Forgot your password?
typodupeerror
Wireless Networking Security Hardware

WPA Encryption Cracked In 60 Seconds 322

Posted by timothy
from the nicholas-cage-has-an-alibi dept.
carusoj writes "Computer scientists in Japan say they've developed a way to break the WPA encryption system used in wireless routers in about one minute. Last November, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level. The earlier attack worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm."
This discussion has been archived. No new comments can be posted.

WPA Encryption Cracked In 60 Seconds

Comments Filter:
  • Cool (Score:2, Funny)

    by el_tedward (1612093)
    So we'll be able to get more free wireless now?
    • Re:Cool (Score:5, Insightful)

      by MooseMuffin (799896) on Thursday August 27, 2009 @02:42PM (#29220513)
      You'll be able to provide more free wireless too!
      • Re:Cool (Score:4, Funny)

        by godrik (1287354) on Thursday August 27, 2009 @02:54PM (#29220719)
        My wireless network is kept open. I prefer to be sure that it is not safe than believe it is :) BTW, I call it ParasiteNet. :)
        • Re:Cool (Score:4, Interesting)

          by Lumpy (12016) on Thursday August 27, 2009 @02:59PM (#29220807) Homepage

          I do the same but I have a coovaAP set up for the roaming to snag free WiFi near my home.

          Keeps people out of my junk, and I can limit what they can do.

        • Re:Cool (Score:4, Funny)

          by Chapter80 (926879) on Thursday August 27, 2009 @03:37PM (#29221433)

          I prefer to be sure that it is not safe than believe it is :)

          "I'm safe. My secure wireless router is no where near Japan. There's no way they can pick up signals from me."

          (This came from a guy who would only buy American electronics, because he really didn't want to watch Japanese game shows and doesn't speak Japanese, Thai. or Korean.)

      • But what if I want to provide free AND secure wireless in a user friendly way? What about the people who want to provide free wifi that doesn't allow users to eavesdrop on each other's traffic?

        WiFi security is pretty dismal.

        There's nothing at the level of https - where users can have confidential connections without messing about too much - no need even for "username and password".

        With WiFi, either users have zero security, or they have to enter a username and password (and possibly jump through other hoops
  • A return to the old wardriving days of yore?

  • by tacarat (696339) on Thursday August 27, 2009 @02:45PM (#29220569) Journal
    TFA lists AES. I'm curious what else is considered useful. Anybody using hacked routers to run tomato and the like are very welcome to discuss their security thoughts.
    • by Hijacked Public (999535) on Thursday August 27, 2009 @02:49PM (#29220617)

      This list [dd-wrt.com] is still accurate, if you apply the comment on #4 up to #5 as well.

      And run DD-WRT.

    • by v1 (525388) on Thursday August 27, 2009 @02:51PM (#29220677) Homepage Journal

      It's probably not so much a matter of what base crypto they're using (a la AES, SHA, etc) but how they're implementing the key exchange when negotiating the connection. Implement good crypto wrong and you open the door. Initial negotiations between parties is a tricky, multistep affair for good security, to prevent MITM.

      • by Vancorps (746090)

        There's no mention of how this interacts with 802.1x authentication. For my WIFI network it's WPA with TKIP, but then you have to authenticate before you can talk which requires a certificate be installed on the machine. I have a group policy which grants all domain computers a key which they can't export. It's hard to tell if this extra step makes my wifi world a safer place or if they can just sniff that too.

        Of course enough devices support WPA2 with AES now that I can probably switch the private wifi ov

    • by Mad Merlin (837387) on Thursday August 27, 2009 @02:52PM (#29220683) Homepage

      Wired ethernet. Not only is it vastly more secure, it's also an order of magnitude or two faster than wireless.

      • by ColdWetDog (752185) on Thursday August 27, 2009 @02:57PM (#29220773) Homepage

        Wired ethernet. Not only is it vastly more secure, it's also an order of magnitude or two faster than wireless.

        No wireless? Lame.

      • by Desler (1608317)

        Not only is it vastly more secure, it's also an order of magnitude or two faster than wireless.

        Really? Please show me this consumer-available wired ethernet that runs at 10 gigabit.

        • by pantherace (165052) on Thursday August 27, 2009 @03:04PM (#29220883)
          I challenge you to show me a consumer available wireless that actually runs at 1 gigabit.
        • Re: (Score:3, Informative)

          by Cyner (267154)
          SMC SMC10GPCIE-XFP 10Gbps Ethernet Card, available at NewEgg [newegg.com]
      • "Wired ethernet. Not only is it vastly more secure, it's also an order of magnitude or two faster than wireless."

        I know! It makes you wonder what reason someone would have for prefering wireless, doesn't it. I mean, I can't think of a single advantage; can you?

        For those with Aspergers or other difficulties picking up on these kind of things, I am being completely, 100%, totally, absolutely facetious ;-)

        • by epine (68316)

          For those with Aspergers or other difficulties picking up on these kind of things, I am being completely, 100%, totally, absolutely facetious ;-)

          Fortunately, it's easy to multitask facetiousness sitting outside on the desk with your laptop and a parasol in your drink.

          Few of the reasons for wireless involve a sustained effort to get some real work done, unless your portable setup involves dual displays at eye level with the keyboard at elbow level.

          For a lot of people a wireless router is the indoor complement of taking your textbooks on a beach vacation, for those who can't handle being 100% certain which one they're doing.

          • by epine (68316)

            s/desk/deck

            My turlexia is acting up again: replacing current words with prospective future words.

    • by SJ2000 (1128057)
      Article:

      Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm.

  • I'm safe. (Score:5, Funny)

    by rawls (1462507) on Thursday August 27, 2009 @02:48PM (#29220603) Homepage
    Lucky for me, I use WEP, so I'm safe.
  • by simp (25997) on Thursday August 27, 2009 @02:48PM (#29220613)

    The question is can anything be secure in the long term if an attacker can monitor the conversation between alice and bob 24/7? Sometimes a bit of obscurity can go a long way. Good luck trying to sniff my shielded network cables. Yes, I've heard the tempest stories but I'm jumping to the conclusion that those techniques are only available to big $$ governements institutions and are not used by the random drive-by hacker (yet..)

    • by vadim_t (324782)

      The question is can anything be secure in the long term if an attacker can monitor the conversation between alice and bob 24/7?

      Well, yeah. That's the whole point of protocols like SSL, and tools like GPG. Though they're not magical and you need to pay attention and not blindly click "Ok" to every self-signed cert.

      Yes, I've heard the tempest stories but I'm jumping to the conclusion that those techniques are only available to big $$ governements institutions and are not used by the random drive-by hacker (ye

    • by Nerdfest (867930)
      You can reduce risk by changing keys regularly, although it's not really necessary for your average wireless user.
    • by ChrisMounce (1096567) on Thursday August 27, 2009 @03:09PM (#29220971)
      I'm not sure if you're calling shielded cables an example of security through obscurity, but if you did, they're not.

      Knowing exactly how your cables are shielded doesn't help me snoop on anything passing through those cables.
    • Re: (Score:3, Insightful)

      by Lord Ender (156273)

      That's not a very intelligent question. Obviously, OTP can be secure in the long term for any definition of long term. Public key cryptography has always been secure, and probably will be until really really good quantum computers are developed. Symmetric key crypto is as secure as ever, and there's no indication this will change soon. Some cryptographic hash algorithms are less useful today, but most are still more than good enough.

      So, yes, crypto can certainly be "secure" in the long term. Protocols with

      • by JoshuaZ (1134087)
        We don't know this at all. The relevant issue is whether P=NP. The question roughly asks whether there are problems whose solutions can be verified quickly but cannot have solutions found quickly. No one knows although most people who have thought about it suspect that P is not NP so fundamentally secure encryption is possible by classical means. But someone might find a really clever way of reducing NP problems tomorrow and it would all break down. Note that having quantum computers doesn't necessarily m
        • by Lord Ender (156273) on Thursday August 27, 2009 @03:27PM (#29221251) Homepage

          Actually, it is a mathematical fact that OTP is perfectly unbreakable. P=NP doesn't enter into it.

          • Actually, it is a mathematical fact that OTP is perfectly unbreakable. P=NP doesn't enter into it.

            Only with sufficiently good random number generation.

            • True, but for practical purposes, it doesn't even have to be random. It just has to be unpredictable to your attacker ;-)

          • by JoshuaZ (1134087) on Thursday August 27, 2009 @04:24PM (#29222293) Homepage
            The original question was "The question is can anything be secure in the long term if an attacker can monitor the conversation between alice and bob 24/7?" Presumably then you eventually run out of one time pads. OTP is secure iff you have either a shared source of randomness or have some other secure channel to transmit the material. And if you have a shared source of randomness you need then to have that source somehow secure. There are good reasons we don't use one time pads on a daily basis.
            • by zlexiss (14056)

              So, you use your last OTP encoding to transfer the new set of pads securely?

              • Re: (Score:3, Informative)

                by JoshuaZ (1134087)
                Doesn't work. You can't transmit this way more bits than your pad started with. So you end up with just as many bits worth of shared random data that you started with.
            • Fun fact: In one of Vernor Vinge's books, all crypto is cracked, so one of the big-money industries is in shipping OTP datasets across the universe. How cool is that?

    • Re: (Score:3, Informative)

      by Chris Burke (6130)

      The question is can anything be secure in the long term if an attacker can monitor the conversation between alice and bob 24/7?

      Yes. It's a basic assumption in communication security that your communication medium is insecure and can be monitored or modified at will by an attacker.

      You can design an authentication/key exchange protocol so that the only way to access the data is to break the encryption algorithm, or via social engineering.

      You can design an encryption algorithm so that it cannot be broken excep

    • Re: (Score:2, Informative)

      by xianthax (963773)

      "Shielded Network Cables"

      have virtually no impact on emissions from the cable, and do have no impact if your equipment doesn't have shielded connectors which is unlikely, a shield that is not properly grounded will create higher emissions and increase external noise pickup. Shielding on Ethernet cables is to limit noise going into the wire, and is only effective at lower frequencies, its mostly for keeping 50/60Hz mains noise off the wires.

      You could install ferrites on the cable to limit common mode noise

  • by JSBiff (87824) on Thursday August 27, 2009 @02:56PM (#29220759) Journal

    So, does this mean it's time to start working on whatever the replacement will be for WPA2? WPA is broken. . . but at least we can use WPA2 (for now). I'm guessing WPA2 will someday be broken, so we need to have something to replace it which has not (yet) been broken. Seems like wireless security rests on a never-ending game of move the goal, before the goal is reached (where the 'goal' for crackers is to crack the 'current' security protocol).

    Although, thinking about this more, it makes me wonder - does anyone ever 'record' encrypted traffic from targets of interest, in the hopes that, maybe right now they can't crack it, but maybe in 2 or 3 years, they'll be able to crack it, and if they have a 'recording' of the cyphertext, which they can later decrypt, they can get possibly interesting info/data (data could very easily still be useful and interesting 3 or 5 years from now, particularly things like state/corporate secrets, but even more mundane info like people's social security numbers, answers to online password 'reset' security questions, etc).

    I suppose that if I could think of it, someone else already has, and already is doing it.

    So, from that standpoint, even if the security researchers stay 'ahead' of the blackhats, the blackhats can still get useful info within a relatively useful amount of time. Just because you've upgraded to WPA2 or WPA+AES, doesn't mean you're completely protected, if someone snagged encrypted traffic in the past which was 'secured' by TKIP.

    • Re: (Score:2, Informative)

      by arndawg (1468629)
      That's why if you have really important information going through the wireless. You either A) Use a VPN tunnel or B) Don't use wireless.
      • by JSBiff (87824)

        Are you *positive* that the VPN connection is uncrackable? If it's going over wireless, then if someone is recording the cyphertext, they will be able to recover the VPN cyphertext out of the WPA cyphertext. If they then know of a way to recover the 'cleartext' from the VPN cyphertext, then you are still leaking your data. If the VPN system is so secure, why aren't we using it for the wireless connection? That is, make the wireless network a VPN using the same algorithms you use for your VPN?

        • by NitroWolf (72977) on Thursday August 27, 2009 @03:13PM (#29221041)

          Are you *positive* that the VPN connection is uncrackable? If it's going over wireless, then if someone is recording the cyphertext, they will be able to recover the VPN cyphertext out of the WPA cyphertext. If they then know of a way to recover the 'cleartext' from the VPN cyphertext, then you are still leaking your data. If the VPN system is so secure, why aren't we using it for the wireless connection? That is, make the wireless network a VPN using the same algorithms you use for your VPN?

          While I am not commenting on the security or lack of security in a VPN connection, I believe I can answer this. The simple fact is, most routers can't handle the encryption load of a full blown VPN, especially one with multiple users. Even dedicated routers that are made to handle this can only handle 5 or 10 at a time until you start plopping down the big bucks for the serious VPN routers.

          So using VPN level of encryption on a home router is not going to happen until processing power is increased dramatically on the cheap CPUs they use.

        • by mcrbids (148650) on Thursday August 27, 2009 @03:59PM (#29221813) Journal

          Are you *positive* that the VPN connection is uncrackable?

          No, and nobody ever is. Which is why security protocols are so conservatively deployed. Protocols are proposed and analyzed by lots of people who are (hopefully) much smarter than you or I. Protocols that withstand years of this scrutiny and review are slowly trusted more and more (EG: SSL) over other protocols that get picked apart. (like WEP)

          If it's going over wireless, then if someone is recording the cyphertext, they will be able to recover the VPN cyphertext out of the WPA cyphertext. If they then know of a way to recover the 'cleartext' from the VPN cyphertext, then you are still leaking your data.

          This whole paragraph makes no sense at all, and makes it clear that you do not understand encryption, especially dual-key cryptography. Please RTFM.

          If the VPN system is so secure, why aren't we using it for the wireless connection? That is, make the wireless network a VPN using the same algorithms you use for your VPN?

          WEP, WPA, and AES are protocols that logically establish a sort of Virtual Private Network on otherwise public radio waves. The main difference between these protocols and a true VPN is that they aren't layered on top of IP, like a VPN, but are instead layered on the datagram protocol of the radio signal itself. The problem is that WEP was quickly implemented and was never really peer reviewed. Thus, it had numerous flaws that were discovered very quickly.

          From a security standpoint, WEP is sort of like locking your ground-floor window. It allows you to announce your intention of privacy, but it's quite easily compromised by somebody with the digital equivalent of the nearest rock.

          • by JSBiff (87824)

            If it's going over wireless, then if someone is recording the cyphertext, they will be able to recover the VPN cyphertext out of the WPA cyphertext. If they then know of a way to recover the 'cleartext' from the VPN cyphertext, then you are still leaking your data.

            This whole paragraph makes no sense at all, and makes it clear that you do not understand encryption, especially dual-key cryptography. Please RTFM.

            Perhaps you just didn't understand the paragraph. The post I was responding to suggested layering a

        • I route my OpenVPN traffic through an SSH port forward routed through an OpenVPN connection routed through an SSH port forwarded connection routed through an OpenVPN connection routed through an SSH port forwarded connection routed through an OpenVPN connection routed through an SSH port forwarded connection routed through an OpenVPN connection routed through an SSH port forwarded connection routed through an OpenVPN connection routed WEP.

        • by gad_zuki! (70830)

          >If they then know of a way to recover the 'cleartext' from the VPN cyphertext

          Thats quite a jump. I'd like to see some cites that IPSEC cracking is this easy. The idea behind VPN is that, yes, your potential attackers can see all the cyphertext they want, but cannot decypher or compromise the tunnel (outside a DDOS).

    • by Nerdfest (867930)
      I believe TKIP is used for key exchange. Upgrade to WPA/AES or WPA2 /AES and change your keys.
    • by owlstead (636356)

      Don't forget that both WEP and WPA/TKIP are using proprietary algorithms and stream ciphers. Using proprietary crypto has always been a bad thing, and using it with a stream cipher is worse. WEP/WPA failing so fast does not mean that WPA2 using the much safer AES standard (in a security proven mode) should fail as fast.

      If you look at the Wikipedia site you can quickly see that TKIP was implemented for easy upgrades of WEP. Seems they took it a bit too easy.

      • Don't forget that both WEP and WPA/TKIP are using proprietary algorithms and stream ciphers. Using proprietary crypto has always been a bad thing, and using it with a stream cipher is worse.

        The real problem with proprietary ciphers is that they are usually secret black boxes. RC4 may be proprietary but it is no more secret than say, CSS. The difference is CSS was revealed to be crap where RC4, even after it was "outed" was found to be pretty decent for its time. I definitely agree that proprietary ciphers that aren't open for review shouldn't be trusted for anything, but that's really not relevant to problems with RC4 in WEP/WPA. RC4 had a good run but is showing its age, so it's time to move

    • by smellsofbikes (890263) on Thursday August 27, 2009 @03:58PM (#29221789) Journal

      Although, thinking about this more, it makes me wonder - does anyone ever 'record' encrypted traffic from targets of interest, in the hopes that, maybe right now they can't crack it, but maybe in 2 or 3 years, they'll be able to crack it, and if they have a 'recording' of the cyphertext, which they can later decrypt, they can get possibly interesting info/data (data could very easily still be useful and interesting 3 or 5 years from now, particularly things like state/corporate secrets, but even more mundane info like people's social security numbers, answers to online password 'reset' security questions, etc).

      One of the parts of Neal Stephenson's "Cryptonomicon" I enjoyed the most was when one character sent another character a message encoded with, as I recall, 4096-bit security, and the character receiving it, while his computer was decoding it, went through the mental gymnastics of comparing the speed of prime factoring algorithms, taking into account Moore's Law and how many new computers were coming online, to conclude that whatever was in the message, it was meant to stay secret for at least 40 years, as opposed to the sender's usual 10 year threshold, making the recipient particularly nervous about the contents.

    • by Darinbob (1142669)
      We knew WPA was broken when it was released. It was inconvenient to wait for better IEEE security standards, so the WPA standardized on what was already implemented (which was still much better than what was out there). Ie, convenience trumps security, because wireless is all about convenience. WPA2 isn't that much better in this regard.
  • yep.... (Score:2, Funny)

    by Em Emalb (452530)

    That's why I don't even bother with passwords on my wireless at ... Hello Friends! Please to hand over your credit and debit card informations at this time, I am thanking you not a lot. My name is Desmund Boutrous-Boutrous Gali Johnson IV and I have some news of the not so happy sort. Your uncle, and my business mentor and/or friend, McGuyver has been known to be passed away at this time going forth.

    Please to send me monies by any means as possible soonest.

    Wamerst thoughts and heated Regards, BBGIV

    (that'

  • As usual (Score:5, Informative)

    by trifish (826353) on Thursday August 27, 2009 @03:03PM (#29220873)

    And the most important piece of information comes at the very end of the summary (just not to diminish the sensation or prevent FUD):

    They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm.

  • It wasn't broken (Score:5, Informative)

    by mx_mx_mx (1625481) on Thursday August 27, 2009 @03:06PM (#29220919)
    They have just found a way to decrypt a packet using the WEP chopchop algorithm. Master key can't still be recovered. Move along, this isn't news
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      They've found a way to decrypt TINY packets only a few bytes long (like ARP) and inject fake ones of the same length.

      So no real traffic sniffing, and definitely no WPA key recovery.

      I cant see really how this would be a useful tool in aircrack as you have no way of doing anything else with the network!

  • Wireless Routers (Score:2, Informative)

    by Wowlapalooza (1339989)

    Minor nitpick with the article: WPA is a general wireless security protocol[1] which isn't limited to wireless routers. Regular APs (Access Points) use it, as of course do wireless clients.

    [1] Actually, to nitpick myself, WPA isn't even technically a protocol, it's a certification program which confirms that particular devices implement the IEEE 802.11i standard

  • I sense a Jerry Bruckheimer movie staring Angelina Jolie. its gone in 60 seconds meets hackers.
  • After spending some time working with crappy home routers, I've decided encryption isn't worth the hassle. If I want to ensure my communication isn't intercepted by a hostile third party, I'll use a wire instead. If I want to limit access to the internet, I'll use a MAC ACL instead. The routers aren't hefty enough to deal with anything more than light surfing with encryption active.

    • Re: (Score:2, Insightful)

      by krenaud (1058876)

      What? A 7 year old Linksys WRT54G can handle 24-30Mbps with AES encryption, current versions are even faster, and if you choose wisely you can find 80-90Mbps home routers from Dlink/Netgear today.

      These routers are more than adequate for more than "light surfing".

      • by Sj0 (472011)

        Sure, it can handle it, but it can't handle it well. Connections start bugging out and eventually you end up with problems.

        Horribly engineered devices, consumer wireless routers.

        I was having continuous problems doing simple things like trying to watch streaming video with my old dl-514 with any sort of encryption enabled. Multiple firmwares didn't resolve the problem completely, so I tried removing encryption and using access control lists to prevent casual unauthorized use. Right away I found a much more s

    • by slyborg (524607)

      Trivial on a lot of platforms to MAC spoof, so your ACL won't do anything for you security-wise against anybody that knows what they're doing.

  • by AmigaHeretic (991368) on Thursday August 27, 2009 @03:56PM (#29221737) Journal
    I don't know why people insist on using WEP, WPA, WPA2, etc..

    I just made my SSID "Logon for only $3.99 per minute"

    Haven't ever seen my neighbors log on even once.

    _
  • Not new (Score:5, Informative)

    by MobyDisk (75490) on Thursday August 27, 2009 @04:00PM (#29221835) Homepage

    TKIP was fundamentally broken, by design. We knew that. TKIP was invented as an intermediate encryption that could run on the same hardware that WEP ran on. It allowed router manufacturers to use something better than WEP without having to beef-up their hardware. It worked well, and bought several years before it was completely broken. Anyone who has a router using TKIP bought at a bad time, and is stuck with something that's only a little better than WEP. The solution is to buy a router that supports WPA2, which has real AES encryption.

    • by azrider (918631) on Thursday August 27, 2009 @04:30PM (#29222409)

      TKIP was fundamentally broken, by design. We knew that. TKIP was invented as an intermediate encryption that could run on the same hardware that WEP ran on.

      TKIP (Timed Key Interchange Protocol, for those who don't know) does have a weak spot. This is that the new key is sent out from the access point on a regular basis. Cisco's implementation (supported by most companies that supply 802.11a equipment) makes two changes. One is that the time value set is a maximum value (the key change interval is actually random). The other is that the new key is sent via the encrypted session. You therefore have to have cracked the old key to receive the new key.

      It will be interesting to see if that is discussed when the paper is presented.

2.4 statute miles of surgical tubing at Yale U. = 1 I.V.League

Working...