InfoWorld has a write-up on an upcoming Toorcon presentation by Vivek Ramachandran and Md Sohail Ahmad: The AirTight Networks researchers have developed an attack they call Caffe Latte; it uses a laptop's attempts to connect to WEP-protected networks as the jimmy that lets the cracker into a position to force the laptop to issue tens of thousands of WEP-encrypted ARP requests, which are used to crack the network key. Caffe Latte lets the attacker then act as a man in the middle, providing Internet access from another network while examining the victim's computer or installing payloads. This attack can be used anywhere: while whiling away your time at a cafe, you could be cracked, hence the fancy name.
Update: Astute readers noted that this specific attack first appeared on Darknet.org.uk as Wep0ff in January 2007. I'm not sure from the InfoWorld article whether there are any differences between that tool and the Toorcon presentation. Another update: See comments; Ramachandran says their attack is different, and the full details will be revealed at the conference.
The application of this attack is interesting, because although the article and Ramachandran/Ahmad's Toorcon description talk about business use of WEP, actual WEP use by corporations is pretty limited. Most companies of any scale are using some form of 802.1X or other credential-based login, which can't be subverted by this attack. Companies in retail and logistics are apparently the most vulnerable, because early Wi-Fi built into retail point-of-sale systems and the scanners used in warehouses is still in wide use and can only support WEP. If a cracker can associate the cracked key with a company by scanning the victim's hard drive or using other intrusion tools, then they can go to that company and enter its network at will, too. That's what led to the break-in at the parent company of TJ Maxx and Marshall's.
The broader implication is that if you ever attached to a WEP-protected network and stored the key, your laptop is now vulnerable to this attack. This may lead people to turn their Wi-Fi radio off when out in public and not actively attached to a network. (It's a good idea for reducing battery drain, too, of course.) It seems the researchers are using an older form of WEP attack, as they suggest it could take up to 30 minutes to break the WEP key in this manner; other researchers revealed a method back in April that works in as little as under two minutes.
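As an added defender's-side example (not from the post or from AirTight), a small Python audit of a laptop's stored Wi-Fi profiles that flags any WEP profile and rates it higher when the profile is set to connect automatically; the profile text is constructed to resemble the output of `netsh wlan show profile`, which is an assumption about that command's format, and the suggested fix uses the real `netsh wlan delete profile` syntax.

```python
import re

# Constructed sample text in the shape of "netsh wlan show profile name=<X>"
# output (an assumption about its format; only the fields read below matter).
SAMPLE_PROFILES = {
    "CafeWiFi": """Profile information
    Name                   : CafeWiFi
    Control options        :
        Connection mode    : Connect automatically
Security settings
    Authentication         : Open
    Cipher                 : WEP
    Security key           : Present
""",
    "HomeNet": """Profile information
    Name                   : HomeNet
    Control options        :
        Connection mode    : Connect manually
Security settings
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
""",
}

# "Key : Value" lines we care about; the rest of the dump is ignored.
FIELD = re.compile(r"^\s*(Connection mode|Authentication|Cipher)\s*:\s*(.+?)\s*$", re.M)

def parse_profile(text):
    """Map the interesting field names to their values."""
    return dict(FIELD.findall(text))

def audit_profiles(profiles):
    """Flag stored profiles a rogue AP could exploit: any WEP profile is at
    risk, and one set to auto-connect needs no action from the user at all."""
    findings = []
    for name, text in profiles.items():
        fields = parse_profile(text)
        if fields.get("Cipher", "").upper() != "WEP":
            continue
        auto = fields.get("Connection mode", "").lower().startswith("connect automatically")
        findings.append({
            "profile": name,
            "severity": "high" if auto else "medium",
            "auto_connect": auto,
            # real netsh syntax for removing a stored profile (and its key)
            "fix": 'netsh wlan delete profile name="%s"' % name,
        })
    return findings

if __name__ == "__main__":
    for item in audit_profiles(SAMPLE_PROFILES):
        print(item)
```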
The vulnerabilities exposed by this attack arise because the IP ranges associated with Wi-Fi networks are often treated as trusted by firewall software. Most firewall software asks you, when you connect to a Wi-Fi network, whether the address range that network represents should be trusted or untrusted. I suspect most users add the network to their trusted category at that point, assuming it to be safe, which may be the case when it's a home network. That means the popular private addressing ranges starting with 10.0 or 192.168 are already approved in your firewall. Once the attacker manages to appear to your computer like a WEP network it has already joined, they may not be blocked from probing for the many weaknesses typically found on Windows computers through outdated software and drivers.
"I'm not sure from the InfoWorld article whether there are any differences between that tool and the Toorcon presentation." ----
We were not aware that such a tool existed. We had a look at the link you have added above. The tool WEPoff uses Fragmentation attacks to break the key from a client. We use an absolutely different technique which we will disclose at Toorcon this weekend. As the full details of the attack were not revealed in the InfoWorld article, some readers might have been confused.
Thanks,
Vivek
Airtight Networks
Wow, not sure what is scarier: a researcher that has never seen the attack or tool before, or a wireless security company that has never seen the tool or attack before. The WEP attack that has been documented for stealing the key from the client, with wep0ff, uses an IPv6 stack; sounds like this attack just puts an AP up so the client will try to connect, using the same method as a regular WEP crack, but you got to admit the article and the tool description sound very, very, very similar.
Hope we see a tool release, unlike defcon :(
My question is, now that you have the key, how do you track down the AP? Follow the user to the office or home?
Think it would be easier to get arrested for stalking than wifi crimes :)
G'day