Ageing security protocol showing its cracks

Cracking the passwords of some WPA2-protected WiFi networks has been simplified in a development that independent experts have said ought to spur adoption of the latest wireless security technologies.

The team behind password-cracking tool Hashcat have hit on a fresh method to recover wireless network credentials quicker and without the need for someone to log onto a target network.

Instead of capturing the four-way handshake used to authenticate users onto a wireless access point, the new approach only relies on capturing a particular data packet.

The RSN IE (Robust Security Network Information Element) of a single EAPOL frame can then be brute-forced with Hashcat to derive the PMKID (the key used to set up a connection between a user and an access point), and from that the WPA PSK (Pre-Shared Key) password.

The new tactic only works against WPA and WPA2-secured Wi-Fi networks with PMKID-based roaming features enabled.
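Added here as an illustrative defender-side check, not code from the article, from Hashcat or from any vendor: given the first EAPOL-Key message an access point sends at the start of the four-way handshake, it reports whether that frame carries a PMKID KDE, which is the data the attack above relies on. The frame layout follows IEEE 802.11 (EAPOL-Key descriptor, vendor KDEs with OUI 00-0F-AC, data type 4 for PMKID); the sample frame and PMKID value are constructed fixtures.

```python
import struct

PMKID_KDE_OUI = bytes.fromhex("000fac")   # IEEE 802.11 KDE OUI
PMKID_KDE_TYPE = 4                         # KDE data type for PMKID
KEY_INFO_MIC = 0x0100
KEY_INFO_ACK = 0x0080
EAPOL_KEY_FIXED_LEN = 95                   # descriptor type .. key data length

def parse_kdes(key_data):
    """Yield (oui, data_type, payload) for each vendor KDE in a Key Data field."""
    i = 0
    while i + 2 <= len(key_data):
        elem_id, length = key_data[i], key_data[i + 1]
        payload = key_data[i + 2:i + 2 + length]
        if elem_id == 0xDD and len(payload) >= 4:   # 0xDD = vendor-specific element
            yield payload[:3], payload[3], payload[4:]
        i += 2 + length

def find_pmkid(frame):
    """Return the 16-byte PMKID carried by an EAPOL-Key message 1, else None.

    Message 1 of the handshake is the only message with Ack set and MIC clear;
    an AP that puts a PMKID KDE there exposes it to the offline attack.
    """
    _version, ptype, body_len = struct.unpack_from(">BBH", frame, 0)
    if ptype != 3:                                  # 3 = EAPOL-Key packet type
        return None
    body = frame[4:4 + body_len]
    if len(body) < EAPOL_KEY_FIXED_LEN:
        return None
    key_info = struct.unpack_from(">H", body, 1)[0]
    if not (key_info & KEY_INFO_ACK) or (key_info & KEY_INFO_MIC):
        return None
    key_data_len = struct.unpack_from(">H", body, 93)[0]
    key_data = body[EAPOL_KEY_FIXED_LEN:EAPOL_KEY_FIXED_LEN + key_data_len]
    for oui, dtype, payload in parse_kdes(key_data):
        if oui == PMKID_KDE_OUI and dtype == PMKID_KDE_TYPE and len(payload) == 16:
            return payload
    return None

def build_msg1(pmkid=None):
    """Construct a minimal EAPOL-Key message 1 (test fixture, not captured traffic)."""
    kde = b"" if pmkid is None else bytes([0xDD, 20]) + PMKID_KDE_OUI + bytes([4]) + pmkid
    body = bytes([2])                               # descriptor type 2 = RSN
    body += struct.pack(">H", 0x008A)               # key info: Ack | Pairwise | version 2
    body += struct.pack(">H", 16)                   # key length
    body += b"\x00" * (8 + 32 + 16 + 8 + 8 + 16)   # replay ctr, nonce, IV, RSC, ID, MIC
    body += struct.pack(">H", len(kde)) + kde
    return struct.pack(">BBH", 2, 3, len(body)) + body

SAMPLE_PMKID = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed dummy
```

Run `find_pmkid` over the first EAPOL-Key frame captured from your own access point during a test association; a non-None result means the AP includes the PMKID in message 1 and the network falls in the exposed category the article describes.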

Jens Steube, Hashcat’s creator, said the approach was “discovered accidentally while looking for new ways to attack the new WPA3 security standard”.

WPA3, the next-gen wireless security protocol, remains secure.

Steube said that “most modern routers” using IEEE 802.11i/p/q/r protocols with roaming functions enabled would be exploitable.

The line-up of vulnerable devices remains unconfirmed, though tests have already been carried out.

Ken Munro, a director at Pen Test Partners, told The Daily Swig that the practical application of the attack in the real world can be configuration-dependent.

“The attack facilitates compromise of WPA/PSK networks that don't have any clients connected,” Munro explained.

“Typically, previous attacks would require a client to be connected to the network in order for traffic to be generated and the key cracked. This attack sidesteps that requirement. Some vendors appear to disable the part of the protocol that deals with PMKID packets.”

Professor Alan Woodward, a computer scientist from the University of Surrey, told The Daily Swig that the new hacking technique was a symptom that “WPA2 is showing its age”.

“It used to be that if a weak password had been captured and you captured the four-way handshake, you stood a good chance of breaking the hash using modern computer power,” Professor Woodward said.

“This new method means you don’t even need to capture the four-way handshake.

“But, and it is a big but, it’s still gonna take a significant time to recover the key – (days) – so most domestic networks are not worth the effort, and corporate networks using WPA-enterprise are a lot harder to crack.”

WPA2 is showing its age and will soon become obsolete, just like WEP before it.

“It’s a concern as it shows cracks appearing, but luckily WPA3 is here… vendors need to roll that out as soon as they can,” Professor Woodward concluded.