WPA packet injection now possible

German Security researcher Erik Tews and co-researcher Martin Beck have found a way to break the Temporal Key Integrity Protocol (TKIP) key used by the Wi-Fi Protected Access (WPA) encryption standard.  This is done by tricking a WPA to send out a large amount of data, and then mathematically cracking it without using a dictionary attack.  While data remains encrypted, it is possible to perform data injection into the WPA traffic between a router and a laptop.  At this moment, WPA2, which uses Advanced Encryption Scheme, remains unaffected.

You can download their paper Practical attacks against WEP and WPA (pdf), or read more details here.

Researchers eavesdrop on wired keyboards

By using an antenna and some relatively inexpensive equipment, Researchers Sylvain Pasini and Martin Vuagnoux successfully eavesdropped on wired keyboards from a distance of 20 meters.  They did this by picking up the electronic magnetic radiation emitted from depressed keys on the keyboards, which were intercepted and interpreted.  11 different wired keyboards were subjected to four different attack methods, with all keyboards succumbing to at least one of them.  Rate of picking up the keys that were pressed was slow, though the researchers seemed confident of improving it – and the range – with better equipment.

You can read more and watch the video on the researcher’s web site here.

Triangulating rogue Wi-Fi users

If you thought that using your neighbour’s insecure Wi-Fi automatically precludes you from detection, then you might be interested to know that this is no longer the case.  ThinkSECURE has released MoocherHunter, a mobile tracking software tool for “real-time on-the-fly geo-locational of wireless moochers and hackers.”

Based on trials in residential and commercial environments with multiple tenants, a trained operator with a laptop and directional antenna was able to geo-locate a wireless moocher with a geographical positional accuracy of as little as 2 meters within half an hour.  And yes, it was developed in Singapore, and is free for end-user use.

Read more about MoocherHunter here, or download the OSWA LiveCD here.

Mifare Classic RFID compromised

If you still haven’t heard by now, Mifare Classic, the RFID technology behind the Oyster Card in London, as well as by other transit operators in Boston and the Netherlands, have been compromised.  Mifare Classic has proven secure in the past due to the use of an on-board ASIC which is used to implement a challenge/response protocol to protect against cloning.  This has now been successfully cracked.

Other than opening the transit systems based on this technology to fare cheats, the other concern is that Mifare Classic is also widely used as building access passes, with another billion cards distributed worldwide.  Essentially, an employee can have their cards cloned by bumping into that person with a portable card reader.  This can happen without the victim knowing, and has no known countermeasures at the technical level.

NXP Semiconductors has quickly announced a new version of the Mifare chip called the Mifare Plus, which features 128-bit AES encryption and is which is currently immune to cloning.  Unfortunately, older readers are not compatible to the Mifare Plus, and it remains to be seen how long institutions will take to upgrade to the new standard.

You can read more about this here and here.