Wi-Fi

WPA/WPA2 encryption: A possible workaround

It seems using WPA or WPA2 is not as secure as we would like to believe. It's not the end of the world, but important enough to learn what's going on.

----------------------------------------------------------------------------------------

It's that time of year. Black Hat and Defcon are upon us and security gurus are anxious to tell the world about their research. Not sure why, but WPA/WPA2 Wi-Fi encryption is getting a lot of attention this year. For example, TechRepublic's Chad Perrin wrote a piece about Moxie Marlinspike's new WPA Cracker.

Hole196

A possible WPA2 vulnerability is being aired at this year's Defcon and Black Hat conventions. AirTight's Md Sohail Ahmad is giving a presentation called WPA Too! The demonstration covers a newly found weakness AirTight calls Hole196. Strange name, I know. It comes from page 196 of IEEE Std 802.11-2007, where a note at the bottom of the page gave Mr. Ahmad the clue he needed. It reads:

"Pairwise key support with TKIP or CCMP allows a receiving STA to detect MAC address spoofing and data forgery. The RSNA architecture binds the transmit and receive addresses to the pairwise key. If an attacker creates an MPDU with the spoofed TA, then the decapsulation procedure at the receiver will generate an error. GTKs do not have this property."

What does that mean?

Obviously, the people at AirTight are keeping tight-lipped about the exploit until after the presentations. Still, a few experts have come forward offering opinions as to what it all means. The main clue is the sentence:

"GTKs do not have this property."

The GTK, or Group Temporal Key, is (according to my CWSP study guide) the key used to encrypt all broadcast and multicast traffic between the access point and its client stations, and every station in the BSS holds the same copy. Because it is shared, a receiver has no way to tell which holder actually encrypted a GTK-protected frame; that is what the note means when it says GTKs lack the spoof-detection property. Glenn Fleishman of Wi-Fi Net News expects Hole196 to be used by malicious insiders exploiting exactly that:

"It points strongly to a way in which a malicious client could exploit this and create spoofed broadcast or multicast packets appearing to come from the transmitting address of the access point that other clients would receive. Those spoofed packets would have the advantage of coming across the same trusted network, and could contain malicious payloads and attacks."
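To make the note concrete, here is an added illustration (not code from this post, from AirTight, or from the standard) of how the receiver's choice of key decides whether a spoofed transmitter address is caught. It models rather than implements CCMP: real CCMP binds the receiver address A1, transmitter address A2 and BSSID A3 into the AES-CCM AAD and nonce, and here a keyed HMAC over the same fields stands in for the CCM tag so the script runs with only the standard library. The MAC addresses, keys and payloads are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample addresses (not taken from the post).
AP = "00:11:22:33:44:55"
ALICE = "aa:aa:aa:aa:aa:01"
MALLORY = "bb:bb:bb:bb:bb:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def tag(key, a1, a2, a3, body):
    """Stand-in for the CCMP MIC. Real CCMP feeds A1/A2/A3 into the AAD and A2
    into the nonce, so a frame whose claimed transmitter does not match the key
    holder fails to decrypt; an HMAC over the same fields gives that binding."""
    header = f"{a1}|{a2}|{a3}|".encode()
    return hmac.new(key, header + body, hashlib.sha256).digest()


def encapsulate(key, a1, a2, a3, body):
    """Build a protected frame: A1 = receiver, A2 = transmitter, A3 = BSSID."""
    return {"a1": a1, "a2": a2, "a3": a3, "body": body,
            "tag": tag(key, a1, a2, a3, body)}


class Station:
    """A client holding its own pairwise key (PTK) and the shared group key (GTK)."""

    def __init__(self, addr, ptk, gtk):
        self.addr, self.ptk, self.gtk = addr, ptk, gtk

    def decapsulate(self, frame):
        """Return (accepted, claimed_transmitter). Key choice mirrors 802.11:
        frames addressed to this station use the PTK, group-addressed frames
        use the GTK. Nothing else identifies the true sender."""
        if frame["a1"] == self.addr:
            key = self.ptk
        elif frame["a1"] == BROADCAST:
            key = self.gtk
        else:
            return False, None  # not for us; dropped by the address filter
        expected = tag(key, frame["a1"], frame["a2"], frame["a3"], frame["body"])
        return hmac.compare_digest(expected, frame["tag"]), frame["a2"]


def demo():
    """Replay the cases from the standard's note and report what Alice accepts."""
    gtk = os.urandom(16)
    alice = Station(ALICE, os.urandom(16), gtk)
    mallory = Station(MALLORY, os.urandom(16), gtk)  # an authenticated insider

    # 1. Genuine group-addressed frame from the AP, protected with the GTK.
    legit = encapsulate(gtk, BROADCAST, AP, AP, b"genuine broadcast from AP")

    # 2. Mallory spoofs the AP's address on a unicast frame to Alice. She holds
    #    only her own PTK, so Alice's check with Alice's PTK fails.
    forged_unicast = encapsulate(mallory.ptk, ALICE, AP, AP, b"forged unicast")

    # 3. Mallory spoofs the AP's address on a group-addressed frame. Every
    #    client holds the GTK, so Alice accepts it as if the AP had sent it.
    forged_broadcast = encapsulate(gtk, BROADCAST, AP, AP, b"forged broadcast")

    return {
        "legit_broadcast": alice.decapsulate(legit),
        "forged_unicast": alice.decapsulate(forged_unicast),
        "forged_broadcast": alice.decapsulate(forged_broadcast),
    }


if __name__ == "__main__":
    for case, (accepted, sender) in demo().items():
        print(f"{case:17s} accepted={accepted} claimed_sender={sender}")
```

The third case is the whole problem: the forged group frame passes every check a client can perform, because the only thing the GTK proves is that the sender is some member of the network.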

Need to be inside

Everything I have read stresses that this exploit requires the attacker to already be an authenticated client of the Wi-Fi network, holding a valid GTK. Outsiders without credentials gain nothing from it; WPA/WPA2 still keeps them out.

So it's an inside job. That should be less worrisome, right? Maybe not. According to the 2010 CyberSecurity Watch Survey, insiders accounted for 26 percent of all cybercrime. To make matters worse, a majority of the survey respondents agreed that insider incidents cost more to fix than external attacks.

What is possible

Okay, it's a problem. But what can a determined insider actually do? As Mr. Fleishman pointed out, the attacker could use spoofed broadcast frames to push a malicious payload at unsuspecting computers. What's more likely, though, is the theft of sensitive data and PII.

Why is that? Up until now, individual users associated with a WPA2 Enterprise Wi-Fi network could not read Wi-Fi traffic belonging to other users. That's an important distinction. On a WPA2 Personal (preshared key) network, any authorized member who captures another client's four-way handshake can derive that client's keys and decrypt all of its in-range traffic, because every client's keys descend from the same shared passphrase. Mr. Fleishman points out why WPA2 Enterprise (802.1X with TKIP or AES-CCMP) is different:

"With the 802.1X mechanism used in WPA/WPA2 Enterprise, each user after authentication receives unique keying material that renders his or her data opaque."

It seems that's not necessarily true any longer. AirTight mentions:

"Unlike the TJX breach where data was stolen over unsecured Wi-Fi, this finding is concerning because organizations are relying on WPA2 for its strong encryption and authentication. Since there is no fallback in the 802.11 standard to address this hole, AirTight felt it was important to raise awareness around it."

Moreover, AirTight mentions that the exploit is not overly complex and uses available software tools:

"The Hole196 vulnerability can be practically exploited using existing open source software as the basis. And the footprint of such insider attacks is limited to the air, making them among the stealthiest of insider attacks known requiring no key cracking and no brute force."
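The distinction drawn above between WPA2 Personal and Enterprise deserves a worked example. The following is added here and is not code from the post or from AirTight; it implements the real WPA/WPA2 key schedule from IEEE 802.11-2007 (PMK from PBKDF2-HMAC-SHA1 over the passphrase and SSID, then PTK from PRF-384 over the two MAC addresses and the two handshake nonces) and shows that a second member of a PSK network, given the same passphrase and a sniffed four-way handshake, derives the victim's temporal key exactly. The SSID, passphrase, addresses and nonces are constructed sample values, not a real capture.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).
    aa/spa are the 6-byte AP and client MACs, the nonces are 32 bytes each,
    and all four are sent in the clear during the four-way handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 384 bits for CCMP
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed sample handshake (not a real capture). A member in monitor mode
# sees exactly these values in EAPOL messages 1 and 2 of another client's join.
SSID = "HotelGuest"
PASSPHRASE = "welcome2010"
HANDSHAKE = {
    "aa": bytes.fromhex("001122334455"),   # AP MAC (authenticator address)
    "spa": bytes.fromhex("aaaaaaaaaa01"),  # victim client MAC (supplicant address)
    "anonce": bytes(range(32)),
    "snonce": bytes(range(100, 132)),
}


def victim_keys():
    """What the victim's own supplicant derives when it joins."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    return derive_ptk(pmk, **HANDSHAKE)


def eavesdropper_keys(guessed_passphrase):
    """What another station derives from the same sniffed handshake. The
    passphrase is the only secret input; nothing in the handshake is secret."""
    pmk = pmk_from_passphrase(guessed_passphrase, SSID)
    return derive_ptk(pmk, **HANDSHAKE)


def insider_recovers_victim_tk():
    """Member of the PSK network: same passphrase, same TK, victim's traffic readable."""
    return eavesdropper_keys(PASSPHRASE)["tk"] == victim_keys()["tk"]


def outsider_recovers_victim_tk():
    """Without the passphrase the derived TK is unrelated to the victim's."""
    return eavesdropper_keys("wrong-passphrase")["tk"] == victim_keys()["tk"]


if __name__ == "__main__":
    print("insider holding the PSK derives the victim's TK:", insider_recovers_victim_tk())
    print("outsider without the PSK derives it:", outsider_recovers_victim_tk())
```

Two practical notes. The eavesdropper needs the victim's handshake, so in practice the capture is taken when the victim joins or after forcing a reassociation. Under WPA2 Enterprise the PMK is produced by the EAP exchange for that one session rather than from a shared passphrase, so the same arithmetic gives another member nothing, which is exactly the per-user opacity Mr. Fleishman describes and the property Hole196 undermines for group-addressed traffic.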

Is there a solution?

Not knowing the exact details of the exploit makes it difficult to develop solutions for Hole196. It appears the standard needs to be changed and firmware adjusted so that a client station will not act on GTK-protected frames that did not actually come from the access point, something the current standard gives it no way to verify.

For now, if there is any concern, the best solution is to run a VPN tunnel inside the encrypted 802.11 session, so the Wi-Fi layer is no longer the only thing protecting your traffic. An insider who captures or redirects your frames then sees only the VPN's ciphertext.

Road warriors beware

I see where Hole196 would be disconcerting to enterprise IT-security types. Disgruntled employees, or anyone with network access, could cause all sorts of problems, some of which could result in financial hardship as described in a post by TechRepublic's Mark Underwood.

Still, I'm more concerned about what Hole196 might mean to road warriors or anyone using public WPA2-secured Wi-Fi networks. It's taken a long time to spread the word about the consequences of using open Wi-Fi networks. Now we have to start worrying about WPA/WPA2 networks that we assumed were safe.

Here's an example. Recently, I stayed at a hotel offering secure Wi-Fi, which is unusual but appreciated. One evening, while in the process of creating a web-site password, Chrome opened a message (Unencrypted Password Warning) alerting me that the information was about to be sent unencrypted.

I stopped right there. Without the warning, I would have unknowingly sent the password in the clear. That's a problem. An unencrypted password traveling across the Internet is bad enough. Now with Hole196, my password could have been captured on what I assumed to be a secure portion of the route.

Final thoughts

I realize details about the Hole196 exploit are sketchy at this time and using VPN technology as a solution may seem a bit over the top. But, "better safe than sorry" is one saying that still makes sense.

AirTight has mentioned there will be a public Webcast about Hole196 on August 4 at 1100 PDT. If you are interested here is the link to register. I also plan to update this post as more information becomes available.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

22 comments
~doolittle~

I admit, I was quite concerned until I read this. I have not enabled my router wireless until I got one that supported wpa2 recently (the Verizon / Actiontec one, much improved over my old outdated one). Now we have enabled all our iphone / itouch / wii devices along with all the laptops (that support wpa2). Another warm-and-fuzzy, I was surprised to see the Cisco/Linksys Ex000 series router offers private AND public wpa2 networks (2 separate keys), where the public will not see your local lan that has file/print sharing enabled. It's a great feature for family / friends who visit and want to get online, I always recommend it now. The one pitfall, is the short key it provides I assume for convenience - that had to be replaced with the brute-force "cloud" crackers out there that exist nowadays. cheers

Ocie3

Moxie Marlinspike's WPA Cracker web site will crack the password of a ZIP file as well as crack passwords for WPA/WPA2 wireless AP. So I submitted a PKWare PKZip file which contains an encrypted file. IIRC, the file was not encrypted before it was compressed, but by PKZip, which created the output .ZIP. The price went from $17 to $68 and the time from 20 minutes to 2 hours, because, the site said that cracking the password of a compressed file that contains only one file is "more time consuming". Paying that much is not worth the content of that particular file, assuming that the WPA Cracker does crack the password. Currently, I am using PKWare for Windows version 9. It is possible to have (1) a password that must be entered to view the list of files which are in the compressed file (it includes the filenames and other data about them), and (2) another password which must be entered to extract the files which it contains and/or to add files to the compressed file. The respective passwords can be either the same or different. I have no idea whether WPA Cracker can handle that situation, and I don't have the budget to find out from experience.

SarcasmDoesn'tReadWell

Will this mean the attacker can view my SSL Traffic with my Bank? Let's say if I am at a hotel doing online banking?

wdewey@cityofsalem.net

I think that road warriors should consider all non-corporate WiFi traffic to be unprotected because to get individual session encryption requires enterprise authentication services which are not normally going to be provided even if the access point is using WPA/WPA2. Bill

john.veldhuis

So I placed our company's access points on the outside of our company network, and require VPN to access it.

Michael Kassner

It appears there is an exploit that allows WPA2-encrypted 802.1X Wi-Fi traffic to be captured.

Michael Horowitz

WPA2 is not, in and of itself, secure. You need to opt for CCMP rather than TKIP. If you go for TKIP, it's as secure as WPA. CCMP may be called AES. On top of this, you need a good password. Even wpa2-ccmp is subject to a brute force dictionary attack.

Michael Kassner

Make sure to keep the router up-to-date. There is a vulnerability in those that is being readily exploited.

Michael Kassner

It seems you may want to post this on Chad's post about WPA Cracker.

Michael Kassner

I will try to keep up on the Defcon presentation and post here about it.

Michael Kassner

With regards to this exploit. When it comes to SSL/TLS, when the session starts is critical. Some web sites do not implement it correctly.

Michael Kassner

Except that I have seen some locations that did use WPA2 Enterprise. I was surprised, but they felt it was a good way to go, technically and legally. That said, I pretty much always use a site like MegaProxy when I am on the road. The example I gave in the post was one time where I was lax and in a hurry.

mckinnej

is to use a wired connection if one is available. I realize lots of public places are wireless only since they are so easy to deploy, but many hotels, especially big ones, have connection ports in every room. Use them and a VPN too if you can. I think wireless sacrifices too much for the sake of convenience. Wired connections are typically more secure and faster to boot. I always choose to plug in if the option is there.

Ocie3

I can see why you asked. I probably had your article and Chad's article opened on adjacent tabs, and posted my message in reply to yours although it does seem as though it should be in reply to his. But I think that I accessed the WPA Cracker web site by using the link in your article, which I read after reading Chad's. I did not know that it also offered cracking .ZIP file passwords until I read the FAQ on WPA Cracker (that capability is not mentioned in either article). But I had to bail during the process of setting the job up when the web site reported the cost and time as so much more than the original expected cost. So I probably returned to your article from whence I came. FWIW, I will post a copy in the discussion of Chad's article. I doubt that it will draw much response.

Matthew G. Davidson

This is the main reason why I can not wait for CryptoLink (https://www.grc.com/stevegibson.htm) to be released by GRC.com. VPN is the safest way to use Wireless Networks and currently HotSpot VPN does do a decent job of securing Wireless Network Traffic.

Neon Samurai

I already clicked when I saw Michael's response. Been using ssh for VPN out from untrusted networks for years now. So far, this is just a MITM from an already authenticated client. Encrypt your own traffic and you're good.

Michael Kassner

VPN or a SSL proxy at least. I do that regardless of wired or wireless. One never knows what is happening to your traffic, even on a wire.

JCitizen

as I've done that, probably more than once here on TR! [_]3

Michael Kassner

I have been following Mr. Gibson since he was a writer for InfoWorld. Lots of great advice.

Michael Kassner

Is the complexity and inconvenience using this approach causes the normal user.
