WPA Security Vulnerability

  • Updated on August 31, 2022

On October 16, 2017 an issue with the implementation of the 4-way handshake used under the WPA/WPA2 security protocols for wirelesss networks was disclosed.

What is the Issue?

When connecting to a wireless network protected with WPA/WPA2, a 4-way handshake is used to establish a per-device temporary cryptographic key to protect transmissions. The 4-way handshake itself is mathematically proven to be secure, however most implementations of the 4-way handshake were found to be vulnerable to attack. Similar attacks were found to be effective against implementations of the group key handshake and the 802.11r handshake. It is important to emphasize the vulnerability is in the implementation of these items, and that there is no inherent security flaw necessitating WPA2 be redesigned.

Who is affected?

This attack is primarily against client* devices. The attack involves forcing a retransmit of the 3rd step in the 4-way handshake, or injecting retransmits, causing the client device to reset key cryptographic parameters which invalidate certain assumptions that form the basis of the mathematics used to protect wireless transmissions. An attack against 802.11r works on the same principle, however 802.11r is disabled by default on Grandstream APs. The following table illustrates capabilities of an attacker using this family of vulnerabilities against

Grandstream clients and access points. 4-Way Handshake and 802.11r cases are weaknesses in the cryptography between the AP and single device, affecting only unicast traffic, while Group Key is a weakness in the cryptography used for broadcast and multicast traffic.

Replay

Decrypt

Forge

4-Way Handshake

TKIP

AP->Client

Client->AP

Client->AP

CCMP

AP->Client

Client->AP

No

802.11r

TKIP

Client->AP

AP->Client

AP->Client

CCMP

Client->AP

AP->Client

No

Group Key

AP->Client

No

No

It is important to note that a patched client is secure, even if unpatched devices are connected to the same wireless network.

What should you do?

Because this attack is primarily a weakness in the client, you should immediately patch all client devices. Please refer to your device vendor for more details, or see below for additional information on Grandstream endpoints.

Hardening Grandstream Access Points

“Out of the box” Grandstream Access Points are not affected by this issue. This does not mean that vulnerable client devices are protected, only that there is no issue with the Access Point side. Vulnerable clients must still be updated.

Even though, we patched the fix to GWN APs for both WPA2 4-way handshake and 802.11r vulnerability.

ProductFirmware Version

GWN7610

1.0.4.22

GWN7600/7600LR

1.0.4.12

Affected Grandstream Endpoints

The following table lists affected Grandstream products and the patched firmware version that the devices should be upgraded to.

ProductFirmware Version

GXP1760W

1.0.1.30

GXV3240/3275

1.0.3.184

GAC2500

1.0.3.19

GVC3200

1.0.3.46

* Please note that here, clients refer to devices such as mobile phones, tablets, computers and any device connected to the wireless network. Check with the manufacturers of your client devices to ensure you have installed all appropriate updates to keep your information secure.

Was this article helpful?

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support

Leave a Comment

We use cookies in order to give you the best possible experience on our website. By continuing to use this site, you agree to our use of cookies.
Accept