By Patricia Resende / CIO Today. Updated November 06, 2008.
Two researchers have opened a new can of worms that could let hackers wreak havoc on network managers.
Erik Tews and Martin Beck say they have found a way to crack the widely used Wi-Fi Protected Access (WPA), a standard supported by the Wi-Fi Alliance and currently used to secure wireless computer networks. The researchers say they have specifically cracked the Temporal Key Integrity Protocol (TKIP, the set of algorithms used by WPA), a feat that had been considered nearly impossible.
"We were able to write up both attacks about one month ago in a research paper we submitted to WISEC 2009, which is currently under review," said Tews in an e-mail interview with us from Germany. "Very experimental implementations of these attacks are ready and available in the aircrack-ng public SVN server."
The duo took only 12 to 15 minutes to complete their feat and will share their findings at the PacSec conference in Tokyo next week. PacSec presenters focus on technical security details as they relate to current issues and best practices in information security. Their findings are shared with a multinational group of security professionals.
"We will demonstrate two attacks; one of them is a little improvement in WEP key recovery, the other one is on WPA," Tews said.
"In a nutshell, the WPA attack allows an attacker to decrypt packets at a rate of one byte of plaintext per minute or a little bit more," Tews said. "For short packets, this can be 15 minutes or so. After that, you will be able to send some packets, but only seven to 15. You need to decrypt another packet to send more packets."
Researchers' Due Diligence
Tews first discussed his work with a London newspaper, The Register, where he told the paper that the attack had a success probability of 50 percent with 40,000 packets and a success rate of 95 percent with 85,000 packets. Tews also said the time of the attack is about three seconds on a consumer laptop.
Cracking the standard has been in the works for some time, according to the researchers.
"I have been working in the wireless network security area since the beginning of 2007. I think Martin Beck has been working in this area for a longer time," Tews said.
"I think it was at the end of 2007 when Martin Beck had the idea to apply a well-known attack on WEP (named the chopchop attack and invented by KoreK) to WPA-protected networks. I was working on advanced attacks on WEP at this time."
The researchers have not, however, cracked the encryption keys used to secure the data that runs from a person's PC to a router.
Tews and Beck are not the only ones cracking the standard. Russian software company Elcomsoft said earlier this month that it was able to crack WPA on Wi-Fi networks up to 100 times faster by using Nvidia's recent chips. The company claims its Distributed Password Recovery product needs only a few intercepted packets to mount an attack.
Elcomsoft said it could do the same with WPA2, another standard said to be safe from an attack like the one Tews has created. WPA2 is the more advanced protocol, but it does not work with older network cards, and many companies have routers that still use WPA.
WEP Gone, WPA and WPA2 Next?
The predecessor to WPA, Wired Equivalent Privacy (WEP), is no longer widely used by businesses because of its vulnerabilities and was replaced with WPA.
The standard received much attention when T.J. Maxx and Marshalls customers were victims of a major security breach. Hackers broke into parent company TJX's database and gained access to nearly 50 million credit-card accounts because of the out-of-date WEP standard.