Cracking the passwords of some WPA2 Wi-Fi networks just got easier

Technique exploits weakness in design of roaming-enabled IEEE 802.11i/p/q/r wireless


The folks behind the password-cracking tool Hashcat claim they've found a new way to crack some wireless network passwords in far less time than previously needed.

Jens Steube, creator of the open-source software, said the new technique, discovered by accident, would potentially allow someone to get all the information they need to brute force decrypt a Wi-Fi password, by snooping on a single data packet going over the air.

Previously, an attacker would need to wait for someone to log into a network, capture the four-way handshake process used to authenticate users with a wireless access point, and use that to brute-force search for the password.

This particular technique specifically works against WPA and WPA2-secured Wi-Fi networks with PMKID-based roaming features enabled, and it can be used to recover the PSK (Pre-Shared Key) login passwords.

"This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard," Steube explained late last week, adding that it won't work against next-gen wireless security protocol WPA3.

"WPA3 will be much harder to attack because of its modern key establishment protocol called Simultaneous Authentication of Equals (SAE).

"The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame."

The team found that, when an attacker has the RSN IE information, the PMKID (the key needed to establish a connection between a user and an access point) can be pulled out via a packet capture tool and then brute-force decrypted with Hashcat. Steube noted that this can often be done in around 10 minutes or so, depending on noise over the Wi-Fi channel.

"Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector," Steube explained. "We receive all the data we need in the first EAPOL frame from the AP."

As a result, the attacker would be able to break into a vulnerable wireless network in far less time without needing to get any other information from other users or devices, only information the router itself provides to all users, authenticated or otherwise.
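For a network owner, the practical check is whether their own access point puts a PMKID in that first EAPOL frame. The sketch below is an added example, not code from Hashcat or the original article: it walks the key data of a captured message 1, looks for the PMKID key data element, and compares it with the value derived from the owner's known passphrase. It assumes WPA2-PSK with the SHA-1 based key derivation; the MAC addresses, SSID, passphrase and sample bytes are constructed lab values, and the function names are hypothetical.

```python
import hashlib
import hmac

RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11 OUI used by RSN key data elements


def find_pmkid(key_data: bytes):
    """Walk the type/length/value elements of EAPOL-Key key data; return the PMKID or None."""
    i = 0
    while i + 2 <= len(key_data):
        etype, elen = key_data[i], key_data[i + 1]
        body = key_data[i + 2:i + 2 + elen]
        if len(body) < elen:  # truncated element: stop rather than read past the end
            return None
        # PMKID KDE: type 0xdd, length 20, OUI 00-0f-ac, data type 4, then 16 bytes
        if etype == 0xDD and elen == 20 and body[:4] == RSN_OUI + b"\x04":
            return body[4:]
        i += 2 + elen
    return None


def derive_pmkid(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def audit(key_data: bytes, passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> str:
    """Classify what one captured message 1 from your own AP discloses."""
    pmkid = find_pmkid(key_data)
    if pmkid is None:
        return "no PMKID disclosed"
    if pmkid == bytes(16):  # edge case: element present but carrying an all-zero value
        return "PMKID present but zeroed"
    if hmac.compare_digest(pmkid, derive_pmkid(passphrase, ssid, ap_mac, sta_mac)):
        return "PMKID disclosed and derived from the PSK"
    return "PMKID disclosed (does not match this PSK)"


# Constructed lab values, not taken from any real network.
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
SSID, PSK = "lab-net", "correct horse battery staple"
SAMPLE_KEY_DATA = b"\xdd\x14" + RSN_OUI + b"\x04" + derive_pmkid(PSK, SSID, AP_MAC, STA_MAC)

if __name__ == "__main__":
    print(audit(SAMPLE_KEY_DATA, PSK, SSID, AP_MAC, STA_MAC))
```

The only secret input to `derive_pmkid` is the passphrase, so once a PMKID is disclosed the length and randomness of the PSK is what stands between a capture and a recovered password; disabling the roaming feature on access points that do not need it removes the disclosure.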

Steube said that while he does not yet know which brands and models of routers are specifically at risk from the technique, he believes "most modern routers" using IEEE 802.11i/p/q/r protocols with roaming functions enabled would be exploitable. ®

