TR-50 - WPA2 handshake traffic can be manipulated to induce nonce and session key reuse

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member


All modern Wi-Fi networks are protected by Wi-Fi Protected Access II (WPA2). The Wi-Fi standard contains a weakness that could be exploited to read previously assumed to be encrypted traffic, or to modify or inject traffic. As the problem is not bound to specific implementations, the problem can be assumed to be present in any product or device.

Vulnerable systems

Due to the nature of this problem, the vulnerability might exist in all Wi-Fi implementations. maintains an extensive list of affected products.

Details on the Vulnerability

A protocol flaw during a 4-way- handshake allows to reset the nonce by collecting and replaying retransmissions of message 3 during this process.

By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.

The website and the corresponding scientific paper describe the process in detail.

The following CVE IDs are assigned to track affected products:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

Fixing, remediation and mitigation

Patches are available for several but not all devices. Where patches are not available, it is strongly suggested to apply the following recommendations:

  • Only access SSL/TLS encrypted services and make sure the usual verification symbols are properly shown
  • Reduce signal strength of your Wi-Fi devices to limit the exposure of your network
  • Contact the vendor of your Wi-Fi equipment or large-scale resellers like ISPs
  • Consider exchanging end-of-life Wi-Fi devices with recent devices - preferably from reactive vendors.


Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.


  • Version 1.0 - TLP:WHITE - First version - 16 Oct 2017