
Feds Hack Wireless Network in 3 Minutes

CmdrTaco posted more than 9 years ago | from the still-can't-balance-budget dept.

Wireless Networking 501

xs3 writes "At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys. This article will be a general overview of the procedures used by the FBI team."


501 comments


fr1st (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12144604)

ps0t

Not too surprising (0, Offtopic)

SeanTobin (138474) | more than 9 years ago | (#12144605)

They didn't do a full brute force on the key (which takes around a gig of captured packets and a few cpu-hours to do). What they did was exploit the fact that many wireless APs allow you to select a pass-phrase and generate a set of keys from that. They then ran a dictionary attack against the pass-phrases and checked the resulting keys. Not a bad job, but they could do much better. Here's how:

First, the first 24 bits of the key are transmitted in clear text. This allows you to narrow the field of keys by 2^24. Not too useful on its own - but...

Secondly, pre-compute the keys of all words in a dictionary attack. Select only the resulting keys whose first 24 bits match your target. You now have ((dictionary size*4) / 2^24) keys to check through. (dictionary size is multiplied by 4 since most APs allow you to select one of four keys for any given pass-phrase.)

Now, this will handle most novices who set up their router with a weak passkey. For defense against this attack, simply don't use a password/phrase. MD5ing a certain length of /dev/urandom and using that as a passkey is almost certain to thwart this attack, although it can still be brute forced with enough captured data and cpu time.

Of course, if you really care about people sniffing your traffic, you should be using ipsec anyway.

Re:Not too surprising (5, Informative)

Anonymous Coward | more than 9 years ago | (#12144746)

Wow, you didn't read the article did you?

They didn't do a dictionary attack. What they did was use aircrack that uses a statistical method to crack the key. You need lots and lots of packets and they got those using void/deauth and a replay attack. It's all in the article.

Also, you only need one packet to brute force a key.

Re:Not too surprising (5, Informative)

Qzukk (229616) | more than 9 years ago | (#12144777)

I only managed to get to the third page of the useless article (seriously people, put more than 2 paragraphs on a page!)

But so far I have "He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers." which makes me wonder if they actually used a dictionary attack...

Finally loaded the 4th page. Apparently they knocked an authorized user off the AP repeatedly and collected the resulting flood of reauthentication packets, plus used packet replay attacks to get the AP to respond to replayed ARP requests (apparently they are easy to spot in a pcap dump despite encryption). This gave them all the IVs they needed to crack the key.

Re:Not too surprising (5, Funny)

Cruithne (658153) | more than 9 years ago | (#12144817)

What is surprising is that such a l33t cr3w used powerpoint for their presentation :/

Re:Not too surprising (2, Interesting)

Flying Purple Wombat (787087) | more than 9 years ago | (#12144834)

Interesting post, too bad I used up my mod points earlier today.

Question: what is a suitable length for a random passkey? I always use random strings for stuff like this, but wonder how long they should be.

First DEAD BEEF (5, Funny)

jargoone (166102) | more than 9 years ago | (#12144607)

Note to self: change WEP key to something other than "DEADBEEFDEADBEEFDEADBEEFDE".

Re:First DEAD BEEF (5, Funny)

Tackhead (54550) | more than 9 years ago | (#12144643)

> Note to self: change WEP key to something other than "DEADBEEFDEADBEEFDEADBEEFDE".

Note to poster: DEADFEDDEADFEADDEADFED is also a poor choice.

Re:First DEAD BEEF (5, Funny)

jargoone (166102) | more than 9 years ago | (#12144684)

Note to poster: DEADFEDDEADFEADDEADFED is also a poor choice.

Indeed it is. It's several characters too short.

Re:First DEAD BEEF (2, Funny)

British (51765) | more than 9 years ago | (#12144825)

Alternate Wep key(er, something like this): BA DB 0B 13 37 (bad bob leet)

I personally prefer (4, Funny)

arglesnaf (454704) | more than 9 years ago | (#12144903)

DECAFC0FFEEBADBADBADBADBAD

WEP = weak (4, Insightful)

null etc. (524767) | more than 9 years ago | (#12144614)

WEP was almost a weak afterthought for wireless technology. This is just a demonstration of why WEP users should switch to WPA.

WPA is just as 'weak' against Brute Force (4, Insightful)

Phoenixhunter (588958) | more than 9 years ago | (#12144660)

As long as people continue to use dictionary based passwords, it doesn't really matter how good the encryption is.

Re:WPA is just as 'weak' against Brute Force (0, Redundant)

0kComputer (872064) | more than 9 years ago | (#12144869)

Yeah, but the article said he used random letters and numbers.

Re:WPA is just as 'weak' against Brute Force (4, Interesting)

hey! (33014) | more than 9 years ago | (#12144920)

Personally, I use "random.org" to generate 152 bit keys. These should be reasonably secure from brute force attacks.

This is reasonably secure for most of my clients, but I'm still a bit worried about those mind-control-rays penetrating my tinfoil hat. How do I know the numbers weren't intercepted? Granted, I'm not advertising the customers they're going to, but you can never be too careful.

Anybody have experience with building and integrating a hardware random number generator?

Re:WEP = weak (5, Insightful)

gad_zuki! (70830) | more than 9 years ago | (#12144722)

Is WPA a solution? WPA is just as, if not more, susceptible to a dictionary attack because it's password-based. WEP isn't usually, but in this case they were using a dictionary attack to crack APs which generate keys from English words. Like Linksys does.

More info here. [google.com]

Re:WEP = weak (1)

null etc. (524767) | more than 9 years ago | (#12144769)

WPA is just as, if not more, susceptible to a dictionary attack because its password based.

One problem is that many routers allow the user to enter a "password", which is then hashed into a WEP key. I personally know several people who use passwords to generate their WEP key.

How is this news? (4, Insightful)

Nintendork (411169) | more than 9 years ago | (#12144615)

Do we really think the FBI is so ignorant that they aren't aware of WEP and WPA cracking utilities?

Pffft Cracking? The Feds have backdoors! (5, Funny)

Phoenixhunter (588958) | more than 9 years ago | (#12144898)

Nah, they have the manufacturers build in a backdoor! Didn't you watch 24 last night? All they needed was the manufacturer ID and they got root access!

Re:Pffft Cracking? The Feds have backdoors! (1)

PedanticSpellingTrol (746300) | more than 9 years ago | (#12144914)

Backdoor? More like "Unchanged default settings". Works just fine IRL.

FP (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12144616)

First Post Linux Rocks!!!

slashdot keeps its amazing streak up! (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12144618)

anti-slash.org!
anti-slash.org!
anti-slash.org!
rob malda sucks dick for canadian quarters

Those Crazy Feds (2, Funny)

clarus (39399) | more than 9 years ago | (#12144619)

Was the password public?

I bet it was public:public

Silly FBI

Re:Those Crazy Feds (2, Funny)

Cumstien (637803) | more than 9 years ago | (#12144778)

No linksys like the ID.

Re:Those Crazy Feds (5, Funny)

lucabrasi999 (585141) | more than 9 years ago | (#12144812)

I bet it was public:public

Actually, the Password was 1-2-3-4-5.

I found that to be rather disturbing, since I have the same combination on my luggage.

Re:Those Crazy Feds (1)

robbyt (528845) | more than 9 years ago | (#12144873)

i bet the password was either "love" "secret" "god" or "sex" YOUR TAX DOLLARS AT WORK! HACK THE GIBSON!!

takes me longer than 3 minutes (5, Funny)

amichalo (132545) | more than 9 years ago | (#12144620)

Damn those feds are good.

It takes me longer than 3 minutes just to type the WEP key from my router into my client!

Re:takes me longer than 3 minutes (0, Offtopic)

ahsile (187881) | more than 9 years ago | (#12144658)

... ... ...
bwa ha ha ha ha ha.

This is so true.

Re:takes me longer than 3 minutes (1)

WwWonka (545303) | more than 9 years ago | (#12144698)

It takes me longer than 3 minutes just to type the WEP key from my router into my client!

Yeah I know, it takes me forever to remember how to spell kwyjibo as well!

Duh . . . (-1)

Anonymous Coward | more than 9 years ago | (#12144622)

We are surprised .. .why?

The feds can do this too? (0)

llzackll (68018) | more than 9 years ago | (#12144632)

I've been doing this for years. Now the feds have their hands on this technology. Run for cover!

Suprise! (0)

ptrangerv8 (644515) | more than 9 years ago | (#12144640)

But who's surprised that the *feds* can brute force a WLAN? From my own (albeit limited) understanding, it's not too hard to packet sniff and crack on your own... The feds have more CPU power than *most* average joes anyhow, so I'm just surprised that they decided to go public with this...

Re:Suprise! (0, Troll)

Patrick Mannion (782290) | more than 9 years ago | (#12144670)

The EFF and ACLU conspiracy types will be crawling out of the woodwork now. RUN FOR COVER!

No worries. (5, Funny)

unstable23 (242201) | more than 9 years ago | (#12144650)

I live in the middle of nowhere. I think I may notice two men sitting with a laptop in an ominous black car with government plates, as the only place they could be close enough is my driveway.

Still, it may be time to look at running an IPSEC tunnel over the wireless network.

Re:No worries. (5, Funny)

B3ryllium (571199) | more than 9 years ago | (#12144721)

But what if they have special FBI antennas? Made from FBI pringles cans?

Re:No worries. (5, Funny)

_Sprocket_ (42527) | more than 9 years ago | (#12144794)

....black, ominous pringles cans?

Re:No worries. (0)

Anonymous Coward | more than 9 years ago | (#12144820)

With silent black helicopter blades...

Re:No worries. (1)

Anarke_Incarnate (733529) | more than 9 years ago | (#12144842)

They don't need pringles cans. They hack you using frickin' laser beams.

Re:No worries. (1)

the_pooh_experience (596177) | more than 9 years ago | (#12144813)

But they'll be hiding. Their ominous black car will not have government plates on it.

Re:No worries. (1)

Striikerr (798526) | more than 9 years ago | (#12144824)

" I live in the middle of nowhere. I think I may notice two men sitting with a laptop in an ominous black car with government plates, as the only place they could be close enough is my driveway."

Shortly after this was posted, the ominous black car sped off. Moments later, an ominous black van with the company name

Flowers
By
Irene

on the side pulled up and parked.

Tongue, Meet Cheek (5, Interesting)

American AC in Paris (230456) | more than 9 years ago | (#12144654)

Thankfully, the FBI are the good guys.

When I first read the closing line of the article, I chuckled.

Then I felt dismayed.

It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.

Re:Tongue, Meet Cheek (1, Informative)

Threni (635302) | more than 9 years ago | (#12144705)

> It really is a shame when the prevailing "geek" attitude towards agencies like
> the FBI is mistrust and fear, not confidence and respect.

I can't tell if you're being sarcastic or not. Perhaps you're an American and have therefore been brainwashed into not looking too hard at what the FBI, CIA etc have been up to for the last 30 years! How about you give the books "hegemony or survival" or "understanding power" by Noam Chomsky a couple of evenings of your time?

Re:Tongue, Meet Cheek (-1)

Anonymous Coward | more than 9 years ago | (#12144785)

Right, because Chomsky is such an objective, unbiased, informed author.

Not.

Re:Tongue, Meet Cheek (2, Insightful)

Boronx (228853) | more than 9 years ago | (#12144868)

Whoa. You don't have to read Chomsky to know that these guys are quite often up to no good.

Re:Tongue, Meet Cheek (3, Insightful)

Anonymous Coward | more than 9 years ago | (#12144888)

Sometimes biased people are the only ones willing to present certain FACTS at all.

Actually, replace "sometimes" with "almost always".

Honestly, the only people who should worry about bias to the extent of ignoring an entire publication or speaker are the ones too fucking stupid to cross-reference citations. Chomsky is usually damned thorough and rigorous about referencing neutral media - in fact at least 25% of his communication, in my experience, has been debunking "leftist" bullshit. Intelligent people on the "right" do the same kind of self-policing. It's only the sheep-like extremist newbies that howl about bias day-in and day-out.

Re:Tongue, Meet Cheek (5, Interesting)

SeattleGameboy (641456) | more than 9 years ago | (#12144728)

It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.

Shame... but well earned. Just read the history of FBI.

Re:Tongue, Meet Cheek (1)

Robotron23 (832528) | more than 9 years ago | (#12144759)

But we geeks HAVE to make out we think they're the good guys...otherwise they'll get us!

Re:Tongue, Meet Cheek (4, Insightful)

be-fan (61476) | more than 9 years ago | (#12144780)

Confidence and respect should not get in the way of pragmatism. To a great degree, the FBI's interests and one's own align. To a lesser degree, they are divergent. This is particularly true in the realm of privacy, where it is in the FBI's interest to violate it, and your own interest to protect it. In cases where interests do not coincide, it is completely rational to not be at least wary.

Re:Tongue, Meet Cheek (2, Insightful)

be-fan (61476) | more than 9 years ago | (#12144810)

Let's try that again. "It is irrational to not be at least wary".

Re:Tongue, Meet Cheek (3, Interesting)

Verteiron (224042) | more than 9 years ago | (#12144870)

Well, I would be pretty disappointed if the FBI couldn't do this. I'm also pretty confident that if they are publicly announcing a 3-minute crack, they've probably got a 30-second cracking process down in the basement. Of course, that won't be announced until the 10-second one is working...

My respect for the FBI borders on paranoia because it is their job to have access to things that I do not. I'm pretty sure it's human nature (at least for -this- human) to keep a respectful, watchful eye on those with more knowledge than I have.

Re:Tongue, Meet Cheek (1)

Ogive17 (691899) | more than 9 years ago | (#12144871)

It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.

Here comes my off topic/flamebait comment. The prevailing "geek" attitude is to congregate in large online communities and complain about the daily news while hiding behind monikers. Everything government is automatically taboo.

FEDS HAXED MY HARD DRIVE - I NEED UR HELP! (0, Troll)

MAIL ME UR PORN (873573) | more than 9 years ago | (#12144656)

I lost my hard drive and now ALL of my porn is GONE!

I still have my gmail tho so if everyone would PLEASE MAIL ME PORN I would REALLY APPRECIATE IT!

!!! My email address is mailmeurporn@gmail.com !!!
THANK YOU KIND /.! :)

Comment (5, Funny)

pete-classic (75983) | more than 9 years ago | (#12144665)

None of the agents could be reached for comment, as they were all busy arresting each other citing the Patriot Act and the DMCA.

-Peter

IOW: Do as we say, not as we do... (1, Flamebait)

denis-The-menace (471988) | more than 9 years ago | (#12144765)

Government hypocrisy at its best.

Countermeasures & Conclusion (-1, Redundant)

anandpur (303114) | more than 9 years ago | (#12144674)

1) Network segregation
Put your access point on a separate subnet, with a firewall separating the wireless and internal users

2) Change the default settings on your access point
Default settings (SSID, administrator password, channel) are well known and even included as part of some WLAN attack tools

3) Use WPA with a strong key
WPA is a definite improvement over WEP in providing wireless security. But the version intended for home and SOHO use--WPA-PSK--has a weakness shared by any passphrase security mechanism. The choice of simple, common and short passphrases may allow your WPA-protected WLAN to be quickly compromised via dictionary attack (more info here).

4) Update your firmware
This is helpful if your AP or client doesn't currently support WPA. Many manufacturers have newer firmware for 802.11g products that add WPA support. You may also find this for 802.11b gear, but it's not as common. Check anyway!

5) Turn off the WLAN when not in use
A $5 lamp timer from your local hardware store is a simple, but effective way to keep your WLAN or LAN from harm while you're sleeping.

Re:Countermeasures & Conclusion (5, Informative)

Anonymous Coward | more than 9 years ago | (#12144761)

If you're going to cut-and-paste for karma, please CITE YOUR REFERENCES!

The page you snipped this from is cached here:

http://66.102.7.104/search?q=cache:ChC8gBE_LsEJ:ww w.tomsnetworking.com/Sections-print-article111.php +%22definite+improvement+over+WEP+in+providing+wir eless+security%22&hl=en&client=firefox-a [66.102.7.104]

Re:Countermeasures & Conclusion (3, Informative)

Homology (639438) | more than 9 years ago | (#12144845)

Even more secure :

1) Install OpenBSD [openbsd.org] after plugging in a wireless card that can be used in hostap mode.

2) Install OpenVPN [openvpn.net] (that has a nice Windows client), and generate server and client certificates. There are howto and scripts for this.

3) Configure the built-in OpenBSD packet filter [openbsd.org] to only accept connections to/from OpenVPN ports on the wireless NIC.

4) Show war drivers the finger.

Re:Countermeasures & Conclusion (1)

Pxtl (151020) | more than 9 years ago | (#12144884)

#4 is the main reason I haven't moved to WPA. It just takes too much time to go through and figure out how to get each machine onto it - especially since WPA is a new feature on the WinXP boxes and I have had enough of a headache with XP's wireless system (SP2 and my wifi card didn't really get along).

Website DOSed in less than three minutes. (0)

Anonymous Coward | more than 9 years ago | (#12144677)

Mirror???

Script Kiddies (0)

Anonymous Coward | more than 9 years ago | (#12144682)

So what this is telling us is the Feds are really just script kiddies?

Encryption is now useless (5, Insightful)

d'oh89 (859382) | more than 9 years ago | (#12144685)

Guess it's time to pack it up and go home? Course not. No one in their right mind would trust 128 bit encryption over a wireless network for enterprise sensitive data. That's why we have other methods available (Secure token comes to mind). Now if someone really wanted your credit card number when you buy Doom 3 from Amazon.com, they're gonna get it. Luckily you'll probably get your money back when they buy a nice new 30" Mac display and a dual 2.5 GHz system.

People just need to realize that nothing is infallible, maybe when this is mentioned on Fox News or CNN the general public will learn that they shouldn't trust their network for sensitive data. I know I don't.

Re:Encryption is now useless (3, Informative)

gregor_b_dramkin (137110) | more than 9 years ago | (#12144847)

"No one in their right mind would trust 128 bit encryption over a wireless network"

No one in their right mind makes absolute statements. Yes, I know. This sentence is a paradox. Or is it?

The number of bits is not the problem. The (a) problem with WEP is that it contains weaknesses which allow shortcuts that take less time than an exhaustive search of the keyspace would take. The effective strength of 128 bit WEP is regarded as much weaker than 128 bit AES encryption.

In Soviet Russia (-1, Offtopic)

elasticwings (758452) | more than 9 years ago | (#12144690)

Wireless Encryption cracks you!!!

Filter by MAC Address (0)

Anonymous Coward | more than 9 years ago | (#12144691)

On top of WEP encryption, you should also try to filter access to your wireless network using MAC addresses. I do not think a hacker would be able to easily get around that....

You are joking right? (4, Informative)

Anonymous Coward | more than 9 years ago | (#12144823)

On top of WEP encryption, you should also try to filter access to your wireless network using MAC addresses. I do not think a hacker would be able to easily get around that...

OK, just in case you seriously don't know, MAC addresses are not encrypted, so it is dead simple to sniff traffic to find valid MAC addresses and then change the MAC address of the hacking box to the valid MAC address (usually during a time when that machine is not actually connected). I've heard that this is a good way to gain access at pay to play locations like Starbucks ;) MAC filtering will only stop the very casual person from gaining access to your network.

Also keep in mind that MAC filtering only prevents someone from joining the network; you can still sniff the packets at will.

Re:Filter by MAC Address (1)

PerspexAvenger (671820) | more than 9 years ago | (#12144843)

Given that they're attacking an access-point in use in this case (with validated clients connected), all they need do is snarf the MAC of a good client, wait till they disconnect, and they can reconfigure their card to present a perfectly valid address.
Finding the WEP key is the harder bit.

sniff, sniff, sniff, Ew, MAC address! (1)

denis-The-menace (471988) | more than 9 years ago | (#12144856)

Change MAC address of my nic
Try again. (probably wait until the other guy shuts off his Laptop, though.)

Already acting slow... (5, Informative)

Theaetetus (590071) | more than 9 years ago | (#12144693)

Seems this is also an article in how to /. a server in 3 minutes...

Assembled, for your pleasure:
-------

Title: The Feds can own your WLAN too

Introduction
Millions of wireless access points are spread across the US and the world. About 70 percent of these access points are unprotected--wide open to access by anyone who happens to drive by. The other 30% are protected by WEP (Wired Equivalent Privacy) and a small handful are protected by the new WPA (Wi-Fi Protected Access) standard.

At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys.

This article will be a general overview of the procedures used by the FBI team. A future article will give step-by-step instructions on how to replicate the attack.

WEP Cracking - The Next Generation

WEP is an encryption scheme, based on the RC-4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter and the scrambled message is then decrypted by the receiver.

Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV), is part of the key, so a 64 bit WEP key actually contains only 40 bits of "strong" encryption while a 128 bit key has 104. The IV is placed in the encrypted frame's header, and is transmitted in plain text.

Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets--a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.

Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, "It doesn't matter if you use 128 bit WEP keys, you are vulnerable!"

On with the Show

Before we get into the steps that the FBI used to break WEP, it should be noted there are numerous ways of hacking into a wireless network. The FBI team used publicly available tools and emphasized that they are demonstrating an attack that many other people are capable of performing. On the other hand, breaking the WEP key may not necessarily give an attacker complete access to a wireless network. There could also be other protection mechanisms such as VPNs or proxy servers to deal with.

For the demonstration, Special Agent Bickers brought in a NETGEAR wireless access point and assigned it a SSID of NETGEARWEP. He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers.

Note that normally, you have to find wireless networks before you can crack them. The two wireless scanning tools of choice are Netstumbler for Windows or Kismet for Linux. Since the other WEP cracking tools are mainly Linux-based, most people find it easier to stick with Kismet, so they don't have to switch between Windows and Linux.

Another FBI agent started Kismet and immediately found the NETGEARWEP access point. Just for fun, a third agent used his laptop and ran FakeAP, a program that confuses scanning programs by putting up fake access points.

Attack!

After a target WLAN is found, the next step is to start capturing packets and convert them into pcap (short for packet capture) format. These pcap files will then be processed by other programs. Many programs, both commercial and open source, can be used to capture packets, but the two favorites seem to be Kismet or Airodump (now part of Aircrack). Ideally, one laptop should be scanning, while another laptop will be running the attack--which is what the FBI team did.

About half a dozen different software tools were then used by the FBI team, and they are listed--along with their download links--at the end of the article. Thankfully, the Auditor's Security Collection, which we reviewed last year, is a live CD that has all of these tools already installed. Even the FBI likes this distribution.

If a hacker is lucky enough to find an extremely busy wireless network, passive sniffing should provide enough good packets to allow the WEP key to be recovered. In most cases, however, an active attack or series of attacks is needed to jump start the process and produce more packets. Note that active attacks generate wireless traffic that can itself be detected and possibly alert the target of the attack.

The FBI team used the deauth feature of void11 to repeatedly disassociate the laptop from the access point. Desired additional traffic was then generated as Windows XP tried to re-associate back to the AP. Note that this is not a particularly stealthy attack, as the laptop user will notice a series of "Wireless Network unavailable" notifications in the taskbar of their desktop screen.

Another attack method the FBI team used is a replay attack. The basic premise of this attack is to capture at least one packet traveling from the victim laptop to victim access point. This packet can then be replayed into the network, causing the target AP to respond and provide more traffic to capture.

Aireplay (also part of Aircrack) can perform a replay attack based on captured ARP (Address Resolution Protocol) packets, which are broadcast at regular intervals in wired and wireless networks and are easy to spot. Aireplay automatically scans a captured pcap file, pulls out the suspected ARP requests, and replays them to the access point.

After about three minutes of capturing and cracking, the FBI team found the correct WEP key, and displayed it on a projected notebook screen. Agent Bickers, still speaking to the audience, turned around, looked at the screen and was surprised, "Usually it takes five to ten minutes."

Countermeasures & Conclusion

So what can you do to prevent hackers from getting into your network? Special Agent Bickers and his team have some tips for wireless users. He stresses that these are mainly for home users and should not be considered as official FBI best practices for businesses.

1) Network segregation
Put your access point on a separate subnet, with a firewall separating the wireless and internal users

2) Change the default settings on your access point
Default settings (SSID, administrator password, channel) are well known and even included as part of some WLAN attack tools

3) Use WPA with a strong key
WPA is a definite improvement over WEP in providing wireless security. But the version intended for home and SOHO use--WPA-PSK--has a weakness shared by any passphrase security mechanism. The choice of simple, common and short passphrases may allow your WPA-protected WLAN to be quickly compromised via dictionary attack (more info here).

4) Update your firmware
This is helpful if your AP or client doesn't currently support WPA. Many manufacturers have newer firmware for 802.11g products that add WPA support. You may also find this for 802.11b gear, but it's not as common. Check anyway!

5) Turn off the WLAN when not in use
A $5 lamp timer from your local hardware store is a simple, but effective way to keep your WLAN or LAN from harm while you're sleeping.

Bickers also said that if you have an access point that can swap keys fast enough, you may be able to stay ahead of an attacker. "Most likely they will get bored and attack someone else." But for most WLAN owners, this method isn't practical.

The FBI demonstrated this attack to the computer security professionals at the ISSA meeting in order to show the inadequate protection offered by WEP. It is one thing to read stories of WEP being broken in minutes, but it is shocking to see the attack done right before your eyes. It was fast and simple.

Thankfully, the FBI are the good guys.
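The pasted article notes that the two active attacks it describes (the void11 deauth flood and the aireplay ARP replay) generate traffic that the target can detect. As an added example, not from the article or from any of the tools it names, here is a small analyzer for a constructed key=value frame-capture log (the log format, MAC addresses and thresholds are assumptions) that flags both signatures from the defender's side:

```python
"""Flag deauth floods and replayed WEP data frames in a frame-capture log.

Added example, not code from the original article.  The key=value log format
is an assumed summary of an 802.11 capture; the sample below is constructed.
"""
from collections import defaultdict, deque
import re

# Constructed addresses for the sample capture (not real devices).
AP = "02:00:00:00:00:aa"   # access point BSSID
C1 = "02:00:00:00:00:01"   # victim client
C2 = "02:00:00:00:00:02"   # an unrelated client

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def _line(t, **kv):
    """Build one constructed log line: 't=<sec> key=value ...'."""
    return f"t={t:.2f} " + " ".join(f"{k}={v}" for k, v in kv.items())


# Constructed sample: normal traffic, then six deauth frames spoofing the AP
# toward C1 within half a second (the void11-style flood), C1 re-associating,
# then one of C1's short encrypted frames injected four times (ARP replay).
SAMPLE_LOG = "\n".join([
    _line(0.00, type="data", src=C1, dst=AP, bssid=AP, iv="1a2b3c", len=412, body="8f1c9d"),
    _line(0.30, type="data", src=C2, dst=AP, bssid=AP, iv="77aa01", len=1500, body="0b44e2"),
    *[_line(1.0 + 0.1 * i, type="mgmt", subtype="deauth", src=AP, dst=C1, bssid=AP)
      for i in range(6)],
    _line(1.60, type="mgmt", subtype="assoc_req", src=C1, dst=AP, bssid=AP),
    *[_line(2.0 + 0.1 * i, type="data", src=C1, dst=AP, bssid=AP, iv="0c0ffe", len=68, body="3a3a3a")
      for i in range(4)],
    # Legitimate IV reuse by C2 (24-bit IV space wraps): same IV, different ciphertext.
    _line(2.60, type="data", src=C2, dst=AP, bssid=AP, iv="1a2b3c", len=300, body="c0d1e2"),
])


def parse_log(text):
    """Parse key=value lines into dicts; 't' becomes a float, everything else stays a string."""
    frames = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(FIELD_RE.findall(line))
            rec["t"] = float(rec["t"])
            frames.append(rec)
    return frames


def detect_deauth_floods(frames, window=5.0, threshold=5):
    """Return {(bssid, client): info} where >= threshold deauths hit one client in a sliding window."""
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps still inside the window
    alerts = {}
    for f in frames:
        if f.get("type") != "mgmt" or f.get("subtype") != "deauth":
            continue
        key = (f["bssid"], f["dst"])
        q = recent[key]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = {"count": len(q), "first": q[0], "last": f["t"]}
    return alerts


def detect_replays(frames, threshold=3):
    """Return {(src, bssid, iv, body): [timestamps]} for data frames repeated verbatim.

    IV reuse alone is normal in WEP (only 2^24 IVs), so a replay is only flagged
    when the IV *and* the ciphertext body repeat from the same sender.
    """
    seen = defaultdict(list)
    for f in frames:
        if f.get("type") != "data" or "iv" not in f:
            continue
        seen[(f["src"], f["bssid"], f["iv"], f["body"])].append(f["t"])
    return {k: ts for k, ts in seen.items() if len(ts) >= threshold}


def analyze(text):
    """Run both detectors over a log and return their findings together."""
    frames = parse_log(text)
    return {"deauth_floods": detect_deauth_floods(frames),
            "replays": detect_replays(frames)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for key, info in hits.items():
            print(kind, key, info)
```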

In Splinter Cell They Break PGP In 3 Seconds! (1, Troll)

Pants75 (708191) | more than 9 years ago | (#12144704)

Sam, I mean Me, got hold of some encrypted data out of a "Data Stick" and that Grim girl back at the office had it cracked in no time!

I didn't even have to hang around in the dark waiting for her to load up her secret PGP cracking software!

Re:In Splinter Cell They Break PGP In 3 Seconds! (0)

Anonymous Coward | more than 9 years ago | (#12144908)

In Soviet Russia, we crack YOU.

Protection (5, Interesting)

dpace32 (740923) | more than 9 years ago | (#12144709)

I am surprised that wireless A/Ps don't block a MAC address after X number of attempts

Re:Protection (1)

PerspexAvenger (671820) | more than 9 years ago | (#12144875)

Would be a very easy way to perform a denial-of-service against an authorised user, unfortunately - find who you want locked offline, clone their MAC, and simply spew crap against the access point till it gets the hump and closes the door on that MAC addy.

Re:Protection (0)

Anonymous Coward | more than 9 years ago | (#12144881)

Not half as surprising as that the attacker doesn't change its MAC address after every X number of attempts..

Re:Protection (1)

Sunspire (784352) | more than 9 years ago | (#12144913)

That would be entirely pointless, the attacker will simply change his MAC which takes him half a second, while legitimate users may lock themselves out or be subjected to DoS attacks.

Hmm... (1)

Robotron23 (832528) | more than 9 years ago | (#12144714)

This is a good development, considering how heavily law enforcement authorities worldwide have been criticised regarding their dealing with cyber crime, reflected in low conviction rates and a general obscurity about such agencies, not to mention in ever sensationalizing press reports.

Perhaps this'll lead to a surge in cyber operations, and probably new employment opportunities within the FBI and other such organizations?

WEP is only useful for (4, Interesting)

josepha48 (13953) | more than 9 years ago | (#12144740)

preventing people from accidentally accessing your network. In basic wireless security, you should change the SSID, and use wep. That way your neighbor, if they have a wifi card, cannot just see your network and start surfing on it right away. It will take them 3 minutes (LOL). Actually, just changing the SSID and using WEP will help prevent the potential issue of what happens when you have 3 wifi networks all with the same SSID. What will a client do when it tries to access the network? It should find the strongest signal, but sometimes you may have 2 signals that are the same strength, and the client will get a DHCP IP address from one and then try to surf through the other and may have flaky access. I change the SSID for that reason and add WEP to keep the honest people out.

WEP is like gun laws in the US. They only keep the honest people from having guns. What a great society we live in.

Re:WEP is only useful for (1)

beavis88 (25983) | more than 9 years ago | (#12144787)

WEP is like gun laws in the US. They only keep the honest people from having guns

Of course, if everyone in society was honest, we wouldn't need any laws, right?

Re:WEP is only useful for (1, Troll)

i.r.id10t (595143) | more than 9 years ago | (#12144874)

An armed society is a polite society.

Re:WEP is only useful for (1)

CynicalGuy (866115) | more than 9 years ago | (#12144896)

WEP is like gun laws in the US. They only keep the honest people from having guns

Of course, if everyone in society was honest, we wouldn't need any laws, right?

Wouldn't need any guns either..

Re:WEP is only useful for (1)

rworne (538610) | more than 9 years ago | (#12144902)

Yes, if laws were only for things like theft, perjury, libel and the like.

Laws cover other issues. For example: quality of life and revenue generation. Just because your neighbor blasts polka music and "banana phone" all hours of the night doesn't make him dishonest. But it can be illegal.

I can drive in excess of the speed limit. It doesn't make me dishonest but it does allow local law enforcement to extract revenue from me with fines.

Re:WEP is only useful for (1)

glesga_kiss (596639) | more than 9 years ago | (#12144911)

In basic wireless security, you should change the SSID, and use wep.

I had to change my SSID for other reasons. The default on Cisco kit is "tsunami", and seeing as I set it up just after Christmas it seemed necessary to change it...

Wifi: Feds best friend on a stakeout (5, Funny)

9mm Censor (705379) | more than 9 years ago | (#12144757)

So now when the feds are parked out in front of your house waiting for you to leave your apartment, they can leech off your neighbours wifi...

Not really WEP weakness (5, Insightful)

Jaime2 (824950) | more than 9 years ago | (#12144771)

This doesn't show that WEP is insecure... simply that the key-generation schemes favored by many manufacturers are insecure. Netscape 2.2 was vulnerable to the same type of weakness by using 22 bits of information to build its 40-bit session key for SSL.

BTW, assuming a similar key generation scheme, this technique could break AES or 3DES; the encryption algorithm is irrelevant here. Why is it that vendors of security products can't figure out security?
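As an added example (not code from the article or from any commenter), here is the passphrase-to-key concern from recommendation 3 and from the comment above, worked through in Python: the WPA-PSK derivation as specified in IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) next to a defender-side estimate of how much entropy actually reaches the derived key. The toy dictionary, the sample passphrases and the 80-bit threshold are assumptions made for the demo.

```python
# Added example: WPA-PSK key derivation and why a derived key is only as strong
# as its input. The derivation follows IEEE 802.11i; the dictionary, sample
# passphrases and the minimum_bits threshold are constructed for this demo.
import hashlib
import math
import string

def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA pre-shared key from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def effective_key_bits(nominal_bits, input_entropy_bits):
    """A key derived from a low-entropy input inherits that entropy, whatever
    its nominal length (the 22-bits-into-40-bit case from the comment above)."""
    return min(nominal_bits, input_entropy_bits)

def passphrase_entropy_bits(passphrase, dictionary=frozenset()):
    """Defender-side guessing-entropy estimate: a dictionary word is worth
    log2(dictionary size); otherwise length * log2(character pool size)."""
    if passphrase.lower() in dictionary:
        return math.log2(len(dictionary))
    pool = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation):
        if any(c in charset for c in passphrase):
            pool += len(charset)
    return len(passphrase) * math.log2(pool) if pool else 0.0

def assess(passphrase, ssid, dictionary=frozenset(), minimum_bits=80):
    """Return the derived PSK, the entropy that reaches it, and a verdict."""
    entropy = passphrase_entropy_bits(passphrase, dictionary)
    return {
        "psk": wpa_psk(passphrase, ssid).hex(),
        "effective_bits": effective_key_bits(256, entropy),
        "strong_enough": entropy >= minimum_bits,
    }

if __name__ == "__main__":
    # Constructed toy dictionary; a real wordlist would be far larger.
    words = frozenset({"password", "letmein", "tsunami", "wireless"})
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple!42"):
        print(pw, assess(pw, "IEEE", words))
```

Changing the SSID from a vendor default (recommendation 2) also changes the salt, so a PSK precomputed for a default SSID does not carry over to a renamed network.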

And then they arrested themselves... (-1, Troll)

Max Threshold (540114) | more than 9 years ago | (#12144783)

...for DMCA violations and acts of computer terruh. Right?

It's simple - use WAP-PSK (1, Interesting)

Vrejakti (729758) | more than 9 years ago | (#12144800)

Just need an actual "password". My 63 character WAP password does me quite nicely, and I don't have to change it once in my lifetime since it would take near a googolplex years to crack with brute force anyways. If there's a problem in the firmware, well that's another story.

For those interested, my WAP passphrase is t2h4e1r0e4a1r0e5XXXXXXXXXXi7d1e6s1t1o9e0v5e9r1y5s7 t6o0r9y5y6o1u
(Those 10 X's are just for my protection, can't give it all away now or I might have to think about changing it!)

And yes, I DO have that memorized.

other way around (3, Funny)

404forbidden (872210) | more than 9 years ago | (#12144802)

I read too fast; at first I read "fed wireless network hacked in 3 minutes" ... "old news" I thought..

I'm in shock (1)

oil (594341) | more than 9 years ago | (#12144804)

Here, all this time I thought that those G-Men were just clean cut, straw hat wearing good guys. My world is shattered.

Oh well, back to Vice City.

so they can crack wep, big deal? (0)

Anonymous Coward | more than 9 years ago | (#12144806)

So what can you do with this info? Watch what you browse on the web???

In order for them to get anything out of my network they would have to hack my ssh keys & password since all my internal traffic is ssh protected.

one word: (0, Offtopic)

Run4yourlives (716310) | more than 9 years ago | (#12144891)

email.

Just Leave It Open (5, Funny)

duffer_01 (184844) | more than 9 years ago | (#12144836)

Glad I didn't go through the effort of locking mine down. Who has the last laugh now, Mr. "You gotta lock that thing down"?

What about japanese? (0)

Anonymous Coward | more than 9 years ago | (#12144850)

What if my passphrase is based on one or more foreign languages?

Great, reasonable doubt in a pringles can (5, Insightful)

maird (699535) | more than 9 years ago | (#12144863)

So, just about any law you can break with a computer is now fair game. When you go to court just refer to the three minutes it could have taken some nefarious hacker to use your network without your knowledge. Since the likelihood of such an attack is low then I recommend everyone use a dictionary entry to generate keys. It will keep your neighbours off your network and you'll leave yourself with a perfect reasonable doubt defence when sued or prosecuted.

Read it and WEP (1)

krough (771131) | more than 9 years ago | (#12144867)

All your EVERYTHING are belong to us.

Yeah? well, decrypt this! (0, Troll)

ylikone (589264) | more than 9 years ago | (#12144886)

Here is an encrypted message which uses a method I made up myself. I know nothing about cryptography... so maybe this is easy to crack, but maybe not. Try to crack it if you can, the decoded message will give further instructions.


Good luck.

And I always thought... (0, Troll)

jessecurry (820286) | more than 9 years ago | (#12144897)

...that the feds were clueless when it comes to technology :)

With my help.. (1)

JFlex (763276) | more than 9 years ago | (#12144899)

..they could do it in under 2.

Is wireless security overrated? (2, Insightful)

loopsandsounds (752223) | more than 9 years ago | (#12144900)

Maybe 10% of the population are aware of WEP's weaknesses, but would the other 90% understand what/where/how to configure WPA on an AP or gateway? I'm not quite sure that Joe home user should be so worried about his WEP key. Most home users don't have any security policy or strategy (i.e. millions of exploited Windows machines sitting directly on the internet), and most businesses have a poor network security policy. As a consultant for a large networking manufacturer, I am amazed at the lengths corporations will go to in securing their wireless network, meanwhile you can walk into unsecured parts of the building and just plug in (no 802.1x), or they have a substandard VPN or internet gateway solution. Maybe it would make more sense for our government to do seminars on security practices for computing (including wireless networking) versus demonstrating a 4 year+ old IV weakness vulnerability?

Most likely /.'er response (2, Funny)

Cereal Box (4286) | more than 9 years ago | (#12144926)

How dare they! The feds have no right to break into someone's wireless network, no matter how simple the password! I want to see the FBI taken down for this! <continues ranting about "the feds">...

I'm sure we'll hear many comments along those lines from Slashdotters who are no doubt using a wireless connection that they've broken into...

Corporate Espionage (3, Insightful)

SunFan (845761) | more than 9 years ago | (#12144927)

This is why I always get a little nervous seeing wireless routers stuck to the ceilings of some offices. Given the average security of most offices with wired networks, the outlook for un-wired networks isn't good, IMO.

Pulling cable is a PITA, but it is a layer of physical security that shouldn't be dismissed too soon.