A New Wi-Fi Exploit, Limited But Clever
eggboard writes "Martin Beck, who in 2008 co-wrote a paper describing a way to inject packets into a secured Wi-Fi system, is back with a more extensive exploit. His 'Enhanced TKIP Michael Attacks' still don't allow extraction of a key, and are limited to TKIP (not AES-CCMP) WPA-protected networks. Still, he's figured out how to put in large payloads, and to extract data sent from an access point to a client — all without cracking the network key. The attack requires proximity to sniff and inject data, but it's another crack in the older key standard (TKIP) that no one with serious security interests should still be using." Here is Beck's paper (PDF) describing the new attacks.
Very Limited (Score:4, Informative)
From TFA:
As with the previous attack, a lot of stars have to be in alignment. The biggest requirement is that TKIP has to be the key type, not AES-CCMP. An attacker has to be proximate to sniff traffic and inject packets. The router has to be running Linux, like many Wi-Fi routers do. The router doesn't need to be compromised; there's a particular Wi-Fi packet sequence that's more predictable, and thus easier to use in the attack. Network QoS (802.11e/WMM) needs to be enabled as well.
Re:Use a MAC address filter (Score:5, Informative)
Hiding your SSID can actually be detrimental...
If your SSID is open, then your machine can see its broadcasts and connect to it... If the SSID is hidden, then your machine has to probe for it by name... Meaning that if your machine is away from its usual location, you can see what network it's looking for...
If the SSID is hidden, then someone trying to break into it just needs to sniff traffic for a while to get the SSID anyway.
Re:Use a MAC address filter (Score:2, Informative)
Actually, I'd suggest to use both. If one fails, you still have the other.
Re:SSID (Score:3, Informative)
Because the password is never sent during the 4-way handshake.
I'm not talking about stealing the password from an existing connection. More simply just using the same SSID and waiting for the user to accidentally connect to the rogue router. Most users will gladly re-enter their credentials again.
When a client connects to a WEP or WPA access point, there is a four-way challenge-response handshake:
1. The client station sends an authentication request to the Access Point.
2. The Access Point sends back a clear-text challenge.
3. The client has to encrypt the challenge text using the configured WEP key, and send it back in another authentication request.
4. The Access Point decrypts the material, and compares it with the clear-text it had sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response.
So pretending to be their wireless access point or even sniffing the exchange won't reveal the passphrase.
Now if you pretend to be their access point and don't request authentication, then they may very well connect to you and never be the wiser. Then assuming you provide internet access, you are free to sniff or alter their data streams.
I suppose it's possible to pretend to be their access-point, and pass along the pieces of the handshake to the real access point. That would make you a man-in-the-middle, but that doesn't buy you anything more than just sniffing the traffic out of the air.
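The four numbered messages in the comment above are IEEE 802.11 shared-key authentication as used with WEP (WPA and WPA2 authenticate with a different, EAPOL-based 4-way handshake, so the simulation below applies to WEP shared-key mode only). As an added example, not code from the original page or from Beck's paper, here are both sides of that exchange, followed by what a passive sniffer can do with messages 2 and 3: the clear-text challenge XORed with the encrypted reply gives the RC4 keystream for that IV, and since the station chooses the IV, that keystream is enough to answer the AP's next challenge without ever learning the key. The WEP key, IV and challenge bytes are constructed for the demo, and the AccessPoint/station functions are illustrative stand-ins, not a real 802.11 stack.

```python
"""WEP shared-key authentication, simulated end to end (added example)."""
import os
import struct
import zlib
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV||key, plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + _icv(plaintext))


def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the ICV does not verify."""
    iv, ct = body[:3], body[3:]
    pt_icv = rc4(iv + key, ct)
    pt, icv = pt_icv[:-4], pt_icv[-4:]
    return pt if _icv(pt) == icv else None


class AccessPoint:
    """Shared-key authenticator: message 2 is a 128-byte clear-text challenge."""

    def __init__(self, key: bytes):
        self.key = key
        self.last = b""

    def challenge(self) -> bytes:
        self.last = os.urandom(128)
        return self.last

    def verify(self, response: bytes) -> bool:
        """Message 4: decrypt message 3 and compare with the challenge we sent."""
        return wep_decrypt(self.key, response) == self.last


def station_respond(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Message 3: the station encrypts the challenge under its WEP key."""
    return wep_encrypt(key, iv, challenge)


def keystream_from_exchange(challenge: bytes, response: bytes) -> Tuple[bytes, bytes]:
    """What a sniffer recovers from messages 2 and 3: the IV and 132 bytes
    of RC4 keystream, because keystream = (challenge || ICV) XOR ciphertext."""
    iv, ct = response[:3], response[3:]
    known = challenge + _icv(challenge)
    return iv, bytes(a ^ b for a, b in zip(known, ct))


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge with no key by reusing the sniffed IV/keystream."""
    pt = new_challenge + _icv(new_challenge)
    return iv + bytes(a ^ b for a, b in zip(pt, keystream))


def demo() -> dict:
    key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit WEP key
    ap = AccessPoint(key)
    iv = b"\x11\x22\x33"  # the station picks the IV; fixed here for the demo

    # Legitimate client: messages 2, 3 and 4.
    chal = ap.challenge()
    resp = station_respond(key, iv, chal)
    legit_ok = ap.verify(resp)

    # Eavesdropper saw only messages 2 and 3, then authenticates later.
    sniffed_iv, ks = keystream_from_exchange(chal, resp)
    chal2 = ap.challenge()
    forged_ok = ap.verify(forge_response(sniffed_iv, ks, chal2))

    return {"legit_ok": legit_ok, "forged_ok": forged_ok, "keystream_len": len(ks)}


if __name__ == "__main__":
    print(demo())
```

The forged authentication succeeds because the AP cannot tell a reused IV from a fresh one; the sniffer still does not know the WEP key, only 132 bytes of keystream for that IV, which is what the comment means by the exchange not revealing the passphrase.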
Re:TKIP and CCMP (Score:3, Informative)
1. If you're having trouble with WPA2, it's an implementation issue. There's no reason that WPA2 shouldn't work as well or better than WPA. In some silicon, AES-CCMP encryption can work faster than TKIP. Check for firmware upgrades on adapters and APs.
2. TKIP keys cannot be extracted by any known methods. Short TKIP and AES-CCMP passphrase-based keys are vulnerable to brute-force dictionary attacks, typically based on precomputed common SSIDs. A key of 10 or more characters is probably fine; 20 random characters is beyond computation in this universe. 63 is just silly.
3. The TKIP exploits are particular to AES-CCMP and don't recover the key, nor does any particular key length prevent the exploit. The exploits rely on a set of givens (such as 802.11e/WMM being available and enabled on a router), but this latest exploit that I link to uses the integrity checksum to extract a packet delivered to a client in the right circumstances.
4. This attack could be weaponized, but it's a proximity attack, so the yield is very very low in such attacks.
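Point 2 above ("precomputed common SSIDs") follows directly from how WPA/WPA2-PSK turns a passphrase into a key. As an added example, not code from the original page or from Beck's paper, the block below derives the 256-bit PMK the way IEEE 802.11i specifies, PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), reproduces the standard's published vector (passphrase "password", SSID "IEEE"), and then runs a small dictionary attack and a per-SSID precomputed table to show why a table built for one SSID is useless against another and why each guess costs 4096 HMAC rounds. The SSIDs, the "captured" passphrase and the wordlist are constructed for the demo.

```python
"""WPA/WPA2-PSK key derivation and SSID-keyed dictionary attacks (added example)."""
import hashlib
import math
from typing import Dict, Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, dkLen=32), per 802.11i."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def dictionary_attack(target_pmk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Online-style attack: derive the PMK for each candidate and compare.
    Each candidate costs 4096 HMAC-SHA1 iterations, which is the only thing
    slowing the attacker down."""
    for candidate in wordlist:
        if len(candidate) < 8:          # cannot be a valid WPA passphrase
            continue
        if wpa_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def precompute_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precomputed table for ONE SSID (PMK -> passphrase).  Because the SSID
    is the PBKDF2 salt, the table is reusable against every network with
    that SSID and worthless against any other."""
    return {wpa_pmk(w, ssid): w for w in wordlist if len(w) >= 8}


def search_cost_bits(length: int, alphabet_size: int = 95) -> float:
    """log2 of the key space for a random passphrase over printable ASCII."""
    return length * math.log2(alphabet_size)


def demo() -> dict:
    # Constructed "captured" network: a common SSID and a weak passphrase.
    ssid = "linksys"
    secret = "password"
    target = wpa_pmk(secret, ssid)

    wordlist = ["letmein", "12345678", "qwertyuiop", "password", "trustno1"]
    found = dictionary_attack(target, ssid, wordlist)

    # Same wordlist, two tables: only the one salted with the right SSID hits.
    table_same = precompute_table(ssid, wordlist)
    table_other = precompute_table("NETGEAR", wordlist)

    return {
        "found": found,
        "hit_in_same_ssid_table": table_same.get(target),
        "hit_in_other_ssid_table": table_other.get(target),
        "bits_20_random_chars": round(search_cost_bits(20), 1),
    }


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())
    print(demo())
```

Note what the derivation does and does not protect: the PMK is independent of the cipher, so the TKIP-versus-CCMP choice has no bearing on dictionary resistance; only passphrase entropy and an uncommon SSID raise the attacker's cost.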