« Worst Hotels for Wi-Fi | Main | Linksys, Vonage Team on G Router with VoIP »

November 5, 2004

WPA Cracking Proof of Concept Available

By Glenn Fleishman

We warned you: short WPA passphrases could be cracked—and now the software exists: The folks who wrote tinyPEAP, a firmware replacement for two Linksys router models that has on-board RADIUS authentication using 802.1X plus PEAP, released a WPA cracking tool.

As Robert Moskowitz noted on this site a year ago, a weakness in shorter and dictionary-word-based passphrases used with Wi-Fi Protected Access render those passphrases capable of being cracked. The WPA Cracker tool is somewhat primitive, requiring that you enter the appropriate data retrieved via a packet sniffer like Ethereal. Once entered, it runs the cracking algorithms.

Remember that to crack WEP, an attacker has to gather many packets, possibly millions, but can then easily crack any key. For WPA, certain shorter or dictionary-based keys are highly crackable because an attacker can monitor a short transaction or force that transaction to occur and then perform the crack far away from the physical site.

The solution to this WPA weakness involves one of three approaches:

Choose a better passphrase: Pick passphrases that aren’t entirely comprised of dictionary words, meaning they need some random nonsense in them. “My dog has fleas”: very bad. “Mdasf;lkjadfklja;dfja;dfja;d”: very good, but hard to type in. Passphrases should be at least 20 characters.

Use randomness to choose a passphrase: A random passphrase of at least 96 bits and preferably 128 bits will defeat the cracking that Moskowitz wrote about, according to his paper. Tools like SecureEZSetup from Broadcom and AOSS (AirStation One-touch Setup System) from Buffalo are two automated ways to produce better passwords of this variety.

Use WPA Enterprise or 802.1X + WPA: Deploy enterprise-based authentication which will allow a strong WPA key to be uniquely assigned to each user. This isn’t as expensive as it once was. The TinyPEAP folks are pushing their method, but you can also turn to Interlink Networks’s LucidLink product (for on-site control), Gateway Computer’s 7000 series of access points with on-board PEAP service, and Wireless Security Corporation’s WSC Guard, available from them directly or for certain Linksys models via Linksys.

Update: Alert Slashdot readers noted that KisMAC has had a WPA cracking tool built in for several months. KisMAC is a Macintosh-only version of Kismet, a tool for monitoring and cracking wireless networks (for good and evil). Kismet itself lacks this feature. The Mac-only nature of KisMAC has most likely limited the spread of this knowledge.

Two NetworkWorldFusion writers pointed out last month KisMAC’s ability in a great overview of WPA’s weakness and the justification for adopting 802.1X plus WPA.

Posted by Glennf at November 5, 2004 12:44 PM

Categories: Security

Trackback Pings

TrackBack URL for this entry:
https://db.isbn.nu/mt3/mt-tb.pl/2704

Listed below are links to weblogs that reference WPA Cracking Proof of Concept Available:

» WPA Cracking Proof of Concept Available from Donna's SecurityFlash
[Read More]

Tracked on November 5, 2004 6:30 PM

» WPA Cracking Proof Positive! from Lockergnome's Mobile Lifestyle
Ah ha! WPA is not the cure to the WEP security for Wi-Fi devices as once thought. As it turns out, it is actually quite easy to crack WPA with the proper know how and skills. So now what? Are... [Read More]

Tracked on November 5, 2004 9:17 PM

» WPA Cracking Proof Positive! from Lockergnome's Mobile Lifestyle
Ah ha! WPA is not the cure to the WEP security for Wi-Fi devices as once thought. As it turns out, it is actually quite easy to crack WPA with the proper know how and skills. So now what? Are... [Read More]

Tracked on November 5, 2004 9:48 PM

» So now WPA has been cracked... from idunno.org
Wi-Fi network news reports the folks who wrote tinyPEAP, a firmware replacement for two Linksys router models that has on-board RADIUS authentication using 802.1X plus PEAP, released a WPA cracking tool. [Read More]

Tracked on November 6, 2004 12:36 AM

» WPA cracker from pofHQ
Avui m'he enterat a través de Wifi Networking News de la existència de WPA Cracker, que és una utilitat que realitza atacs de diccionari y força bruta contra WPA. A diferència dels atacs existents contra el protocol WEP, amb aquest atac que es real... [Read More]

Tracked on November 6, 2004 8:27 PM

» Une faille dans le WPA from Canard Wifi, premier blog francais sur les reseaux sans fil 802.11 (wi-fi ou wifi, ...)
Un coup dur pour le Wi-Fi : le WPA est facilement piratable grâce à un utilitaire fourni par les créateurs de tinyPEAP. La faille était connue depuis plus d'un an : les codes WPA utilisant des "phrases de passe" courts et des mots du... [Read More]

Tracked on November 8, 2004 12:19 AM

» WPA Cracking Proof Positive! from Lockergnome's Mobile Lifestyle
Ah ha! WPA is not the cure to the WEP security for Wi-Fi devices as once thought. As it turns out, it is actually quite easy to crack WPA with the proper know how and skills. So now what? Are... [Read More]

Tracked on November 10, 2004 1:42 PM

» WPA Cracking Proof Positive! from Lockergnome's Mobile Lifestyle
Ah ha! WPA is not the cure to the WEP security for Wi-Fi devices as once thought. As it turns out, it is actually quite easy to crack WPA with the proper know how and skills. So now what? Are... [Read More]

Tracked on November 10, 2004 1:44 PM

» Misguided media on WiFi from LUX.ET.UMBRA
Interestingly, there was an article today on WiFi on CNN. Scary how media picks up on the fact that WEP is "flawed" after at least over a year of coverage on the fact that WEP can be cracked. What's amusing... [Read More]

Tracked on November 18, 2004 7:37 AM

» Wifi van Arnhem naar Nijmegen: 29 hits. from Plein '44
[Read More]

Tracked on November 29, 2004 5:10 PM

Comments

Posted by: John at November 8, 2004 9:20 PM