Millions of first-generation Amazon Echo smart speakers and eighth-generation Amazon Kindle e-readers are affected by two dangerous vulnerabilities (CVE-2017-13077 and CVE-2017-13078) that enable Key Reinstallation Attacks (KRACK).
KRACK is a replay attack against Wi-Fi networks that use WPA2 encryption. Every protected Wi-Fi network uses a four-way “handshake” to negotiate the session's cryptographic keys. The attacker forces the victim to reinstall an already-used key by replaying the third message of the four-way handshake. Because WPA2's AES-CCMP cipher is used as a stream cipher (counter mode), reinstalling the key resets the per-packet nonce, and the resulting nonce reuse greatly weakens the encryption.
“An adversary could trick a victim device into reinitializing the pairwise key used in the current session (this is not the Wi-Fi password) by crafting and replaying cryptographic handshake messages. By exploiting this flaw, an attacker is able to gradually reconstruct the encryption XOR stream and then sniff the victim's network traffic,” is how ESET describes the attack.
Exploiting these vulnerabilities allows an attacker to carry out DoS attacks, decrypt data transmitted by the victim, forge data packets (forcing the device to drop packets or even injecting new ones), and intercept confidential information such as passwords or session cookies.
“1st generation and 8th generation Kindle devices were vulnerable to two KRACK vulnerabilities. We were able to replicate reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake (CVE-2017-13077) and reinstallation of the group key (GTK) in the four-way handshake (CVE-2017-13078),” said the ESET researchers.
It should be noted that KRACK attacks, like any other attack on a Wi-Fi network, require physical proximity to be effective: the attacker's and the victim's devices must be within range of the same Wi-Fi radio network for the compromise to take place.
Attacks on Amazon devices (and presumably on other devices) are also unlikely to significantly affect the security of information transmitted over the network, because most confidential data is protected by additional security measures layered on top of standard WPA/WPA2 encryption.
ESET researchers reported the vulnerabilities to Amazon on October 23, 2018. On January 8, 2019, Amazon confirmed the vulnerabilities and prepared the necessary patches. To fix the problem, the company shipped a new version of wpa_supplicant, the small program that manages the wireless protocols on the device.
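The following is an added, self-contained model of why a replayed message 3 matters and what the supplicant-side fix changes; it is not Amazon's or wpa_supplicant's code, and the `keystream` function is a hypothetical SHA-256 stand-in for CCMP's AES counter mode that only preserves the one property KRACK relies on: the keystream depends solely on (key, packet number). The `Supplicant` class, the sample key and the two sample plaintexts are all constructed for the illustration.

```python
import hashlib

# Constructed sample plaintexts of equal length (24 bytes each).
P1 = b"GET /index.html HTTP/1.1"
P2 = b"POST /login HTTP/1.1 x=1"


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Hypothetical stand-in for CCMP's AES counter mode (not WPA2's real cipher).

    Only the property that matters for KRACK is modelled: the keystream is a
    deterministic function of (key, packet number), so reusing that pair yields
    identical keystream bytes.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of a client's key-install logic for the 4-way handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.installed_tk = None
        self.packet_number = 0  # CCMP 48-bit PN, the per-frame nonce
        self.log = []

    def on_message3(self, tk: bytes):
        # Message 3 confirms the pairwise key. A retransmitted message 3 is
        # legitimate (message 4 may have been lost), so the client must accept it.
        if self.patched and self.installed_tk == tk:
            # Fix modelled on the wpa_supplicant change: a key that is already
            # installed is not reinstalled, so the packet number keeps counting.
            self.log.append("message 3 retransmission: key already installed, not reinstalled")
            return
        # Vulnerable behaviour (CVE-2017-13077): every accepted message 3
        # (re)installs the key and resets the packet number to zero.
        self.installed_tk = tk
        self.packet_number = 0
        self.log.append("key installed, packet number reset")

    def encrypt(self, plaintext: bytes):
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.installed_tk, self.packet_number, len(plaintext)))
        return self.packet_number, ct


def simulate(patched: bool) -> dict:
    """Install a key, send one frame, receive message 3 again, send another frame."""
    tk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample PTK-TK
    client = Supplicant(patched)
    client.on_message3(tk)
    pn1, c1 = client.encrypt(P1)
    client.on_message3(tk)  # the same message 3 arriving a second time
    pn2, c2 = client.encrypt(P2)
    return {"pn1": pn1, "pn2": pn2, "c1": c1, "c2": c2, "log": client.log}


def nonce_reused(result: dict) -> bool:
    """True when two frames were encrypted under the same (key, packet number)."""
    return result["pn1"] == result["pn2"]


def plaintext_xor_leaked(result: dict) -> bool:
    """With identical keystream, c1 XOR c2 == p1 XOR p2: a passive observer learns
    the XOR of two plaintexts, which is the first step in reconstructing the keystream."""
    return xor(result["c1"], result["c2"]) == xor(P1, P2)


if __name__ == "__main__":
    for patched in (False, True):
        r = simulate(patched)
        print("patched" if patched else "vulnerable",
              "| nonce reused:", nonce_reused(r),
              "| plaintext XOR leaked:", plaintext_xor_leaked(r))
        for line in r["log"]:
            print("   ", line)
```

Running it shows the vulnerable client encrypting both frames with packet number 1, so the XOR of the two ciphertexts equals the XOR of the two plaintexts, while the patched client keeps counting and leaks nothing. The defensive takeaway is the check in `on_message3`: the only state a retransmitted message 3 may touch is the handshake acknowledgement, never the installed key or its packet counter.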
Most users have most likely already installed this patch; however, the researchers recommend that device owners check that they are running the latest firmware.