Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Researchers Find Flaws in WPA2’s 4-way Handshake Implementations

Researchers have discovered several security vulnerabilities in implementations of Wi-Fi Protected Access two (WPA2)’s 4-way handshake, which is used by nearly all protected Wi-Fi networks.

Researchers have discovered several security vulnerabilities in implementations of Wi-Fi Protected Access two (WPA2)’s 4-way handshake, which is used by nearly all protected Wi-Fi networks.

The discovery was the result of simulating cryptographic primitives during symbolic execution for the analysis of security protocol implementations, KU Leuven researchers Mathy Vanhoef and Frank Piessens explain in a recently published whitepaper (PDF).

By applying the technique on three client-side implementations of WPA2’s 4-way handshake, the researchers discovered timing side-channels when verifying authentication tags, a denial-of-service attack, a stack-based buffer overflow, and a non-trivial decryption oracle.

Through symbolic execution, the researchers claim, one aims to exhaustively explore all code paths of a program by running on symbolic inputs instead of concrete ones. For their experiments, the researchers implemented the techniques on top of the KLEE symbolic execution engine (they modified the engine to handle cryptographic primitives).

Of the three tested implementations, two were found susceptible to trivial timing side-channels, because they verify authentication tags using timing-unsafe memory compares.

The researchers found a denial of service in Intel’s iwd daemon (iNet wireless daemon) and a stack-based buffer overflow (in code that processes decrypted data) in MediaTek’s implementation, both of which can be triggered by malicious Access Point (AP). The AES unwrap algorithm was found to be incorrectly implemented in MediaTek’s code.

Furthermore, the wpa supplicant (a cross-platform supplicant with support for WEP, WPA and WPA2 (IEEE 802.11i)) was found vulnerable to a non-trivial decryption oracle caused by processing decrypted but unauthenticated data. Tracked as CVE-2018-14526, the bug can be exploited to recover sensitive information.

“This decryption oracle can be exploited when the victim connects to a WPA2 network using the old TKIP encryption algorithm. It can be abused to decrypt the group key transported in message 3 of the 4-way handshake,” the researchers note.

The attack, however, is only possible if WPA2 is used and if the client selects TKIP as the pairwise cipher, so that the RC4 stream cipher is used to encrypt the key data field (if CCMP is selected, AES is used to protect the key data field). Both conditions are met when the Wi-Fi network uses WPA2 and only supports TKIP (in 2016, 20% of protected Wi-Fi networks used this configuration).

The flaw allows an attacker to decrypt the group key transported in message 3 of WPA2’s 4-way handshake and use it to inject both broadcast and unicast traffic. Furthermore, the key could be used to decrypt unicast and broadcast traffic, the research paper claims.

“We successfully applied symbolic execution to client-side implementations of the 4-way handshake of WPA2, by simulating cryptographic primitives, and constraining parts of the symbolic input to prevent excessive state explosions. This revealed memory corruptions in code that processes decrypted data, uncovered insecure implementations of cryptographic primitives, and even revealed a decryption oracle,” the researchers note.

Earlier this week developers of the popular password cracking tool Hashcat identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.

 Related: New Method Discovered for Cracking WPA2 Wi-Fi Passwords

Related: WPA3 to Bring Improved Wireless Security in 2018

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...