New RC4 Encryption Attacks Reduces Plaintext Recovery Time

msm1267 writes: Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm. A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow an attacker to capture a victim's cookie and decrypt it in a much shorter amount of time than was previously possible. The paper "All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS," written by Mathy Vanhoef and Frank Piessens, explains the discovery of new biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4, as well as the WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Re:Why are we still using RC4?

[nullchar]

Because it's in firmware that can't be [easily] upgraded?

Hooray the Internet of Things! Billions of devices that will never be upgraded.

Will it help cracking WiFi?

[rduke15]

That's all I'm really interested in. Will it make cracking the neighbor's WiFi practical again? Nobody uses WEP anymore, and almost all the routers with WPS seem to have been upgraded to prevent the very nice Reaver attack which was so cool a few years ago.

I used to get Internet access anywhere by simply cracking some nearby WiFi. Nowadays, I usually need to use my phone's data connection, which is painfully slow and not usable in other countries because of roaming charges. I keep an open WiFi at home for passersby, but nobody else seems to be doing that for me.

Re:Why are we still using RC4?

[dave420]

We already have billions of devices which will never be updated, so I fail to see why an attack on the Internet of Things is at all pertinent.