Wi-Fi Protected Access: More access, less protection

In Friday's IT Blogwatch, we have the key to your data, or maybe not. Not to mention where it's shakin'...

Robert McMillan cracked the case:

Security researchers say they've developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption and read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.


The Boy Genius reports with air quotes:

Tews’ attack, discovered during testing performed with his co-researcher Martin Beck, tricks the router into sending him a large amount of data and combined with a “mathematical breakthrough,” Tews is able to break WPA much faster than any previously tested method.

Tim Stevens isn't surprised:

They always knew it could be done; that a hacker with enough time and processing power could watch your WPA-protected wireless network and, eventually, decrypt your precious datas. In under 15 minutes, though? "Inconceivable!" those hypothetical security experts would say -- but they're about to get a lesson from WiFi wizard Erik Tews. He'll be giving a presentation next week at the PacSec Conference in Tokyo, describing the "mathematical breakthrough" that, he says, enables him to crack WPA-TKIP in 12 to 15 minutes.

Glenn Fleishman is checking his sums:

With the Tews/Beck method, an attacker sniffs a packet, makes minor modifications to affect the checksum, and checks the results by sending the packet back to the access point. "It's not a key recovery attack," Tews said, "It just allows you to do the decryption of individual packets." This approach works only with short packets, but could allow ARP (Address Resolution Protocol) poisoning, and possibly DNS (Domain Name Service) spoofing or poisoning.


TKIP added a second layer of integrity [over WEP] through Message Integrity Code (MIC), nicknamed Michael. ... Here's where Tews said his colleague Beck got extremely clever: because both the WEP and TKIP mechanisms are used one after another, and because the Michael code is contained within the packet that's checksummed by the weaker WEP method, an attempt to crack a packet can first use chopchop without triggering the Michael countermeasures.
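The mechanism Fleishman describes (sniff a frame, change it slightly, let the access point's accept/reject decision tell you whether the checksum still holds) is the chopchop trick, and it works because the WEP-era ICV that TKIP kept is a plain CRC-32 under a stream cipher, which an attacker can adjust without knowing the key. The following is an added example written for this page, not code from Beck and Tews or from any Wi-Fi tool: it simulates a frame protected by RC4 and a CRC-32 ICV, an access point that answers only "valid" or "invalid", and an attacker who chops one byte at a time, tries the 256 guesses for the chopped byte with the matching CRC correction, and recovers the whole plaintext and keystream. The key, the sample payload and the assumption that the replayed frame is decrypted with the same keystream are constructed for the demo; TKIP's Michael MIC, replay counter and per-packet key mixing are left out.

```python
"""Chopchop against a CRC-32 ICV under a stream cipher (constructed demo, not a real Wi-Fi stack)."""
import zlib

# Reflected CRC-32 table, the same one zlib uses.
CRC_POLY = 0xEDB88320
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
    CRC_TABLE.append(c)
# Every table entry has a distinct top byte, so the top byte identifies the index.
TOP_BYTE_INDEX = {t >> 24: i for i, t in enumerate(CRC_TABLE)}


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (WEP and TKIP both feed RC4 a per-packet key; here one fixed key stands in)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_frame(key: bytes, data: bytes) -> bytes:
    """Encrypt data || CRC-32(data) (little-endian ICV, as WEP/TKIP lay it out)."""
    plaintext = data + zlib.crc32(data).to_bytes(4, "little")
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


class AccessPoint:
    """Oracle: decrypts and reports only whether the ICV verifies (no key or plaintext leaks)."""

    def __init__(self, key: bytes):
        self.key = key
        self.queries = 0

    def accepts(self, frame: bytes) -> bool:
        self.queries += 1
        plaintext = xor(frame, rc4_keystream(self.key, len(frame)))
        data, icv = plaintext[:-4], plaintext[-4:]
        return zlib.crc32(data).to_bytes(4, "little") == icv


def chop_correction(guess: int) -> bytes:
    """Bytes to XOR into the last four ciphertext bytes after chopping a byte whose plaintext is `guess`.

    With the chopped byte as the last ICV byte I3, the CRC register before the final byte of data
    can be stepped back one byte: its table index i satisfies CRC_TABLE[i] >> 24 == I3 ^ 0xFF, and the
    new ICV differs from the old bytes (b, I0, I1, I2) by exactly (i ^ 0xFF, T0, T1, T2)."""
    i = TOP_BYTE_INDEX[guess ^ 0xFF]
    t = CRC_TABLE[i]
    return bytes([i ^ 0xFF, t & 0xFF, (t >> 8) & 0xFF, (t >> 16) & 0xFF])


def chopchop(ap: AccessPoint, frame: bytes) -> bytes:
    """Recover the plaintext (data || ICV) of `frame` using only the AP's accept/reject answers."""
    guesses, current = [], frame
    while len(current) > 4:            # stop when only the ICV of empty data remains
        chopped = current[:-1]
        for guess in range(256):
            candidate = chopped[:-4] + xor(chopped[-4:], chop_correction(guess))
            if ap.accepts(candidate):  # exactly one guess yields a valid ICV
                guesses.append(guess)
                current = candidate
                break
        else:
            raise RuntimeError("no guess accepted; oracle assumptions violated")
    # Unwind: the final frame is empty data plus its (known) ICV; each earlier frame is
    # the later one with its last four bytes un-corrected and the recovered byte re-appended.
    plaintext = zlib.crc32(b"").to_bytes(4, "little")
    for guess in reversed(guesses):
        plaintext = plaintext[:-4] + xor(plaintext[-4:], chop_correction(guess)) + bytes([guess])
    return plaintext


# Constructed sample: a throwaway key and the first bytes of an ARP header.
DEMO_KEY = b"constructed-demo-key"
SAMPLE_DATA = b"\x00\x01\x08\x00\x06\x04\x00\x01"


def run_demo() -> dict:
    ap = AccessPoint(DEMO_KEY)
    frame = build_frame(DEMO_KEY, SAMPLE_DATA)
    recovered = chopchop(ap, frame)
    return {
        "recovered": recovered,
        "keystream": xor(frame, recovered),   # plaintext ^ ciphertext, reusable for forging
        "queries": ap.queries,
    }


if __name__ == "__main__":
    result = run_demo()
    print("recovered plaintext:", result["recovered"].hex())
    print("oracle queries:", result["queries"])
```

The attacker never sees a key or a decryption; the only signal is whether the access point treats each modified frame as valid, and at most 256 tries per byte suffice because the correction for each guess is distinct in its first byte. A TKIP receiver that gets a frame with a valid ICV but a wrong Michael MIC counts a MIC failure and can trigger the countermeasures Fleishman mentions, so a real attack must limit how often an accepted guess reaches the MIC check; this oracle checks only the ICV.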


Joel Esler plays games:

Looks like WPA (one of the methods of encrypting Wi-Fi sessions, oh yes, and I *did* just link to Wikipedia.) has been compromised. TKIP keys have been hackable via dictionary attack for a little while now, but this attack is NOT a dictionary attack. Oh yeah, and it's pretty quick too. (12-15 minutes according to the article I read).

Why do I say that it's not as bad as you think? The researchers (named in the above article) still haven't gotten access to the actual data that is being transferred. They just cracked the TKIP key. But that's step 1.


(Interesting fact -- You know what doesn't support WPA2? Xbox360. So what? It's just a game console right? How about what you enter in on the Xbox360 in order to buy an Xboxlive subscription? How about, your credit card number? I am sure there are plenty more devices that don't support WPA2, it was just an interesting observation. Windows does, why doesn't the Xbox360?)


Adam Frucci exaggerates:

When it came to setting up Wi-Fi networks, if you knew what you were doing you would enable WPA security. This would keep people with a small amount of knowledge from gaining access to your network, which is very easy with the much weaker WEP security. No more! WPA security has now been cracked, rendering all but the most tightly-locked networks open for hacking.


So what should you do to secure your network? Switch to WPA2 ...


Thierry Zoller says, Is Not:

What the author basically says is that they found a way to have the AP generate a lot of traffic, meaning a lot of encrypted data packets, which you can then use in a new way to brute-force TKIP.
Quote: They have not yet, however, managed to crack the encryption keys used to secure the data that travels from the PC to the router.
In my book, not cracking the encryption keys means... well, WPA is not cracked.


Our humble blogwatcher, Richi Jennings, is on holiday. Today's post is a joint venture from Ken Gagne and Joyce Carpenter.


Copyright © 2008 IDG Communications, Inc.
