Slashdot Mirror


New Improvements On the Attacks On WPA/TKIP

olahau writes "Two weeks ago, improvements to the previously reported attack on WPA/TKIP, were presented at the NorSec Conference in Oslo, Norway. In their paper coined 'An Improved Attack on TKIP,' Finn Michael Halvorsen and Olav Haugen describe the improvements, which enable an attacker to inject larger, maliciously crafted packets into a WPA/TKIP protected network, thus opening the probabilities for new and more sophisticated attacks against the well-established wireless security protocol."

29 of 166 comments

  1. AM or FM? by MobileTatsu-NJG · · Score: 5, Funny

    New Improvements On the Attacks On WPA/TKIP

    ... in Cincinnati!!

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    1. Re:AM or FM? by natehoy · · Score: 4, Funny

      "As God is my witness, I thought packets could fly!"

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:AM or FM? by clang_jangle · · Score: 2, Funny

      Do you like tkips?

      OMG I fucking *love* tkips!

      --
      Caveat Utilitor
    3. Re:AM or FM? by Mikkeles · · Score: 2, Informative
      --
      Great minds think alike; fools seldom differ.
  2. Does that mean... by Monkeedude1212 · · Score: 2, Interesting

    WEP is better? Has it always been better? I used WEP for the longest time until I figured I could set my own (short & easy) password with WPA.
    Should I switch back? Not that I expect my neighbours to be leet hackers...

    But one time not too long ago I logged into one of my neighbours' unsecured networks (no idea who owned it) and noticed they had a printer on the network. So I downloaded the drivers off of HP and then sent a message to their printer telling them they should secure their wireless, and a website to show them how.

    Now to you or I, this would seem like a noble act in educating people on good security measures, but everyone else (meaning not computer people) thought that this was an outright invasion of privacy and advised me "Never to attempt that kind of stunt again" (not that I'll listen to them).

    Anyways, ever since then I've had this itching feeling that someone's going to break into my wireless and show me what's what in a sort of karmic irony.

    1. Re:Does that mean... by Anonymous Coward · · Score: 3, Informative

      WEP is not better. Don't use WEP.

      WPA2+AES is better.

    2. Re:Does that mean... by Anonymous Coward · · Score: 4, Insightful

      WEP is better? Has it always been better?

      Sure, keep using WEP. 128-bit WEP takes a very long time to break. Somewhere on the order of 15-30 minutes, in my experience.

    3. Re:Does that mean... by Random2 · · Score: 2, Informative

      WEP has always been less secure than WPA, especially because you can just brute-force a WEP password.

      Stick with WPA2 and you'll be alright for a while.

      --
      "Our goal each year should be to increase the number of goals we set for ourselves!"
    4. Re:Does that mean... by natehoy · · Score: 5, Informative

      no. Actually, let me rephrase that... "NO!!!!!!"

      WEP has been broken. Terribly, horribly, and completely broken. Not only are attacks possible, they are out there, and they are the data-intercept type. It's somewhat more secure than running Open and hiding your SSID, but not a lot more.

      WPA/TKIP has a vulnerability that malformed packets may be inserted into the data stream. This opens the door for possible attacks. That does not mean attacks are currently possible, nor does it necessarily mean that data-intercept attacks will be possible near-term. You are "nearly safe" running WPA/TKIP. WPA/TKIP uses the same encryption methodologies as WPA but encrypts more data and is a lot harder to break.

      WPA/AES has, to my knowledge, no presently-known attack vector vulnerabilities. That can (and probably will) change.

      But if your gear is capable of WPA/AES, switch to that. If not, leave it as WPA/TKIP.

      And for the love of Pete, switch to a longer password with some nice scrunchy numbers, letters (upper and lower) and a few special characters. 10 total characters should do it if you use the prefix of some phrase and replace a few letters with special characters.

      Example: The Lord of the Rings is the Greatest Series Ever Written

      TLotRitGSER. This is actually a decent-security password; you've got decent length, 11 characters, and some upper/lower goodness.

      Now add the concepts that it was originally actually one book, (&1b), and not about the 7 dwarves (!7d) to the end. TLotRitGSER&1b!7d

      Seriously secure password, and you're going to remember the hell out of it. Of course, it helps if you use something memorable to you.

      Then you'll never go around saying "Amazing! That's the exact same combination I have on my luggage!"

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    5. Re:Does that mean... by Andy+Dodd · · Score: 2, Informative

      If I recall correctly, WPA/TKIP was an "interim" solution intended to be more secure than WEP but compatible with most WEP hardware. As such it had to leverage some of the low-level components of WEP, of which TKIP was one.

      So effectively, WPA/TKIP has vulnerabilities because it inherited them from WEP.

      WPA2/AES eliminates all "WEP heritage cruft".

      --
      retrorocket.o not found, launch anyway?
    6. Re:Does that mean... by Anonymous Coward · · Score: 2, Interesting

      64-bit keys are NOT trivially brute-forceable. Even if you've got a botnet of decent computers, you're probably still looking at weeks. The attacks on WEP, real attacks on severe flaws, typically take about five minutes to produce the key.

    7. Re:Does that mean... by natehoy · · Score: 3, Interesting

      Yes, you're absolutely correct. However, the question was "now that WPA/TKIP is broken, is WEP more secure than it?"

      WPA/TKIP has vulnerabilities inherited from WEP, yes, but those vulnerabilities are still hidden behind a layer that, for now, is still protective. Trouble is, people are starting to discover larger and larger vectors for inserting attacks.

      The shields are still holding - I haven't heard of a successful data breach or DNS spoof on a WPA/TKIP (someone correct me if there is an actual working breach out there), and there are measures that can be taken (turn off QoS/WMM, update your client stack) that will close the holes.

      But only FOR NOW. Upgrading to AES is the correct answer.

      Downgrading to WEP is not the correct answer, unless the question is "What security protocol is the easiest to break?"

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    8. Re:Does that mean... by RedLeg · · Score: 5, Informative

      Did you even read the paper or take the time to understand the attack?

      I'm one of the authors of IEEE 802.11i. I did, and it's not good.

      This is a significant advance in attack technique on TKIP. Get off of TKIP as quickly as you can. NOW.

      On one hand, as the paper's authors point out, we got seven years of life out of a band-aid fix that was designed to buy us five. I'm pretty happy with that.

      On the other hand, the Beck and Tews attack opened some cracks in the walls, this latest paper wedges that crack further open by a factor of 14, and provides some practical real-world exploit scenarios. The bad guys will come up with more, trust me.

      This is bad.

      Migrate off of TKIP NOW.

      Your advice for the length of a passphrase is off as well, BTW. IEEE 802.11i CLEARLY states that a passphrase of less than 20 characters in length does not offer adequate security.

      Use a strategy to choose a LONG, STRONG passphrase. Type it into notepad. Cut and paste it wherever it needs to go to eliminate typo errors.

      Cheers.....

      Red

    9. Re:Does that mean... by jhfry · · Score: 2, Insightful

      When I set up a wifi router for someone I always simply generate a random string of letters, numbers and special characters, then I write it down and stick it to the router.

      I figure that you can't get more secure, and it's not exactly something they need to remember because they type it every day.

      --
      Sometimes the best solution is to stop wasting time looking for an easy solution.
    10. Re:Does that mean... by mrcaseyj · · Score: 2, Insightful

      Example: The Lord of the Rings is the Greatest Series Ever Written

      TLotRitGSER. This is actually a decent-security password; you've got decent length, 11 characters, and some upper/lower goodness.

      I'd suggest just using the whole sentence. It would have at least as much entropy and would be more resistant to simple brute force breakage.

      And I'm considering giving up on upper case in passwords. The lower case alphabet requires about 5 bits to encode, while adding uppercase only requires one more bit. I suspect that just making the password 25% longer would be about as easy to remember, and a lot faster to type.
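A worked check of the entropy arithmetic in the exchange above, added here as an example rather than code from any of the posters. It scores the thread's own candidate passwords by the alphabet a brute-force attacker would have to enumerate, converts that to an equivalent all-lowercase length (the "25% longer" point), and scores the whole-sentence variant under a word-by-word dictionary model; the 20,000-word vocabulary is an assumed figure.

```python
import math
import string

# Character classes an exhaustive-search attacker must enumerate once a
# password is known to use them. Space is its own class so that whole
# sentences can be scored too.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    used = set(password)
    return sum(len(members) for members in CLASSES.values() if used & members)


def brute_force_bits(password: str) -> float:
    """Upper bound, in bits, on the work of trying every string of this
    length over the detected alphabet."""
    return len(password) * math.log2(alphabet_size(password))


def equivalent_lowercase_length(password: str) -> int:
    """Length an all-lowercase password needs to reach the same bound."""
    return math.ceil(brute_force_bits(password) / math.log2(26))


def dictionary_bits(phrase: str, vocabulary: int = 20_000) -> float:
    """Bits if the attacker guesses whole words from a vocabulary of the
    given size instead of characters. Only meaningful for multi-word
    phrases; the default vocabulary size is a constructed assumption."""
    return len(phrase.split()) * math.log2(vocabulary)


def report(candidate: str) -> dict:
    """Summarise both models for one candidate password or passphrase."""
    return {
        "length": len(candidate),
        "alphabet": alphabet_size(candidate),
        "brute_force_bits": round(brute_force_bits(candidate), 1),
        "lowercase_equivalent": equivalent_lowercase_length(candidate),
        "dictionary_bits": round(dictionary_bits(candidate), 1),
    }


if __name__ == "__main__":
    # Candidates taken from the comments above.
    for pw in ("TLotRitGSER",
               "TLotRitGSER&1b!7d",
               "The Lord of the Rings is the Greatest Series Ever Written"):
        print(pw, report(pw))
```

For the 11-character mixed-case acronym the lowercase equivalent comes out at 14 characters, about 27% longer, which is the trade mrcaseyj describes; the full sentence scores far higher by character but is bounded by the dictionary model instead.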

    11. Re:Does that mean... by Korin43 · · Score: 2, Informative

      WEP has always been less secure than WPA, especially because you can just brute-force a WEP password.

      That's not the problem. You can brute force a WPA-TKIP password if you capture the handshake as someone connects, it just takes a really long time so it's not practical to do anything except a dictionary attack (and that would still take a loooong time). The problem with WEP is that you don't need to brute force the password, you can figure it out by collecting enough data packets. The only thing slowing you down is the speed of the network. To give you an idea, I downloaded the example packets from aircrack-ng (basically simulating collecting enough packets from a WEP network), and my computer cracked the password in less than 15 seconds.

    12. Re:Does that mean... by Jasonv · · Score: 2, Interesting

      And for the love of Pete, switch to a longer password with some nice scrunchy numbers, letters (upper and lower) and a few special characters. [..snip]..Seriously secure password, and you're going to remember the hell out of it. Of course, it helps if you use something memorable to you.

      Then you'll never go around saying "Amazing! That's the exact same combination I have on my luggage!"

      I have my router set up without a password, and the SSID set to "Bring beer to Apt. 243".

      Since then, I've had the pleasure of meeting a few of my neighbors and drinking beer with them.

    13. Re:Does that mean... by Sir_Lewk · · Score: 2, Informative

      The evil people you are so concerned about protecting these people from are fucking pricks like you. Abusing their network because you are afraid someone might abuse their network is so fucking hypocritical it's sickening. Not to mention someone who actually thinks WEP is more secure than WPA/TKIP (or secure at all) is a fucking dumbass and has no right lecturing others about security.

      tl;dr: You are a worthless piece of shit.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    14. Re:Does that mean... by bdo19 · · Score: 2, Insightful

      The people who are most likely to try to break into your internet are people you know and especially people you live and/or work with.

      This may be true, but these are NOT the people a WPA password is supposed to protect you from. If they have access to your drawer, and they intend to do your harm, your WPA password is the least of your worries. And, if they already have physical access, then they don't need your WPA password to "break into your internet" anyway.

      If we were talking about an online banking password that someone could steal from your drawer and use to empty your account, then I might agree with you (although the same idea applies, that there are probably much more dangerous things in that drawer already). But wireless network encryption is only capable of protecting against someone who doesn't already have physical access anyway. So how is it not a good choice to make that a secure password that's written down and filed away?

      Yes, people lose perspective in computer security.

  3. Does anyone know... by Lord+Ender · · Score: 3, Insightful

    Why did they invent a (well, multiple) new encryption algorithm(s) for WiFi? Any competent security specialist will tell you that using an established encryption algorithm is always the wise choice. Did the people behind WiFi simply lack competence? Not Invented Here?

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:Does anyone know... by salahx · · Score: 5, Informative

      WEP is "Wired Equivalent Privacy". It wasn't supposed to be very strong - about as secure as a regular wired network. However, it wasn't known back then just HOW weak it was. As a stopgap measure, WPA PSK (TKIP) was created. Since it uses the same algorithm as WEP (RC4), existing equipment could be easily upgraded with just a firmware/software update. A long-term solution, WPA2 PSK (AES), was created as well.

      WPA-PSK (TKIP) is still far, far better than WEP by many orders of magnitude, but WPA2-PSK is better, and if all your wireless devices support it (in particular the Nintendo DS DOES NOT; the DSi does, but not for DS games), then that's preferred.

    2. Re:Does anyone know... by tecker · · Score: 2, Insightful
      Well. This attack is used on the less robust TKIP protocol. AES is much stronger. Here is the breakdown (from my memory, weakest to strongest):
      1. WEP
      2. WPA/TKIP
      3. WPA/AES
      4. WPA2/TKIP
      5. WPA2/AES

      WEP came first. It was one of those "oh we need security" bits. It's about what you would have on a wired network. Yea, no, not really. Broadcast != Hardwire, so that quickly began being broken. Collisions were found. Time for something stronger.

      WPA came next, but it was a bit advanced and all of these older machines didn't have really good processing in them and AES was a bit too intensive, so they came up with WPA/TKIP. Lighter encryption, but the old devices could pull it. WPA/AES came out around the same time and was stronger, but the encryption had a bigger processing overhead.

      Then WPA2 (802.11i) came about with further layers and was what really should have been from the start. Backwards compatibility was a problem here and key to adoption. TKIP stayed as some machines didn't take AES very well. WPA2+AES was the real place most will tell you to be. The whole multiple things was just getting protection out there on a technology that was rapidly falling apart.

      Here is an analogy. US went to war with nearly unprotected Humvees (WEP). They worked well and they did their job. But attackers just blew right through it. So in an effort to get things locked down they welded plates of metal on the Humvee (WPA) some machines could handle more (AES) some less (TKIP). The military went back and developed a new technology similar to the quick field fix and came up with the Armored Humvee (WPA2) with good protection all around and made it standard (802.11i). Still defeatable but it can take a lot more.

      There. I'm sure it would have been easier to find a wikipedia article and link to that but I was bored.

      --
      Procrastinating life a way at a rapid rate of speed.
  4. Nothing to see, move along by sadler121 · · Score: 2, Informative

    This tells us nothing more than we knew before. Stop using WPA/TKIP and switch to WPA2/AES

    1. Re:Nothing to see, move along by glarbl_blarbl · · Score: 2, Interesting

      DD-WRT is sweet, I've been using it for a couple of years now. The best feature for me is WDS (a distributed wireless network, I use it to wirelessly bridge my house and recording studio about 75m away). Unfortunately, I found a barely-documented bug which prevents WDS from operating with WPA2-PSK/AES encryption. It tends to lose the connection and not regain it until you stand on one foot and unplug both routers while whistling "God Save the Queen". Apparently the answer is to use TKIP, so now I'm using WPA2-PSK/TKIP. I'm thinking I'll move to RADIUS eventually, once I buy a Snow Leopard Server license ;)

      --
      I use friend/foe to signal strong [dis]agreement instead of mod points. What else are f/f good for?
  5. Just in time! by AmiMoJo · · Score: 4, Interesting

    The timing of this new attack could not have been better - the day after the UK government announces they want to introduce a "three strikes" rule before disconnecting suspected file-sharers.

    I imagine this must be a massive headache for ISPs who have been shipping routers with WPA/TKIP enabled for compatibility (i.e. a lot of them). Suddenly their routers need remotely updating and they have to hope that most of their customers' wifi drivers will cope with the move to AES.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Just in time! by natehoy · · Score: 2, Informative

      Alternatively, they could simply turn off QoS/WMM and buy a little more time, since that is (currently) a requirement for this specific attack vector, according to the submitted paper.

      There are also fixes available to TKIP that could extend its life a little longer.

      But, yeah, it's time to go AES.

      Having said all that, I fear the backlash from people who have routers that are only capable of WEP and WPA/TKIP and decide WPA/TKIP is "less secure" because no one is talking about how insecure WEP is any more. Given a choice, WPA/TKIP is still the better selection of the two. As far as I know, no one has demonstrated or claimed the ability to actually compromise the datastream in WPA/TKIP, though I'm sure that's a matter of time.

      3 little pigs analogy:
      Open = living under the stars. Wolf eats you now.
      Open/hidden SSID = living under the stars with a wet paper towel as a shield. Wolf eats you in 2-3 seconds.
      WEP = straw house. Wolf eats you in 5 minutes.
      WPA/TKIP = wooden house with reinforcements. Wolf hasn't figured out how to eat you yet, but it's a matter of not much time before he does. Change or wolf will eat you soon.
      WPA2/AES = Sealed concrete bunker 100 feet underground. Wolf will figure out how to get into it eventually, but you're safe for a while.

      Nothing is ever permanently secured against the wolf. Eventually WPA2/AES will be broken and we'll be on to the Next Big Thing. But for now, I'd call WPA/TKIP "OK for home use, but start shopping for a router and new wireless gear, like, right now."

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  6. Re:New Improved Attacks on Obsolete Standards! by CannonballHead · · Score: 2, Interesting

    Please provide your definition of "obsolete."

    Google provides disused: no longer in use; "obsolete words"

    WEP isn't even obsolete, let alone WPA. Many people still use "old" standards. Not everyone keeps up to date with the latest wireless security. Many have unsecured networks. Many use WEP just to keep off annoying neighbors. I don't know anyone that uses WPA2+AES at home. I take it back, I do know one person that does.

  7. Short information about current Wireless Hacking by zukinux · · Score: 5, Informative

    In order to hack WEP, it's quite simple today; you need to do the following:
    1) Listen to packets going through (monitor mode)
    2) Force people to send more packets using arp-replay packets or specially crafted packets
    3) Capture about 25000 packets and make a crypto analysis [the more packets you capture, the more chance you'll be able to decrypt the password] of these packets to get the password

    In WPA1/2 it's quite different:
    1) Listen to packets going through in monitor mode
    2) Wait until you capture a connection-login handshake (it's 2 packets both ways = 4 packets)
    3) After you capture the packets in 2, you need to do a dictionary attack on the captured session login. If that word isn't in your dictionary, you're screwed.

    That's why current wireless hacking methods against a strong not-in-dictionary WPA(PSK) password will be quite hard (if possible) these days.

    Just so we're all clear.

  8. Re:You're one of the authors? by TheRaven64 · · Score: 2, Informative

    Can we please have a way to have secure _anonymous_ WiFi access?

    You're solving the wrong problem. WiFi 'security' is single-hop security. It's for local networks. If you are using a WiFi hotspot to connect to a remote site then you have a few dozen network segments between you and the remote party that may or may not be trustworthy. If security is important, you should be using end-to-end encryption, not encryption for the first hop and then no security for the next twenty. This applies to DNS too. You should not be trusting DNS from a WiFi hotspot unless all of the servers in the chain support DNSSEC.

    The point of things like WPA is to let you use the wireless network in the same way that people have been using wired ones; publishing services that anyone with physical access to the network can use. If you can plug in a computer to the network socket, then you can access the shared printer, for example. If you have the WPA key, you can do the same. That's all that it's for, and even using it for that is trading some security for convenience.

    Oh, and most browsers let you permanently trust a self-signed certificate for a single site. That means that you will get a notification when the certificate changes.

    --
    I am TheRaven on Soylent News