WPA Wi-Fi Encryption Scheme Partially Cracked


Well, WEP came down long ago, so it was only a matter of time before the standard that succeeded it, WPA, fell too. The big news last week was that WPA has finally been cracked; the attack will be discussed this week at the PacSec Conference.

After the insecurity of WEP was exposed, the majority of routers and Wi-Fi devices defaulted to WPA, so this may be a serious and widespread security issue. Especially as, now that the initial method and information are public, more refined and efficient cracking methods will come to light; of course we shall report on any WPA cracking tools that we come across.

Security researchers say they’ve developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption and read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference’s organizer.

It’s a pretty fast attack on TKIP; by comparison, WEP cracking requires a relatively large amount of traffic to collect enough weak IVs to recover the WEP key.

If you can break WPA in 12-15 minutes, that’s impressive! It’s not a full key-cracking method though: it only yields a temporary key and doesn’t give you full access to everything.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack.

Security experts had known that TKIP could be cracked using what’s known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a “mathematical breakthrough,” that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

From what I understand, it allows the attacker to basically hijack the ARP communications on the network, not to read the full data available.

So it could leave a router or edge device using WPA open to ARP spoofing, enabling some man-in-the-middle kind of attack.

Apparently an experimental implementation of the researchers’ attack has been introduced into a development version of the aircrack-ng tool.
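Since the attack applies to TKIP, a practical defensive check is to find out which networks still negotiate it. The Python decoder below is an added example, not code from the original post, the researchers or the aircrack-ng project: it parses the RSN (WPA2) and legacy WPA information elements that an access point advertises in its beacons and flags any that offer TKIP; the function names are mine and the three sample elements are constructed, not captured.

```python
import struct

# Cipher-suite and AKM selector types from IEEE 802.11i; the same numbers are
# used under the RSN OUI 00-0F-AC and the legacy WPA vendor OUI 00-50-F2.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
RSN_OUI = b"\x00\x0f\xac"
WPA_OUI = b"\x00\x50\xf2"

def _selector(body, off, oui, table):
    """Decode one 4-byte selector (3-byte OUI + 1-byte type) at offset off."""
    sel = body[off:off + 4]
    if len(sel) < 4 or sel[:3] != oui:
        raise ValueError("truncated or foreign selector in element")
    return table.get(sel[3], f"unknown-{sel[3]}"), off + 4

def _suite_list(body, off, oui, table):
    """Decode a little-endian count followed by that many selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off, names = off + 2, []
    for _ in range(count):
        name, off = _selector(body, off, oui, table)
        names.append(name)
    return names, off

def parse_security_ie(ie):
    """Parse an RSN element (id 48) or WPA vendor element (id 221) from a beacon."""
    eid, length = ie[0], ie[1]
    body = ie[2:2 + length]
    if len(body) != length:
        raise ValueError("element length field exceeds available data")
    if eid == 48:
        kind, oui, off = "RSN", RSN_OUI, 0
    elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
        kind, oui, off = "WPA", WPA_OUI, 4  # skip OUI + vendor type 1
    else:
        raise ValueError("not an RSN or WPA element")
    (version,) = struct.unpack_from("<H", body, off)
    if version != 1:
        raise ValueError(f"unsupported {kind} version {version}")
    group, off = _selector(body, off + 2, oui, CIPHERS)
    pairwise, off = _suite_list(body, off, oui, CIPHERS)
    akm, off = _suite_list(body, off, oui, AKMS)
    return {"type": kind, "group": group, "pairwise": pairwise, "akm": akm}

def tkip_exposed(info):
    """True if the network can negotiate TKIP, i.e. is in scope for the Beck/Tews attack."""
    return info["group"] == "TKIP" or "TKIP" in info["pairwise"]

# Constructed sample elements (hex as it would appear in a beacon), not real captures.
WPA_TKIP_IE = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
WPA2_CCMP_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
WPA2_MIXED_IE = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
```

Run `parse_security_ie` over each element and pass the result to `tkip_exposed`; the WPA and the mixed-mode WPA2 element are flagged, the CCMP-only one is not.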

Source: Computer World




3 Responses to WPA Wi-Fi Encryption Scheme Partially Cracked

  1. Morgan Storey November 11, 2008 at 10:15 am #

    This is no big surprise, it is also only TKIP afaik, well TKIP is bad, as everyone has known since well WEP… so they moved to AES in WPA and WPA2, and they aren’t vulnerable to this, of course you can still use the wonderful AES rainbow tables but they are like 120+GB for just the most common AP SSIDs and common WPA keys.
    Keep your key long and your SSID non-standard and this won’t work either. Then you could use the brute force ability of a RISC chip like a decent GPU or PS3, but then it is getting silly.

  2. navin November 12, 2008 at 2:05 pm #

    “Then you could use the brute force ability of a RISC chip like a decent GPU or PS3, but then it is getting silly.”

    I’d disagree!! That’s been proved as a PoC to be ultra-effective... will post a link later if I find it... some people are already planning methods which’ll harness the speed of quantum computers to bruteforce... of course, quantum computers are still a few years away, but once they’re here, bruteforcing will definitely get a boost!!

  3. Morgan Storey November 12, 2008 at 10:24 pm #

    Oh of course it is doable, but being someone who used to run a wifi honeypot out of my house living on a very busy road, in 12 months I saw exactly two people try and get in; hundreds scanned it, saw it was protected with WEP64 security alone and left it alone, two actually tried to get through, neither succeeded.
    If someone wants to get in they will, if it is a big enough target they will try and they will get in. Bruteforcing through more powerful chips will make it quicker, but it will still come back to how much they want to get in.
    It is about doing the best you can; if your router only supports WPA-TKIP then use it and make the key long, change the key occasionally, and check the connected clients on your AP occasionally. When it comes time to upgrade make sure you go for WPA2, and do the same thing, that will stop 99.99999% of all attackers. It really comes back to risk versus cost. In this sea of open access points even some security can be enough, unless your SSID is BigBank or some such…