Cafe Latte and AP-less WEP cracking

During the ToorCon 9 conference, where security experts get together with the hacking community to discuss new vulnerabilities, security researcher Vivek Ramachandran demonstrated an innovative technique used to compromise networks encrypted with WEP. I can just hear the comments: "old news, nobody uses that anymore." Surprisingly, WEP is still used by many businesses due to legacy applications and devices such as portable scanners. The recent data breach at TJX Companies is a prime example of this.

Nevertheless, there is a new twist this time, with the attack venue being the wireless client rather than the network's controlling AP. This affords the attacker many more opportunities, since direct network intervention is not required. According to this October 17, 2007 article in Yahoo News, Ramachandran's technique, called Cafe Latte, consists of the following steps.

  1. First, a Cafe Latte loaded notebook begins advertising for other Wi-Fi notebooks in the area and attempts to determine if a responding notebook has ever attached to a WEP encrypted Wi-Fi network.
  2. If so the attacking notebook then tries to resolve the SSID of that network and the WEP keystream.
  3. Next, using ARP requests in a unique way, the attacking notebook can determine the IP address by the eventual response from the attacked computer when an ARP request with the correct IP address is sent.
  4. Knowing the IP address, the attacking notebook will then send out a flood of ARP queries for that IP address. The computer being attacked is required by ARP to respond to the requests, allowing the attacker to eventually get enough "interesting IVs" to determine the WEP key.
  5. The attacker then can either sniff traffic from computers attached to the WEP encrypted network or attempt to gain access to the network directly.
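As an added example that is not from the original post, here is defender-side detection logic for the ARP flood in step 4: it counts ARP who-has requests per sender MAC and target IP in a sliding time window over constructed log lines (the log format, the MAC and IP values, and the threshold are assumptions).

```python
"""Flag the ARP-request flood that step 4 of Cafe Latte produces.

Added example, not code from the original post. A wireless IDS or a
monitor-mode capture normally sees a burst of ARP who-has requests from one
sender MAC, all aimed at the single IP address that step 3 discovered.
The log format below is an assumption: "<epoch seconds> <sender MAC> who-has <target IP>".
"""
from collections import defaultdict, deque

# Constructed sample log: one MAC sends 120 who-has requests for 10.0.0.5
# within about 1.2 seconds, followed by two ordinary requests from another host.
SAMPLE_LOG = [f"{100 + i * 0.01:.2f} aa:bb:cc:dd:ee:ff who-has 10.0.0.5" for i in range(120)] + [
    "101.50 11:22:33:44:55:66 who-has 10.0.0.1",
    "102.00 11:22:33:44:55:66 who-has 10.0.0.9",
]


def parse_line(line):
    """Split one log record into (timestamp, sender MAC, target IP)."""
    ts, mac, verb, ip = line.split()
    if verb != "who-has":
        raise ValueError(f"unexpected ARP verb: {verb}")
    return float(ts), mac.lower(), ip


def detect_arp_floods(lines, window=5.0, threshold=50):
    """Return {(mac, ip): peak_count} for every sender/target pair that issued
    more than `threshold` who-has requests inside any `window`-second span.

    Lines are assumed to arrive in timestamp order, as a capture would deliver them.
    """
    recent = defaultdict(deque)  # (mac, ip) -> timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, mac, ip = parse_line(line)
        key = (mac, ip)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    for (mac, ip), count in detect_arp_floods(SAMPLE_LOG).items():
        print(f"ARP flood: {mac} sent {count} who-has requests for {ip} in {5.0}s")
```

A normal host resolves a given IP a handful of times, so a pair crossing the threshold is a strong indicator; a sender that is also operating an AP with an SSID matching a known WEP network is the combination this post warns about.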

Jon Ellch, a well-known Wi-Fi security expert and author of Hacking Exposed Wireless, made some interesting comments in the article that I agree with. I also feel that this attack venue is not a casual one. It takes considerable upfront research, such as determining if the network under scrutiny is indeed using WEP. Another complicated step is locating an individual with an attackable computer in a setting where Cafe Latte can do its thing. Still, if the target is lucrative enough, this attack may just be the approach that works. Which is why I reiterate the importance of turning wireless network adapters off when they're not being used, especially now since there's more at stake than just the individual computers.

Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and as a network field engineer for the past 12 years. Current wireless certifications include the CWNA and CWSP.