
A New Wi-Fi Exploit, Limited But Clever 77

eggboard writes "Martin Beck, who in 2008 co-wrote a paper describing a way to inject packets into a secured Wi-Fi system, is back with a more extensive exploit. His 'Enhanced TKIP Michael Attacks' still don't allow extraction of a key, and are limited to TKIP (not AES-CCMP) WPA-protected networks. Still, he's figured out how to put in large payloads, and to extract data sent from an access point to a client — all without cracking the network key. The attack requires proximity to sniff and inject data, but it's another crack in the older key standard (TKIP) that no one with serious security interests should still be using." Here is Beck's paper (PDF) describing the new attacks.

  • SSID (Score:3, Interesting)

    by getNewNickName ( 980625 ) on Saturday February 27, 2010 @04:50PM (#31299534)
    Re: wi-fi security, what's to stop someone from creating a hotspot with the same SSID and just waiting for the user to provide their credentials when they try to re-login? The average user will probably just go ahead and re-enter their password. No need for breaking any encryption, just a bit of social engineering.
  • Re:Very Limited (Score:3, Interesting)

    by eggboard ( 315140 ) on Saturday February 27, 2010 @05:21PM (#31299728) Homepage

    That's not as limited as it sounds. There are perhaps hundreds of millions of routers running versions of embedded Linux, and WMM/802.11e may be enabled by default on many of those!

  • Re:TKIP and CCMP (Score:5, Interesting)

    by eggboard ( 315140 ) on Saturday February 27, 2010 @05:52PM (#31299900) Homepage

    That comment is halfway between troll and truth.

    That only works for short passwords using dictionary words and common alternatives--typically eight characters or fewer. Yes, you can get precomputed dictionaries for common SSIDs, and you can even use a new service to do some computation.

    However, move to 9 characters of random text (&fa^g_!80) and a unique SSID ("My little pony's network"), and all bets are off to computing the result in anything like a usable period of time.

    TKIP and AES-CCMP remain strong for long, strong passwords, long being 10 or more characters, but 12 to 20 is best.
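
Added example, not part of the thread: WPA/WPA2-Personal derives its pairwise master key with PBKDF2-HMAC-SHA1 salted by the SSID, which is why a table precomputed for a common SSID is useless against a unique one and why passphrase length dominates search cost. The SSID "linksys" and the guess rate are constructed assumptions for illustration; the passphrase and the unique SSID are the ones quoted in the comment above.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 100_000  # assumption, not a measured figure


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    passphrase = "&fa^g_!80"  # the 9-character example from the comment
    for ssid in ("linksys", "My little pony's network"):
        # Same passphrase, different salt: the derived keys share nothing,
        # so work done for one SSID does not carry over to another.
        print(f"{ssid!r:28} {wpa_pmk(passphrase, ssid).hex()}")

    # 8 lowercase letters versus 9 characters drawn from printable ASCII.
    for label, alphabet, length in (("8 lowercase", 26, 8),
                                    ("9 printable ASCII", 95, 9)):
        print(f"{label:18} {keyspace_bits(alphabet, length):5.1f} bits, "
              f"{years_to_exhaust(alphabet, length):,.2f} years at assumed rate")
```
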
