November 10th, 2008

Wireless WPA Security Already Cracking — Be Sure to use SSL!

Security researches will be outlining attacks that can break the WPA wirless security protection of wireless networks this week at the PacSec conference in Tokyo.  Erik Tews and Martin Beck will discuss how networks protected by TKIP (Temporal Key Integrity Protocol — originally called WEP2) are vulnerable to attackers being able to inject small amounts of traffic into the encrypted data stream.  This can allow attackers to:

  • Introduce denial of service conditions which can render your computer non-functional, or
  • Introduce spoofed DNS responses which can send your computer to the wrong server when you are trying to, for example, check your email

The attacks do not enable attachers to read the data being sent over the wireless network and they do not work against wireless networks protected by AES security.  However, the fact that they can send your computer to the wrong server, means that your email clients could be sending your login credentials to a hacker’s computer where it can be harvested and used to login as you and steal your identity or read your email.

What can you do to protect yourself?

First, if you have control over your wireless network, you should configure it to use AES WPA security and not TKIP (and certainly not WEP).

Second, when you are connecting to your email or WebMail over the Internet, you should always use a connection protected by SSL or TLS (How Does Secure Socket Layer (SSL or TLS) Work?)  Use of SSL or TLS will:

  • ensure that you data cannot be eavesdropped upon if you are connected through a wireless network that is compromised.  The WPA security protocols cannot yet be compromised in any way that allows attackers to read your traffic; however, WEP can, and it is always possible that WPA will be shown to be vulnerable to this in the future.
  • help protect you from being redirected to a hacker’s server by a DNS poisoning attack.  If such an attack would happen, you would get a warning from your email program or web browser that either the security certificate in use on the email server is issued by an untrusted vendor, or that the “domain name” in the certificate doesn’t match the domain you are trying to connect to. These are both big red flags that you are possibly connecting to a server that you should not be.  If you cancel your connection when you get that warning, then your username and password will not have been given away and you can look into the source of the problem — be it merely a configuration issue or an actual attack.

For more information on this WPA vulnerability, please see Cracking the WPA Security Standard in eWeek.

2 Responses to “Wireless WPA Security Already Cracking — Be Sure to use SSL!”

  1. 256-bit AES Encryption for SSL and TLS: Maximal Security | LuxSci FYI Says:

    […] There are many alternative ciphers that can be used in SSL and TLS.  The "next most secure" cipher that is commonly used is "128-bit RC4".  This is a very fast cipher, but is subject to many different types of attacks.  For example, on reason WEP wireless encryption is so poor is the way that it uses RC4 encryption.  Even WPA wireless security which uses RC4 is showing signs of stress. […]

  2. Protect Your Passwords from Theft | LuxSci FYI Says:

    […] You should always use connections encrypted using SSL or TLS, so no one can eavesdrop on you.  This is especially true in public places, like wifi hot spots. […]

Leave a Comment

You must be connected or logged in to post a comment. This is to reduce spam comments.

If you have not previously commented, you can connect using existing social media account, or register with a new username and password.