Security Alert: Improved WiFi attack algorithms

luke_church Registered Users Posts: 507 Major grins
edited April 7, 2005 in Digital Darkroom
Dear All,

For those who don't yet know me as a paranoid gibbering wreck... I used to get regularly heckled for abusing WiFi over at DPR in an attempt to stop people thinking that WEP made anything secure....

Well, different forum, same issue, improved algorithm...

So it seems that we now have an average attack time of 3-10 minutes to steal the WEP key...

Use it guys, by all means, just don't trust it if you care, or if you have things to hide....

Article

http://www.tomsnetworking.com/Sections-article111.php

Related Scientific Paper

http://ftp.die.net/mirror/papers/802.11/wep_attack.html

It's a llama eat llama world out there folks, take care and lock your network up at night before going to bed...

All the best,

Luke

Comments

  • Andy Registered Users Posts: 50,016 Major grins
    edited April 6, 2005

    It's a llama eat llama world out there folks, take care and lock your network up at night before going to bed...

    i so *do* love a good inside joke, luke

    i'll try to read this but i'm off to calif for the remainder of the week. i'll follow up later ...

    thanks for being part of the team here, luke. i always appreciate your tech stuff, so please, keep it comin' :D
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited April 6, 2005
    Hey Luke,

    I read this article on Slashdot yesterday. Personally, I don't understand all the hype around this presentation. The tool has been out for 6 months. WEP has been known to be insecure for just under 4 years. And the FBI had nothing to do with the new tool or the original exploit discovery. I think the FBI just wanted to prove that they're l33t script kiddies too, after the debacle that was Carnivore.

    The thing I find amusing is that everyone is so paranoid about wireless...ok there is some need to be under certain conditions but it's a proximity attack, the attacker has to be within range of your network. I would suggest that many home users are more worried about wireless security than the gaping hole on their wired network.

    My 2 cents worth,

    David
    David Parry
    SmugMug API Developer
    My Photos
  • luke_church Registered Users Posts: 507 Major grins
    edited April 6, 2005
    Hey David,
    devbobo wrote:
    I read this article on Slashdot yesterday. Personally, I don't understand all the hype around this presentation.
    Sorry, I wasn't aware that it was being hyped. The only thing that seemed newish in this was the speed, bit faster than I'd seen before. But the difference between an hour and 10 minutes isn't all that much. I was just sharing it for general information.
    The tool has been out for 6 months. WEP has been known to be insecure for just under 4 years. And the FBI had nothing to do with the new tool or the original exploit discovery. I think the FBI just wanted to prove that they're l33t script kiddies too, after the debacle that was Carnivore.
    Oh sure, I wasn't implying there was anything really new, maybe my title was misleading, I was under the impression some of the attack algorithms had been tuned... The paper I referenced was dated August 6th, 2001, so sure, it's not new. I don't really care about the FBI's involvement to be honest. The point is and has been clear for some time: WiFi, like most protocols by secret design, sucks. Big time.
    The thing I find amusing is that everyone is so paranoid about wireless...ok there is some need to be under certain conditions but it's a proximity attack, the attacker has to be within range of your network. I would suggest that many home users are more worried about wireless security than the gaping hole on their wired network.
    0. I agree, everything in good measure. Many home networks have problems that make Wifi look hard.

    1. I think the hardware companies brought this upon themselves by advertising '128' bit WiFi as 'massively more secure'. They seem to have managed to persuade some people, I was just doing a little bit to dissuade them. I have known a fair number of people with relatively secure networks otherwise, other than a gaping WiFi hole.

    2. NAT routers do help a fair bit to help the home user.

    3. There are a disturbingly large number of otherwise relatively clued up organisations with broken WiFi networks [Including some people who *REALLY* should know better]

    4. WiFi can be used trivially by seriously nasty people as a very good, high speed anonymiser. In some of the 'war games' I've been involved with, installation of WiFi has played a major part in the downfall of otherwise pretty hard targets.

    Hey ho... Just thought it was worth bringing to people's attention... The home user is never going to deal with the seriously bad guys, but they could at least not leave the front door open with a big sign saying 'rob me'. You're probably right, I'm fighting entropy.

    Cheers,

    Luke
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited April 6, 2005
    Hey Luke,

    None of that was directed at you.

    <rant>
    I get really sh*tty with the type of journalism around these days, which tries to sensationalise stuff to the extent that people really think wireless=insecure. People are worried about their home networks being invaded by wardriving geeks, etc. I mean why would they bother, when they could probably break into some company down the road.
    </rant>
    I was under the impression some of the attack algorithms had been tuned.
    My understanding is that the original attack hasn't changed, but the app implements a statistical attack, which basically eliminates the need for a brute force search of the keyspace.
    The home user is never going to deal with the seriously bad guys, but they could at least not leave the front door open with a big sign saying 'rob me'. You're probably right, I'm fighting entropy.
    I totally agree, but the major problem is these articles are so full of information that most people can't discern the relevant information. The message should be clear...
    1. Turn off SSID broadcast
    2. Enable MAC Address filtering
    3. Enable WPA encryption with a strong password.
    WiFi can be used trivially by seriously nasty people as a very good, high speed anonymiser. In some of the 'war games' I've been involved with, installation of WiFi has played a major part in the downfall of otherwise pretty hard targets.
    I would be very interested to hear more about this.

    Cheers,

    David
    David Parry
    SmugMug API Developer
    My Photos
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited April 6, 2005
    BTW...are you involved with Dasher ?

    I remember playing around with that about 3 or 4 years ago...very cool !!
    David Parry
    SmugMug API Developer
    My Photos
  • luke_church Registered Users Posts: 507 Major grins
    edited April 6, 2005
    Just slightly!!!
    Woooo.... Too cool...

    I guess you looked at the website?

    As I type this I'm currently writing a paper on the re-design and implementation of Dasher for software development, a surprisingly subtle and complex problem... That's my primary task for the year.... The work is partially done under the wrapper of PolyMorphiX Networks and partially of Cambridge Uni, where the original Dasher came from.

    So yes, kind of involved with Dasher :D

    How did you come across it? Do you use Debian?

    It's a small world!
    devbobo wrote:
    BTW...are you involved with Dasher ?

    I remember playing around with that about 3 or 4 years ago...very cool !!
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited April 6, 2005
    Woooo.... Too cool...

    I guess you looked at the website?
    lol yeah, i'm a serial profile checker

    I'm struggling to remember...maybe slashdot.
    i used the windows version.

    As I type this I'm currently writing a paper on the re-design and implementation of Dasher for software development, a surprisingly subtle and complex problem... That's my primary task for the year.... The work is partially done under the wrapper of PolyMorphiX Networks and partially of Cambridge Uni, where the original Dasher came from.
    You lucky bugger...i'm currently doing a Masters of Applied Science in Info Sec, and would love to do research in that area.

    Cheers,

    David
    David Parry
    SmugMug API Developer
    My Photos
  • luke_church Registered Users Posts: 507 Major grins
    edited April 7, 2005
    Hey David,
    My understanding is that the original attack hasn't changed, but the app implements a statistical attack, which basically eliminates the need for a brute force search of the keyspace.
    OK, I had a slightly different impression. I agree that the original attack hasn't changed, it's still a compromise due to weak use of IVs, however I was under the impression that statistical attacks had been around for quite some time and combination with traffic injection had accelerated the attack to a few hours. However quotes of 10 minutes surprised me and looked like an improved statistical algorithm, however it could be the forcible ejection of other users from the APs that is causing the acceleration. But I confess I hadn't looked all that hard.

    Anyway, this is splitting hairs, nothing fundamental has changed I agree.
    I would be very interested to hear more about this.
    As I'm sure you'll understand, the information that I can give is pretty limited. Essentially I was working as the attacking party in a series of war games with an important 'asset'. This 'asset' had employed fairly tough fortress security, using pretty hard physical encapsulation and pretty well managed firewalls.

    In several of the rounds of the war games, I won using attacks based on WiFi, using a combination of the known technical exploits and social engineering. These included

    [DISCLAIMER, this IMHO isn't dangerous, it's very general, it's well known from other books, e.g. Mitnick. Moderators feel free to delete this post if you feel it to be inappropriate, I won't be held responsible for evil use of this information, I'm a nice guy :) , I only work for people who in my opinion are nice guys]

    Social Engineering:

    - Persuading a cleaner to place a Wifi AP on the network, claiming I was from a covert authority group. [OK, so it's not WiFi's fault]

    - Sending a manager a free PDA for him to use at work that required WiFi to be installed in his office and didn't support VPNs, WPA, then breaking the WEP encryption

    - Using a home wireless LAN that a manager had taken a habit of plugging his laptop into, breaking it and compromising the laptop and hence the network

    Technicalish:

    - Remote compromise, a WiFi loop provides an excellent method of remotely having a presence on a network

    - Covert Channel, using a WiFi repeater to leak information out to the world

    - Encouraging a dependency on WiFi, then jamming it using AP kick-off when I wanted to kill network functionality

    - Useful distribution point for attacks, compromises of laptops etc. If you remove the WiFi card and put it in a local bin it becomes kind of hard to find the machine that was using it. [Think virus distribution, pinning the blame clearly on an individual of your choice], easier, faster and almost as cheap as pay as you go phones and easier to direct the blame...

    So nothing special, it just makes it substantially easier to gain remote access to a network or machines on it, saves all the messy business of breaking into houses etc. Of course it is only one [small] component of a blended attack, but in the case in question it made matters substantially easier. The penalties for losing if it had been a real attack would have been significant.

    Lesson: Defend in depth, otherwise you will lose. Hopefully the 'asset' will have learnt.

    Hope this was of some interest and please understand the lack of specifics :-)

    Luke
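The "weak use of IVs" that Luke and David refer to is worth seeing concretely. The following is an added illustration, not code from the thread: WEP seeds RC4 with a 24-bit IV prepended to the shared key, so any two frames that reuse an IV share a keystream, and the XOR of their ciphertexts equals the XOR of their plaintexts; the birthday bound then shows how few frames it takes before an IV repeats. The key and plaintexts below are constructed sample values.

```python
"""WEP keystream reuse and the 24-bit IV birthday bound (constructed demo)."""
import math

IV_BITS = 24            # WEP's per-frame IV is only 24 bits wide
IV_SPACE = 1 << IV_BITS


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); only needed to show the keystream-reuse property."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame keying: RC4 seeded with IV || shared key, then XOR."""
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(iv: bytes, key: bytes, p1: bytes, p2: bytes) -> bool:
    """True when C1 XOR C2 == P1 XOR P2: the shared keystream cancels out,
    so an IV collision leaks plaintext structure without touching the key."""
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    return xor(c1, c2) == xor(p1, p2)


def frames_until_iv_collision(probability: float = 0.5) -> int:
    """Birthday bound: frames after which some IV has repeated with the
    given probability, assuming IVs are drawn uniformly at random."""
    return math.ceil(math.sqrt(-2 * IV_SPACE * math.log(1 - probability)))


if __name__ == "__main__":
    key = b"constructed-key"                  # sample value, not a real key
    print(keystream_reuse_leak(b"\x01\x02\x03", key, b"hello world!", b"Hello World?"))
    print(frames_until_iv_collision())        # a few thousand frames, not millions
```

A busy access point sends that many frames in seconds, which is why recommendation 3 in the thread (WPA, which derives a fresh per-frame key) matters far more than hiding the SSID or filtering MAC addresses.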