Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes.
Next week at a Tokyo conference, both Tews and Beck will show an audience how they are able to crack the encryption.
In a previous post, I mentioned the use of WPA and asked that we all stay away from WEP (as it was insecure), and I still stand by that statement. What we really need to think about is using WPA with AES encryption instead of TKIP. The use of AES has not been compromised and is still considered to be safe.
Although it is a fairly new discovery, cracking tool kits have been updated with the necessary code to exploit the vulnerability. If someone is out there trying to get onto your wireless network and cracking your encryption, they probably are already aware of the new vulnerability and have the latest tools to do so. Anybody can be a target, and there are some easy things you can do to protect yourself.
If you have a fairly new router (as far back as 2005 in some cases), you can simply choose to use AES encryption with WPA — or switch from WPA to WPA2 (which has not been compromised). If you only have WEP as an option, then you should consider using a very long password for your wireless connection — one with random letters, symbols and numbers. The longer and more complex the password, the more secure. Go to grc.com/passwords to generate a secure password.
In a previous post, I discussed some of the mistakes that should be avoided when setting up your home’s wireless router (read Are You Making These Mistakes with Your Home Wi-Fi). One such mistake is leaving your access point “open”. Since public Wi-Fi access is usually “open” and you usually don’t have a choice about how to connect to a public access point, you should take precautions when surfing sites that may contain personal information.
Since communications between your laptop and the public access points are made over the air in an unencrypted manner, your email can be read by anybody who is savvy enough to start a network sniffing program that is freely available for download on the Internet. How much more careful about what you read at one of these hotspots would you be if you knew it was possible for someone to see the data that was being sent to your browser? How much personal information do you store in your email account?
There is something simple and easy you can do to ensure that you’re reading email securely. You can browse to your Gmail account without fear of prying eyes or network hackers. Simply use the HTTPS protocol when accessing your web email. HTTPS encrypts the data from your computer all the way back to the server you are browsing. Since the data is encrypted, even if someone is sniffing the network, they will not be able to determine what you are reading. The data simply looks like a bunch of random bits with no meaning.
Both Gmail and Yahoo mail automatically redirect your browser to their “https” versions for login. This means that when you send your username and password to authenticate, it will be encrypted and secure. You can see this when browsing to mail.google.com or mail.yahoo.com. Go ahead and try it. Type “http://mail.yahoo.com” or “http://mail.google.com” in your browser’s address bar and see where you end up. You’ll notice that your browser now reflects the new address which begins with “https://”. Your browser is now using the HTTPS protocol to communicate with the login server.
The login process is only the beginning. Yes, your login information is secure, but unless you specifically tell the browser to use the “https://” address, your encryption ends at the login for Gmail users. Browsing to “http://mail.google.com” will encrypt the login information only, but browsing to “https://mail.google.com” will encrypt not only your login, but your entire session as well. All the information sent between your computer and Google mail will be protected along with your username and password. This is one advantage Gmail has over Yahoo mail. Yahoo mail will not encrypt the entire session even though you specify “https://” in the address bar.
Notice the “lock” icon in your browser’s status bar. It is usually located somewhere near the bottom right of your browser window. If the lock icon is present, it means that your session with the web server is encrypted. Gmail users will see the lock for the entire session (if they have browsed to the “https://” version of the page), but Yahoo users only see it at the login screen.
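The difference between a login-only HTTPS visit and a fully encrypted session, as an added example that is not from the original post: a short Python audit that lists what someone sniffing an open network could read. The traffic is constructed, and the host names, the cookie name SID and the audit function are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed traffic for one webmail visit (hosts and cookie values are made up).
# Each entry: (URL requested, Cookie header sent, Set-Cookie header received).
LOGIN_ONLY = [
    ("http://mail.example.test/", "", ""),
    ("https://mail.example.test/login", "", "SID=abc123; Path=/"),
    ("http://mail.example.test/inbox", "SID=abc123", ""),
    ("http://mail.example.test/read?msg=7", "SID=abc123", ""),
]
WHOLE_SESSION = [
    ("https://mail.example.test/", "", ""),
    ("https://mail.example.test/login", "", "SID=abc123; Path=/; Secure"),
    ("https://mail.example.test/inbox", "SID=abc123", ""),
    ("https://mail.example.test/read?msg=7", "SID=abc123", ""),
]


def audit(traffic):
    """Classify a visit and list what a sniffer on an open network could read."""
    cleartext_pages = []    # URLs fetched without encryption
    leaked_cookies = set()  # session cookies sent without encryption
    non_secure = set()      # cookies issued without the Secure attribute
    saw_https = False
    for url, sent, received in traffic:
        if urlsplit(url).scheme == "https":
            saw_https = True
        else:
            cleartext_pages.append(url)
            for pair in filter(None, sent.split(";")):
                leaked_cookies.add(pair.split("=")[0].strip())
        if received:
            attrs = [a.strip().lower() for a in received.split(";")[1:]]
            if "secure" not in attrs:
                # Without Secure, the browser also sends it over http://.
                non_secure.add(received.split("=")[0].strip())
    if saw_https and not leaked_cookies:
        verdict = "session protected"
    elif saw_https:
        verdict = "login only"
    else:
        verdict = "unencrypted"
    return {"verdict": verdict,
            "cleartext_pages": cleartext_pages,
            "leaked_cookies": sorted(leaked_cookies),
            "non_secure_cookies": sorted(non_secure)}
```

In the login-only visit the password is never exposed, but every page after login and the session cookie that identifies the logged-in user travel in the clear.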
Most mail programs provided by your ISP or hosting service do include web email. Try to access your web mail via the HTTPS address and see what happens.
Be careful when browsing at public Wi-Fi hot spots. Try to use the HTTPS protocol for web mail because it can protect your privacy and security. At this point, it looks like Google has the advantage over Yahoo in this department. Don’t forget to bookmark https://mail.google.com and https://mail.yahoo.com to ensure you always use the secure pages when possible.
Don’t make it easy for people to steal your personal information. Any security is better than no security. Straight out of the box, many wireless routers default to a non-secured state in order to make installation easier, so you should change this right away. Many information thieves will simply move on to your neighbor’s non-secured wireless network since it will be seen as an easier mark.
Yes, I did say that any security is better than none, but if you have the option to go with WPA security instead of WEP, please start using WPA. WEP security has been proven to be quite weak. Any tech-savvy person can sit in a car on your street and crack your WEP encryption in about 30 seconds using freely available tools downloaded from the Internet. WPA security has been proven to be much more secure and in most cases easier to implement. Many older routers do not support the new encryption scheme of WPA but do support WEP security. If this is your only option, then by all means use WEP, but seriously look into upgrading your wireless router to a newer model.
How many of you have never bothered to change the default password on your router? It seems like a very simple thing, but thousands of us never do it. There are plenty of websites that list the default passwords for many consumer-based wireless routers. If a few trial-and-error sessions are all it takes to break in to your network, it is worth taking a couple of seconds to do this quick fix.
If your wireless router were on the fritz, would you know it? Windows and Mac computers try to make connecting wirelessly as easy as possible and will automatically connect to the next available network. This could be your neighbor’s open access point, which, for one, is unlikely to make for friendly neighbors if they find out you’re using their network and, for two, is a little unethical (kind of like stealing cable). Check your settings and make sure you are only connecting to the wireless networks you intended to use.
Wireless routers allow you to broadcast your SSID. This is like the name of your wireless network. It acts as a beacon allowing others to more easily find your network. Newer routers by default do not broadcast your SSID in an attempt to be more secure. Not broadcasting the SSID will stop your neighbor from accidentally trying to connect to your network, but will not deter a determined hacker. Hackers have tools that will show them the SSID if at least one computer is using the wireless network. The real message in this one is to not think that hiding your SSID is enough.
Wireless networks are a great way to stay productive while being comfortable. I don’t want to discourage anyone from taking advantage of this great technology, but I do want all of you to be safe. What are your thoughts on the above mistakes?