A pair of Japanese researchers have developed an improvement on an existing technique for attacking wireless LAN traffic that enables them to intercept and decrypt encrypted packets in about a minute, significantly lowering the barrier to entry for attackers looking to listen in on supposedly private connections.
The attack builds on the work done earlier by another pair of researchers who found a way to break the WPA encryption protocol that is used on many WiFi routers. Known as the Beck-Tews attack, the method involved making minor changes to packets encrypted with TKIP, a predecessor to WPA, and then sending the packets back to the access point. The vulnerability was in the way that the checksum was used.
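The paragraph above says the weakness lay in how the checksum was used, not in the cipher itself. The following is an added illustration, not code from the article or the researchers' paper, of the general principle behind that remark: a plain checksum such as CRC-32 (the ICV that WEP and TKIP carry inside the encrypted frame) is linear, so a change to the ciphertext can be paired with a matching change to the checksum without knowing the key, whereas a keyed MAC cannot be adjusted that way. The stream cipher here is a toy SHA-256 counter construction, the keys and packet contents are constructed, and HMAC stands in for a proper keyed integrity check; none of this reproduces TKIP's actual framing, Michael MIC, or the Beck-Tews or Ohigashi-Morii procedure.

```python
import hashlib
import hmac
import zlib

# --- toy primitives (constructed for this demo, not TKIP) ------------------

def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, illustration only."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_bytes(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")


def subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one demo key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


# --- variant 1: integrity by linear checksum (the WEP/TKIP ICV idea) ------

def seal_crc(key: bytes, plaintext: bytes) -> bytes:
    enc_key, _ = subkeys(key)
    body = plaintext + crc32_bytes(plaintext)
    return xor(body, keystream(enc_key, len(body)))


def open_crc(key: bytes, ciphertext: bytes):
    """Returns the plaintext if the checksum verifies, else None."""
    enc_key, _ = subkeys(key)
    body = xor(ciphertext, keystream(enc_key, len(ciphertext)))
    pt, icv = body[:-4], body[-4:]
    return pt if icv == crc32_bytes(pt) else None


def modify_without_key_crc(ciphertext: bytes, delta: bytes) -> bytes:
    """Flip plaintext bits selected by `delta` and fix up the ICV.

    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0*len(d)),
    so the required checksum correction depends only on `delta`, never on the
    key or the original plaintext.
    """
    icv_delta = xor(crc32_bytes(delta), crc32_bytes(bytes(len(delta))))
    return xor(ciphertext, delta + icv_delta)


# --- variant 2: integrity by keyed MAC (what a modern design relies on) ---

TAG_LEN = 8


def seal_mac(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = subkeys(key)
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:TAG_LEN]
    body = plaintext + tag
    return xor(body, keystream(enc_key, len(body)))


def open_mac(key: bytes, ciphertext: bytes):
    """Returns the plaintext if the MAC verifies, else None."""
    enc_key, mac_key = subkeys(key)
    body = xor(ciphertext, keystream(enc_key, len(ciphertext)))
    pt, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, pt, hashlib.sha256).digest()[:TAG_LEN]
    return pt if hmac.compare_digest(tag, expected) else None


def modify_without_key_mac(ciphertext: bytes, delta: bytes) -> bytes:
    """Same bit flips; there is no key-independent way to fix the tag."""
    return xor(ciphertext, delta + bytes(TAG_LEN))


def demo():
    key = b"constructed-demo-key"            # constructed, not real material
    original = b"amount=0010"                # constructed packet payload
    wanted = b"amount=9010"
    delta = xor(original, wanted)            # which bits to flip

    crc_ct = seal_crc(key, original)
    mac_ct = seal_mac(key, original)
    return {
        "crc_accepts_forgery": open_crc(key, modify_without_key_crc(crc_ct, delta)),
        "mac_accepts_forgery": open_mac(key, modify_without_key_mac(mac_ct, delta)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the checksum variant accepting the altered payload as genuine while the MAC variant rejects it. The defensive point is the one the article makes at the end: an unkeyed checksum under a stream cipher gives confidentiality without integrity, and the fix is a keyed, non-linear integrity check bound to the ciphertext, which is what the WPA2/CCMP design provides.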
However, the attack required a significant amount of time to execute, as much as 15 minutes, making it somewhat impractical to execute in the real world. The newer attack, developed by Toshihiro Ohigashi and Masakatu Morii, improves on the Beck-Tews attack and lowers the amount of time needed to execute it to about one minute. From their abstract:
In this paper, we propose a practical message falsification attack on any WPA implementation. In order to ease targets of limitation of wireless LAN products, we apply the Beck-Tews attack to the man-in-the-middle attack. In the man-in-the-middle attack, the user’s communication is intercepted by an attacker until the attack ends. It means that the users may detect our attack when the execution time of the attack is large. Therefore, we give methods for reducing the execution time of the attack. As a result, the execution time of our attack becomes about one minute in the best case.
There have been problems with the encryption schemes used on WiFi networks almost from the beginning. The main protocol used in early deployments, WEP, has been shown to be woefully insecure over the years, a problem which was supposed to be addressed by the move to TKIP/WPA.
TKIP was designed as a temporary solution to the WEP problem, providing a higher level of security while still running on existing hardware. TKIP was fully implemented in WPA2, the latest iteration of the protocol, and while it has mostly held up well, it has outlived its intended lifespan. The new attack developed by the Japanese researchers doesn’t work against systems using WPA2.
In practical terms, the newest research gives attackers a much stronger weapon to wield against WiFi networks. Man-in-the-middle attacks are among the more common methods of compromising WiFi networks and, combined with the ability to decrypt WPA packets, this spells serious trouble for enterprise deployments that rely on WPA to protect data.