This talk first explains how the KRACK attack against WPA2 works, and then discusses several new implementation-specific improvements.
The Key Reinstallation AttaCK (KRACK) works by tricking a victim into reinstalling an already-in-use key. This resets the key’s associated parameters, such as transmit nonces and receive replay counters. We illustrate the idea behind this attack against the 4-way handshake, and then we discuss its practical impact. Put simply, an adversary can abuse it to replay and decrypt traffic, and possibly forge traffic.
We also present new research where we abuse implementation-specific bugs to further improve the attack. In particular, we first show that certain routers wrongly accept replayed handshake messages. This enables trivial key reinstallation attacks against routers, even if they don’t support 802.11r. Second, some clients reuse the old SNonce during a rekey, allowing an attacker to cause a key reinstallation by replaying old 4-way handshake messages. Third, certain devices incorrectly install the group key, making it easy to replay broadcast frames towards the client. Fourth, many devices were found to accept replayed broadcast frames even without triggering a key reinstallation. Finally, we demonstrate how replaying broadcast Wi-Fi frames can be abused to attack smart devices such as Wi-Fi-enabled power plugs.
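As an added example (not code from the talk or its authors), the following toy Python model of a supplicant shows why a replayed message 3 matters: reinstalling an already-in-use PTK resets the packet-number counter, so later frames reuse nonces, whereas a supplicant that refuses to reinstall a key it already uses keeps the counter monotonic. The class and function names are hypothetical and no real 802.11 cryptography is performed; the `nonces_reused` check is the kind of invariant a defender can assert in driver tests.

```python
"""Toy model of a WPA2 supplicant's key-installation logic (added example,
not code from any real driver). It models only the state that KRACK abuses:
the transmit packet number (PN), which is the per-frame CCMP nonce input."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Frame:
    pn: int           # CCMP packet number used as the nonce for this frame
    payload: str


@dataclass
class Supplicant:
    patched: bool
    ptk: Optional[bytes] = None
    pn: int = 0                                 # transmit nonce counter
    sent: List[Frame] = field(default_factory=list)

    def install_ptk(self, ptk: bytes) -> None:
        """Handing a key to the driver resets its nonce/replay state."""
        self.ptk = ptk
        self.pn = 0

    def receive_msg3(self, ptk: bytes) -> None:
        """Message 3 of the 4-way handshake, possibly a retransmission."""
        if self.patched and self.ptk == ptk:
            return            # key already in use: acknowledge, do not reinstall
        self.install_ptk(ptk)

    def send(self, payload: str) -> Frame:
        self.pn += 1          # every data frame must consume a fresh PN
        frame = Frame(self.pn, payload)
        self.sent.append(frame)
        return frame


def nonces_reused(frames: List[Frame]) -> Set[int]:
    """Detection check: packet numbers used more than once under one key."""
    seen: Set[int] = set()
    dup: Set[int] = set()
    for f in frames:
        (dup if f.pn in seen else seen).add(f.pn)
    return dup


def run(patched: bool) -> Set[int]:
    """Deliver msg3, send traffic, replay msg3, send more; report reused PNs."""
    s = Supplicant(patched)
    s.receive_msg3(b"PTK-A")          # constructed key; first install, pn = 0
    s.send("dns query"); s.send("tls record")
    s.receive_msg3(b"PTK-A")          # retransmitted msg3 (the KRACK trigger)
    s.send("http request"); s.send("ssh keystroke")
    return nonces_reused(s.sent)
```

`run(False)` reports packet numbers 1 and 2 reused after the replay, while `run(True)` reports none.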