How to prevent WPA1/WPA2-PSK attacks
On Aug 4, 2018, Jens Steube from the Hashcat project announced a new method to exploit a known vulnerability in wireless networks that use WPA1/WPA2-PSK (pre-shared key), allowing attackers to obtain the PSK being used for a particular SSID. The vulnerability affects most wireless vendors using roaming technologies, including Cisco Meraki, and targets information exchanged between the client and AP via management frames during roaming, a process inherent in the 802.11 protocol. Customers using Meraki APs are vulnerable if they use fast roaming (802.11r) with PSK.
How does an attack occur?
Roaming technologies were developed to improve the access point handoff experience of wireless client devices as they physically move about a given network and, by virtue of distance and signal strength, automatically associate and disassociate with various access points (APs). Associating with a new AP takes time due to the necessary authentication. Fast Roaming (FT) speeds up the authentication and association process for roaming clients, helping to protect against packet loss and poor performance in high-bandwidth applications like VoIP calls or streaming content.
As part of the attack, an attacker can target the re-association process to obtain the unique master key ID used for the specific client. The master key ID is derived from the master key (in PSK mode, derived from the PSK), a name, the AP MAC address and the client MAC address. Since the master key is derived from the PSK and the other details can be easily obtained, an attacker can obtain the key. Because the attack relies on a dictionary attack to determine the PSK being used, it is highly recommended that admins use strong passwords that are not susceptible to guessing attempts.
Who’s affected?
Meraki has already identified at-risk customers and notified them about the vulnerability. Only customers using FT with WPA/WPA2-PSK on Meraki APs are affected. Additionally, a warning has been added to the Meraki dashboard notifying customers if their configuration makes them vulnerable. SSIDs using WPA/WPA2-Enterprise are not affected by this vulnerability, as their key generation process is very different from that of PSK.
How to prevent it?
To gauge impact, customers can leverage a new tool available in the Meraki dashboard by going to Announcements > KRACK & PMKID Vulnerability Impact to check any networks that might be affected. Customers can easily turn off 802.11r (FT) for all affected networks directly from the tool. Only customers affected by the PMKID and/or KRACK vulnerability will see the tool in the dashboard.
To determine whether 802.11r is enabled for a given Meraki wireless network, navigate to Wireless > Configure > Access Control in the Meraki dashboard, and look under Network Access.
We strongly urge all customers to disable 802.11r when used with PSK. Our technical experts are available to assist with any questions or concerns you may have.
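An offline check in the same spirit as the dashboard tool, as an added example that is not Meraki's code: it flags enabled SSIDs that combine PSK authentication with 802.11r and notes guessable passphrases. The inventory is constructed, and the field names (authMode, psk, dot11r.enabled) and the 16-character minimum are assumptions to adapt to your own export.

```python
import json

# Constructed sample inventory. Field names (authMode, psk, dot11r.enabled) are
# assumptions modelled on an SSID export; check them against your own data.
SAMPLE_SSIDS = json.loads("""
[
  {"network": "HQ", "name": "Corp-Voice", "enabled": true, "authMode": "psk",
   "psk": "Summer2018", "dot11r": {"enabled": true}},
  {"network": "HQ", "name": "Corp-Staff", "enabled": true,
   "authMode": "8021x-radius", "dot11r": {"enabled": true}},
  {"network": "Branch", "name": "Guest", "enabled": true, "authMode": "psk",
   "psk": "v7#Lq9!tR2mZx0pWd4Ke", "dot11r": {"enabled": false}},
  {"network": "Branch", "name": "Lab", "enabled": false, "authMode": "psk",
   "psk": "password", "dot11r": {"enabled": true}}
]
""")

MIN_PSK_LEN = 16  # assumed local policy, not a figure from the article


def weak_psk(psk):
    """Cheap guessability heuristics; a real audit would also use a wordlist."""
    reasons = []
    if len(psk) < MIN_PSK_LEN:
        reasons.append(f"shorter than {MIN_PSK_LEN} characters")
    classes = sum(any(f(c) for c in psk) for f in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def audit(ssids):
    """Return (network, ssid, issues) for each enabled PSK SSID with a problem."""
    findings = []
    for s in ssids:
        if not s.get("enabled") or s.get("authMode") != "psk":
            continue  # disabled SSIDs and WPA/WPA2-Enterprise are out of scope
        issues = []
        if s.get("dot11r", {}).get("enabled"):
            issues.append("802.11r enabled with PSK: disable FT")
        issues += [f"PSK {r}" for r in weak_psk(s.get("psk", ""))]
        if issues:
            findings.append((s["network"], s["name"], issues))
    return findings


if __name__ == "__main__":
    for network, name, issues in audit(SAMPLE_SSIDS):
        print(f"{network}/{name}: " + "; ".join(issues))
```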