Wi-Fi, since it’s birth suffers from security issues. It’s first Encryption, WEP, can today be broken in a minute. and Irony — It’s still used commonly. What’s new? Computer scientists in Japan say they’ve developed a way to break the WPA encryption (considered secure) system used in wireless routers in about one minute.
The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) Encryption system. The attack was developed by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University, who plan to discuss further details at a technical conference set for Sept. 25 in Hiroshima.
Last November, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level, according to Dragos Ruiu, organizer of the PacSec security conference where the first WPA hack was demonstrated.
“They took this stuff which was fairly theoretical and they’ve made it much more practical,” he said.
As per that, an existing attack on Wired Equivalent Privacy (WEP) was modified to provide a slim vector for sending arbitrary data to networks that use the Temporal Key Integrity Protocol (TKIP).
With the Tews/Beck method, an attacker sniffs a packet, makes minor modifications to affect the checksum, and checks the results by sending the packet back to the access point. “It’s not a key recovery attack,” Tews said, “It just allows you to do the decryption of individual packets.” This approach works only with short packets, but could allow ARP (Address Resolution Protocol) poisoning and possibly DNS (Domain Name Service) spoofing or poisoning.
The paper, Practical Attacks against WEP and WPA, is now available for download.
The encryption systems used by wireless routers have a long history of security problems. The Wired Equivalent Privacy (WEP) system, introduced in 1997, was cracked just a few years later and is now considered to be completely insecure by security experts. Some researchers claim to be able to recover a WEP key in under a minute from an active network.
How WEP Hack works?
The flaw in TKIP has to do with checksums, which are used to ensure the integrity and accuracy of data. Checksums work by taking a sequence of numbers that are to be transmitted, applying a transformation to produce a short result, and appending that result to the transmission.
For instance, an ISBN that starts with 978 is 13 digits long, 12 of which represent a unique book number. The 13th is a base 10 number derived from alternately multiplying successive digits by 1 or 3, adding the results, and taking the modulo of 10. If you type in an ISBN incorrectly, a system that recalculates the checksum can determine in many cases if digits are swapped or wrong digits are entered.
With wireless transmission, the odds of missing a bit or getting it wrong are relatively high, and checksums are used both to determine whether there was an error in reception and to ensure the integrity of a packet. If the payload changes and the checksum does not, then a receiver can tell that the packet was tampered with.
This fell apart in WEP, because the checksum was so weak that techniques were developed to allow the data in a packet to be changed and a new checksum calculated. Tews mentioned the tool chopchop, which allows individual packets to be decrypted without cracking a WEP key. This program served as part of the wedge for the exploit.
WPA is an encryption algorithm that takes care of a lot of the vunerablities inherent in WEP. WEP is, by design, flawed. No matter how good or crappy, long or short, your WEP key is, it can be cracked. WPA is different. A WPA key can be made good enough to make cracking it unfeasible. WPA is also a little more cracker friendly. By capturing the right type of packets, you can do your cracking offline. This means you only have to be near the AP for a matter of seconds to get what you need. Advantages and disadvantages
WPA with TKIP “was developed as kind of an interim encryption method as Wi-Fi security was evolving several years ago,” said Kelly Davis-Felner, marketing director with the Wi-Fi Alliance, the industry group that certifies Wi-Fi devices. People should now use WPA 2, she said.
What is Wifi Alliance doing ?
Wifi Alliance had been active, they mandated Wi-Fi-certified products have had to support WPA 2 since March 2006.
“There’s certainly a decent amount of WPA with TKIP out in the installed base today, but a better alternative has been out for a long time,” Davis-Felner said. “They never achieved an un-hackable encryption.”
Enterprise Wi-Fi networks typically include security software that would detect the type of man-in-the-middle attack described by the Japanese researchers, said Robert Graham, CEO of Errata Security. But the development of the first really practical attack against WPA should give people a reason to dump WPA with TKIP, he said. “It’s not as bad as WEP, but it’s also certainly bad.”
What can you do?
Workaround- You can change from TKIP to AES encryption using the administrative console on your Wireless Routers