Got a minute? It's now enough time to crack WPA

David Heath
Thursday, 27 August 2009 18:20

Business IT - Security

WEP was cracked and rendered effectively pointless within a few years of its introduction.  High hopes were held for WPA, but those hopes are now well-and-truly dashed.

Reports today of a presentation at the upcoming IEICE conference in Hiroshima on September 25th suggested that WPA is as broken as WEP.  The only saving grace being that AES implementations are still (currently) safe.

Extending the Becks-Tews method (illustrated here for instance) which outlined a 15-minute attack on WPA, Japanese researchers Toshihiro Ohigashi (of Hiroshima University) and Masakatu Morii (of Kobe University) have described a new attack which could be executed in, at best, 60 seconds.

This is every person's home wireless network we're talking about.

The paper outlines the limits of the attack, which at the moment are rather restrictive, but as every security researcher will tell you, attacks always get better, never worse.  I'm not going to describe the attack, I suggest you read the paper.

My advice?  Make sure your wireless network uses AES encryption.  Beyond that, if you have greater security concerns, don't use wireless.