WPA Encryption Cracked In 60 Seconds

carusoj writes "Computer scientists in Japan say they've developed a way to break the WPA encryption system used in wireless routers in about one minute. Last November, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level. The earlier attack worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm."

Cool

[el_tedward]

So we'll be able to get more free wireless now?

Re:Cool

[MooseMuffin]

You'll be able to provide more free wireless too!

Re:Cool

[godrik]

My wireless network is kept open. I prefer to be sure that it is not safe than believe it is :) BTW, I call it ParasiteNet. :)

Re:Cool

[Lumpy]

I do the same but I have a coovaAP set up for the roaming to snag free WiFi near my home.

Keeps people out of my junk, and I can limit what they can do.

Re:Cool

[Chapter80]

I prefer to be sure that it is not safe than believe it is :)

"I'm safe. My secure wireless router is no where near Japan. There's no way they can pick up signals from me."

(This came from a guy who would only buy American electronics, because he really didn't want to watch Japanese game shows and doesn't speak Japanese, Thai. or Korean.)

Re:Cool

[Shakrai]

Mac address whitelists are a waste of time. Anyone who is competent can just monitor your network long enough to discover the mac address of a trusted device and switch his device to that address. Anyone who isn't competent isn't going to be able to bypass WPA.

If you want to get really paranoid you can back up your encryption with a non-permissive firewall that will only pass traffic for your device after you authenticate with it somehow. I used to do this back in the days when WEP was our only option. I ran my network wide open (since WEP is utterly pointless) but had a Linux box setting in front of it that refused to pass traffic unless I authenticated with it.

If you want to get creative you can program the firewall to redirect all unauthenticated http requests to goatse.cx instead of dropping them. That'll teach em to try and mooch off your network without permission ;)

Re:Cool

[Chapter80]

Actually no.

From wikipedia:
About 70% of the people in Taiwan belong to the Hoklo ethnic group and speak both Standard Mandarin (officially recognized by the ROC as the National Language) and Taiwanese Minnan (commonly known as "Taiwanese"

Secure protocols for home wifi?

[tacarat]

TFA lists AES. I'm curious what else is considered useful. Anybody using hacked routers to run tomato and the like are very welcome to discuss their security thoughts.

Re:Secure protocols for home wifi?

[Hijacked+Public]

This list is still accurate, if you apply the comment on #4 up to #5 as well.

And run DD-WRT.

Re:Secure protocols for home wifi?

[v1]

It's probably not so much a matter of what base crypto they're using (a la AES, SHA, etc) but how they're implementing the key exchange when negotiating the connection. Implement good crypto wrong and you open the door. Initial negotiations between parties is a tricky, multistep affair for good security, to prevent MITM.

Re:Secure protocols for home wifi?

[Mad+Merlin]

Wired ethernet. Not only is it vastly more secure, it's also an order of magnitude or two faster than wireless.

Re:Secure protocols for home wifi?

[ColdWetDog]

Wired ethernet. Not only is it vastly more secure, it's also an order of magnitude or two faster than wireless.

No wireless? Lame.

Re:Secure protocols for home wifi?

[pantherace]

I challenge you to show me a consumer available wireless that actually runs at 1 gigabit.

Re:Secure protocols for home wifi?

[John+Hasler]

> They do not work on...

Yet.

Re:Secure protocols for home wifi?

[Cyner]

SMC SMC10GPCIE-XFP 10Gbps Ethernet Card, available at NewEgg

Re:Secure protocols for home wifi?

[dissy]

When your options for your internet connection top out below 10mbps, does it matter that your LAN can only do 22? Or 144?

Yes, it matters.

It might not be needed for you, if all you use your PCs for is to use the internet, but not talk to each other heavily.

Others however have an internal autonomous network of machines that all talk to each other and only occasionally out to the internet.

Running a fileserver to play videos on your multiple entertainment PC devices on TVs, tossing large files around, running onsite+online backups... None of those things need an internet connection at all to do, yet there is a slight noticeable difference between doing them at 11mbit and doing them at 1000.

Re:Secure protocols for home wifi?

[An+ominous+Cow+art]

No spiders? That's madness! Who will fix the Web when it breaks?

Re:How Long?

[0100010001010011]

Backtrack really doesn't "do" anything, it's just an awesome integration of separate tools.

aircrack is the base package that would most probably implement this.

I'm safe.

[rawls]

Lucky for me, I use WEP, so I'm safe.

Re:I'm safe.

[marcansoft]

Nintendo loves the ancient concept of having games statically link the system libraries and drivers (they still do that, even for the Wii). That's the reason - each WiFi-enabled game includes a copy of the WiFi setup screen and talks directly to the hardware. They've (shortsightedly) defined the DS hardware to support WEP only, and they can't change that now without breaking existing software.

I've already ranted about this before. Basically, Nintendo has locked themselves out of practically any update or improvement on both the DS and Wii fronts. For example, they will never be able to improve upon the Wii home menu, since a copy of it is bundled with every game and they can't replace it. The only exception to this rule are the IOS drivers for Wii titles, which are upgradable, but they make up for that by using retardedly low-level interfaces for them and apparently having policies in place of never touching existing versions of IOS except for security purposes (i.e. closing exploits). This is, say, why a system-level all-game background WiiSpeak VoIP will never, ever happen.

The rat race continues..

[simp]

The question is can anything be secure in the long term if an attacker can monitor the conversation between alice and bob 24/7? Sometimes a bit of obscurity can go a long way. Good luck trying to sniff my shielded network cables. Yes, I've heard the tempest stories but I'm jumping to the conclusion that those techniques are only available to big $$ governements institutions and are not used by the random drive-by hacker (yet..)

Re:The rat race continues..

[ChrisMounce]

I'm not sure if you're calling shielded cables an example of security through obscurity, but if you did, they're not.

Knowing exactly how your cables are shielded doesn't help me snoop on anything passing through those cables.

Re:The rat race continues..

[Lord+Ender]

That's not a very intelligent question. Obviously, OTP can be secure in the long term for any definition of long term. Public key cryptography has always been secure, and probably will be until really really good quantum computers are developed. Symmetric key crypto is as secure as ever, and there's no indication this will change soon. Some cryptographic hash algorithms are less useful today, but most are still more than good enough.

So, yes, crypto can certainly be "secure" in the long term. Protocols with design flaws (like WPA-TKIP) will never be secure. The more "obscure" the protocol, the more likely it is to be insecure, as it won't benefit from peer review.

Re:The rat race continues..

[Chris+Burke]

The question is can anything be secure in the long term if an attacker can monitor the conversation between alice and bob 24/7?

Yes. It's a basic assumption in communication security that your communication medium is insecure and can be monitored or modified at will by an attacker.

You can design an authentication/key exchange protocol so that the only way to access the data is to break the encryption algorithm, or via social engineering.

You can design an encryption algorithm so that it cannot be broken except by a brute force attack in an infeasible amount of time, meaning like 1000 years assuming Moore's Law continues unabated the whole time and major world governments want your data.

It's just a tricky thing to get right. And sometimes (WEP) it seems like they weren't even trying.

Re:The rat race continues..

[Lord+Ender]

Actually, it is a mathematical fact that OTP is perfectly unbreakable. P=NP doesn't enter into it.

Re:The rat race continues..

[xianthax]

"Shielded Network Cables"

have virtually no impact on emissions from the cable, and do have no impact if your equipment doesn't have shielded connectors which is unlikely, a shield that is not properly grounded will create higher emissions and increase external noise pickup. Shielding on Ethernet cables is to limit noise going into the wire, and is only effective at lower frequencies, its mostly for keeping 50/60Hz mains noise off the wires.

You could install ferrites on the cable to limit common mode noise but i don't see a security benefit to that.

The EM field from a network cable is already _extremely_ low do to it being a differential signal carried on a twisted pair i'd be extremely impressed if you could enough of a field to pick up the differential mode signal without physical contact with the bare wires. if you are getting emissions you are better off solving that problem with higher quality cable with lower resistance copper and tighter / more consistent twists in the pairs. If your getting high emissions your probably having trouble getting data through the cable anyway, if the EM fields aren't canceling you aren't getting a clean differential mode signal out the other end.

Re:The rat race continues..

[gclef]

Oh, fer crying out loud, if you're going to use wikipedia notation, at least *check* wikipedia first:

The Vernam-Mauborgne one-time pad was recognized early on as difficult to break, but its special status was only established by Claude Shannon some 25 years later. He proved, using information theory considerations, that the one-time pad has a property he termed perfect secrecy; that is, the ciphertext C gives absolutely no additional information about the plaintext

Re:The rat race continues..

[JoshuaZ]

The original question was "The question is can anything be secure in the long term if an attacker can monitor the conversation between alice and bob 24/7?" Presumably then you eventually run out of one time pads. OTP is secure iff you have either a shared source of randomness or have some other secure channel to transmit the material. And if you have a shared source of randomness you need then to have that source somehow secure. There are good reasons we don't use one time pads on a daily basis.

Re:The rat race continues..

[JoshuaZ]

Doesn't work. You can't transmit this way more bits than your pad started with. So you end up with just as many bits worth of shared random data that you started with.

Re:The rat race continues..

[Chris+Burke]

No, you can't guarantee it's secure.

I meant what I said and I said what I meant.

A perfect implementation with a mathematically secure algorithm can be broken over time.

You're absolutely right, over an arbitrary amount of time it can be broken. But you can make make mathematical statements about the average complexity of doing so. You can then get a good idea of what key size you need to make it secure in the long term for whatever definition of "long term" suits your purpose, just by making a few basic assumptions such as...

You can't be sure that the government doesn't have a quantum computer ready to crack your shit. You can't be sure the space aliens aren't monitoring you.

Or that the government has doesn't psychics reading the password from my mind. Or that I don't live in The Matrix. Or that I'm not already dead!

But seriously, there's very little chance the government is sitting on giant quantum computers. The Manhatten Project was long ago. The government may still be a place where projects guilt built that push the envelope of technology, but it's really just combining existing tech with a large budget. The state of the art in materials science, fabrication, and computing technology is in private industry and universities, as is the engineering required. It's not a matter of budget or will that's keeping quantum computers big enough to rapidly crack the best public key crypto from being built tomorrow; mega-cheese is already being spent on the problem. There's just going to be a lot of time going into this research.

So, if I could mathematically guarantee it'll take on average thousands of years with today's technology to break some encryption even assuming continuing exponential growth, would you say that encryption is secure against that technology? It make only take decades for the next quantum leap (ironic pun because quantums are small) in technology to come around, but what secret are you keeping that someone will have snooped on and then kept around for 20 years hoping quantum computers would come around to let them read it, yet that you're sending over the internet so it gets snooped in the first place. Hell even national security/political secrets aren't that sensitive and they at least exercise physical security as well. Since we already know of algorithms that are similarly secure against quantum computers, isn't having however many years or decades of knowing your secret is safe enough when you can switch as soon as it is necessary?

Let me put it this way: I may not be able to guarantee in the sense of ensure, but I would be happy to insure the security of certain algorithms for a reasonable monthly premium. :)

You can't even be sure your hat is made of genuine tin foil!

Oh, but now there you're just wrong. I have ensured that my hat is genuine tin foil through neural-quantum scanning ('psychic transmutation' for laymen). And here, I mean my tinfoil hat is genuine both in the sense of being absolutely pure elemental tin and in the sense of being extremely sincere.

If the government could defeat that... Well then believe me, they would not be trying so hard to find and stop me, nor would they be failing so badly.

Re:The rat race continues..

[Sique]

Or to be more specific:

Let's call the first OTP P1 and the new one P2.

We encrypt Message M1 with P1 by using M1^P1, then we send the new Pad P2 as P1^P2. Finally we send M2 encrypted with P2.

To guess a part of M2 with a known part of M1, you just do:

(M1^P1)^(P1^P2)^(P2^M2), and you get M1^(P1^P1)^(P2^P2)^M2 = M1^M2.

So each part of M1 you already know reveals a part of M2.

Time to start working on WPA3?

[JSBiff]

So, does this mean it's time to start working on whatever the replacement will be for WPA2? WPA is broken. . . but at least we can use WPA2 (for now). I'm guessing WPA2 will someday be broken, so we need to have something to replace it which has not (yet) been broken. Seems like wireless security rests on a never-ending game of move the goal, before the goal is reached (where the 'goal' for crackers is to crack the 'current' security protocol).

Although, thinking about this more, it makes me wonder - does anyone ever 'record' encrypted traffic from targets of interest, in the hopes that, maybe right now they can't crack it, but maybe in 2 or 3 years, they'll be able to crack it, and if they have a 'recording' of the cyphertext, which they can later decrypt, they can get possibly interesting info/data (data could very easily still be useful and interesting 3 or 5 years from now, particularly things like state/corporate secrets, but even more mundane info like people's social security numbers, answers to online password 'reset' security questions, etc).

I suppose that if I could think of it, someone else already has, and already is doing it.

So, from that standpoint, even if the security researchers stay 'ahead' of the blackhats, the blackhats can still get useful info within a relatively useful amount of time. Just because you've upgraded to WPA2 or WPA+AES, doesn't mean you're completely protected, if someone snagged encrypted traffic in the past which was 'secured' by TKIP.

Re:Time to start working on WPA3?

[arndawg]

That's why if you have really important information going through the wireless. You either A) Use a VPN tunnel or B) Don't use wireless.

Re:Time to start working on WPA3?

[smellsofbikes]

Although, thinking about this more, it makes me wonder - does anyone ever 'record' encrypted traffic from targets of interest, in the hopes that, maybe right now they can't crack it, but maybe in 2 or 3 years, they'll be able to crack it, and if they have a 'recording' of the cyphertext, which they can later decrypt, they can get possibly interesting info/data (data could very easily still be useful and interesting 3 or 5 years from now, particularly things like state/corporate secrets, but even more mundane info like people's social security numbers, answers to online password 'reset' security questions, etc).

One of the parts of Neal Stephenson's "Cryptonomicon" I enjoyed the most was when one character sent another character a message encoded with, as I recall, 4096-bit security, and the character receiving it, while his computer was decoding it, went through the mental gymnastics of comparing the speed of prime factoring algorithms, taking into account Moore's Law and how many new computers were coming online, to conclude that whatever was in the message, it was meant to stay secret for at least 40 years, as opposed to the sender's usual 10 year threshold, making the recipient particularly nervous about the contents.

Re:so, uh,

[rawls]

The original paper is here

yep....

[Em+Emalb]

That's why I don't even bother with passwords on my wireless at ... Hello Friends! Please to hand over your credit and debit card informations at this time, I am thanking you not a lot. My name is Desmund Boutrous-Boutrous Gali Johnson IV and I have some news of the not so happy sort. Your uncle, and my business mentor and/or friend, McGuyver has been known to be passed away at this time going forth.

Please to send me monies by any means as possible soonest.

Wamerst thoughts and heated Regards, BBGIV

(that's about how long it would take to crack it. Damn.)

Re:Slashdot sucks...

Jokes are supposed to be funny.

As usual

[trifish]

And the most important piece of information comes at the very end of the summary (just not to diminish the sensation or prevent FUD):

They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm.

How does the VPN help?

[JSBiff]

Are you *positive* that the VPN connection is uncrackable? If it's going over wireless, then if someone is recording the cyphertext, they will be able to recover the VPN cyphertext out of the WPA cyphertext. If they then know of a way to recover the 'cleartext' from the VPN cyphertext, then you are still leaking your data. If the VPN system is so secure, why aren't we using it for the wireless connection? That is, make the wireless network a VPN using the same algorithms you use for your VPN?

Re:How does the VPN help?

[NitroWolf]

Are you *positive* that the VPN connection is uncrackable? If it's going over wireless, then if someone is recording the cyphertext, they will be able to recover the VPN cyphertext out of the WPA cyphertext. If they then know of a way to recover the 'cleartext' from the VPN cyphertext, then you are still leaking your data. If the VPN system is so secure, why aren't we using it for the wireless connection? That is, make the wireless network a VPN using the same algorithms you use for your VPN?

While I am not commenting on the security or lack of security in a VPN connection, I believe I can answer this. The simple fact is, most routers can't handle the encryption load of a full blown VPN, especially one with multiple users. Even dedicated routers that are made to handle this can only handle 5 or 10 at a time until you start plopping down the big bucks for the serious VPN routers.

So using VPN level of encryption on a home router is not going to happen until processing power is increased dramatically on the cheap CPUs they use.

Re:How does the VPN help?

[mcrbids]

Are you *positive* that the VPN connection is uncrackable?

No, and nobody ever is. Which is why security protocols are so conservatively deployed. Protocols are proposed and analyzed by lots of people who are (hopefully) much smarter than you or I. Protocols that withstand years of this scrutiny and review are slowly trusted more and more (EG: SSL) over other protocols that get picked apart. (like WEP)

If it's going over wireless, then if someone is recording the cyphertext, they will be able to recover the VPN cyphertext out of the WPA cyphertext. If they then know of a way to recover the 'cleartext' from the VPN cyphertext, then you are still leaking your data.

This whole paragraph makes no sense at all, and makes it clear that you do not understand encryption, especially dual-key cryptography. Please RTFM.

If the VPN system is so secure, why aren't we using it for the wireless connection? That is, make the wireless network a VPN using the same algorithms you use for your VPN?

WEP, WPA, and AES are protocols that logically establish a sort of Virtual Private Network on otherwise public radio waves. The main difference between these protocols and a true VPN is that they aren't layered on top of IP, like a VPN, but are instead layered on the datagram protocol of the radio signal itself. The problem is that WEP was quickly implemented and was never really peer reviewed. Thus, it had numerous flaws that were discovered very quickly.

From a security standpoint, WEP is sort of like locking your ground-floor window. It allows you to announce your intention of privacy, but it's quite easily compromised by somebody with the digital equivalent of the nearest rock.

It wasn't broken

[mx_mx_mx]

They have just found a way to decrypt a packet using the WEP chopchop algorithm. Master key can't still be recovered. Move along, this isn't news

Re:It wasn't broken

They've found a way to decrypt TINY packets only a few bytes long (like ARP) and inject fake ones of the same length.

So no real traffic sniffing, and definitely no WPA key recovery.

I cant see really how this would be a useful tool in aircrack as you have no way of doing anything else with the network!

Wireless Routers

[Wowlapalooza]

Minor nitpick with the article: WPA is a general wireless security protocol[1] which isn't limited to wireless routers. Regular APs (Access Points) use it, as of course do wireless clients.

[1] Actually, to nitpick myself, WPA isn't even technically a protocol, it's a certification program which confirms that particular devices implement the IEEE 802.11i standard

Re:mac address whitelist filters?

[radish]

MAC filters are worthless, always have been (it's trivial to change the MAC on a device to a whitelisted one). And I don't see any evidence that WPA2/AES is "fast becoming insecure", as this attack specifically doesn't work against that setup.

I have a better security...

[AmigaHeretic]

I don't know why people insist on using WEP, WPA, WPA2, etc..

I just made my SSID "Logon for only $3.99 per minute"

Haven't ever seen my neighbors log on even once.

_

Re:I have a better security...

[mungewell]

I have mine set to 'I read your email'.

Not new

[MobyDisk]

TKIP was fundamentally broken, by design. We knew that. TKIP was invented as an intermediate encryption that could run on the same hardware that WEP ran on. It allowed router manufacturers to use something better than WEP without having to beef-up their hardware. It worked well, and bought several years before it was completely broken. Anyone who has a router using TKIP bought at a bad time, and is stuck with something that's only a little better than WEP. The solution is to buy a router that supports WPA2, which has real AES encryption.

Re:Experiences

[krenaud]

What? A 7 year old Linksys WRT54G can handle 24-30Mbps with AES encryption, current versions are even faster, and if you choose wisely you can find 80-90Mbps home routers from Dlink/Netgear today.

These routers are more than adequate for more than "light surfing".

Re:How about free secure wireless?

[Fast+Thick+Pants]

And don't forget to set them for different channels.

Alternately, if you run dd-wrt, you can try setting up mutltiple virtual wireless networks and have them broadcast separate SSIDs so it looks like you've got two routers.

Re:How about free secure wireless?

[Jurily]

As they say, locks are only good for honest people.

The main reason you want a strong lock is not because they're unbreakable, but because your neighbor should be the easier target.

Re:How about free secure wireless?

[gnud]

Yay solidarity! =)

Re:How Long?

[mftb]

Manpages.

Re:mac address whitelist filters?

[CrashandDie]

Because they are transmitted bright and clear all over the place? Whitelisting the authorised MAC addresses assumes that you do not trust the encryption (or there is none). If you assume the encryption is broken, you assume anyone can listen to the network and intercept any and all MAC addresses being transmitted (in [nearly?] every single packet).

Other protocols available

[azrider]

TKIP was fundamentally broken, by design. We knew that. TKIP was invented as an intermediate encryption that could run on the same hardware that WEP ran on.

TKIP (Timed Key Interchange Protocol, for those who don't know) does have a weak spot. This is that the new key is sent out from the access point on a regular basis. Cisco's implementation (supported by most companies that supply 802.11a equipment) makes two changes. One is that the time value set is a maximum value (the key change interval is actually random). The other is that the new key is sent via the encrypted session. You therefore have to have cracked the old key to receive the new key.

It will be interesting to see if that is discussed when the paper is presented.

Re:How about free secure wireless?

[oatworm]

Ah - the "If you want to outrun a bear, the key is not to outrun the bear - it's to outrun the person behind you" principle. That sort of wisdom ranks up there with, "Women are like square roots - if they're under 16, you should do them in your head."

Take that however you will.

Re:How about free secure wireless?

That's borderline retarded. The security isn't worth a damn and those who bypass it won't even be traceable via their MAC address, because you made them imitate your computer.