Wi-Fi’s WPA Encryption Is Not Broken (Yet)
The headlines on many tech sites trumpet, “WPA Encryption Broken!” Hardly. A very small area of the Wi-Fi encryption method that’s part of WPA and WPA2 is exploitable under very particular circumstances that don’t reveal your network key or allow data to be intercepted and decrypted.
The problem with the coverage of this latest academic paper (PDF), written by two Japanese researchers at Hiroshima University and Kobe University, is that the work is so darned clever – but also so darned technical – that it’s easy to misinterpret the meaning unless you’ve spent years deep in the wireless mines, hacking out understanding, like yours truly.
What the researchers discovered isn’t a generic way to crack WPA encryption – in fact, they improved on a method that German researchers revealed in November 2008. That method allows only short packets of data sent from a base station to a client to be deciphered, and only if most of the packet’s content is already known.
This exploit works only with TKIP (Temporal Key Integrity Protocol), the only encryption method approved as part of WPA, and the older and deprecated of two methods – the other is AES-CCMP – available in WPA2. (I covered the German research for TidBITS in “A Crack in Wi-Fi Security and How To Fix It,” 2008-11-08; links in that article take you to more technical explanations.)
The German and Japanese approaches don’t reveal the network’s encryption key or passphrase. You cannot use these methods to intercept data and read the contents without having the network’s key. The crack applies only to a single packet at a time, because each packet in TKIP is encrypted with a separate key. (TKIP turns a passphrase you enter into a master key, from which several kinds of keys are derived; those in turn generate keys that can change regularly.)
This exploit lets an attacker replace and rebroadcast a single packet with address association information – ARP packets that connect IP addresses with Ethernet or Wi-Fi adapters. The German academics had a 12- to 15-minute timeframe for cracking the per-packet key for these sorts of packets.
The new approach from Japan adds a physical interception stage – where an attacker has to operate a Wi-Fi relay between a base station and client – but reduces the attack duration to about a minute. The attack succeeds in cracking the per-packet key about 37 percent of the time, but an attacker can discard bad results without alarming the client’s defenses.
A falsified address association packet could be used to poison DNS, which could lead clients on the network to visit malicious sites or accept invalid security certificates. Other short packets with mostly guessable contents could be used for other nefarious purposes. (For more about such malicious uses, see “Apple Fails to Patch Critical Exploited DNS Flaw,” 2008-07-24.)
Both the old and new versions of this exploit require relatively close physical proximity; the Japanese one needs to have a client far enough away from a base station to accept an attacker’s signal as a connection to the legitimate base station.
That physical requirement makes the utility of this exploit rather small. An attacker would need to develop a particular exploit for a particular network that they could get close enough to, while not being detected. In homes, someone would likely not be able to insert a signal between your base station and your computer. In corporations, additional security measures (physical and network-based) would likely spot this attempt.
The fact is that millions of point-of-sale (cash registers) and other systems are protected by WEP, the original 802.11 encryption system that can now be broken in as little as a few seconds. And by broken, I mean the key extracted and data intercepted. This low-hanging fruit makes it unlikely that anyone will focus on TKIP cracks unless a much broader exploit is found.
TKIP was meant just as a backwards-compatible transition option, and nearly every piece of gear introduced starting in late 2002 – including all Apple products – can use a better alternative: AES-CCMP. This method, often incorrectly and generically called WPA2, was designed to avoid WEP problems, whereas TKIP was an overlay that replaced WEP on older gear that lacked the processing power or flexibility to be upgraded to AES-CCMP. (AES-CCMP stands for Advanced Encryption Standard Counter Mode with CBC-MAC (Cipher Block Chaining Message Authentication Code) Protocol, in case you wanted to know. Didn’t think so.)
(You can avoid all TKIP weaknesses by switching to AES-CCMP. I provide detailed instructions for making this change in “A Crack in Wi-Fi Security and How To Fix It,” referenced above.)
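To find which networks you are responsible for still accept WEP or TKIP, here is a small audit script. It is an added example, not part of the original article. It assumes the text layout printed by the Linux command `iw dev <interface> scan`, treats a network with the Privacy bit but no WPA/RSN element as WEP (a heuristic), and uses constructed sample networks.

```python
import re

# Constructed sample in the layout of `iw dev <iface> scan` (not real networks).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: register-lan
BSS 02:00:00:00:00:02(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: legacy-office
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
BSS 02:00:00:00:00:03(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: mixed-home
    RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:04(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: ccmp-only
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
"""

def classify(block):
    """Rate one BSS block by the weakest cipher it still accepts."""
    ciphers = set()
    for listed in re.findall(r"(?:Group cipher|Pairwise ciphers):(.*)", block):
        ciphers.update(listed.split())
    if not re.search(r"capability:.*\bPrivacy\b", block):
        return "open"
    if not re.search(r"^\s*(WPA|RSN):", block, re.M):
        return "WEP"            # Privacy bit set, no WPA/RSN element (heuristic)
    if "TKIP" in ciphers:
        return "TKIP-enabled"   # TKIP still offered as group or pairwise cipher
    return "CCMP-only" if "CCMP" in ciphers else "unknown"

def audit(scan_text):
    """Return {SSID: rating} for every BSS block in the scan output."""
    blocks = re.split(r"^(?=BSS )", scan_text, flags=re.M)
    found = ((re.search(r"^\s*SSID: (.*)$", b, re.M), b)
             for b in blocks if b.startswith("BSS "))
    return {m.group(1): classify(b) for m, b in found if m}

if __name__ == "__main__":
    print(audit(SAMPLE_SCAN))
```

A mixed-mode network is rated "TKIP-enabled" even though it also offers CCMP, because TKIP remains in use until it is removed from the base station's settings.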
I know that it’s eye-grabbing and click-worthy to write headlines that suggest some major security element is broken. And there certainly are days in which some ordinary Internet component we all rely on turns out to have a fatal flaw – like DNS last year. However, Wi-Fi’s current encryption system remains a reasonable choice.
TKIP should have already been on its way out as a safe way to protect your network from interception; this latest research just moves TKIP even further away from being a reasonable choice.
It would be great if many people would spread around the link to good articles like this one instead of the hysteria-inducing (read "page view generating") ones that are circulating on supposed news sites.
We'd certainly appreciate that as well! The URL in the address field is a permanent link.