Slashdot Mirror


WPA Encryption Cracked In 60 Seconds

carusoj writes "Computer scientists in Japan say they've developed a way to break the WPA encryption system used in wireless routers in about one minute. Last November, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level. The earlier attack worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm."

11 of 322 comments

  1. Re:Cool by MooseMuffin · · Score: 5, Insightful

    You'll be able to provide more free wireless too!

  2. Re:Secure protocols for home wifi? by Mad Merlin · · Score: 5, Insightful

    Wired ethernet. Not only is it vastly more secure, it's also an order of magnitude or two faster than wireless.

  3. Re:Secure protocols for home wifi? by pantherace · · Score: 4, Insightful

    I challenge you to show me a consumer available wireless that actually runs at 1 gigabit.

  4. Re:The rat race continues.. by ChrisMounce · · Score: 3, Insightful

    I'm not sure if you're calling shielded cables an example of security through obscurity, but if you did, they're not.

    Knowing exactly how your cables are shielded doesn't help me snoop on anything passing through those cables.

  5. Re:How does the VPN help? by NitroWolf · · Score: 4, Insightful

    Are you *positive* that the VPN connection is uncrackable? If it's going over wireless, then if someone is recording the cyphertext, they will be able to recover the VPN cyphertext out of the WPA cyphertext. If they then know of a way to recover the 'cleartext' from the VPN cyphertext, then you are still leaking your data. If the VPN system is so secure, why aren't we using it for the wireless connection? That is, make the wireless network a VPN using the same algorithms you use for your VPN?

    While I am not commenting on the security or lack of security in a VPN connection, I believe I can answer this. The simple fact is, most routers can't handle the encryption load of a full-blown VPN, especially one with multiple users. Even dedicated routers that are made to handle this can only handle 5 or 10 at a time until you start plopping down the big bucks for the serious VPN routers.

    So using VPN level of encryption on a home router is not going to happen until processing power is increased dramatically on the cheap CPUs they use.

  6. Re:The rat race continues.. by Lord Ender · · Score: 4, Insightful

    Actually, it is a mathematical fact that OTP is perfectly unbreakable. P=NP doesn't enter into it.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.

  7. Re:How about free secure wireless? by Jurily · · Score: 3, Insightful

    As they say, locks are only good for honest people.

    The main reason you want a strong lock is not because they're unbreakable, but because your neighbor should be the easier target.

  8. Re:The rat race continues.. by gclef · · Score: 4, Insightful

    Oh, fer crying out loud, if you're going to use Wikipedia notation, at least *check* Wikipedia first:

    The Vernam-Mauborgne one-time pad was recognized early on as difficult to break, but its special status was only established by Claude Shannon some 25 years later. He proved, using information theory considerations, that the one-time pad has a property he termed perfect secrecy; that is, the ciphertext C gives absolutely no additional information about the plaintext

  9. Re:The rat race continues.. by JoshuaZ · · Score: 4, Insightful

    The original question was "The question is can anything be secure in the long term if an attacker can monitor the conversation between alice and bob 24/7?" Presumably then you eventually run out of one time pads. OTP is secure iff you have either a shared source of randomness or have some other secure channel to transmit the material. And if you have a shared source of randomness you need then to have that source somehow secure. There are good reasons we don't use one time pads on a daily basis.
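
Added example, not part of any comment in this thread: a small Python check of the two one-time-pad points argued in comments 6, 8 and 9, namely that a pad used once leaves the ciphertext consistent with every plaintext, and that a reused pad leaks. The function names and sample messages are constructed for illustration.

```python
import secrets
from collections import Counter
from itertools import product


def xor(a: bytes, b: bytes) -> bytes:
    """One-time pad encryption and decryption: XOR with an equal-length pad."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def ciphertext_distribution(message: bytes) -> Counter:
    """Encrypt `message` under every possible pad and count the ciphertexts."""
    pads = (bytes(k) for k in product(range(256), repeat=len(message)))
    return Counter(xor(message, pad) for pad in pads)


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The unique pad under which `ciphertext` decrypts to `candidate`."""
    return xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With one pad used twice, c1 XOR c2 == p1 XOR p2: the pad cancels out."""
    return xor(c1, c2)


if __name__ == "__main__":
    # Perfect secrecy on a 2-byte message space (65,536 pads, all enumerated):
    # the ciphertext distribution is the same whatever the plaintext was.
    print(ciphertext_distribution(b"OK") == ciphertext_distribution(b"NO"))

    # Constructed sample messages of equal length.
    p1, p2 = b"MEET AT NOON", b"MEET AT DUSK"
    pad = secrets.token_bytes(len(p1))
    c1 = xor(p1, pad)

    # An eavesdropper can find a pad that "decrypts" c1 to any guess, so
    # the ciphertext alone cannot confirm or rule out a plaintext.
    print(xor(c1, pad_explaining(c1, p2)))

    # Running out of pad and reusing it: identical bytes show up as zeros.
    c2 = xor(p2, pad)
    print(reuse_leak(c1, c2).hex())
```

The leading zero bytes in the last output mark where the two messages agree, which is why pad material has to be consumed and never recycled.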

  10. Re:It wasn't broken by Anonymous Coward · · Score: 3, Insightful

    They've found a way to decrypt TINY packets only a few bytes long (like ARP) and inject fake ones of the same length.

    So no real traffic sniffing, and definitely no WPA key recovery.

    I can't see really how this would be a useful tool in aircrack as you have no way of doing anything else with the network!

  11. Re:Cool by Shakrai · · Score: 3, Insightful

    MAC address whitelists are a waste of time. Anyone who is competent can just monitor your network long enough to discover the MAC address of a trusted device and switch his device to that address. Anyone who isn't competent isn't going to be able to bypass WPA.

    If you want to get really paranoid you can back up your encryption with a non-permissive firewall that will only pass traffic for your device after you authenticate with it somehow. I used to do this back in the days when WEP was our only option. I ran my network wide open (since WEP is utterly pointless) but had a Linux box sitting in front of it that refused to pass traffic unless I authenticated with it.

    If you want to get creative you can program the firewall to redirect all unauthenticated http requests to goatse.cx instead of dropping them. That'll teach em to try and mooch off your network without permission ;)

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.