Researchers Crack WPA Wi-Fi Encryption 311
narramissic writes "Researchers Erik Tews and Martin Beck 'have just opened the box on a whole new hacker playground, says Dragos Ruiu, organizer of the PacSec conference. At the conference, Tews will show how he was able to partially crack WPA encryption in order to read data being sent from a router to a laptop. To do this, Tews and Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes. They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack. 'Its just the starting point,' said Ruiu."
Is it just me... (Score:5, Insightful)
or is anything worth protecting worth using CAT5 on?
Most banks and government institutions don't use WIFI because of the security vulnerabilities. Granted CAT5 doesn't have have security to access (like wifi tkip/aes key), but it is physically secure, which is at the same level of security as the physical machines themselves.
I find WIFI performance and coverage to be dodgy at best. It's an absolute pain to support.
Re:WPA2 is NOT broken (Score:2, Insightful)
Re:WPA2 is NOT broken (Score:3, Insightful)
Re:WPA2 is NOT broken (Score:4, Insightful)
Although, if you really have data you're concerned about keeping safe, you should (a) use a wired network, (b) use IPSEC, or (c) both.
Yep. I'm getting some remodeling done on my house right now. Some of my friends think I'm weird because I'm pulling cat5e around the house when everything I use is already working find with WPA2. (Tivo, PS3, etc..). It's only a matter of time before someone breaks WPA2, but by then I plan to have turned wireless off.
Re:WPA2 is NOT broken (Score:4, Insightful)
It never ceases to amaze me that people want to trust wireless devices for secure purposes, anything that is sent through the air can be captured and worked on. But are wired solutions really anymore secure? I mean can't packets that go out still be captured and worked on?
Using a wired connection over a wireless connection MINIMIZES the number of people who can look at the packets.
After all sending data wirelessly gives anyone in the wireless device's area a chance to catch the packets as well as anyone that would normally have a shot on it via wired connection.
You're still going to hit a router somewhere and be wired back in eventually, anyway.
Wireless is foremost a technology of convenience rather than security.
Re:Meh (Score:1, Insightful)
Captain Obvious strikes again!
Re:WPA2 is NOT broken (Score:5, Insightful)
I have a hard time seeing the point of this, and the rationale behind other similar moves. Here's why:
Firstly, advances in computing power and security research are always going to result in security schemes being broken, but these broken security mechanisms will always be replaced and improved. Provided you keep up to date with current security practices, and as a Slashdot reader, I assume you can and will, you're really not in any danger at all.
Further, there's numerous other security options you can enable both at the wireless level and the network level to further protect your network, alongside good security practices with existing WPA2 (e.g. maximum length WPA key consisting of random characters and numbers). For example, MAC Address whitelisting, a strong password on the AP, and enabling AP configuration changes to occur only through wired connections. A half decent wireless AP should expose all of these options.
This is more than enough to deter all but the most dedicated hacker. I'm not going to pull random statistics out of my behind, but I would wager that only a ridiculously tiny amount of wireless intrusions are done by experienced hackers, and experienced hackers tend to have an agenda beyond "leeching your tubes". The above security options, if all enabled and correctly configured (as in my home network) goes above and beyond what is required to stop the casual or even experienced war driver in their tracks.
But let's say that somehow, they do manage to break your wireless security. Well, if your network is properly set up, they now have another round of security to get through that should be even tougher. Here, digital signing and encryption of all network communications between Windows machines on the domain is required by policy, no exceptions. This is one example of many.
If someone out there is really willing to go to all that effort to break into your HOME network and access your personal data, you have VERY serious problems. From a corporate network perspective, of course, things might be entirely different.
Bottom line: I have a hard time seeing the point of abandoning wireless due to security concerns in home networks, as a properly secured wireless network and home network will easily defeat all but the most determined and skilled hackers.
And finally, why did you buy into wireless at all in the first place if you were so concerned about security? Everyone knew that WEP was rubbish before it was even cracked (which didn't take long). WPA was a vast improvement over WEP, but even it had its flaws, and this was also well known among those concerned. I find it strange that you're getting out of wireless now, when a look at the whole picture shows that wireless security has improved immensely since the initial takeup of wireless. The real problem is people not moving to these new security setups, and staying with WEP or worse.
Re:Meh (Score:3, Insightful)
What you say is true, but you make it sound like obtaining physical access is trivial. In many cases it's not. On the other hand, obtaining unauthorized access to wireless networks is easy, cheap, and relatively safe (as in risk-free).
BTW, CAPTCHA -- "burglars".
Re:WPA2 is NOT broken (Score:5, Insightful)
Some of my friends think I'm weird because I'm pulling cat5e around the house when everything I use is already working find with WPA2.
You are weird if you're doing that because of security concerns. Here's a hint: no one cares about your wireless network. No, really, they don't.
That said, given how flakey wireless can be, running cable is only sensible, particularly given it makes it easy to run additional telephones, etc, as well.
Re:WPA2 is NOT broken (Score:1, Insightful)
What, is your town out of cat6?
Re:WPA2 is NOT broken (Score:3, Insightful)
You are weird if you're doing that because of security concerns. Here's a hint: no one cares about your wireless network. No, really, they don't.
Joe the Pedo cares a lot about getting free untraceable internet access. I care a lot about not getting my house raided because someone abused my network.
Re:Who uses TKIP instead of AES? (Score:3, Insightful)
What's also funny is that my router gives me better throughput with WPA/AES than WEP.
I've just figured that the router probably has a seperate chip to offload AES while WEP is done in the CPU, slowing stuff down.
Re:WPA2 is NOT broken (Score:3, Insightful)
Re:WPA2 is NOT broken (Score:2, Insightful)
Joe the Pedo cares a lot about getting free untraceable internet access. I care a lot about not getting my house raided because someone abused my network.
Can you reference a single incident where such a raid has taken place? On a lark I decided to Google around for such an incident and couldn't find a single damned thing.
Given the hundreds of thousands -- perhaps millions -- of wireless devices in operation in homes across the U.S., the lack of any such raid seems to suggest your fear is either overblown or based on paranoia.
Re:WPA2 is NOT broken (Score:3, Insightful)
It's not a double standard. I'm not using fear of pedophiles to justify not sharing my wifi, I'm using fear of the government to justify not sharing my wifi. That I think is entirely appropriate here. The FBI can, and does, raid people for nothing more than clicking on an URL. That's not paranoia, that's a fact.