Two researchers from the Technical University of Darmstadt, Germany, have discovered a method of bypassing the Wi-Fi Protected Access (WPA) encryption used by many wireless routers.
The exploit takes advantage of a weakness on networks that use WPA with TKIP (Temporal Key Integrity Protocol, a security algorithm based on key switching that is used to strengthen the WPA encryption) by circumventing the algorithm that encrypts the Wi-Fi data packets. Researchers Erik Tews and Martin Beck, who are members of the ethical hacking group known as Aircrack-ng, have not only discovered how to bypass WPA, they've also created a tool to do so. They plan to release the tool at the PacSec conference next week in Tokyo, Japan, Aircrack-ng member Rick Farina confirmed to PC Magazine on Friday.
With the exploit tool in hand, hackers will be able break into networks that have WPA with TKIP encryption. TKIP is a predecessor of AES and was developed to overcome the flaw with WEP [Wired Equivalent Private] security. WPA is essentially WEP with a couple of fixes. The TKIP algorithm rotates keys between clients and access points after enough packets pass between them. By default, most routers on the market change the keys every couple of hours. The exploit takes advantage of this data flowing to and from access points and masquerades its packets by inserting its own and passing them to clients. The packet insertion bypasses the countermeasures used by routers can catch the malicious activity. >From a computer's point of view, the data packets appear to belong to a legitimate access point. According to Farina, just seven packets are needed to gain access to a computer.
Researchers found it even easier to gain access to wireless networks that are using QoS [Quality of Service]. Networks that mix data and voice packets often rely on QoS to prioritize the voice data. However, data packets with QoS are rearranged in sequential order so that they travel faster and are received efficiently. The protection algorithm used by TKIP was relaxed to allow for QoS.
As the exploit tool gains access to a computer, hackers can easily inject new packets and install and execute tools such as Metasploit that can give them permanent access. Metasploit is a large toolkit for testing exploits and it uses well known exploits in its arsenal. Rick said, "With 2 or 3 packets you can fit most tools in the Metasploit toolkit," Farina said.
Because the exploit is specific, users simply need to change the WPA encryption to work with AES or change it to the much more hardened WPA2. If your router doesn't support WPA2, the best course of action is to shorten the timing of the TKIP in the routers, so that keys are refreshed every two minutes or less. The fast refresh makes it harder but not impossible for hackers to gain access. The best course of action, however, is to buy a new router that supports WPA2.