WEP cracker takes swing at WPA

 

Gallery

By Matthew Sparkes

Posted on 7 Nov 2008 at 10:30

Researchers have hacked the WPA wireless security protocol and "opened the box on a whole new hacker playground", say the organisers of a security conference.

Security researcher Erik Tews will demonstrate a partial hack of the WPA protocol at the upcoming PacSec conference, showing how the new attack can read data sent between a router and a PC. It is thought the hack also allows counterfeit data to be sent back to the PC, paving the way for phishing and malicious attacks.

Previous attacks involved using a dictionary to try every possible password in a brute-force attack, a method which can take an extremely long time. However, this new approach is much faster, and is being called the first practical attack against WPA.

The attack is yet to be detailed in full but involves a "mathematical breakthrough" to reduce the computational requirements of breaking the algorithm. Once the approach is demonstrated in public, Tews intends to write it up as an academic paper. Once the details are in the public domain it is only a matter of time before software to implement the attack is released.

In fact, elements of the attack have already been released in the tkiptun-ng tool which forms part of the Aircrack-ng wireless network testing package.

"This tool is able to inject a few frames in a WPA TKIP network with QoS," says the software's website.

WPA was created as a response to the discovery of security vulnerabilities in the previously popular WEP standard. Should WPA be fully cracked, it is likely that security conscious users will switch to WPA2. This protocol's CCMP algorithm is still considered secure by researchers.

WEP was first cracked in 2001, but Tews later developed a new approach that reduced the time taken to get into the average network to less than two minutes.