Wireless WPA Security Already Cracking — Be Sure to use SSL!

November 10th, 2008

Security researchers will be outlining attacks that can break the WPA security protection of wireless networks this week at the PacSec conference in Tokyo.  Erik Tews and Martin Beck will discuss how networks protected by TKIP (Temporal Key Integrity Protocol — originally called WEP2) are vulnerable to attackers injecting small amounts of traffic into the encrypted data stream.  This can allow attackers to:

  • Introduce denial of service conditions which can render your computer non-functional, or
  • Introduce spoofed DNS responses which can send your computer to the wrong server when you are trying to, for example, check your email

The attacks do not enable attackers to read the data being sent over the wireless network, and they do not work against wireless networks protected by AES security.  However, the fact that they can send your computer to the wrong server means that your email client could be sending your login credentials to a hacker’s computer, where they can be harvested and used to log in as you and steal your identity or read your email.

What can you do to protect yourself?

First, if you have control over your wireless network, you should configure it to use AES WPA security and not TKIP (and certainly not WEP).

Second, when you are connecting to your email or WebMail over the Internet, you should always use a connection protected by SSL or TLS (see “How Does Secure Socket Layer (SSL or TLS) Work?”).  Use of SSL or TLS will:

  • ensure that your data cannot be eavesdropped upon if you are connected through a wireless network that is compromised.  The WPA security protocols cannot yet be compromised in any way that allows attackers to read your traffic; however, WEP can, and it is always possible that WPA will be shown to be vulnerable to this in the future.
  • help protect you from being redirected to a hacker’s server by a DNS poisoning attack.  If such an attack happened, you would get a warning from your email program or web browser that either the security certificate in use on the email server is issued by an untrusted vendor, or that the “domain name” in the certificate doesn’t match the domain you are trying to connect to. These are both big red flags that you are possibly connecting to a server that you should not be.  If you cancel your connection when you get that warning, then your username and password will not have been given away and you can look into the source of the problem — be it merely a configuration issue or an actual attack.
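
The certificate check described above can be reproduced with a short script. This is an added example, not part of the original post. It performs only the TLS handshake against a mail server, sends no credentials, and reports which of the two warnings (untrusted issuer or domain name mismatch) a mail client would raise. The function names and the IMAPS port 993 are assumptions chosen for illustration.

```python
import socket
import ssl
import sys

# OpenSSL verification codes (X509_V_ERR_*) behind the two warnings in the text.
UNTRUSTED_ISSUER = {18, 19, 20, 21}  # self-signed, or issuer not in the trust store
HOSTNAME_MISMATCH = {62}             # certificate names do not cover the host


def strict_context() -> ssl.SSLContext:
    """Client context that verifies both the certificate chain and the host name."""
    ctx = ssl.create_default_context()   # loads the system trust store
    ctx.check_hostname = True            # already the default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default, stated explicitly
    return ctx


def classify(verify_code: int) -> str:
    """Map an OpenSSL verification code to the warning a mail client would show."""
    if verify_code in HOSTNAME_MISMATCH:
        return "hostname-mismatch"
    if verify_code in UNTRUSTED_ISSUER:
        return "untrusted-issuer"
    return "other-certificate-error"


def probe(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Handshake only; returns 'ok' or the class of failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as err:
        return classify(err.verify_code)
    except OSError as err:  # refused, timed out, or not speaking TLS at all
        return "connection-failed: " + err.__class__.__name__


def safe_to_send_credentials(result: str) -> bool:
    """Credentials go out only after a fully verified handshake."""
    return result == "ok"


if __name__ == "__main__":
    # Usage: python probe.py <mail-server-hostname> [...]
    for name in sys.argv[1:]:
        outcome = probe(name)
        verdict = "send" if safe_to_send_credentials(outcome) else "do NOT send"
        print(f"{name}: {outcome} -> {verdict} credentials")
```

Any result other than `ok` means the connection should be cancelled and investigated before a username or password is entered.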

For more information on this WPA vulnerability, please see “Cracking the WPA Security Standard” in eWeek.