WPA2 Wireless Security Crackable With "Relative Ease"
An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2 in order to bolster its security or to develop alternative protocols to keep our wireless networks safe from hackers and malware."
Eh... (Score:5, Insightful)
Reads article...
Longer passwords make brute force cracking more difficult... Possible attack vector via the wireless de-authentication and re-authentication that WPA2 connections maintain for clients... With potential fast scanning and proper spoofing, an intruder could knife their way in...
Why does this feel like nothing new?
keep our wireless networks safe from hackers... (Score:3, Insightful)
How do you keep something you never had?
so? (Score:4, Insightful)
Brute force attacks compromise simple passwords?
This is news?
It's kind of silly to worry about (Score:5, Insightful)
The only reason I encrypt my wifi connections is to prevent casual wanderers from connecting to my network and sucking up bandwidth. Any data that needs securing is encrypted by the computer, not by the modem/router.
If I could get proper password protection without the encryption, I wouldn't bother encrypting the traffic. I could care less who snoops it -- so long as they're not sucking up bandwidth.
Re:MAC filtering and PSK (Score:4, Insightful)
MAC filtering does nothing useful. You're shouting your MAC from the rooftops any time you're connected to the network, so cloning it is an exercise in triviality for any attacker with an IQ greater than their hat size.
Re:Expected (Score:3, Insightful)
Just when you thought you've sharpened your spear to the finest, your opponent has fortified his shield to the fullest.
Re:Expected (Score:3, Insightful)
Just use a one time pad. It's perfectly secure, even to quantum cryptography as long as the source is truly random. Creating a truly random number generator that takes advantage of quantum effects is not terribly difficult. Many modern CPUs now have this support built-in. The only weak point is how you get the one time pad to both locations and that it can only be used once. Even this is possible by having multiple pads sent via different methods and XORing them together at the destination. In order to crack it, all copies would have to be intercepted and copied, though additional security measures could be added to make even this difficult.
Re:It's kind of silly to worry about (Score:2, Insightful)
Uh, you're forgetting that a wifi connection is two way. If they can get onto your network, they're inside your hardware firewall. Better hope you have a good software firewall and/or that you don't have any exploitable services.
Re:Expected (Score:4, Insightful)
One-time pad truly means one-time pad however. That means a new pad for every single transmission - that's why it becomes untenable.
On the other hand, the way network encryption works is typically this:
(1) Use asymmetric encryption once to securely deliver the remote computer the key to a symmetric algorithm.
(2) Use the symmetric key for the remainder of the communication.
It's possible that RSA is compromised, or that a G.O. has the means of cracking it via an unpublished mathematical discovery, but there are other asyms out there.
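An added example, not part of either "Re:Expected" comment above, for the two one-time-pad points they raise: pad shares sent by separate channels and XORed together at the destination, and what leaks when a pad is used for more than one message. The function names and sample messages are constructed for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def make_pad_shares(length: int, channels: int) -> list:
    """One independent random share per delivery channel (OS CSPRNG)."""
    if channels < 2:
        raise ValueError("need at least two channels to split the pad")
    return [secrets.token_bytes(length) for _ in range(channels)]

def combine_shares(shares: list) -> bytes:
    """The working pad is the XOR of every share."""
    pad = bytes(len(shares[0]))
    for share in shares:
        pad = xor_bytes(pad, share)
    return pad

def otp(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the pad (same operation both ways)."""
    if len(pad) < len(data):
        raise ValueError("pad is shorter than the message")
    return xor_bytes(data, pad[:len(data)])

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one pad: the pad cancels, leaving p1 XOR p2."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])

def demo() -> dict:
    # Constructed sample messages of equal length.
    msg1 = b"meet at the north gate"
    msg2 = b"bring the backup keys!"
    shares = make_pad_shares(len(msg1), channels=3)
    pad = combine_shares(shares)
    c1 = otp(msg1, pad)
    c2 = otp(msg2, pad)  # second use of the same pad: the mistake
    return {
        "all_shares": otp(c1, combine_shares(shares)),        # msg1
        "missing_one": otp(c1, combine_shares(shares[:2])),   # random-looking
        # Anyone who knows msg1 reads msg2 without ever seeing the pad.
        "msg2_from_reuse": xor_bytes(reuse_leak(c1, c2), msg1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

An interceptor holding all but one share learns nothing about the pad, because the missing share is itself uniformly random; the reuse case fails regardless of how the pad was delivered.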
Re:this is not news (Score:5, Insightful)
This forum, along with all the other times this has been discussed here on Slashdot, as well as other technical forums, provides evidence that may be one day very useful in a court of law if some copyright holder tries to prove an illegal download took place. If it took place through a wireless network, can it be proven who the recipient of the illegal download was?
We can whine and complain all we want, but if business finds it cheaper to simply include hold harmless clauses in their terms than to provide a robust product, they will do so, but in doing so, they have also removed surety of proof of download for the high and mighty MAFIAA.
The Copyright industry has spent millions of dollars to pamper Congressmen to pass law to make sure no-one can listen to a song unless terms of endearment are complied with... now they are finding out they just put a multimillion dollar lock on a cardboard door.
We do not have the money it takes to pay for Congressmen. The copyright people seem to have unlimited money. Money to hire lots of lawyers and send lots of threat letters. Those letters will be ineffective as long as we have insecure systems and no-one can prove a thing. We may have a problem with insecure systems, and the MAFIAA has a hell of a problem.
This kind of stuff gives everyone and his brother plausible deniability, which now means a total lack of accountability for online activity.