
WiFi Buzz(Words)

by admin

Recently two German researchers presented their findings on cracking the WPA encryption method at the PacSec security conference in Tokyo. I know this sounds like the setup to an Abbott and Costello routine, but it’s not. It’s also not as serious or as dire as the researchers or the conference that announced the findings make it out to be.

If you’ve ever set up a wi-fi network at your home or place of business, you will have heard the acronyms before. WPA, WEP, AES, TKIP, A-E-I-O-U, WPA2… (the last set are vowels, not encryption methods; I’m just making sure you’re awake). If you have been paying attention prior to this, you will have been aware that WEP was cracked roughly 15 minutes after it was adopted as the standard. Ironically, WEP stands for Wired Equivalent Privacy. You gotta love that the powers that be stuck with the original name. Most wireless routers and other wi-fi devices kept it within their feature set for compatibility with older devices. If you’re saying to yourself, “that sounds like what I’m using,” stop reading now and just unplug your router.

Many people used WEP because of the lack of choices they had to make. Setting it up was simple: check the box, put in a passkey, and they were up and running. WPA presented them with other options: TKIP or AES. WPA + TKIP was only considered secure for a little while longer than WEP, as flaws were discovered that permit an attacker to transmit 7-15 packets of the attacker’s choice on the network. It’s this very flaw that the aforementioned German researchers exploited to decrypt WPA traffic.

That’s the background in a nutshell, but what does it really mean? I’m going to break the current goings-on into two issues: the technical and the social.

The technical side of things is, in this rare instance, the easiest to tackle. TKIP is not secure. If you’re concerned about the privacy of your wireless configuration, do the following things: Change your SSID, and don’t broadcast it. The attack the researchers performed used a known SSID. Not broadcasting that is one more hurdle someone would have to get over in order to use this attack.

Change from TKIP to AES and use a long, complex passkey. The researchers again targeted WPA using only TKIP. This isn’t a vulnerability in WPA or WPA2 using AES.
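One way to check an access point for the settings above, as an added example that is not from the original post: a Python audit of a hostapd-style configuration. hostapd is an assumption here (it names the AES cipher CCMP), and the sample configs and the 20-character passphrase threshold are constructed for illustration.

```python
MIN_PASSPHRASE_LEN = 20  # assumption: example threshold, the post only says "long"

def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings for WEP, TKIP and short-passphrase settings."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2
    if wpa == 0 or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP or no WPA configured")
    # Documented hostapd defaults (assumed to apply to the build in use):
    # wpa_pairwise defaults to TKIP, rsn_pairwise falls back to wpa_pairwise.
    wpa_ciphers = conf.get("wpa_pairwise", "TKIP").split()
    rsn_ciphers = conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
    if wpa & 1 and "TKIP" in wpa_ciphers:
        findings.append("WPA accepts TKIP")
    if wpa & 2 and "TKIP" in rsn_ciphers:
        findings.append("WPA2 accepts TKIP")
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    return findings

# Constructed sample configs (not from the post).
WEAK_CONF = """
ssid=ExampleNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=hunter2hunter
"""

HARDENED_CONF = """
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-42
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

A config that sets `wpa=2` but names no cipher is still flagged, because the pairwise cipher then falls back to the TKIP default.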

That’s it. Ironically, these steps have been the common advice from the security community for implementing Wi-Fi for a number of years, which brings me to the other side of the coin, and where I get to pull out the old soapbox.

The announcement wasn’t really doom and gloom on the part of the researchers. They themselves note that this isn’t a silver bullet that breaks all wi-fi, just WPA implemented with TKIP. The press releases were published by PacSec, and only in the final paragraphs did they note the limitations of the attack. Press releases make headlines, and headlines mean more people in the seats of your conference. Security bloggers and “hacker” websites ran with the press releases and did their best to stir up the issue. Not all announcements like this are hype, not even this one, but information security decisions shouldn’t be driven by headlines. Take the time and do the research based on the actual papers submitted, not the press releases.