Does the attacker need to know PTK and GTK to attack other device?

[zyz2015]

Hi @vanhoefm

I have some doubts about these attacks.

The precondition of these attacks is that the attacker has already known PTK and GTK to attack other device, right? If yes, I don’t think this is a vulnerable loophole. The key point is that the attacker should have no way to know the PTK.

If the attacker has already known the PTK GTK, then he can do anything.

Maybe he should explain how he gets the PTK first.

[vanhoefm]

No. Where did you get this incorrect information from? If an attacker knows the PTK it means Wi-Fi security has already been broken. All the attacks work without knowing the password of the network.

The cache attack (CVE-2020-24586) does have a more exotic threat model. When an AP is vulnerable, this flaw can be exploited in Hotspot 2.0 or Enterprise networks, as long as the adversary also has credentials that are needed to connect to this network. But even there the adversary does not know the PTK of the victim! And the adversary also does not know the credentials of the victim.

[n3000]

No. Where did you get this incorrect information from? If an attacker knows the PTK it means Wi-Fi security has already been broken. All the attacks work without knowing the password of the network.

The cache attack (CVE-2020-24586) does have a more exotic threat model. When an AP is vulnerable, this flaw can be exploited in Hotspot 2.0 or Enterprise networks, as long as the adversary also has credentials that are needed to connect to this network. But even there the adversary does not know the PTK of the victim! And the adversary also does not know the credentials of the victim.

Hi, i'm a wifi beginner, i still have a question. Do you mean that the attacker do not have to know the password of the target AP? I've learned that STA and AP transmit encrypted Data after 4-Way-Handshake, if the attacker does not know the password, how can he decrypt the raw Qos packet, inject the second A-MSDU subframe and encrypt the packet ?

[vanhoefm]

Which material did you read to try to understand the attack?

The raw QoS packet is not decrypted, only its "is aggregated" flag in the header is flipped. The packet is specially constructed by the server that is contacted when the victim e.g. loads an image from the attacker's server. The adversary is not encrypting packets.

[n3000]

Which material did you read to try to understand the attack?

The raw QoS packet is not decrypted, only its "is aggregated" flag in the header is flipped. The packet is specially constructed by the server that is contacted when the victim e.g. loads an image from the attacker's server. The adversary is not encrypting packets.

Thanks for your reply. I just wonder
whether the attacker knows the password of target AP in A-MSDU inject attack?

[vanhoefm]

No, as mentioned, only the cache attack has a more "exotic" threat model (where the credentials unique to the victim are still not known though!).