Risks to Wireless Networks – Attacks on WPA/WPA2

As stated in the previous blog, we started our discussion on why every remote user is likely on an untrusted network by exploring various ways users connect. We started our discussion with WEP in order to better understand the relative protection and methods of attacks on WEP’s interim successor WPA (Wi-Fi Protected Access) and the current standard WPA2. WEP ultimately broke down because given enough traffic, an attacker can recover the key regardless of the key’s complexity.

WPA came out as a stopgap measure in 2003, and WPA2 was introduced by 2004. It contained improvements to protect itself against WEP’s flaws, such as the ability to check the integrity of the packets and avoided problems with the ways the keys were used. The 802.11g era served as a middle ground for all three security measures, with WEP, WPA and WPA2 being options for security. The 802.11n generation of products required adoption of WPA2 in order to take advantage of the speeds above 54 mbps.

There are different ways to implement WPA2, but for the most part, the use of a pre-shared key (PSK) is by far the most commonplace, especially at homes, small businesses, and guest networks. That’s because that pre-shared key security can be implemented with just the access point and the client, for it requires neither a 3rd party 802.1x authentication server nor requires setting up accounts for each user. Thus, for the most part, the networks that users connect to outside of the office, they’ll most likely be using WPA2 with PSK.

The WPA2 PSK supports 256 bit keys, which requires 64 hex characters (0-9, A-F) to enter. It sounds secure in theory, but in practice it simply isn’t that easy to type that many characters to get the device online.  As an alternative, in order to make data entry much easier on humans, WPA2 includes a function to generate a 256-bit key using a much shorter passphrase, and using the wireless access point’s identification (SSID) as a salt for the hash function.

Now in order to execute an attack on the passphrase, one needs to be able to test a large number of passphrase candidates. So while WPA2 remains cryptographically secure (namely the key isn’t recoverable by simply observing the traffic like with WEP), there are methods to test passphrases offline by gathering the handshake packets between the access point and a legitimate user.

In order to collect the necessary packets, one could passively gather traffic when a user joins the network. This requires time, however, as one does not know when someone will come along. The impatient attacker does not have to wait, however, by employing an active attack. As long as there is already a legitimate user online, the attacker can kick the client off the access point with forged de-authentication packets. After getting knocked off, the client will automatically retry to connect, thus providing the attacker with the handshake packets needed for offline passphrase analysis. Thus, unlike WEP, the attacks on WPA2 can be done without spending a significant amount of time in the proximity of the target network. Once the handshake packets have been gathered, the attacker can continue the work elsewhere, out of sight.

With the handshake packets in hand, what’s next? The attacker still must recover the passphrase itself, and in the early days of WPA2 cracking, it was relatively impractical to crack a moderately difficult passphrase. However, new techniques in recent years have made WPA2 cracking far more sophisticated than it had been in the past. In the next blog entry of this series, we’ll explore why passphrases are not as strong as they used to be due to the sophistication of passphrase recovery techniques and weaknesses in human behavior.