Thursday, August 27, 2009

WPA Cracked: Old News. In 60 seconds: Crap.

(original article)



Computer researchers in Japan have developed a way to crack through WPA (Wi-Fi Protected Access) encryption in about one minute. While the ability to crack through WPA isn't really news, the speed at which it can be hacked has now essentially been increased by 12 to 15 times.

The masterminds behind the new attack, Toshihiro Ohigashi and Masakatu Morii, plan to discuss further details at a technical conference taking place Sept. 25 in Hiroshima, Japan.

Last November, WPA was successfully broken by researchers Martin Beck and Erik Tews. This attack worked on a smaller range of wireless devices, and took almost fifteen minutes to work.

Luckily, both attacks only work on WPA using the TKIP (Temporal Key Integrity Protocol) algorithm. This means that WPA using AES (Advanced Encryption Standard) and WPA2 are still secure, at least for now.

Unfortunately, wireless encryption has a long history of security issues. The Wired Equivalent Privacy (WEP) system, released in 1997, was decoded only a few years later and is not even considered secure by IT professionals. WPA with TKIP can now join WEP in the Hall of Shame.

While wireless network users have long been encouraged to use WPA2 since its introduction in March of 2006, some people running older equipment may not be able to support the newer encryption. I have switched my home network to WPA with AES instead of WPA2 since my parents' legacy machines simply don't support the newer technology. You can switch the type of WPA encryption in your router's security settings.

As with any security system, people will eventually figure out a way around it. This only emphasizes the point that information security professionals need to keep improving themselves just like the bad guys are.

3 comments:

  1. Based on what you had to do with the legacy system, what do you think this will mean on a corporate level? Do you anticipate that the ease of cracking this will have big impacts on companies running wireless networks, or that they are already ahead of the problem?

  2. Since solutions have been around since 2006, it's not like the wireless technology was caught with its pants down. The ease of implementing the AES encryption or switching to WPA2 makes this less of a problem, and more of an awareness thing. It's showing us that security professionals can't sit on their laurels.

    Would this impact companies? Not really.
    In a worst case scenario, corporate would need to replace their wireless routers if they were purchased before 2006. Otherwise, it's a simple change in the router and client settings from one encryption to the next.

  3. I decided to play around with WPA Radius since I had heard that WPA Pre-Shared Keys was vulnerable. I got it working for Linux on my laptop and wrote about it in my own blog back when:

    http://davenjudy.org/davesBlog/node/20

    At some point my wife wanted to be able to use her laptop in a part of our house that didn't have a wired network outlet so I got Radius authentication working for Windows XP Pro on her laptop and XP Home on my laptop. That process is described in this post:

    http://davenjudy.org/davesBlog/node/43

    Cheers,
    Dave
