Kitz Forum

Computer Software => Security => Topic started by: guest on November 11, 2008, 02:44:17 AM

Title: WPA partially cracked
Post by: guest on November 11, 2008, 02:44:17 AM
There's some evidence emerging that WPA encryption using the TKIP (temporal key integrity protocol) cipher is vulnerable to cracking within a very short timescale (15 minutes). Aircrack-ng seems to have the relevant code already added. Full details will apparently be revealed at PacSec, but as Aircrack-ng is already capable of brute-forcing TKIP then there's no point in waiting for these details.

I'd recommend that if any of you use WPA-PSK with the TKIP cipher then you immediately change this to use the AES cipher - this is commonly referred to as WPA2.

WPA-PSK using TKIP must now be considered as vulnerable to cracking as the discredited WEP standard which it superseded.
Title: Re: WPA partially cracked
Post by: roseway on November 11, 2008, 07:50:37 AM
Thanks for the hint rizla. Done.
Title: Re: WPA partially cracked
Post by: broadstairs on November 11, 2008, 08:18:07 AM
While I use WPA-PSK with TKIP at present, I also secure my WiFi by allowing only approved MAC addresses to connect, so unless the MAC is listed in my router no-one gets in. How do others view this, is this secure enough? My problem is that I don't think my laptop Wi-Fi card supports anything other than TKIP; at least I cannot find an option to change it, and it does not have WPA2 listed either.
Title: Re: WPA partially cracked
Post by: guest on November 11, 2008, 08:21:36 AM
Spoofing a MAC address is easy and is in fact no security at all as the MAC address is broadcast during the initial connection phase.

Sorry.

The risk of your network being cracked if you use TKIP is minimal at present but it does have to be considered vulnerable now.
Title: Re: WPA partially cracked
Post by: kitz on November 11, 2008, 01:26:13 PM
Thanks for the heads-up rizla.

@broadstairs - I think if someone really wants to get in and is determined enough they will do.
As rizla says, MAC addresses can be spoofed.
Rizla will no doubt correct me if I'm wrong, but they would have to be scanning at exactly the right time.
It's an extra layer of protection and tbh my attitude is that it makes life a lot harder for the opportunist type casual wannabe hacker. If presented with a choice of home networks he's going to take the easier option and is more likely to move on to an easier target... so I use MAC filtering too.
Title: Re: WPA partially cracked
Post by: broadstairs on November 11, 2008, 03:09:15 PM
Yes I agree so until I can change to WPA2 I'll leave well alone, especially as there is an unsecured WiFi near me with apparently no security at all.
Title: Re: WPA partially cracked
Post by: guest on November 12, 2008, 08:51:02 AM
kitz, you don't have to "scan" at all, simply record the traffic using one of the many tools available, so it's not as if it requires any effort really.

http://uk.youtube.com/watch?v=a2MWwOAgoHw demonstrates how simple it is to do using OSX

http://www.youtube.com/watch?v=ZJ_r8jfyyvw for Windows XP/2003

In short, MAC address filtering doesn't work if the person trying to access your network has the intelligence to google for MAC address spoofing :)
Title: Re: WPA partially cracked
Post by: sevenlayermuddle on November 12, 2008, 09:34:19 AM
I totally agree that MAC filtering doesn't provide any real security, but I also wouldn't turn it off.

One thing to consider is that, if the hacker sniffs your network for a working MAC address and then within a few minutes 'steals' it, then it is very likely that you will quickly notice misbehaviour in the device which is the real owner of the MAC address that he stole. So, at least you may have a hint that somebody is up to no good. Even if you don't twig what's happened, you'd be likely to reset your router to 'fix' the problem, which isn't ideal for the hacker.

The validity of my argument depends on how many MAC addresses are in your filter list, and how quickly you'd be likely to notice if one was getting abused. If the hacker sniffed your network in the evening for MAC addresses, for example, and then returned in the daytime (when you're out) to use them, you'd not notice. But - a bit like the argument for house burglar alarms - isn't it more likely that the casual hacker would just look for an easier target in the house next door (with no MAC filter)?

Also, I only refer to the 'casual' hacker who's hoping to find a free Internet connection, maybe to download something nasty.  The more determined industrial spy will make more effort.  But then the determined industrial spy might use other tactics anyway, like sweet-talking disgruntled ex-employees to disclose the security keys or, if that fails, bribing the IT dept with big buckets of cash.  Sorry if I've just raised the hopes of any IT administrators, I doubt whether it happens very often.
Title: Re: WPA partially cracked
Post by: sevenlayermuddle on November 12, 2008, 09:56:28 AM
And another thing about MAC spoofing....  Don't worry, I'll shut up in a minute :)

MAC addresses have a bit that specifies whether they're locally administered or globally unique, differentiated by a bit in the top byte. The reason the chip-makers allow you to change it is so that you can use locally administered values. There is no valid reason, however, for changing a MAC address to one that's meant to be globally unique.

Two big 'IF's occur to me...

1) IF the chip makers enforced the MAC editing in their firmware such that edited addresses always have the 'locally administered' bit set (most don't),
and...
2) IF the router manufacturers provided a tickbox for a rule saying "no locally administered MACs allowed" (do any?), then MAC filtering would be a lot more powerful.
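A worked version of the two 'IF's above, added here as an example and not code from the thread: it parses a MAC address, tests the U/L (locally administered) bit and the group bit of the top byte, and combines the proposed "no locally administered MACs allowed" rule with an ordinary allow list. All addresses are constructed sample values.

```python
import re

# Top byte of a MAC: bit 0 is the I/G bit (1 = group/multicast, never a station),
# bit 1 is the U/L bit (1 = locally administered, 0 = globally unique / vendor assigned).
GROUP_BIT = 0x01
LOCAL_BIT = 0x02

# Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff (one consistent separator) or aabb.ccdd.eeff.
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$",
    re.IGNORECASE,
)


def parse_mac(text: str) -> bytes:
    """Normalise a textual MAC address to its 6 raw bytes; reject malformed input."""
    text = text.strip()
    if not _MAC_FORMS.match(text):
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", text))


def is_locally_administered(mac: bytes) -> bool:
    return bool(mac[0] & LOCAL_BIT)


def is_group_address(mac: bytes) -> bool:
    return bool(mac[0] & GROUP_BIT)


def admission_decision(client_mac: str, allow_list, reject_local: bool = True):
    """Return (allowed, reason) for a station trying to associate.

    reject_local implements the thread's proposed router tickbox. As the post
    notes, it only bites when the spoofing firmware actually sets the U/L bit;
    a copied globally unique address still passes this check.
    """
    mac = parse_mac(client_mac)
    if is_group_address(mac):
        return False, "group/multicast address cannot be a station"
    if reject_local and is_locally_administered(mac):
        return False, "locally administered address (U/L bit set)"
    if mac not in {parse_mac(entry) for entry in allow_list}:
        return False, "not on allow list"
    return True, "ok"
```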
Title: Re: WPA partially cracked
Post by: guest on November 12, 2008, 06:43:01 PM
Good point about two identical MACs - it'd probably freeze the router solid as the ARP table filled up with spurious entries.

Thing is though that if someone is going to crack an encrypted network then they'd have to record quite a bit of traffic to start with, so they'd see all the MACs in use and the times they were in use. Most, if not all, encrypted home networks are of no interest to crackers but security by obscurity isn't security.
/me used to hammer that phrase home to company execs. Didn't do much good though :(
Title: Re: WPA partially cracked
Post by: mr_chris on November 12, 2008, 06:44:54 PM
Too complicated for a company exec, rizla... the phrase makes sense, you can't sell anything to management by saying something that actually makes sense ;)
Title: Re: WPA partially cracked
Post by: Imagine. on December 17, 2008, 05:21:07 PM
15 minutes to crack WPA - that was probably using Linux whilst injecting IVs. When I tried to test my WEP in XP it took a day to collect the required 1,000,000 IVs, and SLM, MAC spoofing is pretty difficult if you don't know what you're doing, and you can ruin a good Wi-Fi card if you try it ;)
Title: Re: WPA partially cracked
Post by: hake on September 06, 2009, 06:55:35 PM
This article, at http://www.h-online.com/news/Security-experts-reveal-details-of-WPA-hack--/111922, is the best description of the problem that I have read so far.

It seems that only traffic from AP to client is vulnerable, and such attacks appear to have limited specialised value to attackers, especially with home networks, so I am losing no sleep. No one is actually going to be able to hijack my internet access. My passphrase is 63 random characters (from https://www.grc.com/passwords.htm) which will defy brute-force dictionary attacks for the duration of the remaining life of the solar system.
Title: Re: WPA partially cracked
Post by: kitz on September 07, 2009, 07:01:41 PM
Those should be pretty safe  :D

However, the difficulty comes when, like me, you have a visiting laptop... then typing a string like

Y({_{UAV$=|fNGBd@\pYGyaL$e'GSN}ZMot]?Vt|YS\F5a<_O&&hk|c@[tx{-O(

is no mean feat  :lol:
Title: Re: WPA partially cracked
Post by: hake on September 07, 2009, 09:07:45 PM
A floppy disk drive is still essential for transferring such things as 63 character passwords.

Visiting computers at chez hake generally have an RJ45 stuffed into them. I keep a 30-metre-long cable for such purposes.

 :dance:
Title: Re: WPA partially cracked
Post by: kitz on September 11, 2009, 12:41:30 AM
>> A floppy disk drive is still essential for transferring such things as 63 character passwords.

ahhh - good thinking. USB stick should work too :)