic Wireless Encryption (OWE), an author of which is none other than Harkins. An OWE-capable client and access point will behave just as with an open network like the one I’m using now, but the traffic will be strongly encrypted, even without a password. [So it] demands nothing of users nor staff.

For many years, there have been attacks against WPA2-PSK (Pre-Shared Key) networks, meaning those with shared passwords. … PSK in WPA3 uses a new authentication method called SAE (Simultaneous Authentication of Equals) … basically an implementation of another Harkins specification, Dragonfly Key Exchange.

Dragonfly does not transmit the hash of the password. [It] solves what is known as a zero-knowledge problem, meaning that the two parties attempting to connect on the network must prove to each other that they both know the secret without actually divulging [it].

But Roland6 urges us not to over-egg this:

If you don't have WiFi roaming/reassociation enabled - something that was considered a security risk back in 2007 - then your network isn't vulnerable.

If you are considering using 64 character PSKs that it is probably better to go the whole hog and go to an 802.1x implementation.

What, Palladium worry?

This is probably like all those uncountable Android security holes that somehow never get any real attacks despite all the fear-mongering.

Meanwhile, bcaa7f3a8bbc is impressed:

Impressive. Even brute-force attacks eventually get better.

The moral of the story? WPA2 Personal considered harmful, but the sky’s not falling (yet).

And Finally…

What if Hitler never invaded Russia in WWII?

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Carl Nenzén Lovén (cc:by)

Topics: Security