It was cracked long ago, but hacks for the discredited WEP wireless security protocol still keep coming.
The latest one to be uncovered is the work of AirTight Networks’ researchers Vivek Ramachandran and MD Sohail Ahmad, and was demonstrated at last weekend’s Toorcon9 conference.
Aided by flaws in the Windows Wi-Fi stack, the new attack involved coaxing an isolated Windows laptop into sending back ARP packets in response to a barrage of the same from the attacking machine, from which the WEP (wired equivalency protocol) key can be recovered.
Unlike past attacks, which involved sniffing the encryption key used by WEP using traffic to and from the access point (AP), the new attack involves only the laptop client, and can be done even if the laptop is nowhere near an AP.
The pair have dubbed it the ‘caffe latte’ hack because the time it might take to execute is about the same as would be needed to drink a cup of the expensive brew in an Internet café – they reckon six minutes - also the most likely location for such an attack.
"The myth has been that to crack WEP, the attacker needs to be in the RF vicinity of the authorised network with at least one functional AP up and running," said AirTight’s Ramachandran.
New ways of hacking an already insecure protocol might sound like a student exercise until you remember that WEP is by most measures still the most commonly-used wireless security system, one that is still in use by many retail point of sale networks for instance.
“The multitudes of organisations which have not yet upgraded from WEP to WPA or WPA2, especially those who need to comply with PCI regulations, now know this risk exists and that their WEP keys can be cracked even while one of their employees is taking a quick coffee break far from the RF signal of the office," he said.
The company recommends that road warriors use VPNs when connecting through public hotspots, and simply turn off or disable their wireless connection when not in use. The attack does at least need an open connection to work, so this would be a cheap defence against Caffe Latte.
The issue of securing WEP has become a speciality for AirTight, having last month started publicising an overlay system called WEPGuard that claims to detect and protect against such attacks. Meanwhile, in April of this year, German researchers gleefully hacked WEP in record time.