Reports that researchers have successfully hacked wireless networks secured by Wi-Fi Protected Access (WPA) should not alarm corporate users, provided they’re using Advanced Encryption Standard (AES) on WPA2, wireless experts say.
“It’s not a network security threat,” said Geoffrey Smith, vice-president for products and marketing at Proxim Wireless Corp. of Milpitas, Calif. “The majority of networks should have already upgraded to WPA2 which supports the 128-bit AES algorithm.”
Mark Tauschek, senior analyst with London, Ont.-based Info-Tech Research Group, agreed.
“Chances are the hardware enterprises have today will support WPA2,” Tauschek said. “If you go that way I don’t think there’s anything to worry about in the short term.”
Smith and Tauschek were commenting on reports that Erik Tews and Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key in WPA, in 12 to 15 minutes. The researchers are scheduled to demonstrate their hacking method at the PacSec conference in Tokyo.
WPA2, released five years ago, is another name for the 802.11i security standard, designed to protect wireless networks using the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards.
Before 2003, the main security method was Wired Equivalent Privacy (WEP), which became notorious for the speed with which hackers could defeat it. So in 2003, the Wi-Fi Alliance announced WPA, which used some, but not all, elements of 802.11i, which was still in the works at the time.
WPA did not include AES encryption but did use dynamic key allocation, Extensible Authentication Protocol (EAP) and TKIP.
Tews and Beck did not use a “dictionary attack,” which essentially means making an extremely large number of educated guesses as to what key is being used to secure the wireless data.
Instead, they first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking TKIP easier, but the technique is also combined with a “mathematical breakthrough” that lets them crack WPA much more quickly than any previous attempt, said Dragos Ruiu, organizer of PacSec.
But Tauschek emphasized TKIP is only one part of wireless security.
“It’s sort of getting blown out of proportion,” he said. “TKIP was a stopgap measure that has been compromised going one way. It’s still an issue and enterprises or anybody for that matter should move to AES given that breach but let’s not blow it too far out of proportion. There’s sort of some fear mongering going on there.”
Smith noted WPA2 has been in place for five years, and this is what corporate IT managers should be using for their wireless networks.
“What these guys are doing I really see as passé,” Smith said. “They haven’t been able to crack upstream.”
Smith said Tews’s break-in is the first time in six years he’s heard of someone defeating TKIP.
“This is the first instance I’ve heard of where someone said they can crack downstream but not upstream,” he said.
“If you go that way I don’t think there’s anything to worry about in the short term,” Tauschek said. “If AES gets cracked that’s a much bigger concern. A Wi-Fi component of an AES attack would be the least of our worries.”
Despite the push over the last six years to upgrade to something stronger than WEP, some companies waited a few years before upgrading their wireless network security.
Two years ago, retailer TJX reported a massive security breach, in which at least 45 million credit and debit cards had been breached. TJX was the owner of WMI, which in turn owned and operated 184 Winners and 68 HomeSense stores.
In a report published in September, 2007, the Privacy Commissioner of Canada noted TJX had not completed its conversion to WEP by the time the breach took place.
In the Report of an Investigation into the Security, Collection and Retention of Personal Information TJX Companies Inc.: Winners Merchant International L.P., the Privacy Commissioner stated: “We are of the view that WEP does not provide adequate protection as it can be defeated relatively easily. It appears that the intruder may have accessed the RTS servers and client data due to a weak or inadequate encryption standard.”
The report also stated WEP encryption is “easily bypassed” and “is not adequate for protecting a network.”
“We understand that TJX was in the process of changing to a higher encryption standard, and we acknowledge that a conversion of this nature requires lead time for budget, planning and implementation,” the report stated.
With files from Robert McMillan