WPA2 Security Cracked Without Brute Force

Researchers found a major flaw in WPA-2, which is best-hope security for most users.

It’s possible to crack the wireless WPA-2 encryption that is the standard of reasonable security for wireless LANs in both homes and businesses, according to research published today.

It is possible to crack WPA-2 by a direct, brute-force attack, but it takes a considerable investment of time or a lot of compute power, according to a previous study by Cologne, Germany-based security researcher Thomas Roth, who did it in 20 minutes by running a custom script on a cluster of GPU instances within Amazon, Inc.’s EC2 cloud service.

The level of security provided by WPA-2, which uses a pre-shared key to protect traffic between a wireless access point and its clients with TKIP or CCMP, is high enough to make it the most widely recommended way to secure wireless clients. WEP, the previous standard, was cracked as early as 2001 and thoroughly broken by 2007, leading most vendors and security experts to settle on WPA-2 as the only practical, reasonably secure protocol that was widely available.

There are plenty of online guides to cracking WPA-2 with brute-force or dictionary attacks. Lacking anything better, however, most experts recommend the level of security WPA-2 provides as reasonable, if the password is long enough to keep brute-force attackers working longer than most would bother.
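The two paragraphs above rest on one fact: a WPA-2 passphrase is turned into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, salted with the network name and run for 4096 iterations, so every guess an attacker makes against a captured handshake costs 4096 HMAC operations, and the only lever the network owner controls is the size of the space those guesses must cover. The following example is added here to make that concrete; it is not code from the article or from the researchers it cites. It derives the PMK exactly as IEEE 802.11i specifies and then sizes the keyspace for several passphrase policies. The guess rate is a constructed assumption used only to compare policies against each other, not a measurement of any real hardware.

```python
"""Added example (not from the article): WPA2-Personal passphrase -> PMK
derivation, and a keyspace calculator for choosing passphrase length."""
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32               # the PMK is 256 bits

# Constructed assumption for comparing policies; not a measured cracking rate.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32), per 802.11i.

    The SSID is the salt, so the same passphrase yields a different PMK on a
    network with a different name (which is why rainbow tables are per-SSID).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passphrases of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    return length * math.log2(alphabet_size)


def expected_days_to_exhaust(length: int, alphabet_size: int,
                             guesses_per_second: float) -> float:
    """Average time to hit a uniformly random passphrase: half the keyspace,
    at the given guess rate, expressed in days."""
    guesses = keyspace(length, alphabet_size) / 2
    return guesses / guesses_per_second / 86400


def compare_policies(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND):
    """Return (label, bits, days) for a few common passphrase policies so the
    effect of length can be read off directly."""
    policies = [
        ("8 lowercase letters", 8, 26),
        ("8 mixed-case letters and digits", 8, 62),
        ("12 mixed-case letters and digits", 12, 62),
        ("20 mixed-case letters and digits", 20, 62),
    ]
    return [
        (label, round(entropy_bits(n, a), 1),
         expected_days_to_exhaust(n, a, guesses_per_second))
        for label, n, a in policies
    ]


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print("PMK:", derive_pmk("password", "IEEE").hex())
    for label, bits, days in compare_policies():
        print(f"{label:38s} {bits:6.1f} bits  ~{days:.3g} days")
```

Dictionary attacks shrink the effective alphabet to the list of words people actually pick, which is why the figure that matters is the entropy of how the passphrase was chosen, not its character count alone; a 20-character passphrase made of random characters is in a different class from a 20-character phrase of common words.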

WPA-2’s weakness isn’t the sign-in, however, according to a study published March 13 in the International Journal of Information and Computer Security.

The real weakness is the de-authentication process in which routers periodically sign a client device off in order to force it to reconnect and re-authenticate with a new key, according to researchers Achilleas Tsitroulis, Dimitris Lampoudis and Emmanuel Tsekleves. During that process, the router leaves the old session open long enough for a determined intruder with a fast wireless scanner to gain access.
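Because the de-authentication exchange is the point at which a client is forced to reconnect, a defender's practical check is to watch for deauthentication frames arriving far more often than any access point would legitimately send them. The standard countermeasure for forged deauthentication is IEEE 802.11w protected management frames, which let a client verify that a deauthentication actually came from its access point; where that is not deployed, monitoring is the fallback. The example below is added here and is not code from the article or the researchers; it runs a sliding-window count over a constructed capture summary (the frame records, MAC addresses and timestamps are all made up for the example) and flags a burst of deauthentication frames aimed at one client.

```python
"""Added example (not from the article): flag bursts of 802.11 deauthentication
frames in a constructed capture summary. A legitimate AP deauthenticates a
client occasionally; dozens per second at one client is a forced
re-authentication worth investigating."""
from collections import defaultdict, deque
from dataclasses import dataclass

MGMT_BEACON_SUBTYPE = 8    # 802.11 management frame subtype 0x8
MGMT_DEAUTH_SUBTYPE = 12   # 802.11 management frame subtype 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time in seconds
    subtype: int   # management frame subtype
    bssid: str     # access point address
    dest: str      # client address, or broadcast
    reason: int    # reason code carried by deauth frames (0 otherwise)


def detect_deauth_bursts(frames, window_s: float = 1.0, threshold: int = 10):
    """Count deauth frames per (bssid, client) inside a sliding window.

    Returns one alert per (bssid, client) pair the first time the count in
    any window reaches `threshold`; frames may arrive out of order.
    """
    recent = defaultdict(deque)   # (bssid, dest) -> timestamps in window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype != MGMT_DEAUTH_SUBTYPE:
            continue
        key = (f.bssid, f.dest)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # drop frames older than window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": f.bssid, "client": f.dest,
                "window_start": q[0], "count": len(q), "reason": f.reason,
            })
    return alerts


def build_sample_capture():
    """Constructed sample: beacons, one benign deauth, then a burst."""
    ap = "02:00:00:00:aa:01"      # constructed AP address
    client = "02:00:00:00:bb:02"  # constructed client address
    frames = [Frame(0.1 * i, MGMT_BEACON_SUBTYPE, ap, BROADCAST, 0)
              for i in range(60)]
    # A single deauth with reason 3 (station is leaving) is normal traffic.
    frames.append(Frame(0.5, MGMT_DEAUTH_SUBTYPE, ap, client, 3))
    # Thirty deauths in 0.6 s at the same client is not.
    frames += [Frame(5.0 + 0.02 * i, MGMT_DEAUTH_SUBTYPE, ap, client, 7)
               for i in range(30)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_bursts(build_sample_capture()):
        print("deauth burst:", alert)
```

The threshold and window are tuning knobs: an access point that really is rotating keys sends one deauthentication per client per rekey, so a handful per minute is ordinary, while ten within a second is not. Broadcast deauthentications (destination ff:ff:ff:ff:ff:ff) are keyed separately and would produce their own alert.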

Ways to attack WPA-2 during de-authentication have been described before, too, but none demonstrated the unsecured “backdoor” that, the authors say, leaves the WPA-2 security protocol “fully exposed by malicious attacks.” Restricting access to specific MAC addresses can stop that approach, the authors note, except against attacks that use spoofed MAC addresses. Since most users have no better alternative available, however, MAC-address restrictions and very long passwords are the best bet for the time being, they wrote.


7 Responses to “WPA2 Security Cracked Without Brute Force”

  1. Andrew Greenhill

    Yes, I agree with the comments here, good post, but let me leave a warning.

    I am quite good with security and found that someone had managed to gain access to my LAN because I run my own DNS server on the LAN and it had blocked access to the hacker, plus the firewall had stopped the hacker getting out to the internet using the leased IP from the router's DHCP server. Could have used a white-list of MAC addresses but didn’t.

    I decided to see for myself how easy it was to hack local wifis and kept coming across simple-to-use one-click programs that said they would do the trick, but they are all scams and you end up with god knows what on your machines when you download or run these programs; it's a scam and none of them work.

    So after trying the easy route I downloaded CommView, and that is a very good tool. I could see all the local routers using this tool and some internal traffic from devices connected to these local routers, but the program does not come free; if you want to run it long enough to catch the hand-shakes needed to catch a public shared key (PSK) then you have to pay.

    I managed to find a crack for CommView and left it running for an hour and managed to catch a single hand-shake on my own network, so went for the plan of hacking myself. I saved the CommView logs in WireShark format and loaded up Aircrack-ng GUI.exe to use the logs generated by CommView, only to find that I also needed a word dictionary, because it uses brute force to crack the private key using the PSK on the local machine so that the wifi router does not get attacked with millions of fake requests.

    I have seen the videos on YouTube where they claim that brute force worked and I am calling hoax on them unless they happen to be very lucky or put the password in the word dictionary in the first place.

    My mistake was letting a child in the house know the password, which was later given out to friends I think, but I have put this one-click hack attack to bed; it does not work.

  2. Wow, all you need is MAC-based filtering. Only allow your router to authenticate to your devices through MAC verification. Super easy to set up, and you should always use a 20+ character passphrase, too easy. I hack neighbors' wifi all the time, just for fun. It’s amazing how many people still use short passwords that actually have real words in them, makes my job much easier.