By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged.
The same technique can also be used to attack the group key, Peer Key, TDLS, and fast BSS transition handshake.
When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e.
Unfortunately, we found this is not guaranteed by the WPA2 protocol.
By manipulating cryptographic handshakes, we can abuse this weakness in practice.
Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.
This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.
For example, an attacker might be able to inject ransomware or other malware into websites.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations.
However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment.
As a result, the client may receive message 3 multiple times.
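The following toy model is an added example, not code from the original page or from the researchers. It shows how a retransmitted message 3 leads a client to reinstall its key and repeat nonces, and how a client that refuses to reinstall a key already in use avoids this. The class, function names, event list and key bytes are constructed for illustration and assume the transmit packet number serves as the nonce.

```python
# Toy model of a client handling message 3 of the 4-way handshake.
# All names and sample values are constructed; this is not a real Wi-Fi stack.

class Supplicant:
    def __init__(self, hardened):
        self.hardened = hardened
        self.installed_key = None
        self.tx_pn = 0       # transmit packet number, used as the nonce
        self.used = set()    # (key, nonce) pairs that already protected a frame

    def on_message3(self, ptk):
        """Handle message 3 (possibly a retransmission) carrying key `ptk`.
        Returns True if the key was (re)installed."""
        if self.hardened and ptk == self.installed_key:
            return False     # key already in use: leave the counter untouched
        self.installed_key = ptk
        self.tx_pn = 0       # installing a key resets the packet number
        return True

    def send_frame(self):
        """Protect one data frame. Returns True if its (key, nonce) pair
        was already used for an earlier frame."""
        self.tx_pn += 1
        pair = (self.installed_key, self.tx_pn)
        reused = pair in self.used
        self.used.add(pair)
        return reused


def count_nonce_reuse(hardened, events):
    """Replay a sequence of events and count frames sent under a repeated nonce."""
    sta = Supplicant(hardened)
    reuse = 0
    for ev in events:
        if ev == "msg3":
            sta.on_message3(b"ptk-constructed")
        else:
            reuse += int(sta.send_frame())
    return reuse


# Constructed trace: message 3 arrives, two frames are sent, then message 3
# arrives a second time (a retransmission) before three more frames.
EVENTS = ["msg3", "data", "data", "msg3", "data", "data", "data"]

if __name__ == "__main__":
    print("unpatched client, reused nonces:", count_nonce_reuse(False, EVENTS))
    print("hardened client, reused nonces:", count_nonce_reuse(True, EVENTS))
```

A monitoring or test harness can apply the same bookkeeping: any frame whose (key, packet number) pair has been seen before indicates that a key was reinstalled.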
Our detailed research paper can already be downloaded.
As a proof-of-concept we executed a key reinstallation attack against an Android smartphone.
Therefore, any correct implementation of WPA2 is likely affected.