
Roger Hockaday, Aruba Networks, EMEA: WPA – Is Wireless Security ‘Cracked’?

January 2009 by Roger Hockaday, director of marketing, Aruba Networks, EMEA

In October, a Russian company’s use of an NVidia graphics card to accelerate the recovery of encrypted WPA wireless passwords by an astonishing 10,000% was widely covered in the media. In November, Erik Tews and Martin Beck published a paper that was widely reported as having shown that WPA was ‘broken’.

Were these simply new vulnerabilities in protocols already known to be broken – and unused in modern networks – or do they represent a significant threat to businesses operating a wireless network?

The answer lies – as is so often the case – somewhere in the middle. An organisation that has implemented a modern wireless LAN with client to core encryption based around WPA2-AES with 802.1x authentication, supplemented with Wireless Intrusion Detection, remains completely secure and unaffected by these vulnerabilities. However, not all organisations have taken the time to effectively secure their wireless networks, and in some cities, 80-90% of networks remain potentially vulnerable to hackers.

A review of wireless security

Wired Equivalent Privacy (WEP) provided security for early wireless networks. Ratified in 1999 by the IEEE, WEP used the RC4 stream cipher for confidentiality and a CRC-32 checksum for integrity. Now discredited as a security protocol, WEP’s weak initialisation vectors – primarily the password – are easy to break, and the lack of CRC encryption means there is no integrity check on the headers. Consequently, it takes only a matter of moments for a hacker to break the encryption, and for many years the advice has been that WEP should not be used to secure any network. Despite this, a worrying number of access points (approaching half in some cities) remain secured only with WEP.

Improved security resulted from combining WEP with TKIP (Temporal Key Integrity Protocol) to create WPA-TKIP. This removed some of the weak initialisation vectors (adding more characters to the password) and used a Message Integrity Check (MIC) to stop replay attacks. Endorsed by the Wi-Fi Alliance, it is a subset of 802.11i and had the advantage of requiring only a firmware upgrade on existing devices (unlike WPA2, which required hardware changes). However, WPA-TKIP (or simply ‘WPA’, as it is often referred to) is vulnerable to the attacks identified in 2008.

The Wi-Fi Alliance certified WPA2 in late 2004. For backwards compatibility with WPA, WPA2 can use TKIP, but it then becomes vulnerable to both brute-force dictionary attacks and the Tews & Beck approach. In practice, WPA2 should always be used in its WPA2-AES-CCMP form, as specified in the Robust Security Network (RSN) part of 802.11i. More commonly referred to as WPA2-AES or ‘Enterprise WPA2’, it is a completely secure wireless networking protocol using 256-bit keys and block sizes for the authentication process, and 128-bit keys for data.

Is data transmitted over wireless networks vulnerable to attack?

There is nothing new about brute-force dictionary attacks on the authentication process of WPA and WPA2 when a pre-shared key (PSK) is used – the NVidia graphics card simply speeds up the process. Although regular changes of non-dictionary-based passphrases increase the time required to break the authentication (and reduce the time available for the attack), a PSK network will always remain potentially vulnerable. In practice, WPA or WPA2 with a long PSK passphrase is a perfectly adequate mechanism for securing most home networks, but companies should always follow best practice, and this dictates AES encryption combined with 802.1x authentication – EAP via RADIUS – to authenticate the connection.

The TKIP vulnerability identified by Erik Tews and Martin Beck is very different from the earlier brute force dictionary attacks against WPA with PSK. Instead of attacking the method used to generate the initial key from the passphrase and network SSID, the Tews & Beck attack targets the TKIP data exchange itself, and can affect both PSK and EAP/802.1X (enterprise) networks. It does not affect WPA networks using AES encryption (such as WPA2-AES).
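The two paragraphs above turn on one fact: the PSK is a public, deterministic function of the passphrase and the SSID, so once a handshake has been recorded the only thing protecting the key is how unguessable the passphrase is. The following is an added example (not code from the article or from Aruba Networks) that implements that derivation, checks it against the IEEE 802.11i Annex H known-answer test vector, and gives a defender a rough way to compare passphrase strength against an assumed guess rate; the guess rate and the sample passphrases are constructed values.

```python
import hashlib
import math

# Known-answer test from IEEE 802.11i-2004 Annex H.4.1: passphrase "password", SSID "IEEE".
ANNEX_H_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
PBKDF2_ITERATIONS = 4096  # fixed by the standard, so it is also the attacker's per-guess cost


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2-Personal passphrase plus SSID to the 256-bit PSK (PBKDF2-HMAC-SHA1).

    Every station computes this, and so can anyone who recorded a 4-way handshake,
    offline, for as many candidate passphrases as their hardware allows. Nothing but
    the passphrase's unpredictability protects the key.
    """
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, 32
    )


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper-bound estimate: length times log2 of the character pool in use.
    A real dictionary word is far weaker than this bound, which is the article's warning."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # remaining printable ASCII: space and punctuation
    return len(passphrase) * math.log2(pool) if pool else 0.0


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to reach the passphrase at a given offline guess rate (half the space).
    Comparing this with how often the passphrase is rotated is the check the article implies."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


if __name__ == "__main__":
    assert derive_psk("password", "IEEE").hex() == ANNEX_H_PSK
    for phrase in ("password", "Wlan-2009!", "a long phrase nobody would guess 2009"):
        bits = passphrase_entropy_bits(phrase)
        # Constructed rate (assumption): 100,000 PBKDF2 evaluations per second.
        print(f"{phrase!r}: ~{bits:.0f} bits, ~{expected_crack_seconds(bits, 1e5) / 86400:.3g} days")
```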

The Tews & Beck attack – noted on the Wireless Vulnerabilities & Exploits database (www.wve.org) – exploits the fact that packets in different QoS queues may arrive out of order, and as a result an attacker can defeat the replay protection in TKIP and reuse a captured frame. Applying an older WEP attack known as ‘chopchop’, the plaintext of the packet is revealed byte by byte. However, the maximum rate at which the attacker can guess each byte is limited by the TKIP message integrity check (MIC): if two invalid MIC events occur within 60 seconds, the station will shut down for 60 seconds and then re-associate with new keys. Setting the TKIP key rotation interval to a short value (perhaps a few minutes) will reduce the amount of time an attacker has in which to conduct the attack. Since the current attack reveals one byte per minute, it can take 10-15 minutes for an attacker to make significant progress. In practice, the attack does not compromise the key itself, but offers the attacker the opportunity to inject packets into the network, which may compromise other network security components such as firewalls.
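The rate limit described above (two MIC failures within 60 seconds triggering countermeasures) is also what makes the attack visible: a TKIP network under chopchop-style probing shows repeated MIC failures clustered on one access point. The following is an added example (not code from the article, Aruba Networks or any AP vendor) that runs that check over constructed log lines in a made-up format, and separately lists which stations negotiated TKIP rather than CCMP, since only those are exposed and they are the ones to migrate.

```python
import re
from datetime import datetime

MIC_WINDOW_SECONDS = 60  # two MIC failures inside this window trigger TKIP countermeasures

# Constructed sample log (not output from any real AP): time, AP, event, station, cipher.
SAMPLE_LOG = """\
2008-11-10T09:00:00 ap01 assoc sta=00:11:22:33:44:55 pairwise=TKIP
2008-11-10T09:00:05 ap01 assoc sta=00:11:22:33:44:66 pairwise=CCMP
2008-11-10T09:12:01 ap01 mic-failure sta=00:11:22:33:44:55
2008-11-10T09:12:47 ap01 mic-failure sta=00:11:22:33:44:55
2008-11-10T09:30:20 ap02 mic-failure sta=00:11:22:33:44:77
2008-11-10T09:35:00 ap02 mic-failure sta=00:11:22:33:44:77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) (?P<event>\S+) sta=(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: pairwise=(?P<cipher>\w+))?$"
)

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped rather than trusted."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def countermeasure_alerts(lines):
    """(ap, sta, time) for each MIC failure that follows another on the same AP within
    MIC_WINDOW_SECONDS. That is when the 802.11i countermeasure fires, and a run of such
    events on one AP is what a wireless intrusion detection system should surface."""
    last_failure = {}
    alerts = []
    for ev in parse(lines):
        if ev["event"] != "mic-failure":
            continue
        prev = last_failure.get(ev["ap"])
        if prev is not None and (ev["ts"] - prev).total_seconds() <= MIC_WINDOW_SECONDS:
            alerts.append((ev["ap"], ev["sta"], ev["ts"].isoformat()))
        last_failure[ev["ap"]] = ev["ts"]
    return alerts

def tkip_stations(lines):
    """Stations that negotiated TKIP: the only ones the attack applies to, and the ones to move to CCMP."""
    return sorted({ev["sta"] for ev in parse(lines)
                   if ev["event"] == "assoc" and ev.get("cipher") == "TKIP"})
```

Against the sample log, the ap01 pair 46 seconds apart is reported while the ap02 pair, 280 seconds apart, is not, and only the first station is listed as a TKIP client.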

Does WPA2-AES guarantee complete security?

An organisation using WPA2-AES with 802.1x authentication can consider its data secure – however, this should not be considered the same as having a secure wireless network.

Client (mis)configuration and user error are without doubt the greatest threat to any network. Indeed, some might argue that user error makes discussions of potential vulnerabilities in TKIP almost an irrelevance.

Rogue access points brought into a network by a well-meaning employee, clients configured to connect automatically to any wireless network within range (rather than just the approved corporate networks), or corporate laptops connected to insecure home networks all potentially present greater threats to corporate security than WPA attacks. They give hackers simple and direct access to the wired network, and these threats are greatest for organisations that have not thought out a wireless security policy – or have simply banned wireless from their premises.

An organisation that has implemented WPA2-AES with 802.1x authentication will most likely have considered security as an end-to-end system and have implemented wireless intrusion detection / prevention to guard against intrusion or user error. The good news is that the ability to secure data with WPA2-AES, deliver stateful firewalling to manage every user’s connection, and implement wireless intrusion detection comes integrated in some of the leading wireless solutions today, and provides the highest level of security corporate networks require. The thoughts of Denis Corée, CIO, Conservatoire National des Arts et Métiers in Paris, place the discussion on wireless security in perspective:

“One of my objectives is to provide a level of security on our wired network that matches the security of my wireless network”


1 http://www.elcomsoft.com/news/268.html

2 Martin Beck and Erik Tews, “Practical attacks against WEP and WPA”, TU Dresden / TU Darmstadt, November 2008

3 RSA Wireless Security Survey of Paris, 2008

4 RSA Wireless Security Survey of London, 2008

5 The National Institute of Standards and Technology’s (NIST) Advanced Encryption Standard (AES) in Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

6 WVE-2008-0013

