Add1son's Blog

A place for pondering, planning and projects

WPA2 is Broken – KRACK

The HOT new trend is to name the vulnerability that was found with a cool catchy name (CVE’s just don’t cut it anymore), this one holds the name “KRACK”. Other notable vulnerabilities that were named other than this one being Heartbleed, Badlock and ImageTragick.

The embargo on this vulnerability broke at 6AM EST, 10/16/2017 and the following eruption and hype up this this point was very interesting. The technicality of this attack lies in the 4 way handshake in authentication with WPA2 and the mechanism is described much better than I would be able to describe in the sources listed at the bottom.

The implications and proposed fixes here are what are interesting. In the paper countermeasures are listed as mitigation of the key installation attacks and changing the way the Pairwise Transient Keys (PTK) is negotiated. The questioning of the 802.11 standards ambiguity continues in part 6.6 of Discussion as well as the way proofs work theoretically and in practice and whether or not these differ. Finally the fact that nonce recuse is present in GCMP and not CCMP and can be mitigated by the use of a nonce misuse-resistant encryption scheme would reduce the total impact. This is all the information from the paper however, I stumbled upon a Github Repo that is a bit dated at the time of writing that addresses other inherent security flaws that are how WPA2 networks were previously compromised in what is called “Call for WPA3 – what’s wrong with WPA2 security and how to fix it”.

Wireless communication isn’t going away and I believe that rolling the call for WPA3 in the form of a restructure of how WPA works as well as questioning the way the 802.11 standard is built are overall beneficial in making wireless networking as secure as possible. The other interesting takeaway is the idea that the way that the general gap between the way things work theoretically or from a design perspective vs actually in a environment is something that academia and practitioners will not soon get away from.

Sources:
CVE
Bleeping Computer Article
Hip Website
PDF Writeup

Threat model analysis: inmates with homebrew equipment

One of the first headlines that came across my feed today read as the title of this post does, “Investigation finds inmates built computers and hid them in prison ceiling”. Archive.org Link

Immediately after reading this the following thoughts went through my head

  1. How could IT be so unaware of these ethernet lines running directly into their own networking infrastructure?
  2. How did they get caught?

    The answer to the 1st question is easily found when looking at the photo used in the article to describe the state of the cabinets that housed what I can only assume to be the core network switches that looked like a rats nest of copper cable.The second question however is somewhat answered in the article itself, It states “Authorities say they were first tipped off to a possible problem in July, when their computer network support team got an alert that a computer “exceeded a daily internet usage threshold.” When they checked the login being used, they discovered an employee’s credentials were being used on days he wasn’t scheduled to work.”Very interesting that this would be the only alert that would pop for this type of an intrusion. This lead to the thought of “well they must not have had access to that type of information that would allow them to spoof their employee credentials based off of who was scheduled to work?”

    The article goes on to say that “The Ohio Inspector General says investigators found an inmate used the computers to steal the identity of another inmate, and then submit credit card applications, and commit tax fraud. They also found inmates used the computers to create security clearance passes that gave them access to restricted areas.”

    In my mind this means that if these inmates had access to the internet why didn’t they just learn to figure out how to check the employee schedule or at least scribble down on hand what people they saw working and correlate their logins as such. Given the fact that they were using an employee login, we can only assume that this required a password auth as it wouldn’t make sense for a login prompt to just allow you to identify as any user without verifying that you are that user. This means that at some point they had to of acquired the credentials of an employee and used those credentials to login to access the internet. Even just monitoring the patterns of use should have tipped off the network administrators to this long before noting that an off the clock employee was using the system. Another idea would be to limit access to correlate to times worked which would be a strange arbitrary change to implement but could be easy if the time card / scheduling service was able to export a .csv.

This type of negligence is just incredible to see especially on a network that is dealing with something as potentially dangerous as fugitives getting access to SCADA systems or lock / unlocking doors via a web console.

The article goes into detail speaking of the idea that “lax security” allowed the inmates to get the computer equipment to their respective cells. Computers aren’t getting any larger and with a platform such as the Raspi or the Raspi Zero the profile of these things are going to continue to dwindle down until you may not be able to stop them from being transferred in and out of a facility. This means that network security should be an even higher concern and proper IPS / IDS implementation will be needed along with vlan integration and other network security practices in order to keep the network safe. Hell even then, what if your inmates start building a meshnet in which they communicate with decentralized technology, what then? It just reminds me that we truly ain’t seen nothing yet.

Edit: After finding an additional article they uploaded a full .pdf of the report which is most likely what got this news coverage.