Via PC World, WPA, the encryption standard present on all wireless devices made in the last five years or earlier, has reportedly been proven insecure. Security researchers Erik Tews and Martin Beck will present their findings at the PacSec conference in Tokyo next week, and publish them later in an academic journal. Unlike previous WPA cracking techniques, this one is more sophisticated than a simple dictionary attack and can break the security in 12-15 minutes.
To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a "mathematical breakthrough," that lets them crack WPA much more quickly than any previous attempt, Ruiu said.
The article mentions that WPA2, a succeeding standard supported by most modern devices, is still secure, provided, of course, that a secure password is used. WEP, the original standard of wifi encryption, was found to have inherent weaknesses back in 2001 that made it crackable in mere minutes. Seven years later, it's still common to see WEP running on 10-20% of access points. Sometimes WEP is the only security available to legacy devices, but I suspect most of these networks are simply misconfigured. WEP is better than no security at all, but won't stop an attacker that's even vaguely determined.
What are these hackers doing publishing a wireless crack technique? The right and honourable thing. If a flaw is widespread, it is better that all affected parties be made aware, rather than leaving the knowledge only in the underground of elite malicious crackers (or pricey security consultants). Obscurity is not security, and full disclosure improves security in a similar way to how open source improves software.
A few tips for better wireless security:
- Check your wireless router's configuration to ensure its security is set to WPA2/AES. WPA/TKIP is what has been broken here. If this isn't available in your router, check for firmware upgrades or consider upgrading your hardware.
- Choose a secure wifi password of good length, mixed case, numbers, and punctuation.
- Turn off guest or anonymous access for file shares on the wireless network.
- For secure websites, ensure you're accessing them via https://. This gives an extra level of encryption.
- Have some free time and want to see how hard it is to crack your own encryption? The open source Aircrack-ng program includes most common methods of wifi cracking, including this newly found WPA crack. It's intended for advanced users, and may not work with your wireless card.
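
One way to check the first tip from a Linux machine, as an added example that is not part of the original post: it grades each network in `iw dev wlan0 scan` output against the WPA2/AES advice, flagging WEP and any network that still accepts TKIP. The scan text is constructed for illustration, and the names `grade` and `audit` are this example's own.

```python
import re

# Constructed sample in the layout printed by `iw dev wlan0 scan`; not from a real network.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tSSID: home-wpa2
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlan0)
\tSSID: mixed-mode
\tcapability: ESS Privacy (0x0011)
\tWPA:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: TKIP
\tRSN:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:03(on wlan0)
\tSSID: legacy-wep
\tcapability: ESS Privacy (0x0011)
BSS 02:00:00:00:00:04(on wlan0)
\tSSID: cafe-open
\tcapability: ESS (0x0001)
"""

def grade(block):
    """Grade one BSS entry against the advice above: WPA2/AES (CCMP) only."""
    ciphers = set()
    for names in re.findall(r"ciphers?:[ \t]*(.*)", block):
        ciphers.update(names.split())
    if "TKIP" in ciphers:
        return "TKIP enabled"   # WPA/TKIP, or WPA2 still accepting TKIP
    if re.search(r"^\s*RSN:", block, re.M):
        return "WPA2/AES"
    if re.search(r"^\s*WPA:", block, re.M):
        return "WPA (v1) only"
    if re.search(r"capability:.*\bPrivacy\b", block):
        return "WEP"            # privacy bit set but no WPA/RSN element
    return "open"

def audit(scan_text):
    """Map each SSID in the scan text to its grade."""
    results = {}
    for block in re.findall(r"(?ms)^BSS .*?(?=^BSS |\Z)", scan_text):
        ssid = re.search(r"^\s*SSID:[ \t]*(.*)$", block, re.M)
        results[(ssid.group(1) if ssid else "") or "<hidden>"] = grade(block)
    return results
```

A "mixed-mode" network advertises WPA2 but still negotiates TKIP with older clients, so it is graded the same as plain WPA/TKIP.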