RC4 Attacks Increasingly Practical, Feasible: Researchers

Researchers Exploit RC4 Flaws in NOMORE Attacks Against Real Devices

Researchers have demonstrated that attacks against the RC4 cryptographic algorithm are becoming more practical and feasible than ever.

Despite being very old, RC4 is still one of the most widely used stream ciphers. Experts estimate that RC4 is used 30 percent of the time to secure Transport Layer Security (TLS) connections.

Security experts have often warned that the RC4 encryption algorithm is weak, but the attack methods presented up until now were not very practical.

An attack presented in 2013 took over 2,000 hours to complete. A somewhat more successful method, presented in March 2015, focused on password recovery attacks against RC4 in TLS. This attack still required between 312 and 776 hours to execute.

Now, Mathy Vanhoef and Frank Piessens of the University of Leuven in Belgium have demonstrated that an attacker could decrypt a web cookie protected by the HTTPS protocol within 75 hours. The attack method, which relies on a combination of the Fluhrer-McGrew and Mantin's ABSAB statistical biases, has been dubbed “NOMORE” (Numerous Occurrence MOnitoring & Recovery Exploit).

In experiments that involved real devices, researchers managed to perform a plaintext recovery attack against the TLS protocol in just 52 hours. Vanhoef and Piessens said this was the first time anyone exploited vulnerabilities in RC4, when used in TLS, in attacks targeting real devices.

In the attack described by the experts, a man-in-the-middle (MitM) attacker intercepts the target’s connection to the server, and injects malicious JavaScript code designed to get the victim machine to transmit encrypted requests containing the victim’s web cookie. By capturing a large number of such requests, the attacker can recover likely cookie values and test them until the right one is found.

According to experts, a 16-character cookie can be decrypted with a success rate of 94 percent by capturing roughly 9⋅2^27 requests. Since the attacker can get the targeted machine to send out 4,450 requests per second, the number of requests needed to decrypt the web cookie is obtained in approximately 75 hours. The list of obtained cookies can be tested in under 7 minutes.

“Generating these requests can even be spread out over time: they do not have to be captured all at once,” the researchers explained.

Cookies are used by websites to identify users and authorize their actions. This means that an attacker in possession of a user’s cookie can log in to their account and perform actions on their behalf.

Experts have pointed out that the NOMORE attack can be leveraged to recover any type of information that is repeatedly encrypted. A research paper Vanhoef and Piessens will present at the USENIX Security Symposium in Washington, D.C. next month also details the application of this attack method against WPA-TKIP (Wi-Fi Protected Access - Temporal Key Integrity Protocol).

WPA-TKIP, a security protocol used in the IEEE 802.11 wireless networking standard, was designed as an interim solution to replace WEP. Despite being outdated, the protocol is still allowed and supported on many protected networks.

Experts have managed to break a WPA-TKIP network within an hour by generating a large number of identical packets. Once the attack against the network is successfully executed, the attacker can decrypt and inject arbitrary packets sent to a client.

As for countermeasures, the researchers said “the only good countermeasure is to stop using RC4.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.