KRACKing WPA/2 Part 2 - Android Exploit
2017-10-18 - [46] 8:2
This blog post assumes you have read the previous blog post, KRACKing WPA/2. If you have not, please read that post first.
What Is the KRACK Android Exploit?
The researcher who discovered the Key Reinstallation attack on WPA/2 also found a terrifying exploitable bug in some versions of wpa_supplicant (2.4 and 2.5) which effected many Linux distributions, but more importantly, many Android phones running Android 6.0 (I do not know if other versions of Android were effected, as the research paper only specifically mentions Android 6.0 and I have not personally tested this bug on other versions of Android), which is a large market share of Android users.
[HTTPS] Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (Paper Download)
Normally, when the third handshake is sent to the client a second time, they will reinstall the PTK and reset the nonce. On the effected versions of wpa_supplicant, an unexpected behavior happens where the PTK will become an all-zero encryption key. The attacker can then trivially decrypt messages from the client and encrypt messages to the client using an all-zero encryption key as well.
What Does This Mean?
This bug means that an effected device would authenticate to a legitimate router in a cryptographic fashion and then an attacker can hijack the connection, making the client believe that it is still connected to the router when in reality the client is connected to the attacker. The attacker will be the access point to the client and the client wouldn't notice.
What if the Client is Already Connected to the Router?
Specially crafted wifi packets can be broadcasted to clients to essentially state "I changed wifi radio channels, try connecting to me at this new channel." This is a request that has practical and legitimate reasons for existing, but it can also be utilized to hijack a connection in this case. The client would then connect to the attacker and the attacker would pretend to be the client in order to connect to the router, acting as a Man-in-the-Middle. At that point, the attacker can attack the client with the KRACK exploit. This principle can be used to exploit the client with the normal KRACK exploit as well as the all-zero encryption key exploit.
Patch Your Stuff (If You Can...)
Supported Linux distributions should either have a patch out for wpa_supplicant already or be sending out a patch decently soon. The same goes for supported Android devices. There is a problem though... and that problem is how difficult it is to patch unsupported Android devices, which become unsupported very quickly with the high turnaround rate of Android devices coming out. Device manufacturers may provide patches for older devices, but I am honestly not holding my breath for that to happen. We'll just have to see what happens in that regard.
Turning This Exploit Into a Script
There is a decently high chance that I will be making a PineAP Module of this exploit in particular for the Wifi Pineapple. That said, I talked to Seb Kinne a little bit about this exploit and he is well aware of it and its potential. I'll just have to see how things go over the next few weeks in terms of free time to put this into an easy to use script and have it tested.