WiFi Protected Access II (WPA2) handshake traffic could potentially be manipulated by attackers within range of vulnerable devices, according to recent research. The WiFi vulnerabilities could lead to malicious users gaining access to passwords, emails, or other sensitive data, and even allow ransomware to be injected.
The US Computer Emergency Readiness Team’s (US-CERT) Coordination Center (CERT/CC) said that the vulnerabilities are in the WPA2 protocol, “which means that all WPA2 wireless networking may be affected.”
“WPA2 handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client,” CERT/CC said in a release. “An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used.”
“Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames.”
Weaknesses could be exploited using key reinstallation attacks (KRACKs). Organizations must perform security updates as soon as they become available, stressed researchers who made the discovery.
“Note that if your device supports Wi-Fi, it is most likely affected,” according to Mathy Vanhoef of the imec-DistriNet group at KU Leuven. “During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks.”
The potential attack could happen through the 4-way handshake of the WPA2 protocol, which happens when an individual wants to join a WiFi network. The handshake confirms that the user and access point have correct credentials, such as the previously shared network password.
Vanhoef explained that attackers will trick users into reinstalling an already-in-use key during key reinstallation attacks.
“This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”
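To make the reset described above concrete, here is an added Python model of a client's per-key transmit state; it is not Vanhoef's code or any real Wi-Fi stack. It assumes a hash-based keystream as a stand-in for CCMP's AES-CTR keystream, and the `Station` class, `install_key` and `run_scenario` are names chosen here. The vulnerable variant resets the packet number when the same key is installed again (a replayed handshake message 3), so two frames share a nonce and their XOR leaks the XOR of the plaintexts; the fixed variant leaves an already-installed key alone, so the packet number keeps counting.

```python
import hashlib
from dataclasses import dataclass, field


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the counter-mode keystream CCMP derives from (key, nonce).
    Like AES-CTR, the same key and nonce always yield the same keystream."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


@dataclass
class Station:
    """Minimal model of one WPA2 client's transmit state for a pairwise key."""
    allow_reinstall: bool            # True models the pre-patch behaviour
    key: bytes = b""
    pn: int = 0                      # transmit packet number, the per-key nonce
    log: list = field(default_factory=list)

    def install_key(self, key: bytes) -> None:
        # Vulnerable: a replayed message 3 reinstalls the same key and resets PN to 0.
        # Fixed: a key that is already in use is not reinstalled, so PN is preserved.
        if self.key == key and not self.allow_reinstall:
            self.log.append("reinstall ignored")
            return
        self.key, self.pn = key, 0
        self.log.append("key installed")

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        nonce = self.pn.to_bytes(6, "big")   # CCMP builds its nonce from the 48-bit PN
        self.pn += 1
        ks = keystream(self.key, nonce, len(plaintext))
        return self.pn - 1, bytes(p ^ k for p, k in zip(plaintext, ks))


def run_scenario(allow_reinstall: bool) -> dict:
    """Send one frame, replay the key-install step, send another; report what happened."""
    sta = Station(allow_reinstall)
    sta.install_key(b"constructed-demo-key-not-a-real-PTK")   # constructed sample key
    p1, p2 = b"GET /status HTTP/1.1", b"Host: intranet.example"   # constructed frames
    n1, c1 = sta.encrypt(p1)
    sta.install_key(b"constructed-demo-key-not-a-real-PTK")   # models the replayed message 3
    n2, c2 = sta.encrypt(p2)
    m = min(len(c1), len(c2))
    xor_ct = bytes(a ^ b for a, b in zip(c1[:m], c2[:m]))
    xor_pt = bytes(a ^ b for a, b in zip(p1[:m], p2[:m]))
    return {"nonce_reused": n1 == n2, "xor_leaks_plaintext": xor_ct == xor_pt, "log": sta.log}
```

Running `run_scenario(True)` reproduces the nonce reuse the article describes, while `run_scenario(False)` shows why refusing to reinstall an in-use key removes it.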
Changing a WiFi password will not prevent or mitigate the attack, warned Vanhoef.
“Instead, you should make sure all your devices are updated, and you should also update the firmware of your router,” he cautioned. “Nevertheless, after updating both your client devices and your router, it's never a bad idea to change the Wi-Fi password.”
The attacks can be used against both WPA1 and WPA2, Vanhoef added. Personal and enterprise networks are both vulnerable, as is “any cipher suite being used (WPA-TKIP, AES-CCMP, and GCMP).”
Healthcare organizations cannot assume that they will be unaffected by these WiFi vulnerabilities. Entities must install updates to affected products and hosts as soon as they become available.
Employees must also be advised against using WiFi until necessary patches have been implemented.
Failing to perform system updates or install security patches could lead to serious issues for organizations across all industries, including healthcare. US-CERT previously warned entities about how unpatched and unsupported software may increase the risk of being affected by malicious software, such as ransomware.
The Petya ransomware strain encrypted the master boot records of infected Windows computers, for example. US-CERT warned that the ransomware exploited vulnerabilities in Server Message Block (SMB) and made devices unusable.
The agency urged organizations to disable SMBv1 and to block “all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”
“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices,” the agency added. “The benefits of mitigation should be weighed against potential disruptions to users.”