Slashdot Mirror


WPA Weak Key Cracker Posted

Glenn Fleishman writes "The folks at TinyPEAP released a cracking tool to break Wi-Fi Protected Access (WPA) keys. WPA is the replacement for weak WEP keys in the original 802.11b specification. Robert Moskowitz of ICSA Labs released a paper almost exactly a year ago documenting how WPA keys that were short and lacked randomness could be subject to cracks. This tool automates the process. Moskowitz advised choosing passphrases of more than 20 characters or generating random keys of at least 96 bits, but preferably 128 bits. Some tools exist to produce better keys, including chipmaker Broadcom's SecureEZSetup (in selected hardware) and Buffalo Technologies' hardware-based AOSS for automatic key generation and propagation. Enterprise-based WPA with 802.1X doesn't have this weakness: each user gets a long WPA key that's randomly generated and uniquely assigned--and can be frequently changed during a session."

7 of 168 comments

  1. I'm all for this. by Anonymous Coward · · Score: 5, Funny

    Leaving my WAP wide open all the time allows experienced crackers to access all the best pr0n sites with ease via my connection. All I then have to do is check the logs and Voila! There they are! Saves me looking for them and having to wade thru the pop-ups and bogus sites!

  2. Re:What Morons by PedanticSpellingTrol · · Score: 5, Insightful

    Jesus Christ, I hope you don't have a job in security. If all your packets are unencrypted, anybody can sniff them, see what MAC addresses are receiving traffic, and thus are on the whitelist. From there, it's a simple matter to spoof the MAC in software. This feature is built into Linux, Windows and OS X. The myth that MAC addresses are a universally unique identifier is dangerous and has to be dispelled.

  3. This is why by zakezuke · · Score: 5, Funny

    This is why I set up a stand-alone wifi network so that whenever war-drivers discover my "wireless network", everything they visit gets redirected to goatse. The result, I've observed, is usually a loud exclamation followed by the sound of screeching tires and burnt rubber.

    Next I'll observe when I secretly host a wifi network near Starbucks and replace everything with a small mirror of www.khaaan.com.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.

  4. Re:By its nature... by slashdot.org · · Score: 5, Insightful

    When you really think about it, by nature wireless networking can never be too secure. I mean, your data is being broadcast across the air to another point. Think about it.

    I guess that's an understandable misconception about security. But security has by nature nothing to do with wireless or wired.

    Good security is based on the principle that other people WILL have access to your encrypted data.

    Unfortunately, the people that implemented security in the wireless protocols did a piss-poor job and left it vulnerable to (known!) attacks.

    However, if you just ran IPSec or something over your wireless connection, you'd be fine.

  5. Re:Just name all your specific MAC addresses by hsidhu · · Score: 5, Insightful

    ummmm how hard is it to sniff the traffic, get the MAC address that is allowed and then spoof it?

  6. Re:Just name all your specific MAC addresses by IHateSlashDot · · Score: 5, Insightful

    You're kidding right? MAC filtering provides absolutely no added security. Once the encryption is broken, spoofing a MAC address is trivial.

  7. What are "short" WPA keys supposed to be? by rpp3po · · Score: 5, Insightful

    It is easy to see that the original poster of this story has no clue about encryption. There are several misconceptions in his posting:
    1. He writes: "WPA is the replacement for weak WEP keys in the original 802.11b specification". This is wrong. "Weak key" is a cryptographic term for - wonder - weak keys, like 128 bits consisting of 1's only (1111111111111...). For like 30 years, even WEP has taken measures to prevent this kind of key during use. WEP's problem in fact is the deterministic generation of IVs of the keystream, not weak keys.
    2. "Moskowitz advised choosing passphrases of more than 20 characters or generating random keys of at least 96 bits, but preferably 128 bits." That's also misunderstood. The PSK (pre-shared key), even when not using 802.1X, is always 256-bit. It's generated -from- a passphrase that you type in. A passphrase like "abc", e.g., contains less than 16 bits of security. So a WPA key generated from the passphrase "abc", although still being 256-bit, can be cracked within the time of a 16-bit brute-force attack. This is done by simply generating WPA keys from all passphrases between "aaa" and "zzz". So you always use 256-bit keys (PSKs), but they can be generated from much smaller passphrases.
    3. "each user gets a long WPA key". See above. The keys are always the same size of 256 bits. When using 802.1X there is only maximum "randomness". That's the difference. I think the poster still thinks that WPA works like WEP, where you actually use different key lengths.
    One could think that I'm very picky about his words. I think not. Especially in cryptography it is important to know exactly what part of a cryptographic chain you're talking about when talking about weaknesses. TinyPEAP seems to be just a tool for people like the original poster and script kiddies, who are in fact NOT knowing what they are talking about. It's just a brute-force tool to try out WPA passphrases. This is supposedly faster for people using short passphrases than brute-forcing keys directly.
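The passphrase-to-PSK mapping that comment 7 describes, as an added example that is not part of the original thread or of TinyPEAP: it assumes the IEEE 802.11i mapping (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations, 256-bit output), which the comment does not spell out, and shows why the passphrase's entropy, not the fixed 256-bit PSK size, bounds the brute-force cost.

```python
import hashlib
import math

# Constants fixed by the IEEE 802.11i passphrase-to-PSK mapping.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32  # the PSK is always 256 bits, whatever the passphrase


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PSK_BYTES,
    )


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Bits of security of a uniformly random passphrase of this length.

    An attacker derives one PSK per candidate passphrase, so this value,
    not the 256-bit PSK size, is what bounds the brute-force effort.
    """
    return length * math.log2(alphabet_size)


def effective_key_bits(length: int, alphabet_size: int) -> float:
    """Security actually delivered: passphrase entropy capped at the PSK size."""
    return min(passphrase_bits(length, alphabet_size), 8 * PSK_BYTES)


if __name__ == "__main__":
    # Constructed sample network: SSID and passphrase chosen for illustration only.
    psk = wpa_psk("correct horse battery staple", "home-net")
    print("PSK bits:", 8 * len(psk), "hex:", psk.hex())
    # Three lowercase letters, as in the comment's "abc": about 14 bits, under 16.
    # (Shorter than the spec's 8-character minimum, so only the estimate applies.)
    print("abc-style passphrase:", round(passphrase_bits(3, 26), 1), "bits")
    # Moskowitz's 20+ random printable ASCII characters (95 symbols): about 131 bits.
    print("20 random printable chars:", round(passphrase_bits(20, 95), 1), "bits")
    # The key itself never grows past 256 bits, however long the passphrase.
    print("63 random printable chars, capped:", effective_key_bits(63, 95), "bits")
```

The first assertion in the check below uses the published 802.11i test vector (passphrase "password", SSID "IEEE"), so a correct derivation can be confirmed without any network.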