Saturday Nov 08, 2008

WPA-based networks can be compromised in about 15 minutes with new attack approach

The PACSEC 2008 security conference, to be held in Tokyo on 12 and 13 November 2008, has already attracted a great deal of attention. Martin Beck and Erik Tews will present research on a new implementation of the WPA-TKIP attack that does not rely on brute force. WPA-TKIP security, based on dynamic key generation, was supposed to be unbreakable.

Martin Beck and Erik Tews found a new approach that allows a malicious user to decrypt limited Wi-Fi communications protected with WPA-TKIP (TKIP stands for Temporal Key Integrity Protocol). According to the pre-release, attackers could also recover a special integrity checksum and send up to 7 custom packets into the network.

Nevertheless, one of the researchers stressed that it is not possible to recover the actual key used to protect communications. "The new attack on WPA is not a complete key recovery attack," Tews said in a pre-release. "It just allows you to decrypt packets and inject packets with custom content. But there is only a single short-term key recovered during the attack."

It was also mentioned that the countermeasures can only slow the attack down, not prevent it. "A wrong guess would cause the packet to be dropped by the access point, while a correct guess would cause a MIC failure and require the attacker to wait 60 seconds. In the case of an important type of networking data known as an Address Resolution Protocol (ARP) packet, only 14 bytes are not known. In less than 15 minutes, an encrypted ARP packet could be deciphered, including the secret MIC data," Tews said.

While the security vulnerabilities are limited, the researchers stated in their pre-release that the techniques could be used in a denial-of-service (DoS) attack, by using ARP injection to overwrite entries in the ARP table, or potentially to attack a local network's domain servers. The technique could also be used to channel data through a corporate firewall, they added.

Security specialists recommend switching from WPA to WPA2, or using an improved WPA security mode and disabling the ability to fall back to TKIP for legacy devices.
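As an illustration of that recommendation, the following added example (not part of the original post or of the researchers' work) audits a hostapd-style access point configuration for places where TKIP is still offered. It assumes hostapd's documented defaults, namely that `wpa_pairwise` defaults to TKIP and that `rsn_pairwise` inherits `wpa_pairwise` when unset; the sample configurations and function names are constructed for the example.

```python
# Added example: flag TKIP in a hostapd.conf. Assumes hostapd's documented defaults:
# wpa_pairwise defaults to TKIP; rsn_pairwise inherits wpa_pairwise when unset.

# Constructed sample: mixed WPA/WPA2 with TKIP kept for legacy devices.
SAMPLE_CONF = """\
ssid=example-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

# Constructed sample: WPA2 only, CCMP only.
HARDENED_CONF = """\
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

def parse_conf(text):
    """Parse 'key=value' lines, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_tkip(text):
    """Return a list of findings; an empty list means no TKIP is offered."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2 (RSN)
    wpa_pairwise = set(conf.get("wpa_pairwise", "TKIP").split())
    rsn_set = conf.get("rsn_pairwise")
    rsn_pairwise = set(rsn_set.split()) if rsn_set else wpa_pairwise
    findings = []
    if wpa & 1 and "TKIP" in wpa_pairwise:
        findings.append("WPA: TKIP offered as pairwise cipher")
    if wpa & 2 and "TKIP" in rsn_pairwise:
        source = "rsn_pairwise" if rsn_set else "inherited from wpa_pairwise"
        findings.append("WPA2: TKIP offered as pairwise cipher (%s)" % source)
    return findings

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tkip(conf) or "no TKIP offered")
```

A configuration with `wpa=2` and no cipher lines is also reported, because under the assumed defaults it still ends up offering TKIP.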

The actual details of this attack will be discussed at PACSEC 2008 in Tokyo next week.

 

 
