What is a replay attack and how can I prevent it?

RedX

A replay attack occurs when a hacker records and replays a secure communication between two legitimate sources. While this may sound like a man-in-the-middle attack, replay attacks are a separate, less complex form of the typical man-in-the-middle approach. This is because it does not require a hacker to break into anything in order to obtain the credentials.

It is simply a repetition of raw data captured and replayed to trick security measures on the resource. To understand how a replay attack works, we first need to look at the typical way that a legitimate data transaction works between two network devices.

How normal communication works



Typically, two devices that securely communicate over a computer network have ways to verify their identity. For example, when you enter a website, you provide a username and password. These credentials tell the server that you are who you say you are. Once this is established, you can freely access the information stored on your behalf.

In most cases, your username and password are not stored on the target server. Instead, the server has a hash of your password. A hash is a mathematical function performed on a text string that you use as a password. When you enter your password, a hash function is performed on the text and the new and old hash codes are compared. If they match, you're in the game!

In addition, the connection and all data that passes through it are usually encrypted, typically over HTTPS. These are incredibly tight security measures, which a replay attack completely bypasses by simply copying and reproducing the authentication portion of the original message in bulk.

How a replay attack works
Man-in-the-middle attacks work because network packets often have to travel through devices and network equipment that are not owned by the sender or the recipient. Alternatively, an attacker can simply position himself between the two communicating parties, intercept the message and retransmit it with modifications.

The idea behind a replay attack is not to intercept and modify the original message for your own purposes. Instead, the attacker simply eavesdrops on every bit of data. There is no need to break the encryption or understand anything in the original message. The trick is to figure out which part of the encrypted message is the "handshake" where the credentials are requested, and then just replay that before adding your own instructions after authenticating.

Thus, you can access networks and services or repeat financial transactions, but with changed amounts and destinations. Sounds too simple, right? Well, the good news is that replay attacks are a well-known problem and there are various ways to mitigate them.

Mitigating replay attacks



Determining whether the message is original or replay is a critical means of mitigating replay attacks. There are different ways to do this, but the most common is a random session key.

This means that the sender and receiver agree on a unique random session number on the initial exchange. When the exchange ends, this session key cannot be used again, so if a replay attack is attempted using the same key, the recipient knows it is illegitimate.

There is an even easier way to deal with replay attacks. Messages should just have timestamps embedded in the transmission. Since the attacker does not know what is in the encrypted data, the replay will include exactly the same timestamp as the original message of the legitimate sender, clearly marking it as fraudulent.

Replay attacks can still be a problem
While mitigation for common replay attacks is standard these days, that doesn't mean this attack vector is dead in the water. Replay attacks can be effective when combined with certain vulnerabilities.

The most prominent recent example was the 2017 KRACK attack, which breached the WPA2 security protocol used by nearly every WiFi device on the planet. The only reason KRACK didn't pose as much of a problem as it could have was the short range at which it operates. It has since been fixed.

More importantly, WPA3 replaces WPA2, and new exploits are being discovered all the time. There will always be some kind of vulnerability that makes a replay attack possible.
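The two mitigations described in the post (a one-time session number, or nonce, and an embedded timestamp) are shown together below in a small Python example. This is an added illustration, not code from the post or from any product it mentions. It assumes a pre-shared HMAC key between sender and receiver (SHARED_KEY, constructed here) and a hypothetical pipe-separated message format; the message contents are constructed sample data. The receiver rejects a message if its MAC does not verify, if its timestamp falls outside a freshness window, or if its nonce has already been seen, so a captured message replayed as-is, replayed much later, or edited in flight all fail.

```python
import hashlib
import hmac
import secrets

# Hypothetical pre-shared key (constructed for this example).
SHARED_KEY = b"shared-secret-key-example"


def build_message(key, nonce, timestamp, payload):
    """Sender side: the MAC covers nonce, timestamp and payload together.

    The payload must not contain '|' because it is the field separator here.
    """
    body = f"{nonce}|{timestamp}|{payload}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}|{tag}"


class ReplayGuard:
    """Receiver side: verifies MAC, freshness window and nonce uniqueness."""

    def __init__(self, key, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.seen_nonces = set()  # nonces accepted within the window

    def verify(self, message, now):
        """Return (True, payload) if accepted, else (False, reason)."""
        try:
            nonce, ts, payload, tag = message.split("|")
        except ValueError:
            return (False, "malformed")
        body = f"{nonce}|{ts}|{payload}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time compare so the MAC check itself is not a timing oracle.
        if not hmac.compare_digest(expected, tag):
            return (False, "bad mac")
        # Timestamp check: a replay carries the original, now stale, timestamp.
        if abs(now - int(ts)) > self.window:
            return (False, "stale timestamp")
        # Nonce check: the same session number must never be accepted twice.
        if nonce in self.seen_nonces:
            return (False, "replayed nonce")
        self.seen_nonces.add(nonce)
        return (True, payload)


def demo():
    """Walk through a legitimate message and three replay/tamper attempts."""
    now = 1_700_000_000  # fixed clock so the example is deterministic
    guard = ReplayGuard(SHARED_KEY, window_seconds=30)
    # Constructed sample transaction from the legitimate sender.
    msg = build_message(SHARED_KEY, secrets.token_hex(8), now,
                        "transfer:amount=100:to=acct42")
    results = {}
    results["original"] = guard.verify(msg, now)
    # Attacker captured msg on the wire and resends it one second later:
    # the MAC and timestamp are fine, but the nonce was already used.
    results["immediate_replay"] = guard.verify(msg, now + 1)
    # Even if the receiver lost its nonce cache (e.g. after a restart),
    # a replay an hour later fails on the embedded timestamp.
    fresh_guard = ReplayGuard(SHARED_KEY, window_seconds=30)
    results["late_replay"] = fresh_guard.verify(msg, now + 3600)
    # Attacker edits the amount without knowing the key: the MAC breaks.
    tampered = msg.replace("amount=100", "amount=9000")
    results["tampered"] = fresh_guard.verify(tampered, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The nonce set is what the post calls the random session key; the timestamp window is what lets the receiver survive losing that set. In practice the window should be small, the nonce cache bounded to the window, and the MAC should cover everything the receiver acts on (amounts, destinations, the direction of the message), otherwise an attacker can keep the authentication portion and swap the rest.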
 