WPA Wi-Fi Encryption Scheme Partially Cracked

Well WEP came down long ago, it was only a matter of time before the standard that succeeded it fell too – WPA. The big news last week was that WPA has been cracked finally, it’ll be discussed this week at the PacSec Conference.

After the insecurity of WEP was exposed the majority of routers and Wi-Fi devices default to WPA, so this may be a serious and widespread security issue. Especially as though the initial method and information is public, more refined and efficient cracking methods will come to light – of course we shall report on any WPA cracking tools that we come across.

Security researchers say they’ve developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption and read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference’s organizer.

It’s a pretty fast attack on the TKIP, WEP cracking requires a relatively large amount of traffic to get hold of enough weak IVs to crack the WEP key.

If you can break WPA in 12-15 minutes, that’s impressive! It’s not a full key cracking method though, it only yields a temporary key and doesn’t give you full access to everything.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack

Security experts had known that TKIP could be cracked using what’s known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a “mathematical breakthrough,” that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

From what I understand it allows the attacked to basically hijack the ARP communications on the network, not the full data available.

So it could open up a router or edge device using WPA to be hijacked with ARP spoofing for some man-in-the-middle kind of attack.

Apparently an experimental implementation of the researchers’ attack has been introduced into a development version of the aircrack-ng tool.

Source: Computer World

Posted in: Exploits/Vulnerabilities, Wireless Hacking

, , , , , ,

Latest Posts:

GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.

3 Responses to WPA Wi-Fi Encryption Scheme Partially Cracked

  1. Morgan Storey November 11, 2008 at 10:15 am #

    This is no big suprise, it is also only tkip afaik, well tkip is bad, as everyone has known since well WEP… so they moved to AES in WPA and WPA2, and they aren’t vulnerable to this, of course you can still use the wonderful AES rainbow tables but they are like 120+gb for just the most common AP SSID and common WPA keys.
    Keep your key long and your SSID non-standard and this won’t work either. Then you could use the brute force ability of a RISC chip like a decent GPU or PS3, but then it is getting silly.

  2. navin November 12, 2008 at 2:05 pm #

    “Then you could use the brute force ability of a RISC chip like a decent GPU or PS3, but then it is getting silly.”

    I’d disagree!! Tht’s been proved as a PoC to be ultra-effective…will post a link later if I find it…….some people are already planning methods which’ll harness the speed of quantum computers to bruteforce…..of course, quantum computers are still a few years away, but once they’re here, bruteforcing will definitely get a boost!!

  3. Morgan Storey November 12, 2008 at 10:24 pm #

    Oh of course it is do-able, but being someone who used to run a wifi honeypot out of my house living on a very busy road, in 12months I saw exactly two people try and get in, hundreds scanned it saw it was protected with WEP64 security alone and left it alone, two actually tried to get through, neither succeeded.
    If someone wants to get in they will, if it is a big enough target they will try and they will get in. Bruteforcing through more powerful chips will make it quicker, but it will still come back to how much they want to get in.
    It is about what the best you can do, if your router only supports WPA-Tkip then use it and make the key long, change the key occasionally, and check the connected clients on your AP occasionally. When it comes time to upgrade make sure you go for WPA2, and do the same thing, that will stop 99.99999% of all attackers. It really comes back to risk versus cost. In this sea of open access points even some security can be enough, unless your SSID is BigBank or some such…