How WPA wireless networks are hacked, and how to protect yourself
As wireless networks evolve, so does the security encryption needed to protect them. As usual, the methods to hack this encryption evolves just as fast, so let’s take a look at how its done and how to protect yourself from these types of threats.
WEP-based encryption was the first to be developed, and therefore first to be easily cracked and made vulnerable. Then came WPA-based encryption which took the security up a level and introduced some new methods. Let’s look at some differences between the two. WEP, or Wired Equivalent Privacy, is a basic form of wireless security where both the “WAP” and the user are configured with an encryption key of either 64 bits or 128 bits in HEX. When someone connects to the network, the access point issues a “random challenge.” The user inputs the key which is encrypted with the “challenge answer.” If the answer is correct, the user is granted access to the network. WEP is easy to crack because the network key required to gain access is static, and with very little effort can be figured out.
WPA-based encryption, or Wi-Fi Protected Access, is similar in theory to WEP but doesn’t use a static network key, but rather a “Temporal Key Integrity Protocol (TKIP),” which changes keys with every data packet sent or received. This by itself makes WPA a very secure method for wireless networks, but the problem is that in most home-based environments, a “shared pass phrase” is used to access the network. If this pass phrase is any word found in the dictionary, a hacker can crack it through what is known as a “brute force dictionary attack.” While it may take a long time, it can be done.
Since WEP can be easily cracked, we’ll focus on educating you on how your WPA-encrypted wireless network can be cracked and made vulnerable to attacks as well, and how to prevent this from happening, or at least lower your risk considerably. With WPA, there’s two different versions; PSK and RADIUS. In the simplest terms, PSK is hackable and RADIUS is not. PSK uses the TKIP process I mentioned above to authenticate the network, and therefore makes it vulnerable to cracking. While WPA is indeed much more secure than WEP, only WPA-RADIUS is un-crackable. Ninety percent of access points and home wireless routers don’t even support WPA-RADIUS, only advanced enterprise-based routers do, which leaves most WPA-secured home-based networks almost as vulnerable as WEP-secured networks.
The key to cracking a WPA wireless network is to sniff out the PMK, or Primary Master Key. To do this you have to capture certain packets of information being sent and received across the network and catch a certain “handshake” process. The “handshake” is the authentication between the client and the access point, which is still highly encrypted due to the method WPA secures itself but is still associated with the PMK. To automate this process, there’s freely available software called “Aircrack-ng,” which is a software suite of tools for sniffing and manipulating wireless networks. All someone has to do is run the software provided in Aircrack-ng, which will connect and sniff out a WPA-secured wireless network and find the “handshake” that is occurring. Once this is identified, its a matter of finding the word that is associated with this “handshake,” which is also the PMK to allow access to the network.
This is where it gets a little tricky. If the password is any word in the dictionary its likely it can be cracked. If the password is long, and contains symbols along with upper and lowercase letters, it’s likely the password can’t be figured out. 9 times out of 10 the password is an everyday word that’s easily found in any dictionary. For someone to figure this out, the process is again automated and fairly easy. All you have to do is find a dictionary in “.txt” form, which is fairly easy to find online, and input that list into the software provided in the Aircrack-ng suite. The software will go down the list and try each and every word. This process is known as a “Dictionary Brute Force Attack,” and is really the only way to crack a WPA-secure network. If the word is found, the network is cracked- so the longer and more complicated the password, the harder it is and longer it will take to crack.
Now that you know that it can be done, it’s time to learn how to protect yourself from these types of attacks in the future. Properly setting up your WPA-secured wireless network will make all the difference between someone being able to get in or not. Most people are ignorant to the fact that basic WPA-based setups are nearly as vulnerable as WEP-based setups and that with a few simple adjustments it could be almost unbreakable.
It all starts with your wireless router. If WEP-based security is the only option available on your router, it’s time to upgrade. Newer routers will likely have WPA-based encryption on several different levels. The normal variations are WPA and WPA2. Beyond that, there’s two different types of authentication; TKIP (as mentioned above) as well as “AES,” which is a newer and more secure method. AES and TKIP are the algorithms used during the sending and receiving of packets via the network. AES is more advanced and provides a higher level of protection. TKIP was really only developed to provide an “interim” solution until something better could be developed, which was eventually AES. Most routers that use WPA are setup to use TKIP by default, so simply logging into your router and changing the setting to AES can a make a world of difference.
If your router is only one to two years old, you may be able to find a firmware update online as well which would most likely give you the newest WPA-based security features, including AES. As a rule of thumb, the highest level of security is “WPA2-AES.” This is the level of encryption the US government uses, and is the highest available by today’s standards. If this isn’t available, basic WPA-encryption will suffice, just make sure the password is as long and complex as possible.
When it comes to securing a network via WPA, the password, or PMK, is the most important aspect. Include a combination of upper and lowercase letters, numbers and symbols in a phrase that’s as long as possible. The only way to crack WPA, as mentioned above, is to sniff out the password associated with the “handshake” authentication process, and if this password is extremely complicated, it will be almost impossible to crack. The only downside to this high-level of security is the fact that it will slow down the overall speed of your network, but in the long-run, it’s well worth it.
This article originally appeared in Tech.Blorge.com on February 7, 2009.