The security found in most wireless access points can now be cracked in under a minute, cryptographic researchers found.
Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann at the cryptography and computer algebra group at the Technical University Darmstadt in Germany found that by refining and applying a form of attack against Wired Equivalent Privacy (Wep) developed by Andreas Klein in 2005, enough packets could be collected to open up a Wep-protected network in around a minute. Cracks used on Wep used to take around 40 minutes as techniques needed far more packets to inspect to find the key used to encrypt the network.
The researchers said that it was possible to recover a 104-bit Wep key with a 50 per cent probability of success using just 40,000 captured packets.
"For 60,000 available data packets, the success probability is about 80 per cent and for 85,000 data packets about 95 per cent," the researchers said. "Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions."
They said the computation of the crack took about three seconds using 3MB of memory on a Pentium-M 1.7 GHz machine. "The same attack can be used for 40-bit keys too with an even higher success probability," they said.
The researchers implemented a proof-of-concept of the attack with the aircrack-ptw tool together with the aircrack-ng toolsuite. The tool is similar to aircrack-ng, which has been used in the past to crack Wep protected networks.
"We believe that WEP should not be used in sensitive environments. Most wireless equipment vendors provide support for TKIP (as known as WPA1) and CCMP (also known as WPA2) which provides a much higher security level. All users should switch to WPA1 or even better WPA2," the researchers said.
The researchers plan to give a talk about the new crack at the Easterhegg 2007 security conference in Hamburg this month.
A paper describing the details and methods used in the attack can be found here.
