Don't Panic over WPA Flaw, But Do Pay Attention

The flaw in WPA is minor but important, and won’t affect home users or most networks (yet): I spoke yesterday to Eric Tews, one of the co-authors of a paper covering a WPA flaw that he’ll present next week in Japan at PacSec, a security conference. Tews and his collaborator Martin Beck, who discovered and tested the flaw, found that it’s possible to use weaknesses that remain in WPA’s TKIP encryption type (the weaker of two available in WPA2) to decrypt certain data.

I wrote about this at great technical length at Ars Technica—see Battered, But Not Broken—but let me provide the high-level summary here.

The flaw is not a generic crack: it doesn’t allow a WPA key to be recovered, nor does it work on all data passing the network. The flaw only affects packets encrypted using the TKIP system, which is a backwards-compatible upgrade to 802.11’s original WEP system. It’s also only possible at this point to recover the original text for short packets—those with predictable contents that are quite short. And it requires the use of 802.11e, the Quality of Service (QoS) standard that prioritizes voice and streaming data above that of normal data to provide voice quality and avoid video and audio stuttering.

With the Tews/Beck technique, short packets with mostly predictable content can be cracked through first applying a WEP-style crack that gets an attacker most of the way there, and then using a very slow method of determining the value of the remaining unknown bytes. This allows the keystream—the cryptographic overlay used to encrypt data as it flows, not the network key itself—to be recovered and used to “replay” arbitrary data, such as a changed packet. While TKIP includes replay protection, the graduate students found that the QoS queues would let them replay the same keystream, sidestepping this protection. (Their flaw discovery is very very clever, combining the use of three interrelated protocols’ weaknesses.)

The solution for the flaw at present is to use AES, an encryption option that’s part of WPA2 (and 802.11i, the underlying standard). If your network comprises all WPA2 devices, which nearly all equipment sold starting in 2003 is capable of, then you can opt to set routers to use just the AES type. For home networks or small offices, this would mean choose WPA2-PSK or WPA2 Personal in most cases. (While Windows lets you choose to identify a WPA2 key as TKIP or AES, the router is what controls which algorithms are acceptable.)

And because the crack potentially allows only the injection of changed packets for very specific network stuff, it’s likely that you’d never see this used against a home network because there’s very little you could do with such a flaw. On a corporate network, someone might try to redirect traffic through certain kinds of short forged messages, and that could be a problem.

However, corporate networks should be using robust enough equipment that the keys used for network communication are frequently swapped out, which disrupts this crack; and corporations may already have standardized on WPA2’s AES, which is immune to any attack of this kind.

In the end, you should be wary, but not freaked out. Switching to AES has a price: older computers won’t be able to join your network. But in 2008, the odds are increasingly low that anyone concerned about security would have a Wi-Fi adapter so old that it couldn’t use WPA2.

Breaking News: AT&T Buys Wayport; WPA’s TKIP Cracked?; Virgin America Sets Launch Date
Positive Response to WiMax Launch in Baltimore
Busta Banned in the U.K.?
(E! Online)
Country star Tim McGraw rips label over hits CD
(Reuters)