News broke last week that German graduate students had uncovered and documented a verifiable flaw in Wi-Fi Protected Access (WPA), the method of encrypting a Wi-Fi connection between a computer or other device and a base station. WPA was designed to replace WEP (Wired Equivalent Privacy), a protocol that can be defeated easily using cracks that appeared starting in 2001.
WPA comes in two flavors: the earlier version is called just WPA. It was standardized in 2003 by the Wi-Fi Alliance, a trade group, and includes an updated and backwards-compatible encryption standard (Temporal Key Integrity Protocol, or TKIP) that works with hardware released as long ago as 1999. The original Apple AirPort Card can be updated with firmware and drivers to handle TKIP; Mac OS X 10.3 Panther or later is required, however.
A second flavor, WPA2, was released later, with an additional, stronger encryption method; the gap was due to a delay in a standards group finishing a thorough revision of Wi-Fi's security. WPA2 handles both TKIP and the AES-CCMP protocol (you really don't want to know what that stands for).
The flaw that Erik Tews and Martin Beck have documented in a paper Tews will present in Japan next week involves a weakness in WEP that carried over into TKIP. TKIP was supposed to fix all of WEP's problems, while still working with older hardware. Beck discovered, and the students tested and documented, that it was possible to examine short packets - lumps of data containing brief network messages, for instance - and extract the encryption data without tripping any of the safeguards against such attacks that had been added to TKIP.
This isn't a key crack - that is, you can't use this method to recover a TKIP key and then decrypt all traffic over a network. Rather, it's a very clever way to resend (or inject) a packet that appears valid into a network. The two researchers bypassed yet another TKIP protection using features added in Wi-Fi to ensure that data containing voice-over-IP and streaming audio or video wouldn't be overwhelmed by data that didn't need to arrive in a timely fashion.
(If you want the technical details, you can read my long article for Ars Technica, in which I interview Tews. You can also see a piece I wrote at Wi-Fi Networking News that has more technical detail than this article, but less than the Ars Technica feature.)
The good news is that this exploit is very tiny, and may be difficult for a cracker to pull off. The crack requires physical proximity, where someone can sniff your network data. It also likely won't work with corporate Wi-Fi networks that are well designed, and which change some encryption properties every few minutes.
For home networks, if you're the least bit concerned, you can modify a setting on your base station. The AES-CCMP method isn't vulnerable to this exploit, and you can choose to use only that encryption method.
To switch to AES-CCMP on a Mac, you need at least Mac OS X 10.3 Panther, an AirPort Extreme Card (available as an add-on or built-in option for every Mac starting in 2003), and any Apple Wi-Fi base station shipped in 2003 or later (such as the original AirPort Extreme Base Station). Windows and Linux systems starting in 2003 should also include AES-CCMP support or be upgradable through firmware patches. (There are some add-ons from third parties, mostly free, to allow Windows 2000 to handle AES-CCMP if the underlying hardware is also compatible.)
Macs with the original AirPort Card can't use AES-CCMP encryption; the hardware simply can't deal with it. AirPort Extreme Cards released in 2003 were built to handle what was already known would be needed. Likewise, the pre-2003 AirPort Base Stations can't use WPA at all: neither TKIP nor AES-CCMP is supported.
The iPhone and iPod touch, like all hardware shipped with a Wi-Fi label attached since November 2004, include full WPA2 support, which means they can handle both TKIP and AES-CCMP. Starting that month, the Wi-Fi Alliance required that companies support WPA2 for products that were to use the Wi-Fi name.
You can switch an Apple Wi-Fi base station to use only AES-CCMP by following these steps:
Please note that older computers that can't use WPA2's AES-CCMP to connect won't alert you to that fact. In the office I share with Jeff Carlson, we originally configured our network to use WPA2 Personal, back in 2005. This was fine, because all the computers in the office were newer. When a visitor arrived with an older Mac, we couldn't connect it to the network, but there was no specific error: just a message that it couldn't connect. We eventually figured it out and had to back off to WPA/WPA2 Personal.
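To confirm that a base station set to AES-CCMP only has really stopped offering TKIP (and to spot a network that has been backed off to WPA/WPA2 mixed mode), you can inspect the cipher suites it advertises in its beacon. The following is an added example, not code from the original article: the function names are hypothetical, the sample bytes are constructed, and it assumes you have already extracted the beacon's information elements with a capture tool.

```python
import struct

# Suite type numbers per IEEE 802.11; the legacy WPA element reuses them
# under the 00-50-F2 OUI instead of 00-0F-AC.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
RSN_OUI, WPA_OUI = bytes.fromhex("000fac"), bytes.fromhex("0050f2")

def parse_suites(body, oui):
    """Body: version(2) | group suite(4) | pairwise count(2) | pairwise suites."""
    if len(body) < 8:
        raise ValueError("truncated security element")
    version, = struct.unpack_from("<H", body, 0)
    count, = struct.unpack_from("<H", body, 6)
    if version != 1 or len(body) < 8 + 4 * count:
        raise ValueError("bad version or pairwise list overruns element")
    raw = [body[2:6]] + [body[8 + 4 * i:12 + 4 * i] for i in range(count)]
    names = [CIPHERS.get(s[3], "type-%d" % s[3]) if s[:3] == oui
             else "vendor-" + s.hex() for s in raw]
    return names[0], names[1:]

def audit_beacon_ies(ies):
    """Return one finding per advertised cipher that is not CCMP."""
    findings, seen, pos = [], False, 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("element runs past end of frame")
        pos += 2 + length
        if tag == 48:                                       # RSN element (WPA2)
            name, (group, pairwise) = "RSN", parse_suites(body, RSN_OUI)
        elif tag == 221 and body[:4] == WPA_OUI + b"\x01":  # legacy WPA element
            name, (group, pairwise) = "WPA", parse_suites(body[4:], WPA_OUI)
        else:
            continue                                        # SSID, rates, etc.
        seen = True
        for role, suite in [("group", group)] + [("pairwise", p) for p in pairwise]:
            if suite != "CCMP":
                findings.append("%s %s cipher: %s" % (name, role, suite))
    if not seen:
        findings.append("no WPA/RSN element: open or WEP network")
    return findings

# Constructed sample elements (SSID "home" + security elements), not captures.
SSID = bytes.fromhex("0004686f6d65")
CCMP_ONLY = SSID + bytes.fromhex("30140100000fac040100000fac040100000fac020000")
MIXED = SSID + bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000"
                             "dd160050f20101000050f20201000050f20201000050f202")
```

An empty list from `audit_beacon_ies` means every advertised cipher is CCMP. The constructed `MIXED` sample shows why mixed mode keeps TKIP in play: the group (broadcast) cipher drops to TKIP so that older clients can still join.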
You may have seen early coverage of this exploit suggesting that the TKIP key or WPA encryption was broken. It's not. This is a very interesting, very clever compromise that currently has no wide-reaching repercussions. But it's also the first wedge that's been successfully inserted into TKIP, and should help push a move to AES-CCMP by those who care about security.
Unless otherwise noted, this article is copyright © 2008 TidBITS Publishing, Inc. Published in TidBITS on 2008-11-08.
TidBITS is copyright © 2016 TidBITS Publishing Inc. Reuse governed by Creative Commons License.