WPA Hack or not?

November 24th, 2008

Recently, there was a lot of commotion in the media about WPA being hacked. Steve Gibson did a great job dissecting this ‘hack’ and explaining exactly what it is about. The audio version of Security Now episode 170 with Leo Laporte is available in high quality and low quality, and transcripts are available in txt, html, and pdf.

This is a great example of how the media can blow things out of proportion. As security professionals, we have to remember that simulating a security event under laboratory conditions is far from a security danger in the real world.

Bottom line: only WPA(2)-TKIP is vulnerable, and TKIP was a temporary solution to the WEP vulnerability that has been replaced by WPA2-AES anyway. If someone still needs TKIP for legacy hardware support, simply disabling the quality of service (WMM) feature on the router will eliminate this vulnerability. And finally, even if exploited, this vulnerability could only enable an attacker to replay certain packets, an event that would most likely lead to denial of service.

For a long time, when asked for advice on using wireless networks, my answer has been: “If you don’t know how to set up and use WPA2-AES - DO NOT USE wireless at all.” Simple as that. This is a good time to check friends’ and neighbors’ wireless routers, upgrade the firmware, and make sure WPA2-AES is enabled.
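One way to run the check suggested above on an access point that is configured through a hostapd.conf file, as an added example that is not part of the original post. The key names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wmm_enabled`) are hostapd's; the use of hostapd, the default values noted in the comments, the function names and the sample configurations are assumptions made for illustration.

```python
def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Classify a config as 'no-wpa', 'ok', 'tkip-mitigated' or 'tkip-exposed'."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2 (RSN)
    if wpa == 0:
        return "no-wpa"
    # Assumed hostapd defaults: wpa_pairwise is TKIP when unset, and
    # rsn_pairwise falls back to the wpa_pairwise value.
    wpa_pw = conf.get("wpa_pairwise", "TKIP").upper().split()
    rsn_pw = conf.get("rsn_pairwise", " ".join(wpa_pw)).upper().split()
    ciphers = set()
    if wpa & 1:
        ciphers.update(wpa_pw)
    if wpa & 2:
        ciphers.update(rsn_pw)
    if "TKIP" not in ciphers:
        return "ok"
    # Conservative choice of this example: only an explicit wmm_enabled=0
    # counts as the WMM mitigation the post describes.
    return "tkip-mitigated" if conf.get("wmm_enabled") == "0" else "tkip-exposed"

# Constructed sample configurations (not taken from any real router).
MIXED_QOS = "ssid=legacy-net\nwpa=3\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP\nwmm_enabled=1\n"
TKIP_NO_WMM = "ssid=legacy-net\nwpa=1\nwpa_pairwise=TKIP\nwmm_enabled=0\n"
AES_ONLY = "# WPA2-AES only\nssid=home-net\nwpa=2\nrsn_pairwise=CCMP\nwmm_enabled=1\n"
WPA2_DEFAULTS = "ssid=home-net\nwpa=2\nwpa_passphrase=placeholder-passphrase\n"

if __name__ == "__main__":
    for name, sample in [("mixed+qos", MIXED_QOS), ("tkip,no wmm", TKIP_NO_WMM),
                         ("aes only", AES_ONLY), ("wpa2 defaults", WPA2_DEFAULTS)]:
        print(f"{name:14s} {audit(sample)}")
```

The last sample shows why the cipher should be set explicitly: under the assumed defaults, a WPA2 configuration that names no pairwise cipher still ends up offering TKIP.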
