
A New Wi-Fi Exploit, Limited But Clever

kdawson posted more than 4 years ago | from the out-of-thin-air dept.

Security

eggboard writes "Martin Beck, who in 2008 co-wrote a paper describing a way to inject packets into a secured Wi-Fi system, is back with a more extensive exploit. His 'Enhanced TKIP Michael Attacks' still don't allow extraction of a key, and are limited to TKIP (not AES-CCMP) WPA-protected networks. Still, he's figured out how to put in large payloads, and to extract data sent from an access point to a client — all without cracking the network key. The attack requires proximity to sniff and inject data, but it's another crack in the older key standard (TKIP) that no one with serious security interests should still be using." Here is Beck's paper (PDF) describing the new attacks.


77 comments


Just use SSL over L2TP over IPsec over WPA (1, Funny)

Anonymous Coward | more than 4 years ago | (#31298934)

That's what I always do.

Re:Just use SSL over L2TP over IPsec over WPA (5, Funny)

Anonymous Coward | more than 4 years ago | (#31299106)

Alice? Alice, is that you?

We were using SSL over L2TP over WPA over IPsec. Who else have you been seeing?

Bob

Re:Just use SSL over L2TP over IPsec over WPA (2, Funny)

Anonymous Coward | more than 4 years ago | (#31300056)

My services as a private investigator are available at a very reasonable price, should you wish them.

Eve

Re:Just use SSL over L2TP over IPsec over WPA (1)

johny42 (1087173) | more than 4 years ago | (#31305116)

Alice? Alice, is that you?

We were using SSL over L2TP over WPA over IPsec. Who else have you been seeing?

Bob

You don't want to know.

Trust me.

Trent

Tsunami heading for Hawaii (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31298958)

Hawaii has a Tsunami heading its way

Re:Tsunami heading for Hawaii (-1, Offtopic)

JustOK (667959) | more than 4 years ago | (#31298980)

surf's up.

Offtopic but true (0)

Anonymous Coward | more than 4 years ago | (#31299272)

It hits in an hour at 11:19 AM local time (1:19 PM pacific time) so put your birth certificates in a safe place.

A Little Help Please (1, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#31299058)

Since I have an unnatural fear of vowels I'm waiting for a protocol whose acronym is constructed solely of consonants.

That would be the HBC (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31299156)

Harry Butt Crack.

Re:A Little Help Please (1)

oldhack (1037484) | more than 4 years ago | (#31299494)

Tough being a slav...

Re:A Little Help Please (1)

Jeian (409916) | more than 4 years ago | (#31301490)

i herd u dont liek TKIPs?

Use a MAC address filter (0)

sleekware (1109351) | more than 4 years ago | (#31299150)

This still can be worked around by spoofing MAC addresses, but everything you do to secure your wireless network helps (hidden SSID, etc).

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31299178)

Yes and no. If I just want to browse the web while away from home, the first thing I do is look for an open wifi. If I find one that does silly security through annoyances like that, then as soon as I break them (which realistically takes only a few minutes if you're already booted into linux), then I'll start scanning around the network to see what was so important to hide.

Re:Use a MAC address filter (1, Funny)

Anonymous Coward | more than 4 years ago | (#31299216)

I do this at home (do not broadcast SSID, MAC address filter, etc.). But, it's just on principle, I have nothing to hide. However if I've wasted 10 minutes of your time getting on my network and another 30 minutes snooping around admiring my MP3 collection, it's worth it.

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31299394)

He said looking at, not admiring. NOT the same thing.

Re:Use a MAC address filter (3, Informative)

gparent (1242548) | more than 4 years ago | (#31299608)

SSID broadcast and mac address filter do nothing to stop hackers, unfortunately.

Re:Use a MAC address filter (1)

jvin248 (1147821) | more than 4 years ago | (#31305152)

Read up on kismet.

Re:Use a MAC address filter (1)

gparent (1242548) | more than 4 years ago | (#31307282)

Your point?

Re:Use a MAC address filter (1)

alexo (9335) | more than 4 years ago | (#31347264)

SSID broadcast and mac address filter do nothing to stop hackers, unfortunately.

Actually, broadcasting your SSID can stop (some) hackers. Especially if you choose one like "NSA Honeypot".

Re:Use a MAC address filter (1)

gparent (1242548) | more than 4 years ago | (#31347500)

I'm making that my next SSID. Kudos to you, good sir.

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31299626)

Not broadcasting is even more dangerous, as someone can set up a network with the same ID that does broadcast, and potentially capture your traffic without your knowledge.

Re:Use a MAC address filter (2, Funny)

Anonymous Coward | more than 4 years ago | (#31299930)

Not broadcasting is even more dangerous, as someone can set up a network with the same ID that does broadcast, and potentially capture your traffic without your knowledge.

Really? I don't think anybody else would choose "Linksys" as an SSID, would they?

Re:Use a MAC address filter (1)

paulej72 (1177113) | more than 4 years ago | (#31300326)

Really? I don't think anybody else would choose "Linksys" as an SSID, would they?

Maybe if they had a D-Link router they might.

Re:Use a MAC address filter (1)

mOdQuArK! (87332) | more than 4 years ago | (#31300462)

So, no problem if someone installs a proxy on your machine & uses it to surf child porn? I'm sure that it won't take long or have any impact on your reputation for you to explain to the nice law enforcement agents that it wasn't really you doing that sort of thing.

Re:Use a MAC address filter (4, Insightful)

Sir_Lewk (967686) | more than 4 years ago | (#31299242)

That is poor advice because all it does is create the illusion of security. Actually good advice would be "just use wpa2, or wpa-aes". If you use proper security with your wifi network then there is no need for child's play games like that.

Re:Use a MAC address filter (1, Informative)

SigILL (6475) | more than 4 years ago | (#31299538)

If you use proper security with your wifi network then there is no need for [a MAC address filter].

Actually, I'd suggest to use both. If one fails, you still have the other.

Re:Use a MAC address filter (5, Insightful)

DMUTPeregrine (612791) | more than 4 years ago | (#31299660)

When the MAC filter fails, you still have the other. If WPA2 fails, you have nothing, because the MAC filter is effectively worthless.

Re:Use a MAC address filter (1)

Tromad (1741656) | more than 4 years ago | (#31302144)

The likelihood of someone bothering to bypass my home MAC filter is similar to winning the lottery or being burglarized.

Re:Use a MAC address filter (1)

Sir_Lewk (967686) | more than 4 years ago | (#31302588)

What exactly do you think the likelihood of someone cracking a WPA2 network is? If someone is actually able to get through WPA2, they won't even blink at MAC filtering. Well, maybe they'll laugh..

Re:Use a MAC address filter (1)

Tromad (1741656) | more than 4 years ago | (#31302696)

Near zero? The likelihood of someone living anywhere close to me that has both the desire and knowledge to get into my minimally secure network is similar to the likelihood that an extremely hot girl will approach me and give me her number.

Re:Use a MAC address filter (1)

Sir_Lewk (967686) | more than 4 years ago | (#31303086)

Think again. Near zero is an over-estimation. Unless you live next door to the NSA*, and they happen to need free wifi, then there is absolutely no reason that you need anything more than WPA2. All you are doing is wasting your own time. Nobody else's.

*Not like MAC filtering would faze the NSA in the slightest...

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31304866)

This is the same approach I use. I live in a not-particularly-wealthy area in a low-tech country, and most anyone with well-above-average computer knowledge already knows each other. I know that my neighbors' primary interests include basketball, wrenching on cars, worshiping various deities, and getting shit-faced drunk. No other computer geeks in the area, and the layout and location of the neighborhood mean touch-n'-go wardriving isn't possible. If you park near my house everyone is going to notice. I just use plain WEP so my DS can get online while keeping the casual moochers off. There's not much you can do inside the LAN without brute-forcing more passwords anyways. You could grab some warez from the read-only anonymous shares on my file server, but who cares. The laws here mean that pirating pop-culture warez or even downloading loli over the connection is quite safe. Anything short of breaking into a big local corporation, or the Pentagon would not get me into trouble.

Now if I was living in a big city in a first-world country, you bet your ass I'd use WPA2 and I'd be checking the AP logs to see who's been logging on.

Re:Use a MAC address filter (1)

Sir_Lewk (967686) | more than 4 years ago | (#31302614)

I should also point out that if that were true, at least 3 of my neighbours should have won the lottery by now...

Re:Use a MAC address filter (1)

sleekware (1109351) | more than 4 years ago | (#31299594)

It seems that you assumed that I wouldn't suggest first to use wpa2, etc. Seeing as the article is about cracking advanced encryption, I would hope that this is already in place. Poor advice? I think not. It adds additional roadblocks. I also said that it 'helps'. Not that it's a foolproof plan. It just makes it more of a pain to break in. For example, using a MAC address filter would mean that they would have to spoof a MAC address that you have whitelisted. This requires additional effort and information gathering. Using a SSID that is not broadcasted, and also not easily guessable (not a dictionary word, and a certain length, etc), makes it harder for SSID crackers to pick it up as well. You may be happy with just using strong encryption, but I very much prefer enabling these additional security features to harden it even further, even if it is just a little bit further.

Re:Use a MAC address filter (1)

Korin43 (881732) | more than 4 years ago | (#31299896)

You think that someone who can crack WPA or WPA2 isn't going to know how to spoof their mac address? And hiding your SSID literally does nothing when they're listening for individual packets, not listening for your router to announce itself.

Re:Use a MAC address filter (1)

jibjibjib (889679) | more than 4 years ago | (#31300086)

Anyone who cracks your WPA already has the technical knowledge and sniffed packets needed to spoof a MAC address and connect without the SSID.

Re:Use a MAC address filter (1)

tomz16 (992375) | more than 4 years ago | (#31302016)

It seems that you assumed that I wouldn't suggest first to use wpa2, etc. Seeing as the article is about cracking advanced encryption, I would hope that this is already in place. Poor advice? I think not. It adds additional roadblocks. I also said that it 'helps'. Not that it's a foolproof plan. It just makes it more of a pain to break in.

For example, using a MAC address filter would mean that they would have to spoof a MAC address that you have whitelisted. This requires additional effort and information gathering.

Using a SSID that is not broadcasted, and also not easily guessable (not a dictionary word, and a certain length, etc), makes it harder for SSID crackers to pick it up as well.

You may be happy with just using strong encryption, but I very much prefer enabling these additional security features to harden it even further, even if it is just a little bit further.

I will second what the other two people replying to you have said :

#1) SSID just requires a single deauth to any client. This literally takes 2 seconds to do.
#2) Your clients are broadcasting their MAC addresses in the clear, and it's a fair assumption that any associated client is on your MAC whitelist... Anyone hacking your wireless network is literally staring at these MACs (and probably continuously typing them back into the console).

Anyone with the technical sophistication to go after WPA already knows this (and can bypass both your MAC and SSID measures in LITERALLY 10 seconds)

If enabling these two features makes you FEEL safer then by all means keep them on. But they offer NO additional protection (not even a teeny tiny bit), and are probably a bit of a hassle for you
- Have to add each legit client to MAC table
- Some clients barf on the hidden SSID

Your ONLY effective consumer-level protection at the moment is to pick a completely random long WPA PSK! (even then, there are a few attacks that allow a hacker to decrypt WPA packets without knowing the key)

Re:Use a MAC address filter (4, Insightful)

KibibyteBrain (1455987) | more than 4 years ago | (#31299310)

How exactly? Using exploits in non-deprecated wireless security is far more technically involved than running some script kiddie application which will list all wi-fi networks in range, SSID broadcasting or not, and also the mac address of clients on those networks automagically, as well as crack obsolete security like WEP.

So really, anyone who could even think about cracking a WPA or RADIUS network, which would take quite a bit of time and effort and probably days of information gathering to achieve in practice, would find such measures trivial to break.

However, these measures still lower the supportability of your network, which means they would be very costly for something useless. And even worse, because users who had issues with say, your MAC address filter, might not know how to fix them, they might do something stupid to their machine which actually has the net effect of making your network LESS secure. Fun.

Using WPA or MAC address filters would be like arguing that putting a thumbtack on the floor outside a fortress enhances its security. Objectively undeniable, but still laughable. Sure it will help keep stupid little kids out of your fortress, but those are not the type of people who could never get past the giant walls, moats, archers, etc your actual fortress security employs. On the other hand, this tack, not being in the fortress standards, might actually manage to make miserable the life of a well intentioned, if stupid, servant, guard, etc.

Re:Use a MAC address filter (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31299424)

Using WPA or MAC address filters would be like arguing that putting a thumbtack on the floor outside a fortress enhances its security. Objectively undeniable, but still laughable. Sure it will help keep stupid little kids out of your fortress, but those are not the type of people who could never get past the giant walls, moats, archers, etc your actual fortress security employs. On the other hand, this tack, not being in the fortress standards, might actually manage to make miserable the life of a well intentioned, if stupid, servant, guard, etc.

So what you're saying is that if I carefully place my metaphorical thumbtack in a strategic position on my fortress' porch I'll hear you laughing when you're trying to hack into my wireless network? Well, the joke's on you because I have several wireless devices broadcasting on different SSIDs that are merely decoys to thwart your dastardly efforts while I connect to the internet via a bright red cable.

If you don't believe me you can see for yourself. There's a key under the mat - just let yourself in.

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31301716)

I switched out the cable for a blue one.

PS I made myself a pb and j sandwich and when I poured a glass of milk there were chunks! Chunks I say! Have some standards man...

PPS Can't fault the organic peanut butter though. Mmmmmm...

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31302662)

I see what you are saying but I think you are a little off with the 'thumbtack' analogy.

Obscuring the SSID is a sign saying "PRIVATE FORTRESS - KEEP OUT" and the MAC address filter is a picture badge. Yes they can be ignored or easily duplicated but they support the concept of defense in depth and can act as deterrents. It also makes regulators and upper management happy to see several controls in place, even if they have nominal value.

If you get caught breaking into that fortress the prosecutor can state "your honor, he ignored the sign and duplicated a badge before breaking through a flaw in the castle wall". Harder to defend against breaking several controls instead of one (no matter how great that one control is).

I wish I could have explained this in terms of cars carrying the equivalent of 2 1/2 Libraries of Congress but I'm not that good at metaphors.

Re:Use a MAC address filter (5, Informative)

Bert64 (520050) | more than 4 years ago | (#31299372)

Hiding your SSID can actually be detrimental...
If your SSID is open, then your machine can see its broadcasts and connect to it... If the SSID is hidden, then your machine has to probe for it by name.. Meaning that if your machine is away from its usual location, you can see what network it's looking for...

If the SSID is hidden, then someone trying to break into it just needs to sniff traffic for a while to get the SSID anyway.

Re:Use a MAC address filter (1)

dotgain (630123) | more than 4 years ago | (#31299598)

Mod parent up, it's amazing how little-known these facts are about SSID hiding. I proudly broadcast my SSID: "iWatchYouSleep"

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31299884)

One more little known fact: It's perfectly OK to use spaces in SSIDs. "I watch you sleep." is a valid SSID.

Re:Use a MAC address filter (1)

dotgain (630123) | more than 4 years ago | (#31319038)

Another better known fact: Some implementations of 802.11 suck

Re:Use a MAC address filter (1)

Anci3nt of Days (1615945) | more than 4 years ago | (#31304102)

99% of fixing your security isn't about being secure: it is about being less enticing than the next-door neighbour's network.

Re:Use a MAC address filter (1)

jvin248 (1147821) | more than 4 years ago | (#31305234)

It's also fun to see SSIDs with "Pirate" or "Hacker" in the names..."There be Monsters this way". It frightens the peasants.

Of course, it's entertaining to deploy some honeypots.

Re:Use a MAC address filter (4, Insightful)

Holmwood (899130) | more than 4 years ago | (#31299440)

I've never really understood this attitude. I feel that one needs to be aware of security theatre, or security kabuki -- things that make you feel safer but don't actually make you safer. There are two possibilities for an attacker: an idiot, or, someone very capable.

While it's true that a non-broadcast SSID might stop an idiot, ditto for locking down MAC addresses, you can extract both of these (completely unencrypted) from the packet stream. Any modestly competent attacker can do this quite quickly.

But locking down MAC addresses and turning off SSID broadcasting increases the tedium of administration while making no real difference to a hacker. Like the TSA, it's security kabuki in my view.

In general, I don't find my security enhanced by assuming that the attacker is a clueless moron. If that were the case, then Windows 98 coupled with digital hashes checked against all files would be a secure OS.

The one argument I think you could come up with is that if you enable all security features in a disciplined manner then that's just good practice. Maybe. I still think it smacks of a bit of security theatre.

Re:Use a MAC address filter (1)

not_hylas( ) (703994) | more than 4 years ago | (#31301404)

Never interrupt your enemy when he's making a mistake.
- Napoleon Bonaparte (1769 - 1821)

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31306906)

I don't think most of the posters here consider the other posters to be enemies.

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31307084)

I believe the subject (of the thread) to be crackers (not the kind you use with soup).

Re:Use a MAC address filter (0)

Anonymous Coward | more than 4 years ago | (#31301528)

Yeah, "Hidden" SSID isn't. It just broadcasts nulls instead of strings. Also, some routers (mine, at least) will actually broadcast more of these "empty" identification packets, for some reason. Fire up a copy of kismet if you don't believe me.

Very Limited (3, Informative)

HazE_nMe (793041) | more than 4 years ago | (#31299196)

The router must be running Linux with WMM enabled.
From TFA:

As with the previous attack, a lot of stars have to be in alignment. The biggest requirement is that TKIP has be the key type, not AES-CCMP. An attacker has to be proximate to sniff traffic and inject packets. The router has to be running Linux, like many Wi-Fi routers do. The router doesn't need to be compromised; there's a particular Wi-Fi packet sequence that's more predictable, and thus easier to use in the attack. Network QoS (802.11e/WMM) needs to be enabled as well.

Re:Very Limited (2, Interesting)

eggboard (315140) | more than 4 years ago | (#31299728)

That's not as limited as it sounds. There are perhaps hundreds of millions of routers running versions of embedded Linux, and WMM/802.11e may be enabled by default on many of those!

Re:Very Limited (1)

Hurricane78 (562437) | more than 4 years ago | (#31312666)

In fact you can bet that it’s enabled in every router that also does allow you to connect a landline phone for VoIP. Which, I guess, is true for pretty much all of them.

Re:Very Limited (1)

kainewynd2 (821530) | more than 4 years ago | (#31299942)

Oh noes! Linux is h@xx0r3d!

Sorry... just got off the roof...

TKIP and CCMP (1)

dandart (1274360) | more than 4 years ago | (#31299358)

TKIP and CCMP are both vulnerable to cracking still. People can go in, wait, deauth you, steal your 4-way handshake, and dump the file on a computer or cluster, and have your password quickly.

How about ethernet? No? Well, make sure it's WPA2 Enterprise with a very long password, hidden, etc.

Re:TKIP and CCMP (4, Interesting)

eggboard (315140) | more than 4 years ago | (#31299900)

That comment is halfway between troll and truth.

That only works for short passwords using dictionary words and common alternatives--typically eight characters or fewer. Yes, you can get precomputed dictionaries for common SSIDs, and you can even use a new service to do some computation.

However, move to 9 characters of random text (&fa^g_!80) and a unique SSID ("My little pony's network"), and all bets are off to computing the result in anything like a usable period of time.

TKIP and AES-CCMP remain strong for long, strong passwords, long being 10 or more characters, but 12 to 20 is best.

Re:TKIP and CCMP (1)

dandart (1274360) | more than 4 years ago | (#31300024)

I jolly well hope so! It's a shame so many users still have WEP/WPA 10-digit hex passwords. To say nothing of default router and predictable passwords.

Re:TKIP and CCMP (1)

Monolith1 (1481423) | more than 4 years ago | (#31302576)

However, move to 9 characters of random text (&fa^g_!80) and a unique SSID ("My little pony's network"), and all bets are off to computing the result in anything like a usable period of time.

TKIP and AES-CCMP remain strong for long, strong passwords, long being 10 or more characters, but 12 to 20 is best.

Could someone please answer this? I find when I try to use WPA2 the connection is flaky for my 3yo laptop, whereas WPA provides me a very stable connection. If I use WPA-PSK with a 63 character pseudo random password, and a quirky SSID am I still vulnerable to these WPA TKIP weaknesses? Or does my big crypto strength password still keep me relatively "safe" from your average script kiddy? I don't understand if these exploits still rely on weak passwords?

Re:TKIP and CCMP (2, Informative)

eggboard (315140) | more than 4 years ago | (#31302822)

1. If you're having trouble with WPA2, it's an implementation issue. There's no reason that WPA2 shouldn't work as well or better than WPA. In some silicon, AES-CCMP encryption can work faster than TKIP. Check for firmware upgrades on adapters and APs.

2. TKIP keys cannot be extracted by any known methods. Short TKIP and AES-CCMP passphrase-based keys are vulnerable to brute-force dictionary attacks, typically based on precomputed common SSIDs. A key of 10 or more characters is probably fine; 20 random characters is beyond computation in this universe. 63 is just silly.

3. The TKIP exploits are particular to AES-CCMP and don't recover the key, nor does any particular key length prevent the exploit. The exploits rely on a set of givens (such as 802.11e/WMM being available and enabled on a router), but this latest exploit that I link to uses the integrity checksum to extract a packet delivered to a client in the right circumstances.

4. This attack could be weaponized, but it's a proximity attack, so the yield is very very low in such attacks.
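An added example (mine, not code from the thread or from Beck's paper) of the point eggboard makes above about precomputed dictionaries for common SSIDs and passphrase length: a WPA-PSK network's Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, so a table built for one SSID says nothing about another, and a random passphrase of 20 printable characters puts the keyspace past 128 bits. The wordlist, the SSIDs and the 1e6 PMK/s guessing rate are constructed for the demonstration.

```python
"""Added example (not from the Slashdot thread or Beck's paper): how a WPA-PSK
passphrase and SSID combine into the Pairwise Master Key (PMK), why precomputed
dictionaries are tied to one SSID, and how passphrase length sets attack cost."""
import hashlib
import math
from typing import Dict, Iterable, Optional

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)
PBKDF2_ITERATIONS = 4096
PMK_LEN_BYTES = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a WPA/WPA2-Personal client or AP does.

    The SSID is the PBKDF2 salt, so the same passphrase yields a different PMK
    on every differently named network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN_BYTES,
    )


def build_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precompute PMK -> passphrase for one SSID (the kind of table that exists
    for default SSIDs). Each entry costs 4096 HMAC-SHA1 rounds, paid per SSID."""
    return {derive_pmk(word, ssid): word for word in wordlist}


def table_lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """A hit only happens when both the word and the SSID match the table."""
    return table.get(pmk)


def guess_work_bits(alphabet_size: int, length: int) -> float:
    """log2 of the candidate count an attacker must push through PBKDF2 when
    the passphrase is uniformly random over an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, pmks_per_second: float) -> float:
    """Worst-case time to try every candidate at a given rate (the rate is a
    constructed figure for illustration, not a benchmark of real hardware)."""
    return (alphabet_size ** length) / pmks_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed wordlist and SSIDs for the demonstration.
    wordlist = ["password", "letmein1", "linksys1"]
    table = build_table("linksys", wordlist)

    pmk_default_ssid = derive_pmk("password", "linksys")
    pmk_unique_ssid = derive_pmk("password", "My little pony's network")
    print("default SSID, weak passphrase ->", table_lookup(table, pmk_default_ssid))
    print("unique SSID, same passphrase  ->", table_lookup(table, pmk_unique_ssid))

    for alphabet, name in ((16, "hex digits"), (95, "printable ASCII")):
        for n in (8, 10, 20):
            print(f"{name:16s} length {n:2d}: {guess_work_bits(alphabet, n):6.1f} bits, "
                  f"{years_to_exhaust(alphabet, n, 1e6):.3g} years at 1e6 PMK/s")
```

The hex-digit row is the "10-digit hex" case mentioned further down the thread: 40 bits of work regardless of how random the digits look.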

Re:TKIP and CCMP (1)

Xabraxas (654195) | more than 4 years ago | (#31304872)

TKIP and CCMP are both vulnerable to cracking still. People can go in, wait, deauth you, steal your 4-way handshake, and dump the file on a computer or cluster, and have your password quickly.

That's only if your password is weak. You still need to use a dictionary attack in that scenario. It is still a good recommendation to move to WPA2 though because this article, like the one before it, show some cracks starting to appear in TKIP.

secure wireless = wrong. (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31299410)

if you need really good security in your wireless, JUST LEAVE IT OPEN.
And use a vpn of course ;)
ipsec is widely supported, but openvpn is a good choice too.
secure, encrypted, configurable, and with YEARS of testing behind!

Lack of WPA2-AES support in devices (1)

Emperor Tiberius (673354) | more than 4 years ago | (#31299488)

Annoyingly, I can think of two devices that can't cope without TKIP under WPA2. The older Apple Airport Express and a Linksys wireless bridge.

Without TKIP, these two devices have effectively become expensive (when they were purchased, at least) door stops. It's aggravating, because they both advertised support for WPA2-AES!

Re:Lack of WPA2-AES support in devices (1)

paul248 (536459) | more than 4 years ago | (#31299646)

AES support is mandatory for WPA2 devices. If it doesn't support AES, it doesn't have WPA2.

Re:Lack of WPA2-AES support in devices (0)

Anonymous Coward | more than 4 years ago | (#31300288)

AES support is mandatory for WPA2 devices. If it doesn't support AES, it doesn't have WPA2.

Yes for your first sentence if you are referring to 802.11i; your second sentence is not necessarily true.

AES is mandatory for a device to be in full compliance with 802.11i, but WPA2 (RSN) itself can be used with the TKIP protocol if desired.

Re:Lack of WPA2-AES support in devices (0)

Anonymous Coward | more than 4 years ago | (#31300388)

WPA2 does require AES, but WPA2 doesn't have to be used with CCMP. So it's possible some old Apple router supported AES, but not the CCMP protocol for some strange reason (CCMP uses AES too).

SSID (3, Interesting)

getNewNickName (980625) | more than 4 years ago | (#31299534)

Re: wi-fi security, what's to stop someone from creating a hotspot with the same SSID and just wait for the user to provide their credentials when they try to re-login? The average user will probably just go ahead and re-enter their password. No need for breaking any encryption, just a bit of social engineering.

Re:SSID (0)

Anonymous Coward | more than 4 years ago | (#31299718)

Reminds me of the old trick, pull up near someone's house, disable their wireless router, and set up your own wireless network with the same SSID and encryption, then just log their data as they access their bank accounts, online funds, etc...

Seems so easy nowadays with cell phone tethering and a laptop, I'm surprised more people don't do it.

Re:SSID (0)

Anonymous Coward | more than 4 years ago | (#31299808)

What online banking website has unencrypted logins?

Re:SSID (2, Insightful)

jibjibjib (889679) | more than 4 years ago | (#31300098)

The one on my own server that looks suspiciously similar to a major bank's website.

Re:SSID (1)

fluffy99 (870997) | more than 4 years ago | (#31300124)

What online banking website has unencrypted logins?

How many people would notice a man-in-the-middle attack where the connection between the middle and their computer wasn't encrypted/https?

Re:SSID (1)

fluffy99 (870997) | more than 4 years ago | (#31300094)

Because the password is never sent during the 4-way handshake.

Re:SSID (1)

getNewNickName (980625) | more than 4 years ago | (#31301256)

Because the password is never sent during the 4-way handshake.

I'm not talking about stealing the password from an existing connection. More simply just using the same SSID and waiting for the user to accidentally connect to the rogue router. Most users will gladly re-enter their credentials again.

Re:SSID (0)

Anonymous Coward | more than 4 years ago | (#31301542)

Not if you make the passphrase (not password) a 32 digit hex number generated by hashing an unpredictable text file that changes over time. As the user is wandering over to look up the password, (I hope) they would say: "Wait. what?"

I suppose most users don't use a passphrase.

Re:SSID (2, Informative)

fluffy99 (870997) | more than 4 years ago | (#31301954)

Because the password is never sent during the 4-way handshake.

I'm not talking about stealing the password from an existing connection. More simply just using the same SSID and waiting for the user to accidentally connect to the rogue router. Most users will gladly re-enter their credentials again.

When a client connects to a WEP or WPA access point, there is a four-way challenge-response handshake:

      1. The client station sends an authentication request to the Access Point.
      2. The Access Point sends back a clear-text challenge.
      3. The client has to encrypt the challenge text using the configured WEP key, and send it back in another authentication request.
      4. The Access Point decrypts the material, and compares it with the clear-text it had sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response.

So pretending to be their wireless access point or even sniffing the exchange won't reveal the passphrase.

Now if you pretend to be their access point and don't request authentication, then they may very well connect to you and never be the wiser. Then assuming you provide internet access, you are free to sniff or alter their data streams.

I suppose it's possible to pretend to be their access-point, and pass along the pieces of the handshake to the real access point. That would make you a man-in-the-middle, but that doesn't buy you anything more than just sniffing the traffic out of the air.

Re:SSID (1)

fractaltiger (110681) | more than 4 years ago | (#31302414)

Haven't tried this stuff, but know that Windows will tell you when you reconfigure a network to use different encryption. It then rejects your login until you go to a very specific connection wizard and tell it to the correct new type.
