Print 52 comment(s) - last by glennpratt.. on Dec 4 at 1:15 AM

Bring your laptop, leave your dictionary

A pair of security researchers claim to have partially cracked WPA encryption, with an attack that takes around 15 minutes.

The technique relies on an undisclosed “mathematical breakthrough,” say researchers Erik Tews and Martin Beck, and breaks the Temporal Key Integrity Protocol (TKIP) key used to encrypt data between a wireless router and its clients. Currently, the attack works only one way: data traveling from the access point to its clients is vulnerable, while data traveling in the opposite direction is not.

The only other known, effective attack against a WPA connection relies on computationally-intensive dictionary attacks, which involves testing wireless data against an extremely large list of educated guesses until one of them successfully decrypts the data in question.

Tews and Beck’s attack lowers these requirements considerably, allowing anyone with the knowledge, a laptop, and 15 minutes of time the ability to listen in on one side of a WPA-encrypted wireless connection.

CNet notes that Tews is no stranger to wireless hacking, as he also co-authored a 2007 paper (PDF) discussing how to crack a 104-bit WEP key in 60 seconds.

The duo will reveal their findings at next week’s Tokyo, Japan-based PacSec security conference in a presentation titled, “Gone in 900 Seconds, Some Crypto Issues with WPA”.

According to PC World, some of the pair’s research already is already appearing in wireless security tools.

Companies and internet users looking to keep their wireless networks secure will have to upgrade to WPA2 now, says PacSec organizer Dragos Ruiu.

“Everybody has been saying, 'Go to WPA because WEP is broken,'” he said. “This is a break in WPA.”

While it is too early to tell how the WPA attack will be exploited by criminal organizations, many companies are still in the process of transitioning to WPA from weaker standards like WEP, or no encryption at all. Hackers hit one such company, T.J. Maxx, in January 2007 from secured WEP access points; they ran off with one of the largest credit-card hauls in history and caused more than $200 million in damage.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Best encription?
By Hare on 11/7/2008 10:55:40 AM , Rating: 3
No it doesn't. Changing your MAC address is trivial and you can find out legitimate mac addresses just by listening to the traffic.

Feel free to google.

RE: Best encription?
By GaryJohnson on 11/8/2008 8:50:45 AM , Rating: 2
You need an authenticated client to find a MAC address right? So if your AP is low traffic, say there's only ever an authenticated client for a few hours a week, mac filtering can be pretty effective.

RE: Best encription?
By Lugaidster on 11/19/2008 8:45:33 PM , Rating: 2
Still, MAC address filtering only prevents the DHCP server to give you an IP address, but if you had one you'd be connected already. So if you setup your IP address manually you are set to go.

Since most routers give you addresses of the type 192.168.x.y all you need to do is guess "x" which would be 1/254 (since number 255 is reserved) and since most routers give you 192.168.[0-11].y addresses most likely you'll have network address in 12 attempts.

Ofcourse you'd still need to find the gateway address and the DNS server address, but since we are talking about residential routers most likely they'll be both the same and both be at 192.168.x.1.

So yeah, MAC addr. filtering pretty much sucks, except that only about 1% of the people on Earth know this. So to prevent those naggy newbies trying to steal internet access it is pretty good.

"I want people to see my movies in the best formats possible. For [Paramount] to deny people who have Blu-ray sucks!" -- Movie Director Michael Bay
Related Articles

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Yahoo Hacked - Change Your Passwords and Security Info ASAP!
September 23, 2016, 5:45 AM
A is for Apples
September 23, 2016, 5:32 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki