Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

WPA Wi-fi Cracked (but it's not as bad as you think... yet)

Published: 2008-11-06
Last Updated: 2008-11-06 17:34:24 UTC
by Joel Esler (Version: 4)
4 comment(s)

I saw this on a couple news sites this morning, and it's security related, so I think it's important to throw it up on the Diary for today. 

Looks like WPA (one of the methods of encrypting Wi-Fi sessions, oh yes, and I *did* just link to Wikipedia.) has been compromised. TKIP keys have been hackable via Dictionary attack for a little while now, but this attack is NOT a dictionary attack. Oh yeah, and it's pretty quick too. (12-15 minutes according to the article I read).

Why do I say that it's not as bad as you think?  The researchers (named in the above article) still haven't gotten access to the actual data that is being transferred.  They just cracked the TKIP key.  But that's step 1.

So, we all know that WEP isn't really the best thing in the world (read: don't use it), WPA apparently isn't much better.  WPA2 is still uncracked as of now (as far as I know!), so ensure you are using it, if you are running Wireless networks.

Not only do you want a pre-shared key in between your computer and the access point, but you also want after-connection verification of some type if possible.  Perhaps a splash page where you have to enter your username and password to authenticate?  Perhaps some kind of 3rd party token, a la, RSA key?  How about a VPN connection?

So, the take away from this is, if you are using WEP (wow, you are?) or WPA, please move to WPA2. 

(Interesting fact -- You know what doesn't support WPA2?  Xbox360.  So what?  It's just a game console right?  How about what you enter in on the Xbox360 in order to buy an Xboxlive subscription?  How about, your credit card number?  I am sure there are plenty more devices that don't support WPA2, it was just an interesting observation.  Windows does, why doesn't the Xbox360?)

-- Joel Esler

Keywords: Wireless
4 comment(s)
Diary Archives