All modern Wi-Fi networks are protected by Wi-Fi Protected Access II (WPA2). The Wi-Fi standard contains a weakness that could be exploited to read traffic that was previously assumed to be encrypted, or to modify or inject traffic. As the problem is not bound to specific implementations, it can be assumed to be present in any product or device.
Due to the nature of this problem, the vulnerability might exist in all Wi-Fi implementations. CERT.org maintains an extensive list of affected products.
Details on the Vulnerability
A protocol flaw in the 4-way handshake allows an attacker to reset the nonce by collecting and replaying retransmissions of message 3 during this process.
By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.
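The following simplified model is an added example, not code from the original advisory or from any Wi-Fi implementation. It shows why a replayed message 3 leads to nonce reuse and how a defender can check sent frames for it. The `Supplicant` class, the SHA-256 keystream (a stand-in for CCMP counter mode) and the `patched` behaviour (not reinstalling a key that is already installed) are assumptions made for illustration.

```python
import hashlib

# Constructed sample plaintexts of equal length.
P1, P3 = b"constructed frame 1", b"constructed frame 3"

def keystream(tk: bytes, pn: int, n: int) -> bytes:
    # Stand-in for CCMP counter mode: output depends only on (key, packet number).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + ctr.to_bytes(2, "big")).digest()
        ctr += 1
    return out[:n]

class Supplicant:  # hypothetical client model
    def __init__(self, patched: bool):
        self.patched, self.tk, self.pn, self.sent = patched, None, 0, []

    def on_message3(self, tk: bytes) -> str:
        # Unpatched: every (re)transmitted message 3 reinstalls the key and
        # resets the packet number. Patched (assumed countermeasure): a key
        # that is already installed is left in place, so the counter keeps going.
        if not (self.patched and tk == self.tk):
            self.tk, self.pn = tk, 0
        return "message4"

    def send(self, plaintext: bytes) -> bytes:
        self.pn += 1
        ks = keystream(self.tk, self.pn, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        self.sent.append((self.pn, ct))
        return ct

def reused_nonces(sent):
    # Detection check: packet numbers that appear more than once under one key.
    seen, reused = set(), set()
    for pn, _ in sent:
        (reused if pn in seen else seen).add(pn)
    return sorted(reused)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def run(patched: bool):
    tk = bytes(16)                 # constructed 128-bit key
    s = Supplicant(patched)
    s.on_message3(tk)              # original message 3
    s.send(P1)
    s.send(b"constructed frame 2")
    s.on_message3(tk)              # retransmitted message 3
    s.send(P3)
    return s.sent
```

In the unpatched run, the first and third frames are encrypted with the same keystream, so XORing the two ciphertexts cancels the keystream and yields the XOR of the two plaintexts. In the patched run every frame has a distinct packet number.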
The following CVE IDs are assigned to track affected products:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Fixing, remediation and mitigation
Patches are available for several but not all devices. Where patches are not available, it is strongly suggested to apply the following recommendations:
- Only access SSL/TLS encrypted services and make sure the usual verification symbols are properly shown
- Reduce signal strength of your Wi-Fi devices to limit the exposure of your network
- Contact the vendor of your Wi-Fi equipment or large-scale resellers like ISPs
- Consider exchanging end-of-life Wi-Fi devices with recent devices - preferably from reactive vendors.
References
- Key Reinstallation Attacks - academic publication
- CERT.org Vulnerability Note VU#228519
- Ars Technica
- Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II
- WPA packet number reuse with replayed messages and key reinstallation
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.0 - TLP:WHITE - First version - 16 Oct 2017