A new attack was discovered which allows cracking a WPA2 passphrase without needing to capture the 4-way handshake. While this doesn't weaken the password itself, it does mean that an attacker can begin their cracking attempts without needing to force deauthentication in order to actually capture the handshake. I am wondering how this can be most effectively mitigated.

Since this attack requires roaming, is it enough to ensure that 802.11r is not enabled and to set rsn_preauth=0 in the hostapd configuration to disable 802.11i/RSN/WPA2 pre-authentication?

forest
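To see concretely what the proposed mitigation in the question amounts to on the AP side, here is an added example (not from the question's author, and not a hostapd tool) that parses a hostapd.conf and reports whether the two roaming-related settings named above, `ieee80211r` (802.11r fast BSS transition) and `rsn_preauth` (802.11i/RSN pre-authentication), are enabled, and produces a copy with both forced to 0. The sample configuration is constructed for the example; a key that is absent is treated as disabled, matching hostapd's default of 0 for both. The script only checks configuration state; it makes no claim about whether that state is sufficient against the attack, which is exactly what the answer below disputes.

```python
"""Audit a hostapd configuration for the two roaming settings named in the question.

Added example; not hostapd's own tooling. Assumes hostapd's key=value file syntax.
"""

from typing import Dict

# Constructed sample hostapd.conf for this example; not a real deployment.
SAMPLE_CONF = """\
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# 802.11r fast BSS transition is enabled on this AP
ieee80211r=1
mobility_domain=a1b2
rsn_preauth=1
"""

# Settings the question proposes to disable, with a human-readable label.
ROAMING_KEYS = {
    "ieee80211r": "802.11r fast BSS transition (FT) roaming",
    "rsn_preauth": "802.11i/RSN pre-authentication",
}


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Return key=value settings; comment and blank lines are skipped.

    A later duplicate key overrides an earlier one, as hostapd itself does.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_roaming(text: str) -> Dict[str, bool]:
    """Map each roaming key to True when enabled (value 1), False otherwise.

    A missing key is treated as disabled, which is hostapd's default for both.
    """
    settings = parse_hostapd_conf(text)
    return {key: settings.get(key, "0") == "1" for key in ROAMING_KEYS}


def hardened_copy(text: str) -> str:
    """Return the config with both roaming settings forced to 0.

    Other lines (including comments and unrelated keys) are kept verbatim;
    a key that was absent is appended explicitly so the intent is visible.
    """
    out = []
    seen = set()
    for raw in text.splitlines():
        stripped = raw.strip()
        key = None
        if "=" in stripped and not stripped.startswith("#"):
            key = stripped.partition("=")[0].strip()
        if key in ROAMING_KEYS:
            out.append(f"{key}=0")
            seen.add(key)
        else:
            out.append(raw)
    for key in ROAMING_KEYS:
        if key not in seen:
            out.append(f"{key}=0")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, enabled in audit_roaming(SAMPLE_CONF).items():
        state = "ENABLED" if enabled else "disabled"
        print(f"{key:12s} {ROAMING_KEYS[key]}: {state}")
    # The rewritten copy must report both settings as disabled.
    assert not any(audit_roaming(hardened_copy(SAMPLE_CONF)).values())
```

Run it against a real hostapd.conf by replacing `SAMPLE_CONF` with the file's contents; `mobility_domain` and other FT-related keys are deliberately left untouched, since with `ieee80211r=0` they are inert and removing them is a separate cleanup decision.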

1 Answer

1

This doesn't seem like an effective mitigation as disabling roaming would simply mean that the 4 way handshake has to occur any time that the AP the client is connecting to changes, so it would mean that any time roaming actually occurs, the original vulnerability would still be a problem.

Unless the roaming is not actually needed or the roaming vulnerability is somehow worse than the attack on the 4 way handshake, I'm not sure that this suggested mitigation is particularly effective. If you don't need roaming, then there is no reason not to turn it off though.

Caveat, I'm not an expert on WPA2, so I'm working off a basic reading on the subject, so if anyone who knows more wants to chime in to either confirm or deny my analysis, that would be great.

AJ Henderson
  • I understand that disabling roaming does not mitigate capture of the 4-way handshake. I'm not asking about avoiding that, simply this new attack involving PMKID. In other words yes, there are other attacks, but would disabling roaming in the ways specified mitigate _this_ attack? That is my question. – forest Aug 06 '18 at 22:07
  • @forest - except, for a mitigation to be effective, it needs to actually solve the problem. If I'm losing blood to a mosquito, I can blow my hand off with a shotgun to get rid of the mosquito, but it doesn't exactly solve my blood loss problem. The reason this attack is bad is that it allows an offline attack on the key without needing to capture a 4 way handshake, but if the mitigation makes it trivial to capture the 4 way handshake, then it's not a fix. – AJ Henderson Aug 07 '18 at 04:57
  • The PMKID attack gives additional capabilities to the attacker. I am asking about removing those _particular capabilities_, regardless of whether or not they have other ways to achieve the same goal. As an analogy, a question asking about mitigating WEP IV reuse attacks could still be answered despite the fact that WEP has plenty of other (unmitigated) vulnerabilities. – forest Apr 26 '21 at 23:02