Replay Attack: Process, Impacts, and Defence

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.
Read more
Okta
Updated: 04/14/2022 - 6:11
Time to read: 3 minutes

A replay attack involves eavesdropping on a network and intercepting a data packet. After the theft, a hacker can resend the same message. The server, not realising the problem, does just what the hacker wants.

Understanding replay protection is critical. In 2020, data breaches cost companies an average of $3.86 million. Replay attacks are dangerous, in part, because hackers don't need advanced skills to pull one off. 

What is a replay attack?

Devices exchange information via packets. Some contain all of the bits and pieces a hacker needs to pull off a very real and dangerous theft.

For example, your device exchanges passwords and session keys with a server. A hacker listens in and steals that information. Later on, the hacker sends the same information again. The server believes it's speaking with you. The hacker can then do anything you can do on the server.

Researchers tell us a lot about replay attacks. They say companies are vulnerable due to complex network structures. Many agents work together to accomplish seemingly simple tasks. Overtaking just one could lead to a chain reaction of failures.

A hacker could use a replay attack to:

  • Steal your car. A recording device steals the communication between your key fob and your vehicle. The hacker then sends the signal again and drives away. In 2016, researchers discovered that several different vehicle types are vulnerable to this form of attack. 
  • Authorise bank transfers. A hacker copies a packet sent between you and your bank. Sending that again could prompt the bank to repeat the action (such as transferring funds again, but this time to a different destination). Researchers say hackers using this approach resend packets very quickly, and they're almost always exactly the same. 

Wireless replay protection steps to take 

Replay attacks work because hackers can steal something you're using right now and send it again without changing a thing. To block this attack, you must make theft harder, allow packets to expire, or attach some other form of authentication to each packet. 

Let's dig into specifics. You could try:

  • Challenge handshake authentication. An authenticator sends a formal challenge message. The sender must respond with an answer based on a shared secret. That shared secret itself is never sent, so it can't be stolen.
  • Kerberos. This authentication protocol runs on timestamps, and messages deemed too old are automatically discarded.
  • One-time passwords. Each transaction comes with its own authentication method that's never used again.
  • Secure routing. Firewalls and other protection forms ensure that packets are never stolen in the first place.
  • Session identifiers. Each message comes with a session identification and component number. These two items aren't interdependent, so they're harder to steal or replicate. Even if theft occurs, the old session ID won't work.
  • Timestamps. Each message comes with a built-in expiration time.

Know that these steps won't stop a replay attack in progress. Take your system offline, implement these steps, and reboot. That way, an old theft won't result in new losses.

We talked quite a bit about packets in this piece. They're critical to the Internet Control Message Protocol. Find out more about ICMP and what it does in this blog.

References

What Is the Cost of a Data Breach? (August 2020). CSO. 

Resilience Against Replay Attacks in Computer Systems. (April 2021). EurekAlert.

Radio Attack Lets Hackers Steal 24 Different Car Models. (March 2016). Wired. 

Replay Attack: A Prevalent Pattern of Fraudulent Online Transactions. (2018). IEEE Xplore.