[ENW-P-C-2017128] Huawei Wi-Fi Product Notice: WPA2 Key Reinstallation Vulnerabilities

1      Background

On October 16, 2017, a research paper titled with "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was published by Mathy Vanhoef. This paper discusses multiple vulnerabilities in Wi-Fi Protected Access (WPA) and WPA2. These vulnerabilities may allow for reinstallation of pairwise transient keys (PTKs), group keys (GTKs), or integrity group keys (IGTKs) on wireless clients or APs.

By exploiting these vulnerabilities, attackers can force wireless clients to connect to rogue APs and intercept the credit card number, user name, password, photos, and other sensitive information in network traffic. Through certain network configurations, attackers may also inject malicious data into a network to remotely install malicious software. All devices using WPA2 may be subject to these vulnerabilities.

Huawei has initiated the vulnerability warning process to fix the vulnerabilities. For the progress, visit the official website of Huawei Product Security Incident Response Team (PSIRT):

http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171017-01-wpa-en

2      Impact

a)    Terminals using WPA2 authentication, for example, mobile phones, tablets, and laptops

b)   APs working in station mode, for example, leaf APs in WDS/Mesh mode

c)    The WPA/WPA2 security mechanism on the network is not cracked, so WPA/WPA2 passwords will not be intercepted.

d)   Attackers can guide terminals to rogue APs without the valid pre-shared key (PSK) or certificate, initiate the man-in-the-middle attack (MITM attack) to the terminals, and attempt to obtain sensitive information such as the user name and password.

3      Attack Mechanism

a)    The wpa_supplicant component has a bug. Attacks can be launched against clients by leveraging the 4-way handshake of WPA2. The 4-way handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and AP have the correct credentials (such as the pre-shared password of the network). Additionally, the 4-way handshake negotiates an encryption key for encrypting all subsequent traffic.

b)    Attackers listen on the third negotiation packet during the 4-way handshake between a client and a valid AP to initiate multiple replay attacks, which trigger the encryption key reinstallation on the client. During this process, related parameters (such as replay counter) are reset to their initial values. As a result, the same encryption key is used for many times, generating security vulnerabilities.

c)    After vulnerabilities are triggered, the encryption strengths of packets sent by clients are lowered. Attackers may decrypt the packets to obtain application-layer information.

4      Huawei Wi-Fi Products Are Not Affected

a)    APs working in non-station mode are not affected by the vulnerabilities.

b)    For APs in station mode: The open-source component wpa_supplicant is not used by Huawei APs. The WPA2 key negotiation process is implemented using the Huawei-developed component. Through strict analysis and testing by Huawei, it is confirmed that these vulnerabilities do not exist on the key loading mechanism of Huawei APs, so Huawei APs are not subject to these vulnerabilities.

c)    For terminals running on Huawei's Wi-Fi networks, it is recommended that appropriate operating system patches be installed to defend against attacks.