November 8, 2008

WPA is sick (Not dead yet!)

I'm glad (as a security adviser) and glad again (as a for-hire intruder) that WPA is seriously sick, but not really dead yet! Later you'll see why I'm glad in both positions.

A few days ago I noticed a post on the SANS diary portal announcing a new attack against WPA that compromises the integrity, and partially the confidentiality, of the underlying traffic protected by WPA. Full technical details and possibilities are not disclosed yet, and everyone has to wait a few days for the announced talk at PacSec.

So what is this about?
Let's go back to 2004, the time the practical chop-chop attack against WEP encryption came out of the dark. WEP had actually (read: theoretically) been broken since 2001, but the chop-chop concept made it so easy that even your grandmother can own you!
In chop-chop the encryption is not really attacked, and as a result of a successful attack you would NOT get the clear-text of data protected by WEP (RC4, if you like crypto terms). Chop-chop only lets you make educated guesses about the contents of some encrypted packets (like ARP) and confirm that you can reproduce these packets with your own values while still not knowing the encryption key used to protect them.
Why was this possible in WEP? It's because of the way the protocol was designed. In WEP we can split the protection of 802.11 frames into two parts. One part is the payload (where the encrypted data resides) and the other part is the checksum of the encrypted part. If you try to send a modified (encrypted) payload that doesn't match its checksum, it will be rejected by the access point, but if you make a right guess where checksum and payload match, the AP will reply with an ACK. This is what chop-chop latches onto to begin its attack. Chop-chop is implemented against ARP packets because of their nature: ARP packets are small and their contents are easy to guess. In short, you have only two bytes to guess (or actually brute-force) to find a right match between the checksum and the header of the packet. These two bytes are the last two octets of the IP address, as in 192.168.X.Y. The other parts of an ARP packet are fixed and known. As a result, the attacker is able to get the clear-text content of a frame without knowing the key used to encrypt it.
Finally, the result of the chop-chop attack is used to make the AP generate a large number of packets with weak IVs, letting us crack and extract the encryption key.

In WPA things are a little different. There are some countermeasures to prevent an attacker from continually re-sending frames with a bad checksum. If the client receives two bad checksums within 60 seconds, it will pause for 60 seconds and then attempt to generate a new key and negotiate the connection again. This is what TKIP does, and it is why WPA is better than WEP: WPA implements an enhanced checksum algorithm (named 'Michael'). Note that TKIP is still weak because it's still based on RC4, and it is not the best workaround for WEP's weaknesses. TKIP (one of three workarounds provided after WEP's death) was just there to keep backward compatibility. The other two workarounds were based on AES encryption.




How is the new attack against WPA possible?

In chop-chop, to be able to break things we needed to be able to re-send packets, which is exactly what TKIP prevents. Here's the main point, or trick, in the newly discovered attack against WPA. Basically, and based on the standards, with TKIP in place we can only have two re-sends. But this new attack lets us have somewhere between 7 and 15 re-sends, making it possible to use the chop-chop concept again, against WPA!
The trick is that, although TKIP monitors and prevents re-sending, there is a weakness in this monitoring and prevention process. The new attack abuses an 802.11e feature: QoS.
In QoS, packets can be prioritised. This happens by placing different packets in different queues: VoIP packets in queue one, normal data in queue two, etc. QoS then manages these packets (marked with different queues) to give them priority as they travel around the network. Here's exactly where things break for TKIP. IEEE did not consider this little queue point while implementing TKIP, so if you use a different QoS queue for each of your re-send attempts, TKIP will miss them! Although 802.11e seems to have only 4 available queues for QoS, the standard actually has 8. The researchers discovered that there are still 8 more available for marking packets in some way. Each available queue means the ability to re-send one more frame!
The low number of available queues is why this attack takes a long time (900 seconds according to the talk announcement, which is for guessing a valid ARP packet with 16 bits of values to guess). If we send too much (more than one re-send within 60 seconds over each available queue), TKIP will generate a new key and we're lost.
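The pacing described above leaves a trace a defender can look for: MIC failures that keep recurring for one client but never fall within the 60-second countermeasure window. The following is an added detection sketch, not code from the researchers or from aircrack-ng; the event tuple format, the `MIN_FAILURES` threshold and the sample events are assumptions made for illustration.

```python
from collections import defaultdict

GAP = 60          # from the text: two MIC failures within 60 s trigger countermeasures
WINDOW = 900      # from the text: announced attack duration, in seconds
MIN_FAILURES = 4  # assumed alert threshold; tune it for your environment

# Constructed sample events: (seconds, client MAC, event name). Not real captures.
EVENTS = [
    (0, "02:00:00:00:00:0a", "MIC_FAILURE"),
    (10, "02:00:00:00:00:0b", "MIC_FAILURE"),
    (25, "02:00:00:00:00:0b", "MIC_FAILURE"),   # burst: countermeasures fire
    (40, "02:00:00:00:00:0c", "ASSOC"),
    (65, "02:00:00:00:00:0a", "MIC_FAILURE"),
    (131, "02:00:00:00:00:0a", "MIC_FAILURE"),
    (200, "02:00:00:00:00:0a", "MIC_FAILURE"),
    (262, "02:00:00:00:00:0a", "MIC_FAILURE"),
    (330, "02:00:00:00:00:0a", "MIC_FAILURE"),
    (400, "02:00:00:00:00:0c", "MIC_FAILURE"),  # isolated failure: noise
]


def paced_mic_failures(events, gap=GAP, window=WINDOW, min_failures=MIN_FAILURES):
    """Return {client: timestamps} for clients with recurring MIC failures
    that are always spaced more than `gap` seconds apart."""
    per_client = defaultdict(list)
    for ts, mac, kind in sorted(events):
        if kind == "MIC_FAILURE":
            per_client[mac].append(ts)

    suspects = {}
    for mac, times in per_client.items():
        run, best, last = [], [], None
        for ts in times:
            if last is not None and ts - last <= gap:
                run = []  # countermeasures fired and keys were renegotiated
            else:
                run = [t for t in run if ts - t <= window] + [ts]
            last = ts
            if len(run) > len(best):
                best = run
        if len(best) >= min_failures:
            suspects[mac] = best
    return suspects


if __name__ == "__main__":
    for mac, times in paced_mic_failures(EVENTS).items():
        print(f"{mac}: {len(times)} paced MIC failures at {times}")
```

A burst of failures is already visible because it triggers the rekey; this check covers the quieter case where the failures stay just outside that window.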

This research is the result of work by Erik Tews (the guy behind the PTW attack) and Martin Beck, a member of the aircrack-ng team.
There are some notes about this new attack.
  • This attack is valid only against WPA; WPA2 (using AES as encryption) is considered safe. This is why I was happy at the beginning of the post! For a few years now I've completely ignored WPA in my consultancies and never accepted keeping WPA alive just because some lame people out there on the network cannot upgrade their devices to support WPA2.
  • Don't waste a single day if you've not upgraded your environment to WPA2. Even with WPA2 you should NOT rely on the security of the protocol, and you're highly recommended to use a second layer of defence by implementing IPsec or a VPN over wireless links.
  • This attack will NOT lead to compromising clear-text data directly; like chop-chop, it just lets us gain access to the PRGA (used to encrypt frames).
  • This attack only works against traffic FROM the access point TO the client. Client-to-AP traffic is considered safe.
  • This attack makes it possible to inject packets into the affected traffic stream! For example, it is possible to implement an ARP poisoning attack by abusing it.
  • This attack is still as slow as discovering one bit of a frame per minute. This is why it's effective only against small packets like ARP or DNS. However, it's just a time limitation, and most hackers have enough time for what they're planning to do!
  • This research is NOT a secret anymore. The researchers provided a PoC through the SVN repository of the aircrack-ng suite. The tool is named tkiptun-ng.
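To check the WPA2-with-AES recommendation in the notes above on an access point, here is an added example (not from the original post) that audits a hostapd-style configuration for any remaining path to TKIP. It assumes the AP runs hostapd and relies on hostapd's documented defaults, where `wpa_pairwise` defaults to TKIP and `rsn_pairwise` defaults to the value of `wpa_pairwise`; the sample configurations are constructed.

```python
# Constructed sample configurations; the SSID and values are invented.
WEAK = """
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK
"""
MIXED = "wpa=3\nwpa_pairwise=TKIP CCMP\nrsn_pairwise=CCMP\n"
FIXED = "wpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n"


def parse(conf_text):
    """Parse key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def tkip_findings(conf_text):
    """Return a list of reasons why this BSS can still negotiate TKIP."""
    cfg = parse(conf_text)
    wpa = int(cfg.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    # Assumed hostapd defaults: wpa_pairwise=TKIP, rsn_pairwise=wpa_pairwise.
    wpa_pairwise = cfg.get("wpa_pairwise", "TKIP").split()
    rsn_pairwise = cfg.get("rsn_pairwise", " ".join(wpa_pairwise)).split()
    findings = []
    if wpa & 1:
        findings.append("WPA (v1) is enabled; set wpa=2")
    if wpa & 1 and "TKIP" in wpa_pairwise:
        findings.append("wpa_pairwise allows TKIP")
    if wpa & 2 and "TKIP" in rsn_pairwise:
        source = "rsn_pairwise" if "rsn_pairwise" in cfg else "default"
        findings.append(f"WPA2 still negotiates TKIP ({source}); set rsn_pairwise=CCMP")
    return findings


if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("MIXED", MIXED), ("FIXED", FIXED)):
        print(name, tkip_findings(conf) or "no TKIP path found")
```

The `WEAK` sample shows the case that is easy to miss: `wpa=2` alone selects WPA2, but with no pairwise cipher set the TKIP default still applies.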

If you're interested in reading more (technical) details about this new attack, I recommend reading these two sources. Wait a few days and we'll all get full details :)
Keep in mind that this is just the discovery phase of this new attack vector! I believe there will be many improvements and new tricks based on this in the future. So, there's no reason not to think about migrating to WPA2.

I'm planning to practically test this attack ASAP, so I may update you through a new post on this topic. Now I have a better motivation to unpack and use my 300 mW Ubiquiti wireless adaptor :p

[Update 1 // November 9]
Well, the official paper on their interesting work has just been published. Here it is.