Security Experts:

Researchers Outline How to Crack WPA2 Security

Cracking WPA2 Wireless Security

Securing wireless local area networks can be a tricky business, and a group of researchers have highlighted just how much.

Published in the International Journal of Information and Computer Security, the research outlines how the Wi-Fi Protected Access 2 (WPA2) protocol can be potentially exposed using deauthentication and brute force attacks.

"Thus far, WPA2 is considered to be amongst the most secure protocols," according to the researchers' paper. "However it has several security vulnerabilities. Until now there has not been a complete and fully successful methodology capable of exposing the WPA2 security. This paper provides a novel way of successfully exposing WPA2 security issues by using a complete dictionary that generates all the possible printable ASCII characters of all possible lengths."

The research was performed by Achilleas Tsitroulis of Brunel University in the UK; Dimitris Lampoudis of the University of Macedonia in Greece; and Emmanuel Tsekleves of Lancaster University, UK. According to the researchers, the 802.11i deauthentication process presents a flaw. During the process, clients are forced to reconnect and re-authenticate to the correspondent access point, resulting in the capture of an instance of the pre-shared key. In the case of WPA/WPA2, the four-way authentication handshake is revealed. 

To prove their point, the researchers analyzed 10 different scenarios, with the main difference between them being the password.

"At the beginning, the area was scanned-sniffed with ‘Airodump’ and then a deauthentication attack was made with ‘Aireplay’," according to the paper. "Through that, an instance of the PSK was caught. Finally, ‘Aircrack’ was attempting to reveal the secret password by using the instance of the PSK and matching it with every record of the dictionary. For these experiments we used a very big dictionary that consisted of 666,696 standard printable ASCII character records of various lengths. ‘Airodump’ and ‘Aireplay’ are commands of the ‘Aircrack’ suite, responsible for sniffing and deauthentication respectively."

In all but one of the cases, the key was easily found, the researchers stated.

"The biggest advantage of WPA/WPA2 security protocols is security reliance on dictionary pluralism in words," the researchers continued, adding that while it is very difficult to expose the WPA/WPA2 security protocol, it is not impossible. "Even though, a considerable amount of time would be required. In order to accomplish that, in a relatively short period of time, the adversary should have a FPGA (instead of a computer), performing the whole procedure."

The best way to protect an 802.11i network is through the use of WPA2 in combination with MAC filtering, the researchers recommend. In addition, changing the encryption key periodically can increase the level of difficulty for attackers. The more complex the password, the more the difficulty will rise as well.

"Firstly, network security can be increased by firstly hiding the SSID, so that the procedure of gathering information regarding the network becomes more difficult," the researchers added. "Furthermore, in some APs the Telnet/SSH services are enabled by default. It is advisable to disabling those services in order to protect unauthorised network access, by providing password checks. Not following the above actions, increases the risk of unauthorised network access that can lead to various malicious actions, such as having the AP reconfigured by the adversary."