November 6, 2008 12:37 PM PST

WPA wireless encryption cracked

Posted by Robert Vamosi

Researchers have found a method of cracking a key encryption feature used in securing wireless systems that doesn't require trying a large number of possibilities. Details will be discussed at the sixth annual PacSec conference in Tokyo next week.

According to PCWorld, researchers Erik Tews and Martin Beck have found a way to crack the Temporal Key Integrity Protocol (TKIP) key, used by Wi-Fi Protected Access (WPA). Moreover, they can do so in about 15 minutes. The crack apparently only works for data aimed at a Wi-Fi adapter; they have not cracked the encryption keys used to secure data that goes from the PC to the router.

TKIP has been known to be vulnerable when using a high volume of educated guesses, or what's called a dictionary attack. The methods to be described by Tews and Beck do not use a dictionary attack. Apparently their attack uses a flood of data from the WPA router combined with a mathematical trick that cracks the encryption.

Some elements of the crack have already been added to Beck's Aircrack-ng Wi-Fi encryption hacking tool used by penetration testers and others.

Tews is no stranger to cracking Wi-Fi encryption. In 2007, he broke 104-bit WEP (Wired Equivalent Privacy). WEP was used by TJX Corp. to secure wireless cash register transmissions from its stores, but criminals were able to exploit weaknesses in its encryption to commit the largest data breach in U.S. history.

Given that WEP and WPA are not secure, experts recommend using WPA2 when securing wireless networks.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
6 comments
by sythara November 6, 2008 12:58 PM PST
This is news? Really?
by Lerianis November 6, 2008 1:17 PM PST
Yeah, it is, because WPA was supposed to be 'uncrackable'. I wonder how long it will be until WPA2 (which I use for my computers) is cracked.
by Hernys November 6, 2008 4:16 PM PST
WPA2 was never supposed to be "uncrackable", neither was WPA nor WEP, nor any security protocol (other than those designed by Oracle ;-). They were just supposed to be "robust". WEP was ill-designed (didn't respect either the process or the technologies needed to make something robust) and cracking it took mere weeks. And the cracks are so effective that it is now equivalent to no security.
WPA stood for years and even now the cracks are partial, so it is clearly a much better design. Also, the current cracks are only to the TKIP version, which is aimed at simple scenarios where high security is not a goal. For more robust implementations you can dismiss TKIP and go with AES, though it is more difficult to deploy.
Yes, WPA will be completely cracked one day, and so will WPA2. Hopefully, we'll have an even better standard widespread by the time this happens.
by bob1xxxx November 6, 2008 2:37 PM PST
Nothing is uncrackable; with enough time and a determined enemy/hacker anything is crackable with time. That's why governments have long known that as soon as you come out with the latest and greatest encryption code, you've got to start work immediately on the next one because nothing lasts forever in the realm of securing data.
by kinghotep November 8, 2008 6:54 PM PST
Uhh really?

"experts recommend using WPA2 when securing wireless networks"

I think you meant to say 802.1x not WPA2. Either that or your experts really aren't experts.
by dltrue2 November 10, 2008 10:49 PM PST
Safe combinations, locks and security-related algorithms all do one thing - keep honest people honest. If one wishes to keep their prized possessions and networks secure, then change the appropriate encryption algorithm often. I can say that anybody/organization with enough time and resources (- money) can crack any security if given enough of an opportunity (Mafiosos, China, Israel ...). This can happen at any level - especially when the return significantly outweighs the investment. Probably the easiest thing one can do is change their current "key" regularly - more frequently if compromise is suspected. DOD has done a relatively good job with this - especially where sensitive information is involved.