WPA Wi-Fi Encryption Scheme Partially Cracked

Well, WEP came down long ago, so it was only a matter of time before the standard that succeeded it, WPA, fell too. The big news last week was that WPA has finally been cracked; it'll be discussed this week at the PacSec Conference.

After the insecurity of WEP was exposed, the majority of routers and Wi-Fi devices defaulted to WPA, so this may be a serious and widespread security issue. Especially so now that the initial method and information is public: more refined and efficient cracking methods will come to light. Of course, we shall report on any WPA cracking tools that we come across.

Security researchers say they’ve developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption and read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference’s organizer.

It's a pretty fast attack on TKIP; by comparison, WEP cracking requires a relatively large amount of traffic to collect enough weak IVs to recover the WEP key.

If you can break WPA in 12-15 minutes, that's impressive! It's not a full key-cracking method, though: it only yields a temporary key and doesn't give you full access to everything.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack.

Security experts had known that TKIP could be cracked using what’s known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a “mathematical breakthrough,” that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

From what I understand, it allows the attacker to basically hijack the ARP communications on the network, not the full data available.

So it could open up a router or edge device using WPA to being hijacked with ARP spoofing for some man-in-the-middle kind of attack.

Apparently an experimental implementation of the researchers’ attack has been introduced into a development version of the aircrack-ng tool.
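Since the attack only reaches TKIP, the practical check for anyone running an access point is whether TKIP is still offered at all. The following is an added example, not code from the original post or from aircrack-ng: it parses a hostapd-style configuration and reports TKIP exposure, with a weak WPA/TKIP configuration shown beside a WPA2/CCMP-only one. The option names (wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt, wpa_passphrase, ssid) are real hostapd.conf options; both configuration texts are constructed samples.

```python
"""Audit a hostapd-style configuration for the TKIP cipher targeted by the
Tews/Beck attack, and show the hardened (WPA2, CCMP-only) equivalent.

Added example; not part of the original post, hostapd or aircrack-ng.
"""

# Constructed sample: WPA-only access point offering TKIP with a short,
# guessable passphrase on a default-looking SSID.
WEAK_CONF = """\
interface=wlan0
ssid=linksys
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed sample: WPA2 (RSN) only, CCMP only, long passphrase, custom SSID.
HARDENED_CONF = """\
interface=wlan0
ssid=k7-attic-ap
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 2008
"""

def parse_hostapd(text):
    """Return a dict of key=value options, ignoring blank and comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def effective_pairwise(conf):
    """Set of pairwise ciphers the AP will actually offer.

    Follows hostapd's documented rule that rsn_pairwise defaults to the
    wpa_pairwise value when it is not set, so a wpa=2 config that only
    sets wpa_pairwise=TKIP still ends up offering TKIP.
    """
    wpa = conf.get("wpa", "0")          # 1 = WPA, 2 = WPA2, 3 = both
    ciphers = set()
    if wpa in ("1", "3"):
        ciphers.update(conf.get("wpa_pairwise", "").split())
    if wpa in ("2", "3"):
        ciphers.update(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    return ciphers

def audit(text):
    """Return a list of findings; an empty list means nothing flagged."""
    conf = parse_hostapd(text)
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa in ("1", "3"):
        findings.append("WPA (pre-RSN) enabled: wpa=%s; set wpa=2" % wpa)
    ciphers = effective_pairwise(conf)
    if "TKIP" in ciphers:
        findings.append("TKIP offered as pairwise cipher (%s); restrict to CCMP"
                        % " ".join(sorted(ciphers)))
    # Passphrase advice from the comments: keep it long. 20 is an arbitrary
    # threshold chosen for this example; WPA allows 8 to 63 characters.
    passphrase = conf.get("wpa_passphrase", "")
    if passphrase and len(passphrase) < 20:
        findings.append("passphrase is only %d characters; use a long one"
                        % len(passphrase))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```

Run against the two samples, the weak configuration produces three findings (WPA enabled, TKIP offered, short passphrase) and the hardened one produces none. A mixed-mode access point (wpa=3 with CCMP TKIP) is also flagged, because offering TKIP at all is what the attack needs.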

Source: Computer World

Posted in: Exploits/Vulnerabilities, Wireless Hacking


3 Responses to WPA Wi-Fi Encryption Scheme Partially Cracked

  1. Morgan Storey November 11, 2008 at 10:15 am #

    This is no big surprise; it is also only TKIP afaik. Well, TKIP is bad, as everyone has known since, well, WEP… so they moved to AES in WPA and WPA2, and they aren't vulnerable to this. Of course you can still use the wonderful AES rainbow tables, but they are like 120+GB for just the most common AP SSIDs and common WPA keys.
    Keep your key long and your SSID non-standard and this won't work either. Then you could use the brute-force ability of a RISC chip like a decent GPU or PS3, but then it is getting silly.
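The dictionary attack mentioned in the article and the SSID-specific rainbow tables in the comment above come down to the same detail of the WPA-PSK derivation: the passphrase is run through PBKDF2-HMAC-SHA1 with the SSID as the salt, so a precomputed table is only valid for the SSID it was built for. The following is an added example, not code from the original post or from either commenter. It uses only the standard library; the "password"/"IEEE" pair is the published IEEE 802.11i test vector, and the other inputs (the three-word list, the SSIDs) are constructed for this example.

```python
"""Show why WPA-PSK precomputation is bound to one SSID.

802.11i derives the 256-bit PSK as PBKDF2(HMAC-SHA1, passphrase, ssid,
4096 iterations, 32 bytes). Because the SSID is the salt, a table of
PSKs built for one SSID tells you nothing about an AP with another SSID.

Added example; not part of the original post or the comments.
"""
import hashlib

def wpa_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32) per IEEE 802.11i."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)

def ssid_bound_table(passphrases, ssid):
    """What a precomputed table for a single SSID contains: PSK -> passphrase.

    Every entry already has the SSID baked in through the salt.
    """
    return {wpa_psk(p, ssid).hex(): p for p in passphrases}

def lookup(table, psk):
    """Return the passphrase whose PSK matches, or None."""
    return table.get(psk.hex())

# Constructed toy word list for the demonstration.
WORDLIST = ["password", "12345678", "letmein1"]

def demo():
    """Build a table for a default-looking SSID, then test it against the
    same passphrase on a default SSID and on a custom SSID."""
    table = ssid_bound_table(WORDLIST, "linksys")
    hit = lookup(table, wpa_psk("password", "linksys"))       # "password"
    miss = lookup(table, wpa_psk("password", "k7-attic-ap"))  # None
    return hit, miss

if __name__ == "__main__":
    print("IEEE test vector:", wpa_psk("password", "IEEE").hex())
    print("default SSID, custom SSID:", demo())
```

The point for a defender is the second lookup: the same weak passphrase is unreachable through the "linksys" table once the SSID changes, which is exactly why the comment's advice (long key, non-standard SSID) holds. A long passphrase is what protects against on-the-fly guessing, where the 4096 PBKDF2 iterations per guess are the only cost to the attacker.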

  2. navin November 12, 2008 at 2:05 pm #

    “Then you could use the brute force ability of a RISC chip like a decent GPU or PS3, but then it is getting silly.”

    I'd disagree!! That's been proved as a PoC to be ultra-effective... will post a link later if I find it... some people are already planning methods which'll harness the speed of quantum computers to brute-force... of course, quantum computers are still a few years away, but once they're here, brute-forcing will definitely get a boost!!

  3. Morgan Storey November 12, 2008 at 10:24 pm #

    Oh, of course it is doable, but being someone who used to run a Wi-Fi honeypot out of my house, living on a very busy road, in 12 months I saw exactly two people try to get in. Hundreds scanned it, saw it was protected with WEP64 security alone and left it alone; two actually tried to get through, and neither succeeded.
    If someone wants to get in they will; if it is a big enough target they will try and they will get in. Brute-forcing through more powerful chips will make it quicker, but it will still come back to how much they want to get in.
    It is about the best you can do: if your router only supports WPA-TKIP then use it and make the key long, change the key occasionally, and check the connected clients on your AP occasionally. When it comes time to upgrade, make sure you go for WPA2, and do the same thing; that will stop 99.99999% of all attackers. It really comes back to risk versus cost. In this sea of open access points even some security can be enough, unless your SSID is BigBank or some such...