Researcher looking at WPA3 discovers new WPA2 attack

by Mark Tyson on 8 August 2018, 13:45


A researcher investigating the strengths and weaknesses of the new WPA3 Wi-Fi standard accidentally discovered a new way to attack networks protected by the widespread WPA2 standard (WPA2 was introduced in September 2004). Jens 'Atom' Steube published an outline of the streamlined new attack, and an explanation of why it works, on the hashcat forums this weekend.

As Computing magazine makes clear, the newfound hackability of WPA2 is due to its Pre-Shared Key (PSK) exchange process. This won't be an issue with WPA3, which replaces this authentication method with Simultaneous Authentication of Equals (SAE), claimed to be "much harder to attack".

Looking back at common WPA2 attack methods, Computing explains that "Most attack methods against Wi-Fi networks involve waiting until a user connects and capturing information from the 'handshake' procedure between user and network, before conducting a brute-force attack for the password." The new attack doesn't need this information, and so needs no time spent waiting for an end user to log in. Instead the attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame. Furthermore, the new attack requires just three freely downloadable software tools from GitHub.

Steube went on to outline the new WPA2 attack's advantages:

  • No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) - final data will appear as regular hex encoded string
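The reason a single frame suffices is that the PMKID carried in the RSN IE is a deterministic hash of the pre-shared key and two MAC addresses, so it can be checked against candidate passphrases offline. The following is an added illustration of that derivation (not code from the article or from Steube's tools); the MAC addresses and passphrases it uses are constructed sample values, and the IEEE test vector for "password"/"IEEE" is used to sanity-check the PMK step.

```python
"""Why one EAPOL frame is enough: PMK and PMKID are deterministic functions of
the PSK, the SSID and the two MAC addresses, with no client nonces involved.
MAC addresses and passphrases below are constructed sample values."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    These 4096 iterations are the only per-guess work factor a cracker has to pay,
    which is why passphrase entropy, not the protocol, decides the crack time."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """IEEE 802.11 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC).
    Nothing from the client side of the 4-way handshake is needed, which is the
    'client-less' property listed above."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def matches(captured: bytes, candidate: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> bool:
    """Offline check of one candidate passphrase against a captured PMKID.
    This is the whole verification step the attack reduces to."""
    guess = pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(guess, captured)


if __name__ == "__main__":
    # Constructed locally-administered MACs (02:... prefix), not real devices.
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    captured = pmkid(derive_pmk("password", "IEEE"), ap, sta)
    print("PMKID:", captured.hex())
    print("right passphrase:", matches(captured, "password", "IEEE", ap, sta))
    print("wrong passphrase:", matches(captured, "Password", "IEEE", ap, sta))
```

Note that changing either MAC changes the PMKID, so a captured value is only useful against the AP and station addresses it was computed for, but the PMK itself depends on nothing but passphrase and SSID.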

Discussing which routers might be vulnerable to the new attack method, Steube said that all 802.11i/p/q/r networks with roaming functions enabled, or more simply "most modern routers," could fall victim to it.

Steube told Bleeping Computer that it is now much easier to obtain a hash that contains the pre-shared key, but that hash still needs to be cracked. Steube advised users not to keep the manufacturer-generated PSK, which follows an "obvious pattern"; rather, make up your own with complex arrangements of letters and symbols. "A typical manufacturer's PSK of length 10 takes 8 days to crack (on a 4 GPU box)," explained Steube.

The WPA3 Wi-Fi security standard was launched back in June this year and it is expected to become firmly established but it will take time. As well as strengthened security, WPA3 will deliver an easier network joining method, so even screenless devices can quickly and simply connect.

HEXUS Forums :: 6 Comments

The source and discussion are here (also linked to in the above article):

https://hashcat.net/forum/thread-7717.html

Which indicates that consumer-grade devices may not be affected - although the latest Fritz Box OS update may introduce this vulnerability.

Be interested to see if the Draytek series are affected - no doubt there will be a security update in due course.
How long to crack it? How many GPUs? Well I suppose we've found a use for all the old mining stock.

Last time I tried to break WPA2 (I gave it the handshake to make life easier for it), the hackintosh nearly had a stroke.

Yes, I set up a network so I could try and hack it whilst slightly drunk. I'm a sad, sad person.
philehidiot wrote: Yes, I set up a network so I could try and hack it whilst slightly drunk. I'm a sad, sad person.

Worse when you do it sober

… hm :(
philehidiot wrote: Yes, I set up a network so I could try and hack it whilst slightly drunk. I'm a sad, sad person.

Not really, I once took issue with neighbours' Wi-Fi networks broadcasting across the range for the best channel for my own network. It's the only time I've ever used a Linux distro, in efforts to gain access to their routers to put them on a fixed channel not close to mine. TL;DR: takes a long time depending on hardware in use, gave up with my ancient laptop.

It is best not to use the “obvious pattern” following manufacturer generated PSK, Steube advised users; rather make up your own with complex arrangements of letters and symbols. “A typical manufacturers PSK of length 10 takes 8 days to crack (on a 4 GPU box),” explained Steube.

Pretty obvious advice, as is turning off roaming and automatically connecting to networks on your devices (especially if hiding your SSID).
Iota wrote: Not really, I once took issue with neighbours' Wi-Fi networks broadcasting across the range for the best channel for my own network. It's the only time I've ever used a Linux distro, in efforts to gain access to their routers to put them on a fixed channel not close to mine. TL;DR: takes a long time depending on hardware in use, gave up with my ancient laptop.

My finest moment in this domain was some years ago, when a friend had some script kiddie who kept trying to hack him. The attempts kept bouncing off the firewall and annoying him with endless pop-up messages alerting him to them, but they also furnished him with the IP address, which he passed on to me.

I can't quite remember what I did, it was so long ago, but it was essentially an improvised DoS attack. Very effective, and he stopped his attempts to hack my friend after a couple of minutes. Things like that are useful to know how to do for situations like that (it was probably only a matter of time before the guy actually found an open port), as long as you're not a prat with it.