two researchers of the Belgian University released

information of an exploit that they've found

for the security mechanism used on all major

Wi-Fi connections these days.

So this is WPA, the encryption protocol that was

brought in to replace the early one,

WEP, which was basically useless.

So this one has been proven to be mathematically correct.

It's been proven to be mathematically

secure and so it was thought

that you wouldn't be able to attack it. And for the last 15 years or so

there's been a few fringe effects that you could exploit to get certain things,

but in general, it's secure. Until yesterday ?

The way that WPA works is that

when the client, your computer, connects to the base station initially starts off

unencrypted and very quickly they exchange a series of messages between the two

which get them so they've agreed on a key that they're going to use to encrypt the message.

And so to understand how this attack works we need to understand how those messages are transmitted,

and then how that's used to encrypt the data, which is why I brought Mike

along to sort of help talk about the encryption side of things

Hello, Mike

Dr. Make Pound: - Hello!

What am I doing here?

- So what we've got open on the computer here is I

set wireshark going when I turned on my Wi-Fi card

It's captured a series of packets and what we can see here

is there are four packets of information that are sent

between the computer and the access point and

These effectively agree the shared key that they're going to use.

now this isn't the password you put into your Wi-Fi router.

One of the interesting things that this attack works

without ever necessarily getting hold of your password.

So we end up with four messages that are being sent between the base station and

Your computer to establish those things.

So if we have a look at them,

we got our computer here, and we have

The access point here, or the base station

and we've associated with it,

so the first thing to set up the encryption is that the access point

sends a message across, and we'll call this Message 1.

This contains various information in there including a random number

which is used, and a counter which is used for something else.

But we won't go into too much detail

And then we reply with our random number which is Message 2

They send Message 3 which contains a bit more information, and then we send

Message 4 which basically says,

"Yep. I got that. The communication is now established."

Now the way the Krack Attack works is by sitting in the middle you have another computer,

which is your malicious actor

which is going to sit there to try and break into this encryption, and he has to sit in such a way that he can

know when Message 3 is sent and stop Message 4 being sent back

- Sean: What does he do? Block it or something?

- Dr. Bagley: I mean basically the way this works

Is that you need to cause Message 3 to be received by the computer

more than once in a way that you know about

and you've got access to things and if you do that you can start capturing data

and you can use some of the techniques that Mike's going to talk about

to decrypt the information.

So one way you could do it is you could perhaps

splat a bit of noise on to the Wi-Fi signal at that point.

There are easy ways where you pretend to be

a base station and quickly send a message saying,

"Switch to me on a different channel because I've got better communications here,"

which means you receive it

And the other base station doesn't and then it sends it out

and you could sort of forward it on.

So there's various ways you could probably

push this into into use, but basically once you've got in here, and you caused this to be resent

it causes parts of the values that the computer uses to encrypt the messages

To be reset as well and once you've done that you can get into a position where you can actually start to

decrypt the messages.

Dr Mike Pound: - When the client receives message 3,

That's a moment it thinks right I've got my keys now. I can store them away ready for encryption

The problem is that if the access point doesn't receive message 4, it thinks

Oh well something must have happened to it. So I'll send message 3 again to make sure the client got it .

The bugs that these researchers have found is that if message 3 gets resent, it restores the key

and in doing so also resets all of the other cryptographic variables it's been working with, which is a real problem

In particular it's a problem when you reset something called the nonce, or a number used once.

So the way we usually encrypt in WPA is through AES, advanced encryption standard

and we do it in counter mode generally speaking because it's quite fast so

If you think back to the video we did on

XOR and

Stream ciphers we basically use AES as a stream cipher so we have an ever-increasing counter

Let's say it starts at one, and we encrypt these numbers with our AES block cipher

Here's our key coming in here

So this one when encrypted using this key will produce a block of AES encrypted data that's random.

So basically we're generating here a set of random numbers that goes on like this from the first block

and then the second, and then the third and so on all the way along

But it's not a truly random thing because if I know the key and I can still get want to generate the same, yeah

And so I mean, that's about

Unfortunate is the problem with cryptography is that we couldn't ever use truly random because we wouldn't be able to decrypt it again

We have our message bits, which are you know naught, 1, 1, naught, something different

And we XOR these together one bit at a time

And that's how we encrypt and the nice thing is to decrypt we basically regenerate

This key stream and do the exact process again

we XOR our ciphertext and get our message back out. Now counter mode is very very fast and

It's perfectly secure if your block cipher produces nicely random bits

unless

You reuse the numbers in which case it's completely broken. In this attack, remember,

We're resetting the nonce because we're sending message 3 the client sees this and goes,

"Oh I better restart my encryption from start from scratch again."

So this number goes back to one, or goes back to zero somewhere at the beginning, and so we're generating the exact same key stream

multiple times

We start by cryptic some data using the key starting at 1 2 3 4 and then it gets reset

and we encrypt some different data with 1 2 3 4

Q: So normally it doesn't go around like 1 2 3 4, 1 2 3 4. It literally keeps --

It will just keep counting up and obviously the theoretical limit will be the

128-bit number that you're trying to store. That's unlikely to happen in the time you're connected to the Wi-Fi

But it's a theoretical possibility

If they use one multiple times you can probably work out what? -- yeah,

so if you imagine that we've used one multiple times

The same keys been used, because the key didn't get changed, then the same key stream of zeros and ones have been XOR our message

and that's very very weak when we use the same key twice we can essentially nullify the key by XOR in two messages together and

Then we do a very similar process become something called crib dragging so we will come up with hypothetical bits of plaintext

we think let's say the word HTML or

Someone's login name or something like this, and we will slide it over the message until

It gets a hit and at that point

We know not only where it is

But also what the keystream bits for that position were. So it's not a completely trivial process

But on our computer it can be bruteforced incredibly quickly. If you reuse the same

counter twice with the same key in something like counter mode

It's such a huge problem because basically you can extract plaintext bits from multiple messages

Once you've started to do that then you've got some idea of what we've sent you might be able to predict what they're going to

send and sort of get in and start doing replay attacks and things like this or

injecting information in, but we've done all this without even knowing what the key was. So it's an interesting part of encryption where

You aren't necessarily secure just because the key is secret right and in this case very much not the case

The other issue is that some of these modes you can extract the

Authentication key as well so when we talked about HMAC

We had a secret key that we used to make sure the message hadn't been interfered with. Well, if we can find that key

Which you can using this attack, then you can start to forge your own messages. Start to, let's say, add in TCP packets of

HTML that conveniently holds some JavaScript that runs some ransomware for example, and then you know you're in business

And we've done that without knowing what the key is. One question

What would happen if this key was zero?

Here when we're generating this counter what happen if the key was zero. If the key is zero

Then you're encrypting one with zeros it will still produce a random output, but it'll produce a random output

That's always the same, and we will know what it is

So we could we could guess the key stream. And if we knew were in the key stream then

We could generate the right values generate the right packets. The way this

Plays out is on certain operating systems. It basically has no effect so Windows. IOS. It seems because of the way they

Follow or don't quite follow the standard it seems that this has limited effect.

There are still ways you can attack things, but it has a limited effect

So you'll say people on Windows laptops and on iOS devices should be alright?

They are safer than other devices the problem comes with them

The program that does it in Linux and on certain Android friends so the implementation used on Linux and Android

That clears the key out of memory which is a good thing to do because if you're sitting in a coffee shop when you go

After buy a coffee it's not

impossible to plug the device quickly, a Thunderbolt device to do it into the side of the machine and copy the

bit of memory out of there, which is perhaps got the key in it

And then we can decrypt your traffic so that makes sense the problem is that

When you replay message 3

Which you need to do to make the attack work

That also resets the counter, the things that Mike's talked about, and it now uses the key which is 0 to

Start encrypting these things so actually you end up with a known sequence of counters being generated

Which means that you can then as well as decrypt the messages you can sort of

insert data into that message stream and start sending things to you that you perhaps weren't expecting to get. So on certain operating systems, it's

Relatively benign on others it's more dangerous

But it's also worth remembering that we should still use WPA2 to encrypt things because the alternative is that you have no security

And that even if someone does come and do this they could do exactly the same by unplugging your base station and plugging in

a new device into the Ethernet the other side of that

and listen there anyway, so it's the risk, it needs to be patched

It'll be patched, and then we can all go back to using Wi-Fi and browsing the web

Those leaks happen all the time and so passwords are being just dumped into the internet all the time, so there's this password list called RockYou

Which is a bit of a game changer in password cracking if that's a thing like-- 50

But this is the IBM pc/xt the model 51 60 which came out two years later in 1983

So this is really what the first PC was like--