What is PMKID?
Pairwise Master Key Identifier (PMKID) is a type of roaming feature in a network. Recent improvements in hacking have been targeting it for exploitation in vulnerable processes, thereby demanding that ongoing security efforts better address it and its affected procedures.
New wi-fi hacking strategies have been using coding and processes that have made it easier for hackers to learn user passwords for a wide range of router types that are commonly used in homes and businesses. Specifically, processes targeting PMKID zero in on internal network protocols with its features enabled, bypassing critical processes. The method was initially discovered by accident, in an assessment of developments in WPA3 security standards, with the exploitations realized to be potentially applicable to existing security systems.
What Security Vulnerabilities Are Concerning?
Online sources including The Hacker News report that hackers have used the approach successfully to gain pre-shared key (PSK) user account login passwords, which they have then used to hack the wi-fi networks of their victims. This has led to hackers penetrating even further into user databases to gain or misuse other information. While earlier methods have demanded that hackers stand by while waiting for their targets to log in to the network and acquire a complete four-way authentication handshake of EAPOL, the PMKID approach does not require this.
This approach, therefore, makes it easier for hackers to access sensitive information, since they can instead use the Robust Security Network Information Element (RSN IE) with a single Extensible Authentication Protocol over LAN (EAPOL) after making a request from their access point. This is also significantly more efficient and with higher potential for multiple attacks from a single point.
Generally, a successful attack occurs in three steps, which may or may not be followed by the subsequent abuse of personal or otherwise sensitive information. In the first step, the hacker uses a tool such as hcxdumptool to make a request to the PMKID. The PMKID is thereby asked, from the hacker’s point, and the hacker can use the tool to prepare to dump information received to a file for future access and misuse.
In the second step, the tool is used to process frame output, converting it to a hash format for future acceptance. In the third step, a tool such as Hashcat can be used to crack the WPA PSK password, at which point the hacker has the potential to access the personal information of users.
Researchers have been vague in terms of the specific routers involved and the extent of routers most vulnerable to PMKID attacks. The general method seems to be most threatening in 802.11i/p/q/r networks with their roaming functions enabled. This, unfortunately, describes most current routers, while WPA3 developments have only recently begun to counter aspects of the fundamental nature of the vulnerabilities.
The Hacker News reports that WPA3 is a new form of security protocol that is required to address previous WPA2 vulnerabilities that have been increasingly exploited despite smaller non-version-specific security developments. Newer developments employ a new framework that includes features that cannot be encompassed by these smaller software and security upgrades, demanding foundational improvements. An example of a foundational technological improvement is the establishment of Simultaneous Authentication of Equals (SAE).
In addition to the nature of the vulnerability, as is common with modern hacking potentials, access to directions in a PMKID attack are readily available online. SecuredYou is an example of one of many online sources that walk users through potential attacks. According to this source, in an optimized approach, users should first request PMKID from the router, install hcxdumptool and hcxpcaptool, and make network requests for recording through additional described steps.
Other online sources, including the Latest Hacking News and The Register, report that such an approach can be currently used for success in 10 minutes or less on most networks, depending on the extent of active network traffic. Hacking has never been so easy for predators.
What’s Been Happening In Research And Development?
Software and security protocol developers have been addressing the issue most directly through WPA3 and network security strategy research and development. One recent patent has attempted to address and improve an aspect of vulnerability by enhancing an extensible authentication protocol re-authentication protocol (EAP-RP) framework in message transition.
Another recent patent has targeted the way network information is configured and authenticated while maintaining PMKID in addition to a basis on a transient identity key pair provided to other access points. Such developments may benefit users more quickly or to greater extents than the implementation of WPA3.
What’s The Bottom Line?
- PMKID attacks do not require the same waiting times.
- The potential detriment is high.
- WPA3 technology can counter the attacks.
- Other non-WPA3 patents/developments may work but should be tested first.
Published on 6th September 2018 by Jeanne DeWitt.