
SANS ISC: WPA Wi-fi Cracked (but it's not as bad as you think... yet) - SANS Internet Storm Center SANS ISC InfoSec Forums


WPA Wi-fi Cracked (but it's not as bad as you think... yet)

I saw this on a couple news sites this morning, and it's security related, so I think it's important to throw it up on the Diary for today. 

Looks like WPA (one of the methods of encrypting Wi-Fi sessions; oh yes, and I *did* just link to Wikipedia) TKIP keys have been hackable via dictionary attack for a little while now, but this attack is NOT a dictionary attack. Oh yeah, and it's pretty quick too (12-15 minutes according to the article I read).

Why do I say that it's not as bad as you think?  The researchers (named in the above article) still haven't gotten access to the actual data that is being transferred.  They just cracked the TKIP key.  But that's step 1.

So, we all know that WEP isn't really the best thing in the world (read: don't use it), and WPA apparently isn't much better.  WPA2 is still uncracked as of now (as far as I know!), so ensure you are using it if you are running wireless networks.

Not only do you want a pre-shared key between your computer and the access point, but you also want after-connection verification of some type if possible.  Perhaps a splash page where you have to enter your username and password to authenticate?  Perhaps some kind of third-party token, à la an RSA key?

So, the takeaway from this is: if you are using WEP (wow, you are?) or WPA, please move to WPA2.

(Interesting fact -- You know what doesn't support WPA2?  Xbox360.  So what?  It's just a game console right?  How about what you enter in on the Xbox360 in order to buy an Xboxlive subscription?  How about, your credit card number?  I am sure there are plenty more devices that don't support WPA2, it was just an interesting observation.  Does Windows support WPA2?  I would think so right?  [I don't know])

-- Joel Esler http://www.joelesler.net

Joel

454 Posts
ISC Handler
WPA has the ability to use CCMP(AES) instead of TKIP, all you need to do is change the setting on your access point. Whereas WPA2 forces you to use CCMP(AES).
Anonymous
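An added example (not part of the original diary or its comments): a defender's audit check for the point in the comment above and the diary's advice to move to WPA2. It parses the WPA and RSN (WPA2) information elements an access point advertises in its beacon and reports whether TKIP is still permitted. The element layout and cipher type numbers follow IEEE 802.11; the function names and sample byte strings are constructed for illustration.

```python
import struct

# Cipher suite type numbers shared by the WPA (OUI 00:50:F2) and
# RSN/WPA2 (OUI 00:0F:AC) information elements in IEEE 802.11.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
WPA_OUI, RSN_OUI = b"\x00\x50\xf2", b"\x00\x0f\xac"

def _suites(body, oui):
    """Return (group, [pairwise...]) cipher names from a WPA/RSN body."""
    if len(body) < 8:
        raise ValueError("truncated security element")
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported version")
    def name(s):
        return CIPHERS.get(s[3], "unknown") if s[:3] == oui else "vendor"
    group = name(body[2:6])
    count, = struct.unpack_from("<H", body, 6)
    end = 8 + 4 * count
    if len(body) < end:
        raise ValueError("truncated pairwise list")
    return group, [name(body[i:i + 4]) for i in range(8, end, 4)]

def audit(ies):
    """Walk tagged elements from a beacon; report protocols and TKIP use."""
    found, pos = {}, 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:      # element runs past the buffer: stop
            break
        pos += 2 + length
        if eid == 48:               # RSN element, i.e. WPA2
            found["WPA2"] = _suites(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # vendor WPA
            found["WPA"] = _suites(body[4:], WPA_OUI)
    tkip = any("TKIP" in pw or grp == "TKIP" for grp, pw in found.values())
    return {"protocols": sorted(found), "tkip_allowed": tkip, "detail": found}

# Constructed sample elements (not captured traffic).
WPA_TKIP = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")
WPA_CCMP = bytes.fromhex("dd160050f20101000050f20401000050f20401000050f202")
WPA2_CCMP = bytes.fromhex("30140100000fac040100000fac040100000fac020000")

if __name__ == "__main__":
    for label, ies in [("WPA/TKIP", WPA_TKIP), ("WPA/CCMP", WPA_CCMP),
                       ("WPA2/CCMP", WPA2_CCMP), ("mixed", WPA_TKIP + WPA2_CCMP)]:
        print(label, audit(ies))
```

A network in mixed mode advertises both elements, so it is flagged as long as either one still lists TKIP.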
"(Interesting fact -- You know what doesn't support WPA2? Xbox360. So what? It's just a game console right? How about what you enter in on the Xbox360 in order to buy an Xboxlive subscription? How about, your credit card number? I am sure there are plenty more devices that don't support WPA2, it was just an interesting observation. Windows does, why doesn't the Xbox360?)"

Note: This does not imply that the connection between the Xbox and server is not performed over an encrypted channel (SSL?) over the WEP network connection. Also, the entry point is from the wireless or wired controller (up, down, left, right), not CC numbers over WEP.
David

1 Posts
"Windows does, why doesn't the Xbox360?" WPA2 encryption is a hardware operation; a device's ability to use WPA is dependent on sufficient hardware support.
Anonymous
More detailed info available at: http://arstechnica.com/articles/paedia/wpa-cracked.ars
Frank

1 Posts
