InfoWorld has a write-up on an upcoming Toorcon presentation by Vivek Ramachandran and Md Sohail Ahmad: The AirTight Networks researchers have developed an attack they call Caffe Latte; it uses a laptop's attempts to connect to WEP-protected networks as the jimmy that lets the cracker into a position to force the laptop to issue tens of thousands of WEP-encrypted ARP requests, which are used to crack the network key. Caffe Latte lets the attacker then act as a man in the middle, providing Internet access from another network while examining the victim's computer or installing payloads. This attack can be used anywhere: while whiling away your time at a cafe, you could be cracked, hence the fancy name.

Update: Astute readers noted that this specific attack first appeared on Darknet.org.uk as Wep0ff in January 2007. I'm not sure from the InfoWorld article whether there are any differences between that tool and the Toorcon presentation. Another update: See comments; Ramachandran says their attack is different, and the full details will be revealed at the conference.

The application of this attack is interesting, because although the article and Ramachandran/Ahmad's Toorcon description talk about business use of WEP, actual WEP use by corporations is pretty limited. Most companies of any scale are using some form of 802.1X or other credential-based logins which can't be subverted by this attack. Companies in retail and logistics are apparently the most vulnerable, because early Wi-Fi built into retail point-of-sale systems and scanners used in warehouses are still in wide use, and can only support WEP. If a cracker can associate the cracked key with a company by scanning the victim's hard drive or using other intrusion tools, then they can go to that company and enter their network at will, too. That's what led to the TJ Maxx/Marshall's parent company break in.

The broader implications are that if you ever attached to a WEP-protected network and stored the key, your laptop is now vulnerable to this attack. This may lead people to turn their Wi-Fi radio off when not actively attached to a network when out in public. (It's a good idea for reducing battery drain, too, of course.) The researchers are using an older form of WEP attack, it seems like, as they suggest it could take up to 30 minutes to break the WEP key in this manner; other researchers revealed a method that works in as little as under two minutes back in April.

The vulnerabilities exposed by this attack arise because the IP ranges associated with Wi-Fi networks are often considered trusted networks by firewall software. Most firewall software requires that you agree or disagree that a particular network range represented by a Wi-Fi network that you connect to is trusted or untrusted. I suspect most users add the network to their trusted category when they connect to a network, assuming it to be safe--maybe the case when it's a home network. Which means that popular private addressing ranges starting with 10.0 or 192.168 are already approved in your firewall. With the attacker managing to appear to your computer like a WEP network it's already joined, they may not be blocked from probing for the many weaknesses typically found on most Windows computers through outdated software and drivers.