New attack breaks Wi-Fi security in a minute

Cracked last year, WPA encryption--the standard Wi-Fi security--now crackable in under a minute

Always remember: infallible encryption doesn’t exist.

Wired Equivalent Privacy (WEP), first introduced in 1997, was the first most popular wireless network encryption until four years later, when analysts discovered several weaknesses in the now deprecated system.

In 2003, two years after the first WEP security breaches were uncovered, the Wi-Fi Alliance declared Wi-Fi Protected Access (WPA) the new standard for wireless security encryption. The first version of WPA utilized the Temporal Key Integrity Protocol (TKIP) and the powerful protocol could conveniently be implemented on older devices through a firmware upgrade.

Now, as its predecessor did less than a decade ago, it looks like even WPA encryption with TKIP is cracking at the seams.

After two researchers revealed last November a limited attack on WPA that can take up to fifteen minutes to implement, two Japanese computer scientists say they’ve developed a new attack method that cracks the protocol and breaks into private connections in under a minute. The methodology of the attack was first introduced in a paper at the 2009 Joint Workshop on Information Security in Taiwan at the beginning of August. The two researchers, Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University, are to discuss their findings at a conference in Hiroshima in late September.

According to the paper’s abstract, the scientists “propose a practical message falsification attack on any WPA implementation. […] The execution time of [their] attack becomes about one minute in the best case.”

Fortunately, the Wi-Fi Alliance, which owns the trademark to Wi-Fi, has required since 2006 that Wi-Fi-certified products support WPA 2, a much more powerful encryption system than WEP and even WPA with TKIP. Most enterprise Wi-Fi networks already have defenses against this new attack (and the older one from last year), but regular users are strongly encouraged to upgrade their WPA with TKIP or WEP security settings to WPA with AES, which is currently considered the best available wireless encryption system.