Attack on WPA refined
First introduced in November 2008, a method for cracking the Wi-Fi Protected Access (WPA) encryption standard has been refined by Japanese researchers. The attack now works with any implementation and requires far less time to succeed.
The aim of the attack is to determine the keystream for communication between the Access Point (AP) and the client – without knowledge of the original key. Subsequent packets from the AP to the client can then be decrypted with relatively little effort. With the keystream, attackers can encrypt their own packets and send them to a client, for instance to divert further traffic using falsified ARP or ICMP packets.
Originally developed by Martin Beck and Erik Tews, the method is essentially a variant of the chopchop attack, which involves reconstructing the checksum of an intercepted packet, sending the packet to an access point, and observing whether the access point accepts it. The Temporal Key Integrity Protocol (TKIP) generally used with WPA offers a variety of security measures, including anti-chopchop functionality. For instance, the protocol terminates a Wi-Fi connection when more than two packets with an invalid Message Integrity Check (MIC) are received by a client within 60 seconds. The TKIP Sequence Counter (TSC) also makes it more difficult to reintroduce intercepted packets, which considerably hampers chopchop and other kinds of replay attacks: if the TSC of a received packet is below the current counter, the packet is simply discarded.
Beck and Tews bypassed these limitations by staying within the 60-second time frame and making use of the quality-of-service (QoS) functions of certain WPA access points, which support eight channels, each with its own TSC. They focused the attack on access points with QoS enabled and found that it took between 12 and 15 minutes to execute.
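To make the two TKIP receive-side checks described above concrete, here is an added model of a TKIP receiver (constructed for this article; it is neither the researchers' code nor any real driver's). The `TkipReceiver` class, the packet dictionaries, the timestamps and the per-channel counters are all assumptions for illustration; the threshold values follow the article's figures.

```python
from collections import deque


class TkipReceiver:
    """Simplified receive-side model of two TKIP countermeasures:
    - per-QoS-channel TSC replay check (packet not above the counter is dropped)
    - MIC-failure countermeasure (too many bad MICs within a window ends the link)
    Constructed for illustration; real stacks have more state than this."""

    def __init__(self, channels=8, window=60.0, max_failures=2):
        self.tsc = {c: -1 for c in range(channels)}  # last accepted TSC per channel
        self.failures = deque()                      # timestamps of recent MIC failures
        self.window = window                         # article: 60 seconds
        self.max_failures = max_failures             # article: "more than two" terminates
        self.connected = True

    def receive(self, pkt, now):
        """pkt: {'channel', 'tsc', 'mic_ok'}; returns the receiver's verdict."""
        if not self.connected:
            return "terminated"
        ch, tsc = pkt["channel"], pkt["tsc"]
        if tsc <= self.tsc[ch]:
            return "replay"                          # silently discarded, no MIC check
        if not pkt["mic_ok"]:
            self.failures.append(now)
            # Age out failures older than the window before counting.
            while self.failures and now - self.failures[0] > self.window:
                self.failures.popleft()
            if len(self.failures) > self.max_failures:
                self.connected = False
                return "terminated"
            return "mic_failure"
        self.tsc[ch] = tsc                           # counter advances only on success
        return "accepted"


def run_trace():
    """Constructed packet trace showing both checks, including the per-channel TSC point."""
    rx = TkipReceiver()
    events = [
        ({"channel": 0, "tsc": 10, "mic_ok": True}, 0.0),
        ({"channel": 0, "tsc": 10, "mic_ok": True}, 0.1),    # same channel, same TSC: replay
        ({"channel": 3, "tsc": 10, "mic_ok": True}, 0.2),    # same TSC, other QoS channel: accepted
        ({"channel": 0, "tsc": 11, "mic_ok": False}, 1.0),   # first bad MIC
        ({"channel": 0, "tsc": 12, "mic_ok": False}, 30.0),  # second bad MIC
        ({"channel": 0, "tsc": 13, "mic_ok": False}, 59.0),  # third within 60 s: link terminated
    ]
    return [rx.receive(p, t) for p, t in events]
```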
Japanese researchers Toshihiro Ohigashi and Masakatu Morii extended the Beck-Tews hack to include a Man-in-the-Middle attack so that the client no longer has a direct connection to the access point. Instead, the attacker's PC is used as a repeater, forwarding packets as required. During an attack, the attacker simply retains the client's packets and "chops" them before forwarding them to the AP. As this can no longer be classified as a replay attack, the TKIP sequence counters become ineffective in terms of protection.
What's left is the 60-second time limit for invalid message integrity checks: having changed the way they reconstruct checksums, the Japanese researchers no longer trigger MIC alerts and don't have to wait for any time-outs. Therefore, in the best case an attack can reportedly succeed within one minute – in the worst case, it is said to take four minutes. There is one snag, however: retaining a client's packets could alert users to the attack and allow them to counter it.
Further details can be found in "A Practical Message Falsification Attack on WPA". The refined version still doesn't enable an attacker to break into a wireless network, read all of the traffic or manipulate the AP. It does show, however, that successful attacks on WPA are approaching feasibility. Security experts recommend switching to WPA2 now – most modern Wi-Fi routers already support it.