Feds Hack Wireless Network in 3 Minutes
xs3 writes: "At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys. This article will be a general overview of the procedures used by the FBI team."
Already acting slow... (Score:5, Informative)
Assembled, for your pleasure:
-------
Title: The Feds can own your WLAN too
Introduction
Millions of wireless access points are spread across the US and the world. About 70 percent of these access points are unprotected--wide open to access by anyone who happens to drive by. The other 30% are protected by WEP (Wired Equivalent Privacy) and a small handful are protected by the new WPA (Wi-Fi Protected Access) standard.
At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys.
This article will be a general overview of the procedures used by the FBI team. A future article will give step-by-step instructions on how to replicate the attack.
WEP Cracking - The Next Generation
WEP is an encryption scheme, based on the RC-4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter and the scrambled message is then decrypted by the receiver.
Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV) is part of the key, so a 64 bit WEP key actually contains only 40 bits of "strong" encryption while a 128 bit key has 104. The IV is placed in the encrypted frame's header and is transmitted in plain text.
Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets--a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.
Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, "It doesn't matter if you use 128 bit WEP keys, you are vulnerable!"
On with the Show
Before we get into the steps that the FBI used to break WEP, it should be noted there are numerous ways of hacking into a wireless network. The FBI team used publicly available tools and emphasized that they are demonstrating an attack that many other people are capable of performing. On the other hand, breaking the WEP key may not necessarily give an attacker complete access to a wireless network. There could also be other protection mechanisms such as VPNs or proxy servers to deal with.
For the demonstration, Special Agent Bickers brought in a NETGEAR wireless access point and assigned it a SSID of NETGEARWEP. He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers.
Note that normally, you have to find wireless networks before you can crack them. The two wireless scanning tools of choice are Netstumbler for Windows or Kismet for Linux. Since the other WEP cracking tools are mainly Linux-based, most people find it easier to stick with Kismet, so they don't have to switch between Windows and Linux.
Another FBI agent started Kismet and immediately found the NETGEARWEP access point. Just for fun, a third agent used his laptop and ran FakeAP, a program that confuses scanning programs by putting up fake access points.
Attack!
After a target WLAN is found, the next step is to start capturing packets and convert th
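The IV described above travels in the clear, which is what lets a monitoring station count how many distinct 24-bit IVs a WEP network has emitted and how often one repeats. The following is an added example, not code from the article or the FBI demonstration; every frame in it is constructed sample bytes, and the frame layout (24-byte MAC header, then IV and KeyID byte) follows the 802.11 standard.

```python
"""Extract the cleartext IV from WEP-protected 802.11 data frames and report reuse.

Added example; not code from the article or the FBI demonstration. The IV sits
in the clear right after the 24-byte MAC header, so a monitor-mode sensor can
count distinct IVs and flag repeats. All frames here are constructed samples.
"""
from collections import Counter

MAC_HDR_LEN = 24          # 3-address data frame header
IV_SPACE = 1 << 24        # 24-bit IV: 16,777,216 possible values

def parse_wep_frame(raw: bytes):
    """Return (iv_bytes, key_id) for a WEP data frame, else None."""
    if len(raw) < MAC_HDR_LEN + 4 + 4:        # header + IV/KeyID + trailing ICV
        return None
    ftype = (raw[0] >> 2) & 0x3               # frame control: type bits (2 = data)
    protected = bool(raw[1] & 0x40)           # Protected Frame flag
    if ftype != 2 or not protected:           # only protected data frames carry an IV
        return None
    iv = raw[MAC_HDR_LEN:MAC_HDR_LEN + 3]
    key_id = raw[MAC_HDR_LEN + 3] >> 6        # top two bits of the KeyID byte
    return iv, key_id

def make_wep_frame(iv: bytes, key_id: int = 0, body: bytes = b"\x00" * 8) -> bytes:
    """Build a constructed WEP data frame (type 2, Protected bit set)."""
    hdr = bytes([0x08, 0x42]) + b"\x00" * 22  # FC = data, FromDS + Protected; rest zeroed
    return hdr + iv + bytes([key_id << 6]) + body + b"\x00" * 4   # 4-byte ICV placeholder

def iv_reuse_report(frames):
    """Return (distinct_iv_count, {iv: times_seen}) for IVs seen more than once."""
    counts = Counter()
    for f in frames:
        parsed = parse_wep_frame(f)
        if parsed is not None:
            counts[parsed[0]] += 1
    return len(counts), {iv: n for iv, n in counts.items() if n > 1}

def expected_iv_collisions(n_frames: int) -> float:
    """Expected IV repeats among n frames with IVs drawn uniformly from IV_SPACE."""
    return n_frames * (n_frames - 1) / (2 * IV_SPACE)
```

With only 5000 frames the birthday estimate already predicts roughly 0.74 repeated IVs, which is why a busy WEP network cannot avoid keystream reuse.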
Re:Tongue, Meet Cheek (Score:1, Informative)
> the FBI is mistrust and fear, not confidence and respect.
I can't tell if you're being sarcastic or not. Perhaps you're an American and have therefore been brainwashed into not looking too hard at what the FBI, CIA etc have been up to for the last 30 years! How about you give the books "hegemony or survival" or "understanding power" by Noam Chomsky a couple of evenings of your time?
Re:Not too surprising (Score:5, Informative)
They didn't do a dictionary attack. What they did was use aircrack that uses a statistical method to crack the key. You need lots and lots of packets and they got those using void/deauth and a replay attack. It's all in the article.
Also, you only need one packet to brute force a key.
Re:Countermeasures & Conclusion (Score:5, Informative)
The page you snipped this from is cached here:
http://66.102.7.104/search?q=cache:ChC8gBE_LsEJ:w
Re:Not too surprising (Score:5, Informative)
But so far I have "He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers." which makes me wonder if they actually used a dictionary attack...
Finally loaded the 4th page. Apparently they knocked an authorized user off the AP repeatedly and collected the resulting flood of reauthentication packets, plus used packet replay attacks to get the AP to respond to replayed ARP requests (apparently they are easy to spot in a pcap dump despite encryption). This gave them all the IVs they needed to crack the key.
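The repeated knock-off of an authorized user that this comment describes is a burst of deauthentication frames, which a wireless sensor can spot by counting them per sender. The block below is an added example, not code from the article or the thread; its input is a constructed list of (timestamp, type, subtype, source MAC) tuples with made-up addresses.

```python
"""Flag deauthentication floods in a stream of 802.11 management frames.

Added example, not code from the article or the thread. Input is a constructed
list of (timestamp_s, frame_type, frame_subtype, src_mac) tuples such as a
monitor-mode sensor would emit; management frames are type 0 and
deauthentication is subtype 12. Deauth frames are unauthenticated in a WEP
network, so the address in an alert may be a spoof of the real AP.
"""
from collections import defaultdict

MGMT, DEAUTH, BEACON = 0, 12, 8

def deauth_floods(frames, window_s=10.0, threshold=20):
    """Return {src_mac: peak deauths in any window_s interval} for senders above threshold."""
    by_src = defaultdict(list)
    for ts, ftype, subtype, src in frames:
        if ftype == MGMT and subtype == DEAUTH:
            by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):          # sliding window over sorted times
            while ts - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts

def sample_frames():
    """Constructed capture: beacons, two legitimate deauths, and one 50-frame flood."""
    ap, other = "00:09:5b:aa:bb:cc", "00:0c:f1:11:22:33"       # made-up addresses
    frames = [(i * 0.1, MGMT, BEACON, ap) for i in range(100)]   # normal beacons
    frames += [(3.0, MGMT, DEAUTH, other), (40.0, MGMT, DEAUTH, other)]
    # flood: 50 deauths in 5 s carrying the AP's address
    frames += [(20.0 + i * 0.1, MGMT, DEAUTH, ap) for i in range(50)]
    return frames

if __name__ == "__main__":
    print(deauth_floods(sample_frames()))   # {'00:09:5b:aa:bb:cc': 50}
```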
You are joking right? (Score:4, Informative)
OK, just in case you seriously don't know, MAC addresses are not encrypted, so it is dead simple to sniff traffic to find valid MAC addresses and then change the MAC address of the hacking box to the valid MAC address (usually during a time when that machine is not actually connected). I've heard that this is a good way to gain access at pay to play locations like Starbucks.
Also keep in mind that MAC filtering only prevents someone from joining the network, you can still sniff at will at the packets.
Re:Countermeasures & Conclusion (Score:4, Informative)
1) Install OpenBSD [openbsd.org] after plugging in a wireless card that can be used in hostap mode.
2) Install OpenVPN [openvpn.net] (that has a nice Windows client), and generate server and client certificates. There are howto and scripts for this.
3) Configure the built-in OpenBSD packet filter [openbsd.org] to only accept connections to/from OpenVPN ports on the wireless NIC.
4) Show war drivers the finger.
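A pf.conf fragment for step 3 of the recipe above, as an added illustration rather than anything the commenter posted; the interface names (wi0 for the hostap card, tun0 for the OpenVPN tunnel) and the default OpenVPN port 1194 are assumptions.

```pf
# Constructed pf.conf fragment: the wireless NIC accepts nothing but DHCP and
# OpenVPN; authenticated traffic only ever arrives via the tunnel interface.
# Assumed names: wi0 = hostap wireless card, tun0 = OpenVPN tunnel.
wlan = "wi0"
vpn  = "tun0"

set skip on lo0
block log all                                   # default deny in both directions

# wireless clients may obtain an address, then reach only the OpenVPN listener
pass in  on $wlan proto udp from any port 68 to any port 67      # DHCP requests
pass out on $wlan proto udp from any port 67 to any port 68      # DHCP replies
pass in  on $wlan proto udp from any to ($wlan) port 1194        # OpenVPN (assumed default port)
pass out on $wlan proto udp from ($wlan) port 1194 to any

# traffic that decrypted successfully shows up on tun0 and may go anywhere
pass on $vpn all
```

Rules for the wired egress interface (and NAT, if the VPN clients need it) are left out here; add them for the interface that faces the LAN or the Internet.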
Re:Encryption is now useless (Score:4, Informative)
No one in their right mind makes absolute statements. Yes, I know. This sentence is a paradox. Or is it?
The number of bits is not the problem. The (a) problem with WEP is that it contains weaknesses which allow shortcuts that take less time than an exhaustive search of the keyspace would take. The effective strength of 128 bit WEP is regarded as much weaker than 128 bit AES encryption.
Re:Tongue, Meet Cheek (Score:5, Informative)
At least we "geeks" have not been so foolish as to forget history. The FBI *earned* the mistrust and fear that we, and other people who haven't already been brainwashed [democratic...ground.com] yet, feel. The story of COINTELPRO [cointel.org] is a case in point. There are many other similarly creepy programs that they've embarked on in their history, and since the Patriot act has practically removed the checks on their authority that once existed, there is more reason than ever to be mistrustful and fearful of them.
Re:WPA is just as 'weak' against Brute Force (Score:1, Informative)
WPA is much better since it uses for example changing session keys. The FBI took advantage of this WEP disadvantage to crack keys, they cannot do this with WPA.
Re:Not too surprising (Score:5, Informative)
I always click on the printer-friendly format. That usually gives you the article and pictures on one continuous page.
Re:Watch the FBI take credit for somebody else's w (Score:5, Informative)
1. Where in the article does it say the FBI developed the attacks? Did you RTFA?
2. For the IDS comment, I did state that it is NOT a stealthy attack. Not stealthy = IDS will pick it up.
3. You weren't at the talk, and it shows. They did give credit (a LOT of credit) to KoreK and Devine, but I didn't put it in the article. So you can blame me for it.
Re:Not too surprising (Score:2, Informative)
Or you could use someone's handy-dandy Random Password Generator and come up with something you'll actually remember.
When it comes to passwords that tend to be set and forget for a while or only entered once for the lifetime of any given password, I would prefer to take advantage of the full key space.
For passwords that require daily entering by myself, I prefer 9-11 character random alphanumerics. At the moment I'm using about 5 different ones like this and remember them all.
I guess it depends on what you're protecting and how paranoid you are.
Re:WPA is just as 'weak' against Brute Force (Score:3, Informative)
Yes. But I can also tell you, a hardware RNG is overkill for these purposes. There is easily enough randomness available through
If you really, really want a hardware RNG, go for a Soekris card [soekris.com] or a C3 processor [via.com.tw], or make your own RNG [willware.net] (integrating that would be tougher, though).
APG (Score:1, Informative)
That way you don't have to trust an external third party for your random password. Keep it all on your local machine.
Re:WPA is just as 'weak' against Brute Force (Score:2, Informative)
That being said, skimming the slashdot responses it wasn't WEP's weakness but the weakness of the text to key algorithm in this case.
As far as dictionary best passwords go, it can be phrased more simply as reducing the cardinality of the keyspace. It doesn't matter how you reduce it, it is just the end result that the total keyspace is smaller allowing an easier search.
That being said I'm not willing to say that dictionary based passwords are completely useless in all cases. They are a very bad idea, and make things orders of magnitude easier, but in some cases they might be adequate for low levels of security. It just depends on how long the system needs to remain secure and the cost of that security being violated.
Re:Not too surprising (Score:3, Informative)
Maybe in this case, where you can download the source etc, his suspicion was unnecessary, but the reason why people ever get in security problems is exactly by _not_ thinking like him. Especially in this case: I would NEVER let my password leak out in such a foolish way as letting it be generated by an (unchecked) on-line source. Best way to let someone else know your password before you even do.
Re:Cointelpro grew out of the Klan crushing (Score:3, Informative)
If that's true (of which I am uncertain), then this is the ultimate example of "turnabout is fair play." As everyone knows COINTELPRO then set its sights on Martin Luther King, the Black Panthers, and American leftist and civil rights advocacy organizations. Apparently they even covertly funneled aid to the Klan and other similar groups later on under the condition that they limit their activities to COINTELPRO targets.
Either way, it was an ugly business, and a part of American history that everyone would do well to remember, especially as America begins its slide into fascism post-September 11th.