Feds Hack Wireless Network in 3 Minutes
xs3 writes "At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys. This article will be a general overview of the procedures used by the FBI team."
Note to self: change WEP key to something other than "DEADBEEFDEADBEEFDEADBEEFDE".
Damn those feds are good.
It takes me longer than 3 minutes just to type the WEP key from my router into my client!
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
I live in the middle of nowhere. I think I may notice two men sitting with a laptop in an ominous black car with government plates, as the only place they could be close enough is my driveway.
Still, it may be time to look at running an IPSEC tunnel over the wireless network.
When I first read the closing line of the article, I chuckled.
Then I felt dismayed.
It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.
Obliteracy: Words with explosions
None of the agents could be reached for comment, as they were all busy arresting each other citing the Patriot Act and the DMCA.
-Peter
People just need to realize that nothing is infallible; maybe when this is mentioned on Fox News or CNN the general public will learn that they shouldn't trust their network for sensitive data. I know I don't.
Assembled, for your pleasure:
-------
Title: The Feds can own your WLAN too
Introduction
Millions of wireless access points are spread across the US and the world. About 70 percent of these access points are unprotected--wide open to access by anyone who happens to drive by. The other 30% are protected by WEP (Wired Equivalent Privacy) and a small handful are protected by the new WPA (Wi-Fi Protected Access) standard.
At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys.
This article will be a general overview of the procedures used by the FBI team. A future article will give step-by-step instructions on how to replicate the attack.
WEP Cracking - The Next Generation
WEP is an encryption scheme, based on the RC-4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter and the scrambled message is then decrypted by the receiver.
Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV) is part of the key, so a 64 bit WEP key actually contains only 40 bits of "strong" encryption while a 128 bit key has 104. The IV is placed in the encrypted frame's header, and is transmitted in plain text.
Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets--a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.
Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, "It doesn't matter if you use 128 bit WEP keys, you are vulnerable!"
On with the Show
Before we get into the steps that the FBI used to break WEP, it should be noted there are numerous ways of hacking into a wireless network. The FBI team used publicly available tools and emphasized that they are demonstrating an attack that many other people are capable of performing. On the other hand, breaking the WEP key may not necessarily give an attacker complete access to a wireless network. There could also be other protection mechanisms such as VPNs or proxy servers to deal with.
For the demonstration, Special Agent Bickers brought in a NETGEAR wireless access point and assigned it a SSID of NETGEARWEP. He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers.
Note that normally, you have to find wireless networks before you can crack them. The two wireless scanning tools of choice are Netstumbler for Windows or Kismet for Linux. Since the other WEP cracking tools are mainly Linux-based, most people find it easier to stick with Kismet, so they don't have to switch between Windows and Linux.
Another FBI agent started Kismet and immediately found the NETGEARWEP access point. Just for fun, a third agent used his laptop and ran FakeAP, a program that confuses scanning programs by putting up fake access points.
Attack!
After a target WLAN is found, the next step is to start capturing packets and convert th
I am surprised that wireless A/Ps don't block a MAC address after X number of attempts.
Is WPA a solution? WPA is just as, if not more, susceptible to a dictionary attack because it's password-based. WEP isn't usually, but in this case they were using a dictionary attack to crack APs which generate keys from English words. Like Linksys does.
More info here.
They didn't do a dictionary attack. What they did was use aircrack that uses a statistical method to crack the key. You need lots and lots of packets and they got those using void/deauth and a replay attack. It's all in the article.
Also, you only need one packet to brute force a key.
If you're going to cut-and-paste for karma, please CITE YOUR REFERENCES!
The page you snipped this from is cached here:
http://66.102.7.104/search?q=cache:ChC8gBE_LsEJ:www.tomsnetworking.com/Sections-print-article111.php+%22definite+improvement+over+WEP+in+providing+wireless+security%22&hl=en&client=firefox-a
This doesn't show that WEP is insecure... simply that the key-generation schemes favored by many manufacturers are insecure. Netscape 2.2 was vulnerable to the same type of weakness by using 22 bits of information to build its 40-bit session key for SSL.
BTW, assuming a similar key generation scheme, this technique could break AES or 3DES, the encryption algorithm is irrelevant here. Why is it that vendors of security products can't figure out security?
I only managed to get to the third page of the useless article (seriously people, put more than 2 paragraphs on a page!)
But so far I have "He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers." which makes me wonder if they actually used a dictionary attack...
Finally loaded the 4th page. Apparently they knocked an authorized user off the AP repeatedly and collected the resulting flood of reauthentication packets, plus used packet replay attacks to get the AP to respond to replayed ARP requests (apparently they are easy to spot in a pcap dump despite encryption). This gave them all the IVs they needed to crack the key.
If I have been able to see further than others, it is because I bought a pair of binoculars.
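The mechanics behind the pasted article's description of WEP (24-bit cleartext IV, RC4 keyed with IV plus the secret key, a CRC-32 ICV) and behind the comment above about ARP frames being easy to spot and replay despite encryption, as an added example that is not part of the article, the FBI demonstration or any poster's code. It is a toy model of WEP framing in Python: the key, IV, MAC/IP addresses and the second frame are constructed for the demonstration, while the RC4 seeding, little-endian CRC-32 ICV and the LLC/SNAP prefix follow the 802.11/WEP layout. The statistical key recovery itself (KoreK/aircrack) is not modelled here; this only shows the three properties it feeds on.

```python
# Added example (not from the article or the FBI demo): a toy model of WEP
# framing showing why the cleartext IV, fixed frame sizes and known
# plaintext matter. Key, IV and addresses below are constructed values.
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || root key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body: IV(3) | key-id byte | RC4(IV||key) xor (plaintext | ICV)."""
    assert len(iv) == 3 and len(root_key) in (5, 13)   # 40- or 104-bit secret
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4(iv + root_key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + xor(plaintext + icv, keystream)


def wep_decrypt(root_key: bytes, body: bytes) -> tuple:
    """Return (plaintext, icv_ok). The IV is read straight from the header."""
    iv, ciphertext = body[:3], body[4:]
    data = xor(ciphertext, rc4(iv + root_key, len(ciphertext)))
    plaintext, icv = data[:-4], data[-4:]
    ok = struct.unpack("<I", icv)[0] == (zlib.crc32(plaintext) & 0xFFFFFFFF)
    return plaintext, ok


# Every ARP frame on an 802.11 link starts with this LLC/SNAP header: known plaintext.
LLC_SNAP_ARP = bytes.fromhex("aaaa03000000" "0806")
ARP_BODY_LEN = 4 + len(LLC_SNAP_ARP) + 28 + 4   # IV/keyid + LLC/SNAP + ARP + ICV = 44


def arp_request(sha: bytes, spa: bytes, tpa: bytes) -> bytes:
    """Constructed Ethernet/IPv4 ARP request (28 bytes) behind its LLC/SNAP prefix."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\x00" * 6 + tpa
    return LLC_SNAP_ARP + arp


def looks_like_arp(body: bytes) -> bool:
    """RC4 is a stream cipher, so frame length leaks: an encrypted ARP is always 44 bytes."""
    return len(body) == ARP_BODY_LEN


def recover_keystream_prefix(body: bytes) -> tuple:
    """Known plaintext gives the first 8 keystream bytes for this frame's IV."""
    iv = body[:3]
    return iv, xor(body[4:4 + len(LLC_SNAP_ARP)], LLC_SNAP_ARP)


def demo() -> dict:
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")   # constructed 104-bit key
    iv = bytes.fromhex("0a0b0c")
    arp = arp_request(bytes.fromhex("00112233aabb"), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    frame1 = wep_encrypt(key, iv, arp)
    # a second frame sent under the *same* IV (24 bits of IV repeat quickly on a busy AP)
    frame2 = wep_encrypt(key, iv, bytes.fromhex("aaaa030000000800") + b"ip payload")
    _, ks = recover_keystream_prefix(frame1)
    leaked = xor(frame2[4:12], ks)   # keystream from frame1 decrypts the start of frame2
    return {
        "iv_in_clear": frame1[:3].hex(),
        "arp_by_size": looks_like_arp(frame1),
        "keystream_matches": ks == rc4(iv + key, 8),
        "leaked_llc_snap": leaked.hex(),
        "roundtrip_ok": wep_decrypt(key, frame1) == (arp, True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

demo() makes the three points concrete: the IV sits unencrypted in front of the ciphertext, an ARP frame is identifiable by size alone (which is what lets a replay tool pick it out and re-inject it to provoke fresh IVs from the AP), and the fixed LLC/SNAP prefix hands over keystream that decrypts any other frame carrying the same IV.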
Actually, the Password was 1-2-3-4-5.
I found that to be rather disturbing, since I have the same combination on my luggage.
What is surprising is that such a l33t cr3w used powerpoint for their presentation :/
Glad I didn't go through the effort of locking mine down. Who has the last laugh now, Mr. "You gotta lock that thing down"?
Adventure City Tours
So, just about any law you can break with a computer is now fair game. When you go to court just refer to the three minutes it could have taken some nefarious hacker to use your network without your knowledge. Since the likelihood of such an attack is low then I recommend everyone use a dictionary entry to generate keys. It will keep your neighbours off your network and you'll leave yourself with a perfect reasonable doubt defence when sued or prosecuted.
Nah, they have the manufacturers build in a backdoor! Didn't you watch 24 last night? All they needed was the manufacturer ID and they got root access!
WEP is like gun laws in the US. They only keep the honest people from having guns. What a great society we live in.
Um no, WEP is like a lock on your door and shades on your curtains. It provides you with a certain level of protection and privacy. They won't stop the professional thief or the determined voyeur. If you need/want a higher level of privacy/safety, then one needs to take additional steps to try to attain them.
Note too that having WEP enabled also is a useful tool when it comes time to prosecute. If you leave your packets unencrypted for the world to see, then someone might have a reasonable argument for "accidentally" capturing your data (hey, there is no law against sniffers right). However, if you have WEP enabled (regardless of how strong), then someone would have to be actively trying to break your key to get to your data. You can then prove intent.
Bull. They just walked around looking under keyboards.
If you aren't part of the solution, there is good money to be made prolonging the problem
The other is the PowerPoint guru :-P
WTF am I doing replying to an AC at 5 A.M on a Friday night?
I always click on the printer-friendly format. That usually gives you the article and pictures on one continuous page.
128 bits. Roll one 8-sided die 51 times (discarding the least-significant bit of the last roll).
To speed up the process, get one of those clear boxes they use to make sure people take the right number of pills per day. Get one with more than 22 boxes. (4 times a day for a week = 28, fairly common)
Put dice in boxes. Put a sheet of something solid on the door side. Shake. Invert. Voila, random byte strings. With 28 boxes you have 84 random bits. Repeat twice for your 152 bit key, dropping the last 16 bits.
chessex.com has a variety of dice - you can order single d8s for .50c. I'm fairly certain you could find cheaper prices. I estimate the total cost of this hardware randomizer at $20 if done on the cheap.
Someone will probably complain about the non-cryptographic quality randomness of this process. But you only need cryptographic quality randomness when you're going to use it very repeatedly and someone can attack the similarity between them. Since the nonrandomness isn't known to anyone outside and you probably aren't generating a massive number of keys you're fairly safe. To increase security, buy dice from multiple manufacturers and occasionally switch around the lots.
(Every 4 d8 values converts to 3 hex values. If you're converting by hand, you could alternately use a pair of dice for a hex value, generating only 56 bits per shake but only needing a table of 16 values to convert by hand to hex. You could also use 4-sided dice for this equally well, since you're only using 4 bits per pair.)
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
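The dice-to-hex conversion described in the post above, as an added example that is not the poster's code: it packs die rolls into a WEP key string and derives the number of rolls from the key size instead of counting by hand. It goes slightly beyond the post by accepting any power-of-two die (d4 pairs as well as d8s), and it sizes the key by its secret bits (104 for a "128-bit" WEP key, 40 for a "64-bit" one, as the pasted article explains). The roll sequences in the usage are constructed, not real rolls.

```python
# Added example (not from the post): turn hand-rolled die values into a WEP hex key.
# A "128-bit" WEP key carries 104 secret bits (26 hex digits); a "64-bit" key carries 40.
import math
import secrets
from typing import Sequence

WEP_SECRET_BITS = {64: 40, 128: 104}


def bits_per_roll(sides: int) -> int:
    """A fair die with 2^n sides gives exactly n bits per roll."""
    n = int(math.log2(sides))
    if 2 ** n != sides:
        raise ValueError("use a die with a power-of-two number of sides (d4, d8, ...)")
    return n


def rolls_needed(key_bits: int, sides: int = 8) -> int:
    """Rolls required to cover key_bits; surplus bits of the last roll are dropped."""
    return math.ceil(key_bits / bits_per_roll(sides))


def rolls_to_hex(rolls: Sequence[int], key_bits: int, sides: int = 8) -> str:
    """Pack rolls (1..sides) big-endian into key_bits bits and return them as lowercase hex."""
    if key_bits % 4:
        raise ValueError("key_bits must be a whole number of hex digits")
    width = bits_per_roll(sides)
    need = rolls_needed(key_bits, sides)
    if len(rolls) < need:
        raise ValueError(f"need {need} rolls, got {len(rolls)}")
    if any(not 1 <= r <= sides for r in rolls):
        raise ValueError(f"every roll must be in 1..{sides}")
    bitstring = "".join(format(r - 1, f"0{width}b") for r in rolls[:need])
    return format(int(bitstring[:key_bits], 2), f"0{key_bits // 4}x")


def rolls_to_wep_hex(rolls: Sequence[int], wep_bits: int = 128, sides: int = 8) -> str:
    """Convenience wrapper keyed by the marketing size (64 or 128)."""
    return rolls_to_hex(rolls, WEP_SECRET_BITS[wep_bits], sides)


def software_wep_hex(wep_bits: int = 128) -> str:
    """The no-dice alternative: the OS CSPRNG, same length as the dice key."""
    return secrets.token_hex(WEP_SECRET_BITS[wep_bits] // 8)


if __name__ == "__main__":
    print("d8 rolls for a 128-bit WEP key:", rolls_needed(WEP_SECRET_BITS[128]))
    print("d8 rolls for a 64-bit WEP key: ", rolls_needed(WEP_SECRET_BITS[64]))
    print(rolls_to_wep_hex([3, 8, 1, 5, 7, 2, 6, 4, 8, 1, 3, 5, 2, 7, 4, 6, 1, 8, 5, 3,
                            2, 6, 7, 4, 8, 2, 1, 5, 3, 6, 7, 4, 8, 1, 2]))   # constructed rolls
    print(software_wep_hex())
```

rolls_needed(104) comes out at 35 d8 rolls for a 104-bit secret, and the d4-pair scheme the post mentions is the sides=4 case: two rolls of a d4 give one hex digit.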
I'm the author of the article.
1. Where in the article does it say the FBI developed the attacks? Did you RTFA?
2. For the IDS comment, I did state that it is NOT a stealthy attack. Not stealthy = IDS will pick it up.
3. You weren't at the talk, and it shows. They did give credit (a LOT of credit) to KoreK and Devine, but I didn't put it in the article. So you can blame me for it.
Note that even if WEP is trivial to crack it serves a purpose: The same purpose as a lock on a screen door or window.
It doesn't keep out a burglar.
It DOES make it clear that your INTENT was to keep him out, and that if he breaks in his INTENT was to break in.
This is a very important legal point if/when you, or law enforcement, bring action against him.
Similarly, the computing community has generally interpreted permission settings (on files and the like) as an expression of intent, generally honoring them even if they have the ability to bypass them.
This transfers directly to wireless access points: Some people deliberately leave their APs open, to let others use them as a community resource. Generally this is done by leaving them at the default settings. While there may be confusion about it if an AP is in this state, there is NO confusion about the intent if WEP is enabled.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
My WAP is directly connected to my internal network and has NO WEP enabled or anything else. It's "wide open" and it's more secure than any company wireless access point I have ever seen.
If you cannot receive the signal, you cannot access or hack it. My home has aluminum siding with aluminum screening. My access point is in the basement on the street side with another sheet of aluminum 1 wavelength away from the antennas in the direction of the street.
So far even holding a wireless card AGAINST the window screens will give you no signal; you must be in the house to get a signal, and then it's strong.
The first thing in security is to make sure that your wireless signal is not going places you do not want it to.
Do not look at laser with remaining good eye.