WPA2 Wireless Security Crackable WIth "Relative Ease" 150
An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2 in order to bolster its security or to develop alternative protocols to keep our wireless networks safe from hackers and malware."
this is not news (Score:5, Interesting)
This sounds like the classic de-auth, handshake capture, then brute force attack.
It's still a bitch to crack without G.O. resources. Moxie has a service that will try for you...
Re: (Score:1)
Re: (Score:1)
That you are ignorant of a method's widespread use and common knowledge, does not serve as legitimate cause for you to project that ignorance onto others. This "hack" has been known for some time, arguably since the creation of the protocol, since it is central to the functionality of said protocol. The only development of any note is how much easier it has become in the interim to brute-force passwords, given advancements in CPU/GPU processing power/techniques.
Re: (Score:2)
Yeah, exactly. Nothing to see here. Show it to me happening in real time with common easily obtainable equipment and maybe then you'll get my attention. But not with a lot of maybe's, perhaps, and coulds.
Re: (Score:2)
The problem is that most people use crap passwords. Too short, only alphanumeric with no special characters, a combination of dictionary words or common phrases etc. A GPU and a good dictionary can crack the majority of passwords in use today.
What we need to do is get away from passwords. WPS isn't so good but some routers support NFC for key exchange now, which seems ideal. If the attacker is within 2cm of the router already you have bigger problems.
Re: (Score:3)
A combination of dictionary words can be a strong password. [xkcd.com] This does require a large password field, but WPA 2 seems to support 64 characters so that's covered.
A random set of dictionary words is easy to remember for a human and difficult to guess for a computer.
We need to get away from insane password rules.
1. A max length of below 32 characters is bullshit. Instead, set a minimum length of 16 characters and advise to use a few random words.
2. Requiring non-alpahnumeric characters seems safe, but it move
Re: (Score:2)
A combination of dictionary words can be a strong password.
Not any more: http://arstechnica.com/securit... [arstechnica.com]
Combinator attacks will chew through any random combination of dictionary words pretty quickly. Length is irrelevant, only the number of words matters and typically it is quite low. In the XKCD example you linked to it is just four. For once XKCD gave out shockingly bad advice.
Re: (Score:2)
"Not any more" doesn't apply. It's no more difficult to do brute-force dictionary attacks than it has been.
However, brute-forcing a "correct horse battery staple" password (Munroe apparently was thinking of random selection from a 2K-word dictionary) does involve an average of 2^43 attempts, something over 8 trillion (best/worst case is double that). At a million tries per second, it would take well over a week. At a billion tries per second, that would take more than two hours. That's not about to s
Re: (Score:2)
Re:this is not news (Score:5, Insightful)
This forum, along with all the other times this has been discussed here on Slashdot, as well as other technical forums, provides evidence that may be one day very useful in a court of law if some copyright holder tries to prove an illegal download took place. If it took place through a wireless network, can it be proven who the recipient of the illegal download was?
We can whine and complain all we want, but if business finds it cheaper to simply include hold harmless clauses in their terms than to provide a robust product, they will do so, but in doing so, they have also removed surety of proof of download for the high and mighty MAFIAA.
The Copyright industry has spent millions of dollars to pamper Congressmen to pass law to make sure no-one can listen to a song unless terms of endearment are complied with... now they are finding out they just put a multimillion dollar lock on a cardboard door.
We do not have the money it takes to pay for Congressmen. The copyright people seem to have unlimited money. Money to hire lots of lawyers and send lots of threat letters. Those letters will be ineffective as long as we have insecure systems and no-one can prove a thing. We may have a problem with insecure systems, and the MAFIAA has a hell of a problem.
This kind of stuff gives everyone and his brother plausible deniability, which now means a total lack of accountability for online activity.
Re: (Score:2)
Why are you asking me? You know damn well where my papers are.
Re: (Score:1)
Re:Expected (Score:5, Informative)
Once quantum computing fully arrives, I guess encryption will be mostly moot.
Bad guess [wikipedia.org]
Re: (Score:3, Insightful)
Just when you thought you've sharpened your spear to the finest, your opponent has fortified his shield to the fullest.
Re: (Score:2)
OTP FTW
Re: (Score:3, Insightful)
Just use a one time pad. It's perfectly secure, even to quantum cryptography as long as the source is truly random. Creating a truly random number generator that takes advantage of quantum effects is not terribly difficult. Many modern CPUs now have this support built-in. The only weak point is how you get the one time pad to both locations and that it can only be used once. Even this is possible by having multiple pads sent via different methods and XORing them together at the destination. In order to crac
Re:Expected (Score:4, Insightful)
One-time pad truly means one-time pad however. That means a new pad for every single transmission - that's why it becomes untenable.
On the other hand, the way network encryption works is typically this:
(1) Use asymmetric encryption once to securely deliver the remote computer the key to a symmetric algorithm.
(2) Use the symmetric key for the remainder of the communication.
It's possible that RSA is compromised, or that a G.O. has the means to cracking it via an unpublished mathematical discovery, but there are other asyms out there.
Re: (Score:1)
One type pads can work for some things. maybe companies will send you a credit card sized device containing gigibytes of random pad data that you can use to communicate with that company.
Re: (Score:3)
I can imagine a VPN server with a rack of slots for those (Probably just read-only USB mass storage interface). Give one to the VPN, one to the person going on their trip or working at home. You'd need to send out a new key every now and again, but if a key is good for a couple of months (Doable) then it becomes quite reasonable.
Re: (Score:1)
And then just like a password attack, someone cracks their database and dumps all the OTP data and you're no longer secure.
Re: (Score:2)
And as stated, is no more invulnerable to remote attacks than password data (which has already been shown to be frequently all too easily accessible).
The OTP data must be accessible to the service you're connecting to which in turn is open to attacking from the outside. OTPs are not special when you use them with online services that aren't fully hardened.
In fact, I don't think it would be hard to argue that the traditional randomly-generated key system protected by public keys is in fact more secure becau
Re: (Score:1)
Call me paranoid, but I don't think it would be safe to assume the 3 letter agencies haven't already co-opted the design of the modern CPU random number generators.
Re: (Score:2)
I think it's unlikely. When news of FreeBSD not trusing Intel's random number generator I decided to look at the RTL of one of the CPUs my employer makes which is optimized for security applications. The random number generator works exactly as the documentation says it does using the jitter of 125 of 128 ring oscillators [wikipedia.org] feeding into a SHA1 engine with other unique inputs.
Re: (Score:1)
Re: (Score:2)
Cavium OCTEON series of CPUs. http://www.cavium.com/OCTEON-I... [cavium.com]
Re: (Score:1)
Re: (Score:3)
They're not designed for systems but for embedded devices like firewalls, VPNs, routers, NAS, etc. They're expensive and have some very nice engines in them as well, such as the gzip engine that's 100 times as fast as software implementations, hardware pattern matching (regex) engines and content addressable memory support for firewalls and anti-virus, RAID engines for NAS to do RAID 5/6 calculations in hardware, encryption and hashing instructions, not to mention built-in support for 10 and 40Gbps Ethernet
Re: Expected (Score:1)
"moot", you keep using that work like that. It doesn't mean what you think it does.
Eh... (Score:5, Insightful)
Reads article...
Longer passwords make brute force cracking more difficult... Possible attack vector via the wireless de-authentication and re-authentication that WPA2 connections maintain for clients... With potential fast scanning and proper spoofing, an intruder could knife their way it...
Why does this feel like nothing new?
Re: (Score:2)
It could be fixed by upgrading the software used by routers and by client devices, but 1) everyone has to agree on an updated standard and 2) how are they going to do the upgrade for Android-based cellphones? (Easy to do on an Apple iOS device--just run an update to iOS itself.)
Re: Eh... (Score:2)
Re: (Score:2)
That's what I said about Number 1--everyone has to agree on a new variant of the WPA standard. That could take a while. Meanwhile, I use a 16 alphanumeric character randomized password that will be still very hard to crack by brute force.
Re: (Score:2)
Call it WPA 3 (or WPA 2.5 if you don't feel the change warrants a major number change) and treat it like any other system.
If not all of your devices support WPA 3 you set the router to WPA 2 and "hope" nobody hacks you (not really hoping. It isn't an issue in most home applications).
keep our wireless networks safe from hackers... (Score:3, Insightful)
How do you keep something you never had?
Re: (Score:1)
We don't have wireless networks?
Re: (Score:2)
No, we never had hackers. Duh.
Re:MAC filtering and PSK (Score:4, Insightful)
MAC filtering does nothing useful. You're shouting your MAC from the rooftops any time you're connected to the network, so cloning it is exercise in triviality for any attacker with an IQ greater than their hat size.
Re:MAC filtering and PSK (Score:5, Funny)
Ooops. I'm going to have to get a smaller hat.
Re: (Score:2)
Re: (Score:2)
MAC filtering should only be used as a herd immunity measure: people who don't update their AV are less likely to find it easier to spoof an existing MAC address than they find it to register in a captive portal and download their updates before they are allowed in.
it's bad enough with regular passwords (Score:2)
I already have to tell friends and family to use a alphanumeric password not based on a dictionary word - I was helping a friend find out why her wireless charges were so high, and using backtrack and some basic documentation - (knowing almost nothing about wireless security) - I was able to find out her wireless password based on the fact she was using a regular word in my dictionary list
wireless = never safe
Re: (Score:3)
You think that's bad? Wait until you run across the issue where your ISP doesn't even both to set up basic passwords on your wireless hub. [dslreports.com]
Re: (Score:2)
You think that's bad? Wait until you run across the issue where your ISP doesn't even both to set up basic passwords on your wireless hub. [dslreports.com]
Ok, now I'm curious!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Except it doesn't, quite. Horizon problem: A is in range of the AP, B is in range of the AP, A and B are not in range of each other. If A sends a broadcast frame the AP will relay it so B can recieve it, but it doesn't do that for unicast packets for which it knows the recipient MAC address is on the wired side.
Re: (Score:2)
Heck, some ISPs probably still distribute wireless APs that only support WEP.
Re: (Score:3)
You insensitive clod! You just blabbed my password. Now I'll have to change it to capacitor mule wrong nail.
Oh wait ...
Re: (Score:1)
A moderate-length (24+ chars) phrase will be way more secure than your random pattern of letters, numbers and characters, PLUS it's FAR easier to remember, thereby reducing the odds that the super-secure gobbledy-gook you forced them to invent wont just get written down on a piece of paper and stuck to the refrigerator door for every passer-by to read...
Oblig XKCD [xkcd.com]
-AC
Re: (Score:1)
For a system where finding a written-down password is as difficult or easy for an attacker as getting physical access to the network, creating a long truly random password and writing it down really isn't such a bad idea. On the other hand, a phrase which is comprised of dictionary words, chosen by a human and "moderate length" according to your definition does not have enough entropy. Researchers found human-chosen four-word passphrases to have only about 20 bits of entropy. That's far less than a truly ra
EAP? (Score:2)
Re:EAP? (Score:5, Interesting)
Can't tell what exactly the paper is about due to a paywall and the fact that the article was written by someone not very techincal.
EAP-TTLS, as long as you are validating the server certificate, is pretty safe. Safer with a locally managed CA and installed client cert, but at least as safe as the web browsing you'll be doing on it after connecting anyway. The safety advantage to WPA-Enterprise over WPA-PSK is mainly due to the fact that you don't have to distribute the same easily-cloned PSK to every client. In addition, if installing and validating client certificates (not the usual mode for EAP-TTLS) they can be locked to specific user accounts. For keeping out the riff-raff they can be locked to MAC addresses as well but that only serves to ban the amateurs.
Re:EAP? (Score:5, Interesting)
I understand this is about recovering the PSK. This would mean that authentication using a certificate, such as EAP-TTLS is still safe. Correct?
I would say in practice "enterprise" password authentication via TLS (PEAP-* and TTLS-*) is the least secure authentication method for the simple reason virtually no client is configured properly to validate both certificate and identity.
The end result TLS is effectively subject to MITM attack for the overwhelming majority of clients...leaving squishy inner PEAP/TTLS authentication protocol (all completely worthless)
In my view EAP-TLS with mutual certificate authentication is still the most secure authentication option available.
Stanford's SRP protocol would be awesome to protect WPA passwords I believe it could be implemented with minimal changes to existing TLS stacks ... simply do TLS-SRP via EAP-TLS EAP method instead of the cert auth ... you get secure password authentication without the offline attack vector, or having to implement a new EAP method from scratch.
Re: (Score:2)
You mean that clients do not check proper certificate signature by the CA?
Re: (Score:3)
You mean that clients do not check proper certificate signature by the CA?
The main problem is not so much CA validation but lack of a global namespace.
When I type https://www.securesite.com/ [securesite.com] into my browser the only certificates my browser accepts are the ones explicitly for www.securesite.com... certs for www.someothersite.com don't work.
With EAP authentication no such check is done automatically by default. To be secure the client must explicitly select a CA **AND** certificate identity (e.g. www.securesite.com) ... otherwise you might well be presented with a valid certificat
Re: (Score:2)
Attackers after all can buy SSL certs the same as you or I.
But AFAIK, there is no preloaded CA for EAP. You install only the CA of your organization, which narrows the opportunities to have a valid certificate.
But indeed if someone steals any certificate you signed with the installed CA, an attack is possible. That advocates for using a sub-CA, or a dedicated CA just for EAP.
Re: (Score:2)
I believe the problem is that the interface for this and the way warnings are handled is just horrible and inconsistent between clients.
For example, android requires yout to set a passcode in order to store the public certificate. That's right you need to lock your device so nobody can get access to that PUBLIC key. duh. Clearly you should have a passcode for a private key, but not a public one. I"m not sure if this has been straitened out or not. Also it's often not clear if you can say the equival
Re: (Score:2)
But AFAIK, there is no preloaded CA for EAP. You install only the CA of your organization, which narrows the opportunities to have a valid certificate.
Depends on your security requirements. Most OSes trust anything in the OS default trsuted CAs which includes most major CAs. If you're satisfied with the integrity of all the CAs in that list, you can buy a RADIUS server-side cert form them and the clients will trust it.
The problem comes in making sure the self-service user checks the box to perform the validation and also types in the expected owner name. By default most OSes do not validate this information so anyone with a stolen priate key from a CA-
Re: (Score:2)
Re: (Score:2)
Importantly, this is also where we get into that root cert problem for companies that people complained about in a recent /. story because a lot of companies just use their own internal CA to authenticate the certs for both users and wireless devices which requires installing their root CAs on the machines and trusting them.
Re: (Score:2)
In my view EAP-TLS with mutual certificate authentication is still the most secure authentication option available.
You;re half right, but EAP-TLS doesn't have a password/account component, just the cert, so you are missing an authentication factor. If you're going through the trouble of actually making sure clients are running a secure supplicant to the point of making users add a client cert and a local CA trustpoint, just secure the settings on the TTLS/PEAP client and ban OSes like android that don't validate. Turn on verification of the client-side cert if you like, too.
Re: (Score:2)
You;re half right, but EAP-TLS doesn't have a password/account component, just the cert, so you are missing an authentication factor.
Clients can ask user to provide a password to access/decrypt private key required to authenticate client to server. The "account" component is client identity (e.g. name of public key)
If you're going through the trouble of actually making sure clients are running a secure supplicant to the point of making users add a client cert and a local CA trustpoint
I've been pushing vendors for 10+ years for a usable solution and they don't seem to care.
All most people want is passwords without all the worry about brute force attacks. Users and Operators alike don't want to deal with certs at all ..there is no *good* reason they should have to.
Re: (Score:2)
WPA2 keeps the neighbors from eating mah bandwich?
Try "it keeps people from injecting exploits into your computer by impersonating web servers." Be glad you enabled it.
Re: (Score:2)
No, that's SSL.
Re: (Score:2)
Because SSL on Open WiFi is fool proof....
He was correct. While you are also correct, you failed to see the attack vector. If the network is not secure, your SSL may not be effective, at least not for all users.
Re: (Score:3)
SSL is designed to operate over insecure networks. That's the idea.
Re: (Score:2)
Try to have an effective browsing experience with port 80 blocked.
Re: (Score:2)
WPA2 keeps the neighbors from eating mah bandwich?
Try "it keeps people from injecting exploits into your computer by impersonating web servers." Be glad you enabled it.
How about "it keeps you from being hauled off to jail by some really mean feds because someone used your wireless to download kiddie porn"? *That* most people can easily understand.
so? (Score:4, Insightful)
Brute force attacks compromise simple passwords?
This is news?
It's kind of silly to worry about (Score:5, Insightful)
The only reason I encrypt my wifi connections is to prevent casual wanderers from connecting to my network and sucking up bandwidth. Any data that needs securing is encrypted by the computer, not by the modem/router.
If I could get proper password protection without the encryption, I wouldn't bother encrypting the traffic. I could care less who snoops it -- so long as they're not sucking up bandwidth.
Re: (Score:2, Insightful)
Uh, you're forgetting that a wifi connection is two way. If they can get onto your network, they're inside your hardware firewall. Better hope you have a good software firewall and/or that you don't have any exploitable services.
Re: (Score:3)
Re: (Score:3)
That's why security is not a boolean. If you regard it as black-and-white, it'll drive you nuts.
Be thankful you can at least whittle the trust issues down to things like switch vendors.
Re: (Score:2)
Wireless Access Points = Hacker Access Points (Score:2)
What has limited the attack number in WPA-PSK? (Score:2)
What has limited the attack number in WPA-PSK? That's the question I have after reading all the data that is freely available. From what I know and can gather about this, the researchers found a way to reduce the amount of brute forcing required to guess the key in WPA-PSK. They used something in the de-auth and probably re-auth after that to gather information about the key to do so.
Paywalling this information is a bad thing. Either do a full disclosure, or keep it secret and notify all vendors that are
Re: (Score:2, Informative)
Nobody knows what they did, because their paper is paywalled. From afar, it looks like the a compilation of standard attack methods. The WLAN standard uses unencrypted deauthentication packets, which enables an attacker to kick anyone from the network without knowing the network's encryption key. This can be used in a denial-of-service fashion, where the attacker continously deauths everyone, so that nobody can use the network. Or it can be used once on the victim: The victim will automatically reconnect to
Encrypted Management Frames (Score:2, Informative)
It's called 802.11w and introduces encryption on management frames (so de-auth attack is out), this problem is solved. It's up to vendors/developers to implement it.
Werid (Score:2)
Relative Ease compared to What? (Score:4, Informative)
TFAbstract says that WPA2 can be cracked with brute force search, and that long passwords are more secure than short ones. Looking up the home pages of these internationally renowned researchers http://www.brunel.ac.uk/bbs/pe... [brunel.ac.uk] http://issel.ee.auth.gr/people... [ee.auth.gr] http://www.research.lancs.ac.u... [lancs.ac.uk] reveals that these three claim no other security-focused publications. But perhaps I'm too quick to judge. Somebody pay the man and read their paper. Or is this the two-step get-rich-quick scheme?: - (1) Publish Paywalled Article Exposing Security Holes in Commonly-Used Security Protocol (2) Profit! (PPAESHiCUSP-P)