Slashdot Mirror


WPA2 Wireless Security Crackable With "Relative Ease"

An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2 in order to bolster its security or to develop alternative protocols to keep our wireless networks safe from hackers and malware."

150 comments

  1. this is not news by Anonymous Coward · · Score: 5, Interesting

    This sounds like the classic de-auth, handshake capture, then brute force attack.

    It's still a bitch to crack without G.O. resources. Moxie has a service that will try for you...

    1. Re:this is not news by chriscappuccio · · Score: 0

      Gee, you're right. Everyone in the world is so black and white, so easy to understand, how could anyone not ever realize this before!?!

    2. Re:this is not news by Anonymous Coward · · Score: 0

      I'm trying to understand the reason this kind of thing is posted so often.

      1) It's obvious that the point of view is so extreme nobody would mistake it for someone's real thought process.
      2) It's a pretty terrible troll. I rarely see anyone reply.
      3) It never gets modded up. It's AC anyway so who cares.

      Any insight?

    3. Re:this is not news by Anonymous Coward · · Score: 1

      Interesting that you could come to the conclusion that this is obvious only six minutes after the story was posted.

    4. Re:this is not news by Anonymous Coward · · Score: 0

      Every troll has to start somewhere and blatantly racist stuff is the easiest to think up. Still, this is still one step up above copy-pasting GNAA spam, which isn't so much trolling as just flooding.

    5. Re:this is not news by Anonymous Coward · · Score: 0

      Obviously you don't understand how security works. It's simple protocol manipulation and math. If we good hackers stop looking for vulnerabilities and reporting them when found, then the bad hackers will find them and exploit them all they want with no fix in sight. You will be living in a world of false security, well more so than you are now.

    6. Re:this is not news by Anonymous Coward · · Score: 0

      Or we can just gas all hackers, "security experts", and programmers and be done with it.

    7. Re:this is not news by anubi · · Score: 5, Insightful

      I think of it as this way. We know our stuff is getting snooped and hacked into. It's high time EVERYBODY knows this stuff is NOT private.

      This forum, along with all the other times this has been discussed here on Slashdot, as well as other technical forums, provides evidence that may be one day very useful in a court of law if some copyright holder tries to prove an illegal download took place. If it took place through a wireless network, can it be proven who the recipient of the illegal download was?

      We can whine and complain all we want, but if business finds it cheaper to simply include hold harmless clauses in their terms than to provide a robust product, they will do so, but in doing so, they have also removed surety of proof of download for the high and mighty MAFIAA.

      The Copyright industry has spent millions of dollars to pamper Congressmen to pass law to make sure no-one can listen to a song unless terms of endearment are complied with... now they are finding out they just put a multimillion dollar lock on a cardboard door.

      We do not have the money it takes to pay for Congressmen. The copyright people seem to have unlimited money. Money to hire lots of lawyers and send lots of threat letters. Those letters will be ineffective as long as we have insecure systems and no-one can prove a thing. We may have a problem with insecure systems, and the MAFIAA has a hell of a problem.

      This kind of stuff gives everyone and his brother plausible deniability, which now means a total lack of accountability for online activity.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

    8. Re:this is not news by Anonymous Coward · · Score: 0

      What's G.O mean?

    9. Re:this is not news by SuperTechnoNerd · · Score: 1

      Does this mean I don't have to lock the doors on my house when I go out anymore?

    10. Re:this is not news by Anonymous Coward · · Score: 1

      That you are ignorant of a method's widespread use and common knowledge, does not serve as legitimate cause for you to project that ignorance onto others. This "hack" has been known for some time, arguably since the creation of the protocol, since it is central to the functionality of said protocol. The only development of any note is how much easier it has become in the interim to brute-force passwords, given advancements in CPU/GPU processing power/techniques.

    11. Re:this is not news by Anonymous Coward · · Score: 0

      Government Organization

    12. Re:this is not news by Anonymous Coward · · Score: 0

      Actually, the going rate is $2000 per representative.

    13. Re:this is not news by WillyWanker · · Score: 1

      Yeah, exactly. Nothing to see here. Show it to me happening in real time with common easily obtainable equipment and maybe then you'll get my attention. But not with a lot of maybe's, perhaps, and coulds.

    14. Re:this is not news by Anonymous Coward · · Score: 0

      Interesting that you could come to the conclusion that this is obvious only six minutes after the story was posted.

      Some readers, such as myself, preview all of the submissions prior to any of them being accepted. Sometimes one of those readers, perhaps the grandparent, may write in an editor a response to a submission with a subject they're particularly interested in that has a high probability of being accepted. If so, it's a simple matter of c/p; otherwise, it's an unknown journal entry.

      It isn't a prerequisite, but it's one practical use for a member's Slashdot journal.

    15. Re:this is not news by AmiMoJo · · Score: 1

      The problem is that most people use crap passwords. Too short, only alphanumeric with no special characters, a combination of dictionary words or common phrases etc. A GPU and a good dictionary can crack the majority of passwords in use today.

      What we need to do is get away from passwords. WPS isn't so good but some routers support NFC for key exchange now, which seems ideal. If the attacker is within 2cm of the router already you have bigger problems.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re: this is not news by Anonymous Coward · · Score: 0

      To elaborate, all of the things described in this paper have been in the aircrack suite for 10 years - deauthing to get handshakes and bruteforcing the key has been the standard for attacking WPA since WPA was released. Download Kali Linux and have a play, it's easy to get a handshake but hard to guess a key if it's not in your wordlist.

    17. Re:this is not news by Neil+Boekend · · Score: 2

      A combination of dictionary words can be a strong password. This does require a large password field, but WPA 2 seems to support 64 characters so that's covered.
      A random set of dictionary words is easy to remember for a human and difficult to guess for a computer.
      We need to get away from insane password rules.
      1. A max length of below 32 characters is bullshit. Instead, set a minimum length of 16 characters and advise to use a few random words.
      2. Requiring non-alphanumeric characters seems safe, but it moves the passwords away from words, thus it moves it to a less useful password style. Besides, the attacker knows this rule. So he'll try a dictionary attack with o's replaced with zeroes and stuff like that.
      3. ...
      4. Profit. Or at least less losses from theft.

      Face it. Most password rules do not create passwords that are easy to remember. They create passwords that are relatively easy to brute-force.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    18. Re:this is not news by AmiMoJo · · Score: 1

      A combination of dictionary words can be a strong password.

      Not any more: http://arstechnica.com/securit...

      Combinator attacks will chew through any random combination of dictionary words pretty quickly. Length is irrelevant, only the number of words matters and typically it is quite low. In the XKCD example you linked to it is just four. For once XKCD gave out shockingly bad advice.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re:this is not news by Anonymous Coward · · Score: 0

      Even by skimming the article posted it is pretty clear since the article uses the word De-auth.... multiple times throughout. The article also clearly indicates that even though this method is effective it still requires "the right tools" and the right hardware to do it quickly. So unless there is a new scanning technique or a new series of steps taken this is old news re-hashing itself.

    20. Re:this is not news by david_thornley · · Score: 1

      "Not any more" doesn't apply. It's no more difficult to do brute-force dictionary attacks than it has been.

      However, brute-forcing a "correct horse battery staple" password (Munroe apparently was thinking of random selection from a 2K-word dictionary) does involve an average of 2^43 attempts, something over 8 trillion (best/worst case is double that). At a million tries per second, it would take well over a week. At a billion tries per second, that would take more than two hours. That's not about to stop somebody serious who's specifically targeting you, but somebody who's snarfed a hashed password list and is looking for quick passwords for accounts is very unlikely to take the resources. (Your bank or credit card company has had their password list copied by an intruder, and they're savvy enough to keep the hashes. The crackers are going to harvest the easy passwords and what they can get. Unless they have some particular reason to target you, they'll be content with the passwords that take up a few seconds each.)

      It's better than the long uncommon word followed by a digit with some letters replaced by l33t-speak equivalents that Munroe uses for comparisons. It's easier to remember than anything else I've seen that's comparably easy to memorize. (Quotations are longer and relatively easy to memorize, but crackers specifically look for them, also, and there's not enough of them for security.) It's also easily extendable. Add two words. It's significantly harder to memorize now, but it increases time to crack by about four million, and that is enough to stop most enemies.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    21. Re:this is not news by TheRealLifeboy · · Score: 1

      AC is such a pathetic louse with a small wheenie... And brain damaged too.

    22. Re:this is not news by Anonymous Coward · · Score: 0

      My bank limits passwords to 10 characters, and they don't allow certain special characters. I have to wonder whether they're actually storing the damn things in plain text and have to disallow % and _ to prevent SQL injection from passwords.

  2. Expected by FuzzMaster · · Score: 0

    Every encryption scheme will fall at some point. Once quantum computing fully arrives, I guess encryption will be mostly moot.

    1. Re:Expected by Anonymous Coward · · Score: 0, Flamebait

      Be more of a condescending prick. Your comment has some merit, but you ruined it by being an asshole.

    2. Re:Expected by skids · · Score: 5, Informative

      Once quantum computing fully arrives, I guess encryption will be mostly moot.

      Bad guess

    3. Re:Expected by ComputersKai · · Score: 3, Insightful

      Not when encryption methods that make use of quantum computing power come, like a permanently stalemated arms race.

      Just when you thought you've sharpened your spear to the finest, your opponent has fortified his shield to the fullest.

    4. Re:Expected by dickens · · Score: 1

      OTP FTW

    5. Re:Expected by AaronW · · Score: 2, Insightful

      Just use a one time pad. It's perfectly secure, even to quantum cryptography as long as the source is truly random. Creating a truly random number generator that takes advantage of quantum effects is not terribly difficult. Many modern CPUs now have this support built-in. The only weak point is how you get the one time pad to both locations and that it can only be used once. Even this is possible by having multiple pads sent via different methods and XORing them together at the destination. In order to crack it all copies would have to be intercepted and copied though additional security measures could be added to make even this difficult.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    6. Re:Expected by Anonymous Coward · · Score: 4, Insightful

      One-time pad truly means one-time pad however. That means a new pad for every single transmission - that's why it becomes untenable.

      On the other hand, the way network encryption works is typically this:
      (1) Use asymmetric encryption once to securely deliver the remote computer the key to a symmetric algorithm.
      (2) Use the symmetric key for the remainder of the communication.

      It's possible that RSA is compromised, or that a G.O. has the means to cracking it via an unpublished mathematical discovery, but there are other asyms out there.

    7. Re:Expected by Anonymous Coward · · Score: 1

      One time pads can work for some things. Maybe companies will send you a credit card sized device containing gigabytes of random pad data that you can use to communicate with that company.

    8. Re:Expected by SuricouRaven · · Score: 2

      I can imagine a VPN server with a rack of slots for those (Probably just read-only USB mass storage interface). Give one to the VPN, one to the person going on their trip or working at home. You'd need to send out a new key every now and again, but if a key is good for a couple of months (Doable) then it becomes quite reasonable.

    9. Re: Expected by Anonymous Coward · · Score: 1

      "moot", you keep using that word like that. It doesn't mean what you think it does.

    10. Re:Expected by MikeBabcock · · Score: 0

      And then just like a password attack, someone cracks their database and dumps all the OTP data and you're no longer secure.

      --
      - Michael T. Babcock (Yes, I blog)
    11. Re:Expected by Anonymous Coward · · Score: 0

      Once quantum computing fully arrives, I guess encryption will be mostly moot.

      Yeah, if you live in a fantasy land where quantum computing is magic.

    12. Re:Expected by Anonymous Coward · · Score: 0

      OTP quickly becomes enormous, just as big as what you're communicating. So dumping all the data may take time and be made impractical / secured by hardware.

      If you don't need perfect secure communication, you could probably use it more than once and even make schemes that reuses it randomly so it's hard to decode anything without the proper data and synchronization.

      OTP requires massive storage, but that's also a benefit once you have it.

    13. Re:Expected by Anonymous Coward · · Score: 0

      If you had a brain of your own, you would not repeat false statements of a Mr Schneier.

      Here is a hint; NZ and the OTP cipher. Now, stop being a lazy guy and research SOMETHING BY YOURSELF.

      Hint 2: Life and death of Admiral Isoroku Yamamoto. And his fleet. RESEARCH.

      Dismissed, corporal.

    14. Re:Expected by fizzer06 · · Score: 1

      Creating a truly random number generator that takes advantage of quantum effects is not terribly difficult. Many modern CPUs now have this support built-in.

      Call me paranoid, but I don't think it would be safe to assume the 3 letter agencies haven't already co-opted the design of the modern CPU random number generators.

    15. Re:Expected by AaronW · · Score: 1

      I think it's unlikely. When news of FreeBSD not trusting Intel's random number generator I decided to look at the RTL of one of the CPUs my employer makes which is optimized for security applications. The random number generator works exactly as the documentation says it does using the jitter of 125 of 128 ring oscillators feeding into a SHA1 engine with other unique inputs.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    16. Re:Expected by MikeBabcock · · Score: 1

      And as stated, is no more invulnerable to remote attacks than password data (which has already been shown to be frequently all too easily accessible).

      The OTP data must be accessible to the service you're connecting to which in turn is open to attacking from the outside. OTPs are not special when you use them with online services that aren't fully hardened.

      In fact, I don't think it would be hard to argue that the traditional randomly-generated key system protected by public keys is in fact more secure because of its lack of replayability when properly implemented.

      --
      - Michael T. Babcock (Yes, I blog)
    17. Re:Expected by fizzer06 · · Score: 1

      Would you please identify the CPU?

    18. Re:Expected by AaronW · · Score: 1

      Cavium OCTEON series of CPUs. http://www.cavium.com/OCTEON-I...

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    19. Re:Expected by fizzer06 · · Score: 1

      That's very impressive. What do those cost? I wonder how much to build a basic system around that chip.

    20. Re:Expected by AaronW · · Score: 2

      They're not designed for systems but for embedded devices like firewalls, VPNs, routers, NAS, etc. They're expensive and have some very nice engines in them as well, such as the gzip engine that's 100 times as fast as software implementations, hardware pattern matching (regex) engines and content addressable memory support for firewalls and anti-virus, RAID engines for NAS to do RAID 5/6 calculations in hardware, encryption and hashing instructions, not to mention built-in support for 10 and 40Gbps Ethernet with a lot of packet acceleration. The chip of course will run Linux (Debian) and applications that run directly on top of the cores without an OS underneath for bare metal performance. The single threaded performance is a fair bit lower than an X86 based system which is why there are so many cores running in parallel. There's also a lot of special support for synchronization between the cores and various atomic instructions that have been added.

      While it is fully compatible with standard 64-bit MIPS there are a lot of additional instructions since MIPS allows you to do that (ARM does not allow manufacturers to add custom instructions).

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  3. Eh... by Anonymous Coward · · Score: 5, Insightful

    Reads article...

    Longer passwords make brute force cracking more difficult... Possible attack vector via the wireless de-authentication and re-authentication that WPA2 connections maintain for clients... With potential fast scanning and proper spoofing, an intruder could knife their way in...

    Why does this feel like nothing new?

    1. Re:Eh... by MtViewGuy · · Score: 1

      It could be fixed by upgrading the software used by routers and by client devices, but 1) everyone has to agree on an updated standard and 2) how are they going to do the upgrade for Android-based cellphones? (Easy to do on an Apple iOS device--just run an update to iOS itself.)

    2. Re:Eh... by Anonymous Coward · · Score: 0

      Um... exactly the same way? I've done many OS updates to Android devices, rooted and otherwise. Do you honestly think everyone is still running Android 1.0? Sure, some carriers may choose not to update outdated hardware, but at least they have options. How would you suggest updating a gen1 iPhone? A 3G device, then? And that's assuming Apple would even go there, rather than pushing you to a new device... but at least you could rely on the community to pick up the slack and write appropriate drivers, right? No?

      Gee... I guess you're kinda full of shit, huh?

    3. Re: Eh... by a-zarkon! · · Score: 1

      It undoubtedly will be fixed with adoption of an enhancement to the existing protocol or an entirely new protocol. We saw that with the evolution from WEP to WPA to WPA2. The challenges are that this will take time for a fix and new standard to be determined and the processing capability of the currently deployed wireless infrastructure. There is a fair likelihood that today's access point will not have enough horsepower to efficiently process the next generation authentication and encryption protocol. This means that there is a period of time where a known exploitable vulnerability exists and there is no fix available (time to determine the short and longer term fix + time for everyone to move to the new infrastructure supporting the new standard.) This is how it has always been with wireless, and probably how it always will be. It is similar to antibiotics, eventually resistant bacteria become prevalent, diminishing effectiveness and spurring the need to find new drugs. If we are smart, we have already been working quietly on WPA v3 and this will be announced shortly and adopted quickly when we reach the point that WPA 2 is demonstrably capable of being compromised by a savvy motivated individual vs. a govt funded team. In the meantime VPN always has been and remains a viable option for wireless security.

    4. Re: Eh... by MtViewGuy · · Score: 1

      That's what I said about Number 1--everyone has to agree on a new variant of the WPA standard. That could take a while. Meanwhile, I use a 16 alphanumeric character randomized password that will be still very hard to crack by brute force.

    5. Re:Eh... by Neil+Boekend · · Score: 1

      Call it WPA 3 (or WPA 2.5 if you don't feel the change warrants a major number change) and treat it like any other system.
      If not all of your devices support WPA 3 you set the router to WPA 2 and "hope" nobody hacks you (not really hoping. It isn't an issue in most home applications).

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  4. keep our wireless networks safe from hackers... by fustakrakich · · Score: 3, Insightful

    How do you keep something you never had?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:keep our wireless networks safe from hackers... by Anonymous Coward · · Score: 1

      We don't have wireless networks?

    2. Re:keep our wireless networks safe from hackers... by Larryish · · Score: 1

      No, we never had hackers. Duh.

  5. MAC filtering and PSK by roman_mir · · Score: 0

    At least use MAC filtering and Pre Shared Keys together with WPA2, this will lower the probability of a successful attack happening.

    1. Re:MAC filtering and PSK by compro01 · · Score: 3, Insightful

      MAC filtering does nothing useful. You're shouting your MAC from the rooftops any time you're connected to the network, so cloning it is an exercise in triviality for any attacker with an IQ greater than their hat size.

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:MAC filtering and PSK by Concerned+Onlooker · · Score: 4, Funny

      Ooops. I'm going to have to get a smaller hat.

      --
      http://www.rootstrikers.org/
    3. Re:MAC filtering and PSK by koinu · · Score: 2

      MAC filtering even lowers security. Some lazy crackers might have not changed their MAC when they are attacking and it could be easier to identify them next time. When they are spoofing MACs they use your own MACs which they see on your network. You basically (could) lose information about the attackers. And this is bad.

    4. Re:MAC filtering and PSK by Anonymous Coward · · Score: 0

      MAC filtering does nothing useful. You're shouting your MAC from the rooftops any time you're connected to the network, so cloning it is an exercise in triviality for any attacker with an IQ greater than their hat size.

      So then most attackers will be stopped. Got it, thanks!

    5. Re:MAC filtering and PSK by Anonymous Coward · · Score: 0

      That is not quite correct. With the proper setup you only send out a non-encrypted mac field once and only once. Thus the original reason why attacks that break association were created.

    6. Re:MAC filtering and PSK by skids · · Score: 1

      MAC filtering should only be used as a herd immunity measure: people who don't update their AV are less likely to find it easier to spoof an existing MAC address than they find it to register in a captive portal and download their updates before they are allowed in.

  6. it's bad enough with regular passwords by ruebarb · · Score: 1

    I already have to tell friends and family to use an alphanumeric password not based on a dictionary word - I was helping a friend find out why her wireless charges were so high, and using backtrack and some basic documentation - (knowing almost nothing about wireless security) - I was able to find out her wireless password based on the fact she was using a regular word in my dictionary list

    wireless = never safe

    --

    ----------
    ah honey, we're all resplendent - Bill Mallonee
    1. Re:it's bad enough with regular passwords by Mashiki · · Score: 2

      You think that's bad? Wait until you run across the issue where your ISP doesn't even bother to set up basic passwords on your wireless hub.

      --
      Om, nomnomnom...
    2. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 0

      Alphanumerics are last century. Use a long passphrase. Might I suggest battery horse correct staple?

    3. Re:it's bad enough with regular passwords by fnj · · Score: 2

      Use a long passphrase. Might I suggest battery horse correct staple?

      You insensitive clod! You just blabbed my password. Now I'll have to change it to capacitor mule wrong nail.

      Oh wait ...

    4. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 0

      Oh wait ...

      Wait for what?

    5. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 0

      She's such a breeder!

    6. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 0

      Wait for him to change his password before you log in...

    7. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 1

      A moderate-length (24+ chars) phrase will be way more secure than your random pattern of letters, numbers and characters, PLUS it's FAR easier to remember, thereby reducing the odds that the super-secure gobbledy-gook you forced them to invent won't just get written down on a piece of paper and stuck to the refrigerator door for every passer-by to read...

      Oblig XKCD

      -AC

    8. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 0
    9. Re:it's bad enough with regular passwords by DarwinSurvivor · · Score: 1

      You think that's bad? Wait until you run across the issue where your ISP doesn't even bother to set up basic passwords on your wireless hub.

      Ok, now I'm curious!

    10. Re:it's bad enough with regular passwords by jones_supa · · Score: 1

      Well, as a network segment, wireless looks like a hub (all traffic reaches all clients).

    11. Re:it's bad enough with regular passwords by DarwinSurvivor · · Score: 1

      touché

    12. Re:it's bad enough with regular passwords by SuricouRaven · · Score: 1

      Except it doesn't, quite. Horizon problem: A is in range of the AP, B is in range of the AP, A and B are not in range of each other. If A sends a broadcast frame the AP will relay it so B can receive it, but it doesn't do that for unicast packets for which it knows the recipient MAC address is on the wired side.

    13. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 1

      For a system where finding a written-down password is as difficult or easy for an attacker as getting physical access to the network, creating a long truly random password and writing it down really isn't such a bad idea. On the other hand, a phrase which is comprised of dictionary words, chosen by a human and "moderate length" according to your definition does not have enough entropy. Researchers found human-chosen four-word passphrases to have only about 20 bits of entropy. That's far less than a truly random 8 character password (which is also not sufficient).

    14. Re:it's bad enough with regular passwords by Rich0 · · Score: 1

      Heck, some ISPs probably still distribute wireless APs that only support WEP.

    15. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 0

      How much entropy for the four word phrase where the words are separated by a non alphanumeric char. I'm also guessing that the entropy estimate assumed constant case.

      I think that My+fouR-Random-wordS are going to be a darned sight easier to remember and use than another 20 char randomly generated passphrase and have nearly as much entropy.

    16. Re: it's bad enough with regular passwords by Anonymous Coward · · Score: 0

      ~2.6 bits of real entropy per semi-English character, plus/minus 2 or 3 bits for the whole thing. YMMV, but that's a reasonable estimate.

    17. Re:it's bad enough with regular passwords by Anonymous Coward · · Score: 0

      I use wordkey (my own work) to create passphrases. From the source you will see each word contains 12-bits of entropy (there are 2**12 words in the dictionary), so a random 4 word password has 48 bits of entropy (use wordkey -l 5, length is in bytes of entropy) when both the dictionary and schedule is known (I suggest regenerating your own dictionary with mkwords.pl if you're going to use it).

      The prebuilt dictionary in the github is less than ideal for memorisation as it includes plurals and similar words. I mean to improve it by using some kind of phonetic distance algorithm to create a maximally spaced dictionary, but I just haven't got round to it.

      A 128-bit entropy passphrase (again, with the dictionary and schedule known), equivalent to the complexity of AES-CCMP used by default in WPA2 is 11 words long, easy enough for me to memorise, though others might struggle.

      Also if the dictionary is not known to the adversary, say it is regenerated (mkwords.pl does not use strong RNG, could be improved), the entropy is quite a bit higher, as the attacker has to assume all 38619 words (in my /usr/share/dict/words) are in play, making the complexity of a four word passphrase nearly 61 bits, and requiring only 9 words for complexity equal to that of AES-CCMP (ignoring any known reductions of AES-CCMP).

      I don't know if WPA2-PSK utilises a large-n rounds challenge, but a good passphrase authentication system requires the authenticatee to compute some variable large-n number of rounds of some transform over the PSK, with each handshake, so that the cost of each handshake is reasonable for valid authenticatees but serves to render rainbow tables ineffective and bruteforce attacks infeasible. Where this is not possible, for example in HDD encryption, it is still possible to use a unique static large-n with each ciphertext so that a rainbow table computed against one ciphertext is usable only against that single ciphertext, or to devise a scheme whereby the exact large-n is computed as a function of both the encrypted volume key and the supplied PSK.

      -puddingpimp
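
The arithmetic in this comment, next to the key derivation WPA2-PSK uses (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID), as an added Python example that is not part of the original post or of wordkey. The function names and the 16-word demo list are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed 16-word list for the demo only; a real list would have
# thousands of entries (the comment above uses 2**12 and 38619).
DEMO_WORDS = ["amber", "basin", "cedar", "delta", "ember", "fjord", "glyph",
              "heron", "ivory", "jetty", "kayak", "lunar", "mango", "nylon",
              "otter", "prism"]


def entropy_bits(n_words, dictionary_size):
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(dictionary_size)


def words_needed(target_bits, dictionary_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(wordlist, n_words, sep=" "):
    """Pick words with the OS CSPRNG. The entropy estimate only holds for
    uniform random selection, not for words a person chose."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def wpa2_pmk(passphrase, ssid):
    """Derive the 256-bit WPA2-PSK pairwise master key.

    The salt is the SSID, so a precomputed table only applies to networks
    with that exact name. The iteration count is fixed at 4096.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    for size in (2**12, 38619):
        print(size, "words:", round(entropy_bits(4, size), 1),
              "bits for 4 words,", words_needed(128, size),
              "words for 128 bits")
    phrase = generate_passphrase(DEMO_WORDS, 6)
    print(phrase, "->", wpa2_pmk(phrase, "ExampleSSID").hex())
```

Eleven five-letter words joined by spaces come to 65 characters, which is over the 63-character passphrase limit, so a phrase of that length needs a shorter separator or has to be entered as the 64-hex-digit raw key.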

  7. EAP? by manu0601 · · Score: 1

    I understand this is about recovering the PSK. This would mean that authentication using a certificate, such as EAP-TTLS is still safe. Correct?

    1. Re:EAP? by skids · · Score: 4, Interesting

      Can't tell what exactly the paper is about due to a paywall and the fact that the article was written by someone not very technical.

      EAP-TTLS, as long as you are validating the server certificate, is pretty safe. Safer with a locally managed CA and installed client cert, but at least as safe as the web browsing you'll be doing on it after connecting anyway. The safety advantage to WPA-Enterprise over WPA-PSK is mainly due to the fact that you don't have to distribute the same easily-cloned PSK to every client. In addition, if installing and validating client certificates (not the usual mode for EAP-TTLS) they can be locked to specific user accounts. For keeping out the riff-raff they can be locked to MAC addresses as well but that only serves to ban the amateurs.

    2. Re:EAP? by WaffleMonster · · Score: 4, Interesting

      I understand this is about recovering the PSK. This would mean that authentication using a certificate, such as EAP-TTLS is still safe. Correct?

      I would say in practice "enterprise" password authentication via TLS (PEAP-* and TTLS-*) is the least secure authentication method for the simple reason virtually no client is configured properly to validate both certificate and identity.

      The end result TLS is effectively subject to MITM attack for the overwhelming majority of clients...leaving squishy inner PEAP/TTLS authentication protocol (all completely worthless)

      In my view EAP-TLS with mutual certificate authentication is still the most secure authentication option available.

      Stanford's SRP protocol would be awesome to protect WPA passwords. I believe it could be implemented with minimal changes to existing TLS stacks ... simply do TLS-SRP via EAP-TLS EAP method instead of the cert auth ... you get secure password authentication without the offline attack vector, or having to implement a new EAP method from scratch.

    3. Re:EAP? by manu0601 · · Score: 1

      You mean that clients do not check proper certificate signature by the CA?

    4. Re:EAP? by Anonymous Coward · · Score: 0

      not by default
        and especially not with a self signed cert on your radius server(s)

    5. Re:EAP? by WaffleMonster · · Score: 2

      You mean that clients do not check proper certificate signature by the CA?

      The main problem is not so much CA validation but lack of a global namespace.

      When I type https://www.securesite.com/ into my browser the only certificates my browser accepts are the ones explicitly for www.securesite.com... certs for www.someothersite.com don't work.

      With EAP authentication no such check is done automatically by default. To be secure the client must explicitly select a CA **AND** certificate identity (e.g. www.securesite.com) ... otherwise you might well be presented with a valid certificate.... yet you won't know if it is one legitimately assigned to an attacker. Attackers after all can buy SSL certs the same as you or I.

      In too many cases the extra work is simply asking too much of the user... some mobile clients are not even able to provide necessary configuration options to secure it.
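
The check described above (a trusted CA and an expected server name), as an added Python example that audits a wpa_supplicant configuration; it is not code from the thread. wpa_supplicant as the client is an assumption, the field names are that program's own, and the SSIDs, paths and server name in the sample are constructed placeholders.

```python
import re

# Constructed sample configuration (not from the thread).
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-ca-only"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    ca_cert="/etc/wifi/example-org-ca.pem"
    domain_suffix_match="radius.example.org"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="constructed sample passphrase"
}
'''

# Any one of these ties the accepted certificate to an expected server name.
NAME_CHECKS = ("domain_match", "domain_suffix_match",
               "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of fields per network={...} block.
    Simplified parser: assumes no '}' inside quoted values."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def uses_eap(fields):
    tokens = fields.get("key_mgmt", "").split()
    return "eap" in fields or any(
        t.startswith("WPA-EAP") or t == "IEEE8021X" for t in tokens)


def audit(fields):
    """List the server-validation gaps for one network block."""
    findings = []
    if not uses_eap(fields):
        return findings  # PSK and open networks have no server certificate
    if "ca_cert" not in fields and "ca_path" not in fields:
        findings.append("no CA configured: the server certificate "
                        "is not verified at all")
    if not any(k in fields for k in NAME_CHECKS):
        findings.append("no server name check: any certificate issued "
                        "under the trusted CA(s) is accepted")
    return findings


def audit_config(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else findings)
```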

    6. Re:EAP? by Anonymous Coward · · Score: 0

      The fact of the matter is that IEEE 802.11i (now part of mainstream 802.11) does not specify or require a particular EAP method. The only requirement is that the EAP method supply keying material.

      The two in common use are in common use today because they are the two that were (are?) supported in the Microsoft supplicant, originally in Windows XP.

      Other commercial plugins exist to supplement those two, and there is nothing preventing implementation of the protocol you mention, again, as long as it produces keying material. There is also a need for the Authentication Server to support it, as the STA (commonly called the client) and the AS (Authentication Server) have to share the protocol (EAP Method). The AP simply passes it through, and accepts the keying material, which becomes the PMK (Pairwise Master Key).

      In the most common enterprise environment, i.e. one running on MS servers with AD, all of this can integrate into the AD, and if the enterprise has gone to the trouble to deploy client certs for the authentication of their users at Windows login time, they can be used for the wireless setup as well, all transparent to the user.

      Few enterprises are operating at that level in my experience.

      Cheers....

    7. Re:EAP? by MikeBabcock · · Score: 1

      Importantly, this is also where we get into that root cert problem for companies that people complained about in a recent /. story because a lot of companies just use their own internal CA to authenticate the certs for both users and wireless devices which requires installing their root CAs on the machines and trusting them.

      --
      - Michael T. Babcock (Yes, I blog)

    8. Re:EAP? by manu0601 · · Score: 1

      Attackers after all can buy SSL certs the same as you or I.

      But AFAIK, there is no preloaded CA for EAP. You install only the CA of your organization, which narrows the opportunities to have a valid certificate.

      But indeed if someone steals any certificate you signed with the installed CA, an attack is possible. That advocates for using a sub-CA, or a dedicated CA just for EAP.

    9. Re:EAP? by Xylantiel · · Score: 1

      I believe the problem is that the interface for this and the way warnings are handled is just horrible and inconsistent between clients.

      For example, android requires you to set a passcode in order to store the public certificate. That's right you need to lock your device so nobody can get access to that PUBLIC key. duh. Clearly you should have a passcode for a private key, but not a public one. I'm not sure if this has been straightened out or not. Also it's often not clear if you can say the equivalent of "trust the current certificate, and warn me if the network tries to give a different one". It typically asks you to manually load the certificate that the server can easily send to the client.

      This doesn't even mention that generally the cert will be signed in a way that it can be verified through the same trust chain the web browser uses. While this isn't optimal, it's pretty decent in practice and could easily be implemented as an option.

    10. Re: EAP? by Anonymous Coward · · Score: 0

      On Android? Dead-even 50/50 odds the developer neutralized CA-validation, in no small part because older versions of Android made it hard/impossible to import a self-signed cert into the trust store used by HttpClient, so developers just short-circuited validation... then left it that way. It's an example of how decisions made to improve one aspect of security can perversely end up making it worse. Naive end users were protected against being socially-engineered into installing an attacker's certificate, but everyone suffered insidiously-broken SSL as an unintended result when developers disabled CA-validation to get around it.

    11. Re:EAP? by skids · · Score: 1

      In my view EAP-TLS with mutual certificate authentication is still the most secure authentication option available.

      You're half right, but EAP-TLS doesn't have a password/account component, just the cert, so you are missing an authentication factor. If you're going through the trouble of actually making sure clients are running a secure supplicant to the point of making users add a client cert and a local CA trustpoint, just secure the settings on the TTLS/PEAP client and ban OSes like android that don't validate. Turn on verification of the client-side cert if you like, too.

    12. Re:EAP? by skids · · Score: 1

      But AFAIK, there is no preloaded CA for EAP. You install only the CA of your organization, which narrows the opportunities to have a valid certificate.

      Depends on your security requirements. Most OSes trust anything in the OS default trusted CAs which includes most major CAs. If you're satisfied with the integrity of all the CAs in that list, you can buy a RADIUS server-side cert from them and the clients will trust it.

      The problem comes in making sure the self-service user checks the box to perform the validation and also types in the expected owner name. By default most OSes do not validate this information so anyone with a stolen private key from a CA-certified website can pose as your RADIUS server.

      Now, for most OSes other than Android, this vulnerability only exists the first time a user connects to the network (or again whenever they delete the network manually) because the OS then takes the certificate it found and assumes it valid, but then will not accept any other certificate.

      Android is a total slut about this and never validates, and the phone would have to be rooted just to be able to turn on validation. Word has it the newest version at least contains hooks that would allow a supplicant configurator to turn on validation, but I have yet to see an android that lets me type in an owner name. When even Apple is doing a better job at security than you, hang your head in shame.

    13. Re:EAP? by manu0601 · · Score: 1

      If one device has commercial CA configured, and it does not check the CN, this means that any certificate obtained from a valid CA can be used to hijack EAP. It looks like a rather severe vulnerability.

    14. Re:EAP? by WaffleMonster · · Score: 1

      You're half right, but EAP-TLS doesn't have a password/account component, just the cert, so you are missing an authentication factor.

      Clients can ask user to provide a password to access/decrypt private key required to authenticate client to server. The "account" component is client identity (e.g. name of public key)

      If you're going through the trouble of actually making sure clients are running a secure supplicant to the point of making users add a client cert and a local CA trustpoint

      I've been pushing vendors for 10+ years for a usable solution and they don't seem to care.

      All most people want is passwords without all the worry about brute force attacks. Users and Operators alike don't want to deal with certs at all ..there is no *good* reason they should have to.

  8. why crack my Wi-Fi by Anonymous Coward · · Score: 0

    So you can read this totally unencrypted message I just posted? I don't know why I even enabled WPA2, I expect it was the default setting. WPA2 keeps the neighbors from eating mah bandwich?

    1. Re:why crack my Wi-Fi by skids · · Score: 1

      WPA2 keeps the neighbors from eating mah bandwich?

      Try "it keeps people from injecting exploits into your computer by impersonating web servers." Be glad you enabled it.

    2. Re:why crack my Wi-Fi by Anonymous Coward · · Score: 0

      Gladness enabled! I'm so happy now.

    3. Re:why crack my Wi-Fi by MikeBabcock · · Score: 1

      No, that's SSL.

      --
      - Michael T. Babcock (Yes, I blog)

    4. Re:why crack my Wi-Fi by davidhoude · · Score: 2

      Because SSL on Open WiFi is fool proof....

      He was correct. While you are also correct, you failed to see the attack vector. If the network is not secure, your SSL may not be effective, at least not for all users.

    5. Re:why crack my Wi-Fi by SuricouRaven · · Score: 2

      SSL is designed to operate over insecure networks. That's the idea.

    6. Re:why crack my Wi-Fi by Lloyd_Bryant · · Score: 1

      WPA2 keeps the neighbors from eating mah bandwich?

      Try "it keeps people from injecting exploits into your computer by impersonating web servers." Be glad you enabled it.

      How about "it keeps you from being hauled off to jail by some really mean feds because someone used your wireless to download kiddie porn"? *That* most people can easily understand.

      --
      Don't tell me to get a life. I had one once. It sucked.

    7. Re:why crack my Wi-Fi by skids · · Score: 1

      Try to have an effective browsing experience with port 80 blocked.

  9. so? by the_Bionic_lemming · · Score: 4, Insightful

    Brute force attacks compromise simple passwords?

    This is news?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!

  10. Known for years by Anonymous Coward · · Score: 0

    This attack has been known for years. Am I missing something? How is this \news\ ?

  11. It's kind of silly to worry about by msobkow · · Score: 5, Insightful

    The only reason I encrypt my wifi connections is to prevent casual wanderers from connecting to my network and sucking up bandwidth. Any data that needs securing is encrypted by the computer, not by the modem/router.

    If I could get proper password protection without the encryption, I wouldn't bother encrypting the traffic. I could care less who snoops it -- so long as they're not sucking up bandwidth.

    --
    I do not fail; I succeed at finding out what does not work.

    1. Re: It's kind of silly to worry about by Anonymous Coward · · Score: 0

      Google "dsploit"

    2. Re:It's kind of silly to worry about by Anonymous Coward · · Score: 2, Insightful

      Uh, you're forgetting that a wifi connection is two way. If they can get onto your network, they're inside your hardware firewall. Better hope you have a good software firewall and/or that you don't have any exploitable services.

    3. Re:It's kind of silly to worry about by Anonymous Coward · · Score: 0

      All my lap warmers have software firewalls set to deny all. I don't run any servers on wireless, the uplink isn't reliable enough.

    4. Re:It's kind of silly to worry about by DarwinSurvivor · · Score: 2

      That still won't protect you from arp poisoning, DNS redirects (or direct forging), SSL Stripping, the list goes on.

    5. Re:It's kind of silly to worry about by Anonymous Coward · · Score: 0

      Oh no! Not ARP poisoning! I think I'll switch back to wired Ethernet and unmanaged switches, those are the safest. But no, how can I be sure I can trust the firmware in an unmanaged switch? There could be malware in there, rewriting my precious packets! Oh no!

      At some point you just have to say FUCK IT.

    6. Re:It's kind of silly to worry about by Anonymous Coward · · Score: 0

      One of the software firewalls I use has an option to secure the ARP cache on the system and prevent poisoning. I have never tested if it works though.

      Wouldn't SNORT/Suricata be able to detect ARP poisoning?

    7. Re:It's kind of silly to worry about by Burz · · Score: 2

      That's why security is not a boolean. If you regard it as black-and-white, it'll drive you nuts.

      Be thankful you can at least whittle the trust issues down to things like switch vendors.

    8. Re:It's kind of silly to worry about by DarwinSurvivor · · Score: 1

      If you do a blanket arp attack (like sending ALL traffic through you or trying to knock out the arp table), but if you target 2 specific systems it can become more difficult to detect (though not impossible).

    9. Re:It's kind of silly to worry about by Anonymous Coward · · Score: 0

      "they're inside your hardware firewall"

      Seriously? you sound like the clueless pseudoscience of Hollywood movies.

      I have no idea what you are talking about. A firewall has a very specific meaning: a stateful DFA which makes routing policy decisions by matching incoming packets against a ruleset and previously seen packets (where the stateful comes in).

  12. Wireless Access Points = Hacker Access Points by millertym · · Score: 2

    If you are even the slightest bit concerned with the security of data on your network, isolate wireless completely from your secure data. In my very unscientific estimate it seems 90%+ of the usefulness of wireless is for just basic internet access for executive types anyhow who don't need to be checking production data.

  13. Probably no science here... by Anonymous Coward · · Score: 0

    It's behind a coward's paywall. The link at the bottom is for the fraud article about the Wi-Fi virus that can magically infect all computers and wireless routers. Man do I love not having to expose "research" to public scrutiny.... What a cushy life.

  14. NSA says fuck off by Anonymous Coward · · Score: 0

    NSA says we'll hack whatever we want fuck you citizen

    and where are your papers....

    1. Re:NSA says fuck off by Anonymous Coward · · Score: 0

      NSA says we'll hack whatever we want fuck you citizen

      and where are your papers....

      errr.. don't remember.. I don't suppose you could give me a hint please Mister Agent sir.

    2. Re:NSA says fuck off by Phreakiture · · Score: 1

      Why are you asking me? You know damn well where my papers are.

      --
      www.wavefront-av.com

    3. Re:NSA says fuck off by Anonymous Coward · · Score: 0

      Cops have all of your information in their database but they still require you to show your ID...

    4. Re:NSA says fuck off by Anonymous Coward · · Score: 0

      That is a tactic to make people forget all the COMINT shit. It works in different variants like a breeze. The most important variant is called Fernmelde-Geheimnis here. Works again and again, though illogical.

  15. Backdoored by Anonymous Coward · · Score: 0

    If anyone can find a backdoor it will be three Greek guys.

  16. What has limited the attack number in WPA-PSK? by dutchwhizzman · · Score: 1


    What has limited the attack number in WPA-PSK? That's the question I have after reading all the data that is freely available. From what I know and can gather about this, the researchers found a way to reduce the amount of brute forcing required to guess the key in WPA-PSK. They used something in the de-auth and probably re-auth after that to gather information about the key to do so.

    Paywalling this information is a bad thing. Either do a full disclosure, or keep it secret and notify all vendors that are vulnerable. What we have now is Fear, Uncertainty and Doubt. The result will be that the bad guys will find out how it's done and implement a practical attack that we don't know how to detect or defend against. Alternatively, a white-hat will find out or pay for the article and publish it. That will probably result in the white-hat getting sued for leaking the information in the article. Regardless what will happen, this is probably the worst way to tell the world of a security vulnerability in a product used world wide by over a billion people.

    Universities should stop requiring publication in papers that aren't free to read, or free to publish in. The quality of the paper is of secondary importance to the magazine if people have to pay to get published. The reach to people for which the research is relevant is limited if the audience has to pay for reading the article. In my opinion, requiring at least three positive peer reviews from other universities or something similar, would be a much better way to make sure that research is up to standards and relevant than a short list of places that will publicise a paper. Reviewing papers from other universities should be part of the mandatory tasks students have to fulfil in order to be allowed to write their own paper.

    --
    I was promised a flying car. Where is my flying car?

    1. Re:What has limited the attack number in WPA-PSK? by Anonymous Coward · · Score: 2, Informative

      Nobody knows what they did, because their paper is paywalled. From afar, it looks like a compilation of standard attack methods. The WLAN standard uses unencrypted deauthentication packets, which enables an attacker to kick anyone from the network without knowing the network's encryption key. This can be used in a denial-of-service fashion, where the attacker continuously deauths everyone, so that nobody can use the network. Or it can be used once on the victim: The victim will automatically reconnect to the network, which gives the attacker an opportunity to capture the handshake which includes the key negotiation. The attacker can then use this recording to perform an offline brute force attack to find the key. If the attacker guesses the key, he's in.

      Without using deauth, the attacker would just have to wait until the victim connects to the network on its own. That's not going to stop a determined attacker, i.e. one who attempts a brute force attack on WPA-PSK.

      Long story short: If that's it (I don't see any hint that it's not), then a sufficiently random pre-shared-key prevents a successful attack.

  17. Giving up on security by Anonymous Coward · · Score: 0

    Maybe the harder we try to secure the harder "they" try to circumvent it. I hardly think you have such sophistication in attempts to break into home WiFi. This really is more about sensitive business related networks. Which in my opinion is a problem anyway using any kind of wireless connection. Maybe the point is that any wireless connection should be considered more vulnerable than a wired one?

  18. Encrypted Management Frames by Anonymous Coward · · Score: 2, Informative

    It's called 802.11w and introduces encryption on management frames (so de-auth attack is out), this problem is solved. It's up to vendors/developers to implement it.

    1. Re:Encrypted Management Frames by Anonymous Coward · · Score: 0

      Unless RF jamming is employed requiring the client to reconnect.

  19. funny thing about security is it always applies by Anonymous Coward · · Score: 0

    So you start with a national campaign and a computer database of those people and somehow months later the ones getting gassed are those who supported the idea. Weird eh?

  20. Gawd by Anonymous Coward · · Score: 0

    Who would have thought a pre-shared key scheme could be so difficult to make secure? Pre-shared key? There's 90% of the sodding work done for you.

  21. Weird by jon3k · · Score: 1

    This article takes a really roundabout way to tell you computers are getting faster...

  22. Relative Ease compared to What? by craighansen · · Score: 3, Informative

    TFAbstract says that WPA2 can be cracked with brute force search, and that long passwords are more secure than short ones. Looking up the home pages of these internationally renowned researchers http://www.brunel.ac.uk/bbs/pe... http://issel.ee.auth.gr/people... http://www.research.lancs.ac.u... reveals that these three claim no other security-focused publications. But perhaps I'm too quick to judge. Somebody pay the man and read their paper. Or is this the two-step get-rich-quick scheme?: - (1) Publish Paywalled Article Exposing Security Holes in Commonly-Used Security Protocol (2) Profit! (PPAESHiCUSP-P)

    1. Re:Relative Ease compared to What? by Anonymous Coward · · Score: 0

      I have read the full paper, I think it's a scam. To crack WPA2 with strong passwords, they propose a dictionary attack of 95^63 records.
      Which is of course totally stupid, and impossible to do within a reasonable time...

  23. Meh. by Anonymous Coward · · Score: 0

    Having a wireless network amounts to giving those in close proximity physical access to your infrastructure. Try to protect it as you may, it's still physical access (more or less) and will be breached at some point. Simply cordon off your wifi so that when it is inevitably breached there is little value to the person who has breached it (a lot of work for little payout). As an absolute rule, my computer connects to an SSL VPN any time it's connected to wireless (at work, home or on the road).

  24. Encrypted Management Frames plus DHE by Anonymous Coward · · Score: 0

    What they should also do is add a DHE exchange as well. As it currently stands, by sniffing the handshake, the only part that is missing is the PMK. Once you brute that, you can get all traffic. Instead they should use the current process to encrypt the parts of a DHE exchange and use that to encrypt the PTK. It would not only make brute forcing much harder, it would also make the results of which basically useless for traffic captured in the past.

    1. Re:Encrypted Management Frames plus DHE by Anonymous Coward · · Score: 0

      No it wouldn't! You could still use the dynamical analysis on RQK to decrypt that in a timing change attack!

  25. 802.11w and SAE, FFS. by Anonymous Coward · · Score: 0

    1) everyone has to agree on an updated standard

    It's called 802.11w-2009. 2009 as in "Five fucking Years Old". Part of the updated 802.11-2012 standard. Supported by most modern OS under the condition that the fucking wireless drivers support it. It protects against fucking deauth frames and spoofed broadcast frames by signing them.

    http://en.wikipedia.org/wiki/IEEE_802.11w-2009

    It does not protect the initial connection though. For that, there's this little thing called "Simultaneous Authentication of Equals" that got out somewhere in 2011 initially for 802.11s, that promises unbruteforcable authentication based on elliptic curve cryptography. But unless you only use Linux AP and clients, you can fuck off before you will be able to use it, and it needs to be fuckingly audited seriously to know if it is actually secure.

  26. If someone wants the paper to read by Anonymous Coward · · Score: 0

    http://www.inderscience.com/storage/f212115103871469.pdf

    This paper is ridiculous!

    The "renowned researchers" just learn how to use aircrack-ng and published this piece of shit as a super new hacking technique... and thanks to slashdot to hype this shit.

  27. Unpaywalled by Anonymous Coward · · Score: 0

    I emailed one of the authors and they sent me the PDF, which I as the anonymous coward I am uploaded here: https://anonfiles.com/file/f6933309e8b215470e015ce2427e239d

  28. pdf out on the internet by Anonymous Coward · · Score: 0

    I read the discussion about this paper on reddit, and saw someone post a link to the pdf on their homepage. I am not posting the link to the pdf of this article, but merely pointing out that this dude on reddit posted it on his/her homepage at http://pastebin.com/aKMWbgq2