SlideShare a Scribd company logo

WPA/WPA2 TKIP Exploit

AirTight Networks
AirTight Networks

WPA’s stature as a secure protocol was recently challenged for the first time. TKIP, an essential encryption component of WPA, which was heralded for years as the replacement for the broken WEP encryption, was shown to be vulnerable to a packet injection exploit.

TechnologyBusiness
1 of 7
Download to read offline
AIRTIGHT NETWORKS WHITEPAPER WPA/WPA2 TKIP Exploit: Tip of the Iceberg? A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com © 2009 AirTight Networks, Inc. All rights reserved.
AIRTIGHT NETWORKS WHITEPAPER WPA/WPA2 TKIP Exploit: Tip of the Iceberg? Both excitement and unease rolled through the wireless security community in November 2008 when news broke that researchers had cracked TKIP at the security convention in Japan [1, 2]. TKIP, an essential encryption component of WPA, which was heralded for years as the replacement for the broken WEP encryption to guard our wireless networks had been poked and sprung a leak for the first time. A Review of WPA WPA was introduced as a replacement for WEP around 2003. By 2003, WEP was completely broken which had a stifling effect on WLAN adoption. It was because of a timely effort on the part of the WiFi Alliance that WPA became available to replace WEP as a better security framework for WLANs. WPA is a security framework whose: (a) encryption component is called TKIP, and (b) authentication component can be either PSK (designed for home users) or RADIUS (designed for enterprise usage). An important property of WPA, besides better security, was that WEP devices could be software/firmware upgraded to WPA. That is, they did not require a hardware upgrade. Since its introduction in 2003, WPA has served the purpose it was designed for very well and no vulnerabilities/exploits were discovered targeting enterprise WPA over last 5 years. Many organizations today have migrated to WPA as their wireless security framework. WPA Compromised for the First Time And suddenly in November 2008, enterprise WPA was compromised for the first time with the discovery of the TKIP exploit. Below is the high level description of how this TKIP exploit works (see [1, 3, 4] for detailed technical description): 1) Victim: Victim of the TKIP exploit is any WLAN client connected to AP, which uses WPA for security and which also supports multiple QoS streams. The multiple QoS streams feature was introduced by IEEE 802.11e standard to facilitate supporting QoS sensitive voice over IP (VoIP) type of applications on WLAN. © 2009 AirTight Networks, Inc. All rights reserved. 2
AIRTIGHT NETWORKS WHITEPAPER 2) Attack Vector: The attacker first passively sniffs wireless packets transmitted by the AP to such client and subjects the sniffed packets to combination of tricks such as replays and guesses. 3) Attack: When these tricks are completed, the attacker is able to wirelessly inject a certain number of arbitrary packets into the client. Impact, Prognosis, and Remedies In its current form, the impact of TKIP exploit is limited and there are some immediate remedies available to ensure that a WLAN does not fall prey to this exploit. The impact is limited because, in its current form, there are several limitations on what attacker can do with this exploit (see update on some of these points at the end of the paper): I. First and foremost, it is not a key recovery exploit The TKIP Exploit II. It only works if client uses QoS feature of 802.11e/WMM III. It is slow. There has to be lead time of about 12 minutes before any packet injection can be done. Thereafter, 7-15 packets can be injected every 4 minutes IV. The injected packets have to be very small, say, less than 100 bytes V. Packet injection in AP is not possible. Nonetheless this exploit does provide hooks to build malware and attack sequences on top of WPA. Discussions have already begun in security forums on possibilities ARP poisoning, TCP manipulation, DNS manipulation etc. using this exploit. A concept attack sequence to inflict TCP indirection using this exploit to drill a hole in enterprise firewall is discussed in [4]. Moreover, discovery of exploits is an evolutionary process wherein one discovery leads to another. We have seen this happen in the case of WEP before, and history can repeat itself for WPA now that the first crack has developed. Given these possibilities, this development should not be ignored. It is important to be proactive in protecting your networks from this exploit. Fortunately, there are antidotes available: i) Turning off QoS feature: This remedy may only be practical for those enterprises which do not (intend to) support QoS sensitive applications such as VoIP over wireless. © 2009 AirTight Networks, Inc. All rights reserved. 3
AIRTIGHT NETWORKS WHITEPAPER ii) Reducing TKIP key rotation interval: As a rule of thumb, this exploit can be frustrated by reducing TKIP key rotation interval to something less than 12 minutes (many enterprises currently use key rotation interval of 12 hours). The administrators however will need to evaluate the impact of this on performance of their APs. iii) Wireless intrusion detection and prevention system (WIPS): Those enterprises which already have overlay WIPS installed and those which intend to install one in near future can seek protection from this exploit from their WIPS vendor. This exploit is detectable and preventable using overlay WIPS. For example, SpectraGuard Enterprise from AirTight Networks provides WPAGuardTM feature to protect for such WPA exploits. iv) Migrating to WPA2: This exploit can be avoided by migrating to WPA2. WPA2 uses AES encryption instead of TKIP, thus eliminating exposure to TKIP exploit. This remedy is only possible for those which have WPA2 capable hardware and who Single Layer Approach are prepared to undertake the upgrade project right away. Unlike WEP to WPA transition, which was possible without change to WEP hardware, WPA to WPA2 transition requires hardware change. Note: WPA2 allows TKIP as optional encryption component. So migrating to WPA2 while continuing to use TKIP as encryption will not protect users from this exploit. They will have to use AES encryption with WPA2. Also the exploit is on TKIP encryption, so changing authentication component (PEAP, EAP-TLS etc.) of the security framework will not provide protection from this exploit. Layered Approach to Wireless Security If you are wondering if migrating to WPA2 will solve the wireless security problem Multi-Layer Approach once and for all, unfortunately, the answer is a resounding NO. There is little doubt that WPA2 is a strong security framework which has: a) encryption component as AES (CCMP), and (b) authentication component either as PSK (designed for home users) or RADIUS (designed for enterprise usage). Nonetheless doors can be opened into WPA2 via misconfigurations, improper implementations and more importantly its combination with other protocols. In fact, recently an attack over WPA2 was demonstrated via misconfigured PEAP authentication component [5]. Today we are on the verge of embracing a new WLAN protocol, the much celebrated 802.11n. Much of WPA2 will run on 802.11n networks. The 802.11n is © 2009 AirTight Networks, Inc. All rights reserved. 4
AIRTIGHT NETWORKS WHITEPAPER not battle-hardened in the field and might well have loose ends during the initial years of deployment. The possibility of these loose ends opening doors into WPA2 cannot be ruled out. And finally, WPA2 is not even designed to address wireless threats from rogues, misassociations, honeypots, ad hoc connections, DOS attacks, MAC spoofing etc. So even if you deploy WPA2 in the network, the network still remains vulnerable to these threats. Hence, enterprises should deploy a second layer of security which can insulate them from both: a) Current and future cracking exploits, and b) other threats mentioned above. This second layer of security cover can be obtained by installing wireless intrusion prevention system (WIPS) in the network. WIPS can monitor your wireless environment for policy violations and suspicious activity which pose threat to wireless network. It can proactively alert on vulnerabilities in wireless networks which could be exploited by hackers. WIPS SpectraGuard Enterprise can also detect active threats. It can block wireless communication which in violation of enterprise wireless security policy and can also block active threats. It is also possible to physically locate source of vulnerability or threat using location tracking feature of WIPS. Additionally, WIPS can provide ongoing assessment and reporting on compliance of wireless networks to regulatory standards and best practices. Finally, as added benefit, WIPS can also facilitate monitoring of wireless network performance and troubleshooting of wireless network problems. SpectraGuard WIPS from AirTight Networks AirTight® offers wireless intrusion prevention (WIPS) in its SpectraGuard® product suite with both on site and on demand models providing a flexible, end-to-end solution that gives customers true visibility into their wireless security posture and SpectraGuard Online a choice in how they manage it. SpectraGuard automates every step of the wireless vulnerability management cycle so that you receive the network protection you need - from vulnerability assessment and compliance reporting to vulnerability remediation. You can have confidence in knowing that your information is protected over any wireless network and on any device. AirTight s the industry’s first WIPS vendor with a comprehensive portfolio that helps protect, plan and optimize 802.11n networks. If you would like more information about AirTight’s solutions please contact: sales@airtightnetworks.com or Tel: +1 (877) 424 7844. © 2009 AirTight Networks, Inc. All rights reserved. 5
AIRTIGHT NETWORKS WHITEPAPER Update to WPA/WPA2 TKIP Exploit A modification to the original TKIP attack is recently reported[7]. It proposes two modifications as follows: Victim 1. Requirement of multiple QoS streams traded for man-in-the-middle (MIM). The basic idea here is to introduce MIM between the victim client and the AP which selectively drops packets transmitted to the victim client to create holes in client’s Attacker sequence number counter. These holes are used by the attacker (collocated with MIM) to replay packets. This thus removes requirement of multiple QoS streams, which in the original exploit were needed for successful replays. The flip side is that a unique arrangement of devices is required in which the AP and the client cannot Access point hear each other, but the attacker can hear both of them. 2. Some reduction in packet “injection” time. First note that there is no decrease in lead time of about 12 minutes before any packet can be injected. Thereafter, only 1 falsified packet can be injected into client as there are no multiple QoS streams. In the success case (0.37 probability), it takes 1 minute to inject one falsified packet. Compare this to assured injection of 7-15 packets in 4 minutes in the original attack. The effective rate of packet injection is in fact more in the original attack. Now if we combine the time reduction techniques of the new attack with QoS streams so that 7-15 packets can be injected per success, taking into account 0.37 probability of success, it is about 1.5 times faster. A further enhancement could be to inject both good and bad guesses (not described by researchers in the paper) which can then allow assured injection of 7-15 packets every minute and make it 4 times faster. In summary, we do not think that the new discovery has much different impact compared to the original exploit. It proves existence case for the exploit in the absence of multiple QoS streams, but with stringent MIM requirement. It does not reduce 12 min lead time of the attack, but thereafter may increase the rate of packet injection somewhat. © 2009 AirTight Networks, Inc. All rights reserved. 6
AIRTIGHT NETWORKS WHITEPAPER References ABOUT AIRTIGHT NETWORKS [1] “Practical attacks against WEP and WPA”, by Martin Beck and Erik Tews, http://dl.aircrack-ng.org/breakingwepandwpa.pdf. AirTight Networks is the global leader in wireless security and compliance solutions providing [2] “Battered, but not broken: understanding the WPA crack”, by Glenn customers best-of-breed Fleishman, http://arstechnica.com/articles/paedia/wpa-cracked.ars, technology to automatically November 06, 2008. detect, classify, locate and block all current and emerging wireless threats. AirTight offers [3] Tkiptun-ng documentation: http://www.aircrack-ng.org/doku. both the industry’s leading php?id=tkiptun-ng. wireless intrusion prevention system (WIPS) and the world’s first wireless vulnerability [4] SANS presentation by Joshua Wright: https://www.sans.org/webcasts/ management (WVM) security- show.php?webcastid=92188. as-a-service (SaaS). AirTight’s award-winning solutions are [5] “PEAP: Pwned Extensible Authentication Protocol”, by Joshua Wright and used by customers globally in the financial, government, retail, Brad Antoniewicz, ShmooCon 2008. manufacturing, transportation, education, healthcare, telecom, [6] “Is the latest vulnerability just the tip (or TKIP) of the iceberg?” Webinar and technology industries. by Pravin Bhagwat and Hemant Chaskar, PhD, AirTight Networks, http:// AirTight owns the seminal patents for wireless intrusion prevention www.airtightnetworks.com/home/news/events-and-webinars/webinar-tkip- technology with 12 U.S. patents vulnerability.html. and two international patents granted (UK and Australia), and [7] “A Practical Message Falsification Attack on WPA”, by T. Ohigashi and more than 20 additional patents pending. AirTight Networks is a K. Mori, http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20 privately held company based Message%20Falsification%20Attack%20on%20WPA.pdf, September 2009. in Mountain View, CA. For more information please visit www.airtightnetworks.com The Global Leader in Wireless Security Solutions AirTight Networks, Inc. 339 N. Bernardo Avenue #200, Mountain View, CA 94043 T +1.877.424.7844 T 650.961.1111 F 650.961.1169 www.airtightnetworks.com info@airtightnetworks.com © 2009 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.

Recommended

курсова работа по васил стоилов 12004
курсова работа по васил стоилов 12004курсова работа по васил стоилов 12004
курсова работа по васил стоилов 12004VasilStoilov
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
 
BGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA Cyber Security
 
Enkripsi
EnkripsiEnkripsi
Enkripsiahyarsigit
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Ports, pods and proxies
Ports, pods and proxiesPorts, pods and proxies
Ports, pods and proxiesLibbySchulze
 
Kesif ve Zafiyet Tarama
Kesif ve Zafiyet TaramaKesif ve Zafiyet Tarama
Kesif ve Zafiyet TaramaFerhat Ozgur Catak
 

Recommended

курсова работа по васил стоилов 12004
курсова работа по васил стоилов 12004курсова работа по васил стоилов 12004
курсова работа по васил стоилов 12004VasilStoilov
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
 
BGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA CTF 2012 Ethical Hacking Yarışması Çözümleri
BGA CTF 2012 Ethical Hacking Yarışması ÇözümleriBGA Cyber Security
 
Enkripsi
EnkripsiEnkripsi
Enkripsiahyarsigit
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Ports, pods and proxies
Ports, pods and proxiesPorts, pods and proxies
Ports, pods and proxiesLibbySchulze
 
Kesif ve Zafiyet Tarama
Kesif ve Zafiyet TaramaKesif ve Zafiyet Tarama
Kesif ve Zafiyet TaramaFerhat Ozgur Catak
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 
VMware cloud on AWS
VMware cloud on AWSVMware cloud on AWS
VMware cloud on AWSAmazon Web Services
 
Cryptography
CryptographyCryptography
CryptographyKalyani Government Engineering College
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scannern|u - The Open Security Community
 
Сравненителна характеристика на криптографски алгоритми
Сравненителна характеристика на криптографски алгоритмиСравненителна характеристика на криптографски алгоритми
Сравненителна характеристика на криптографски алгоритмиВаня Иванова
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentationRam Bharosh Raut
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıAhmet Gürel
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithmArpana shree
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
Kvm and libvirt
Kvm and libvirtKvm and libvirt
Kvm and libvirtplarsen67
 
KRACK attack
KRACK attackKRACK attack
KRACK attackVadimDavydov3
 
Cryptography ppt
Cryptography pptCryptography ppt
Cryptography pptAnubhav Sokhal
 
Adli Bilişim ve Adli Bilişim Araçları
Adli Bilişim ve Adli Bilişim AraçlarıAdli Bilişim ve Adli Bilişim Araçları
Adli Bilişim ve Adli Bilişim AraçlarıAhmet Gürel
 
Key management
Key managementKey management
Key managementBrandon Byungyong Jo
 
Firewall basics
Firewall basicsFirewall basics
Firewall basicsFredrick Hall
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configurationNutan Kumar Panda
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat ManagementLokesh Sharma
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)Forescout Technologies Inc
 
Describe the primary differences between WEP, WPA, and WPA2 protocol.pdf
Describe the primary differences between WEP, WPA, and WPA2 protocol.pdfDescribe the primary differences between WEP, WPA, and WPA2 protocol.pdf
Describe the primary differences between WEP, WPA, and WPA2 protocol.pdfrajkumarm401
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedIRJET Journal
 

More Related Content

What's hot

Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 
Сравненителна характеристика на криптографски алгоритми
Сравненителна характеристика на криптографски алгоритмиСравненителна характеристика на криптографски алгоритми
Сравненителна характеристика на криптографски алгоритмиВаня Иванова
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıAhmet Gürel
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Kvm and libvirt
Kvm and libvirtKvm and libvirt
Kvm and libvirtplarsen67
 
Adli Bilişim ve Adli Bilişim Araçları
Adli Bilişim ve Adli Bilişim AraçlarıAdli Bilişim ve Adli Bilişim Araçları
Adli Bilişim ve Adli Bilişim AraçlarıAhmet Gürel
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat ManagementLokesh Sharma
 

What's hot (20)

Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 
VMware cloud on AWS
VMware cloud on AWSVMware cloud on AWS
VMware cloud on AWS
 
Cryptography
CryptographyCryptography
Cryptography
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Сравненителна характеристика на криптографски алгоритми
Сравненителна характеристика на криптографски алгоритмиСравненителна характеристика на криптографски алгоритми
Сравненителна характеристика на криптографски алгоритми
 
Vpn presentation
Vpn presentationVpn presentation
Vpn presentation
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim Dökümanı
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Kvm and libvirt
Kvm and libvirtKvm and libvirt
Kvm and libvirt
 
KRACK attack
KRACK attackKRACK attack
KRACK attack
 
Cryptography ppt
Cryptography pptCryptography ppt
Cryptography ppt
 
Adli Bilişim ve Adli Bilişim Araçları
Adli Bilişim ve Adli Bilişim AraçlarıAdli Bilişim ve Adli Bilişim Araçları
Adli Bilişim ve Adli Bilişim Araçları
 
Key management
Key managementKey management
Key management
 
Firewall basics
Firewall basicsFirewall basics
Firewall basics
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configuration
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat Management
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)
 

Similar to WPA/WPA2 TKIP Exploit

Describe the primary differences between WEP, WPA, and WPA2 protocol.pdf
Describe the primary differences between WEP, WPA, and WPA2 protocol.pdfDescribe the primary differences between WEP, WPA, and WPA2 protocol.pdf
Describe the primary differences between WEP, WPA, and WPA2 protocol.pdfrajkumarm401
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedIRJET Journal
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Dr. Amarjeet Singh
 
Talk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bTalk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bSylvain Martinez
 
Wifi cracking Step by Step Using CMD and Kali Linux 2018
Wifi cracking Step by Step Using CMD and Kali Linux 2018Wifi cracking Step by Step Using CMD and Kali Linux 2018
Wifi cracking Step by Step Using CMD and Kali Linux 2018Mohammad Fareed
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11bguestd7b627
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSreekanth GS
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssueIshan Girdhar
 
chapter 7 -wireless network security.ppt
chapter 7 -wireless network security.pptchapter 7 -wireless network security.ppt
chapter 7 -wireless network security.pptabenimelos
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Ajin Abraham
 
Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view IPv6 Conference
 
Wi fi protected access
Wi fi protected accessWi fi protected access
Wi fi protected accessLopamudra Das
 
Wireless Security
Wireless SecurityWireless Security
Wireless SecuritysiDz
 
Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Fábio Afonso
 

Similar to WPA/WPA2 TKIP Exploit (20)

Describe the primary differences between WEP, WPA, and WPA2 protocol.pdf
Describe the primary differences between WEP, WPA, and WPA2 protocol.pdfDescribe the primary differences between WEP, WPA, and WPA2 protocol.pdf
Describe the primary differences between WEP, WPA, and WPA2 protocol.pdf
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
 
609 618
609 618609 618
609 618
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
Pdf3
Pdf3Pdf3
Pdf3
 
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
 
Talk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bTalk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2b
 
Wifi cracking Step by Step Using CMD and Kali Linux 2018
Wifi cracking Step by Step Using CMD and Kali Linux 2018Wifi cracking Step by Step Using CMD and Kali Linux 2018
Wifi cracking Step by Step Using CMD and Kali Linux 2018
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
 
Pentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 IssuePentesting Your Own Wireless Networks, June 2011 Issue
Pentesting Your Own Wireless Networks, June 2011 Issue
 
chapter 7 -wireless network security.ppt
chapter 7 -wireless network security.pptchapter 7 -wireless network security.ppt
chapter 7 -wireless network security.ppt
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
 
WPA 3
WPA 3WPA 3
WPA 3
 
Network security
Network securityNetwork security
Network security
 
Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view
 
Wi fi protected access
Wi fi protected accessWi fi protected access
Wi fi protected access
 
Wireless Security
Wireless SecurityWireless Security
Wireless Security
 
Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2
 

More from AirTight Networks

Is 11ac Right for Your Network?
Is 11ac Right for Your Network?Is 11ac Right for Your Network?
Is 11ac Right for Your Network?AirTight Networks
 
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014AirTight Networks
 
Wi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfWi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfAirTight Networks
 
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight Networks
 
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration AirTight Networks
 
AirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks
 
AirTight social wifi solution brief
AirTight social wifi solution briefAirTight social wifi solution brief
AirTight social wifi solution briefAirTight Networks
 
Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013AirTight Networks
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...AirTight Networks
 
Survey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecuritySurvey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecurityAirTight Networks
 
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Networks
 
Non WiFi interference combat guide 1
Non WiFi interference combat guide 1Non WiFi interference combat guide 1
Non WiFi interference combat guide 1AirTight Networks
 
WPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsWPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsAirTight Networks
 
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesWPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesAirTight Networks
 
Conquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseConquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseAirTight Networks
 
Windows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseWindows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseAirTight Networks
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsAirTight Networks
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresAirTight Networks
 

More from AirTight Networks (20)

Is 11ac Right for Your Network?
Is 11ac Right for Your Network?Is 11ac Right for Your Network?
Is 11ac Right for Your Network?
 
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
Air tight 11ac webinar series session 2 - 11ac feature deep dive - june 2014
 
Wi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise ThyselfWi-Fi Offload Summit - Monetise Thyself
Wi-Fi Offload Summit - Monetise Thyself
 
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
AirTight 11ac Webinar Series, Aession 1 - Intro to 802.11ac - June 10 2014
 
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
Restaurant Wi-Fi Primer: Retail Analytics and Social Integration
 
AirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSPAirTight Networks Evolution - Cloud & MSP
AirTight Networks Evolution - Cloud & MSP
 
AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6AirTight Networks WIPS at Wireless Field Day 6 WFD6
AirTight Networks WIPS at Wireless Field Day 6 WFD6
 
AirTight social wifi solution brief
AirTight social wifi solution briefAirTight social wifi solution brief
AirTight social wifi solution brief
 
Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013Considerations for a secure enterprise wlan data connectors 2013
Considerations for a secure enterprise wlan data connectors 2013
 
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
Drive Revenue, Protect Data, & Automate PCI Compliance by Dwight Agriel | @Ai...
 
Survey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise SecuritySurvey on the Impact of BYOD on Enterprise Security
Survey on the Impact of BYOD on Enterprise Security
 
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
AirTight Secure Wi-Fi™ Cloud-based Secure Wi-Fi Access with PCI Wireless Scan...
 
Non WiFi interference combat guide 1
Non WiFi interference combat guide 1Non WiFi interference combat guide 1
Non WiFi interference combat guide 1
 
WPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQsWPA2 Hole196 Vulnerability FAQs
WPA2 Hole196 Vulnerability FAQs
 
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation StrategiesWPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
WPA2 Hole196 Vulnerability: Exploits and Remediation Strategies
 
Conquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the EnterpriseConquering the Minefield of Soft Rogue APs in the Enterprise
Conquering the Minefield of Soft Rogue APs in the Enterprise
 
Windows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the EnterpriseWindows 7 - A New Wireless Risk to the Enterprise
Windows 7 - A New Wireless Risk to the Enterprise
 
802.11w Tutorial
802.11w Tutorial802.11w Tutorial
802.11w Tutorial
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutions
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
 

Recently uploaded

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 

Recently uploaded (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

WPA/WPA2 TKIP Exploit

  • 1. AIRTIGHT NETWORKS WHITEPAPER WPA/WPA2 TKIP Exploit: Tip of the Iceberg? A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com © 2009 AirTight Networks, Inc. All rights reserved.
  • 2. AIRTIGHT NETWORKS WHITEPAPER WPA/WPA2 TKIP Exploit: Tip of the Iceberg? Both excitement and unease rolled through the wireless security community in November 2008 when news broke that researchers had cracked TKIP at the security convention in Japan [1, 2]. TKIP, an essential encryption component of WPA, which was heralded for years as the replacement for the broken WEP encryption to guard our wireless networks had been poked and sprung a leak for the first time. A Review of WPA WPA was introduced as a replacement for WEP around 2003. By 2003, WEP was completely broken which had a stifling effect on WLAN adoption. It was because of a timely effort on the part of the WiFi Alliance that WPA became available to replace WEP as a better security framework for WLANs. WPA is a security framework whose: (a) encryption component is called TKIP, and (b) authentication component can be either PSK (designed for home users) or RADIUS (designed for enterprise usage). An important property of WPA, besides better security, was that WEP devices could be software/firmware upgraded to WPA. That is, they did not require a hardware upgrade. Since its introduction in 2003, WPA has served the purpose it was designed for very well and no vulnerabilities/exploits were discovered targeting enterprise WPA over last 5 years. Many organizations today have migrated to WPA as their wireless security framework. WPA Compromised for the First Time And suddenly in November 2008, enterprise WPA was compromised for the first time with the discovery of the TKIP exploit. Below is the high level description of how this TKIP exploit works (see [1, 3, 4] for detailed technical description): 1) Victim: Victim of the TKIP exploit is any WLAN client connected to AP, which uses WPA for security and which also supports multiple QoS streams. The multiple QoS streams feature was introduced by IEEE 802.11e standard to facilitate supporting QoS sensitive voice over IP (VoIP) type of applications on WLAN. © 2009 AirTight Networks, Inc. All rights reserved. 2
  • 3. AIRTIGHT NETWORKS WHITEPAPER 2) Attack Vector: The attacker first passively sniffs wireless packets transmitted by the AP to such client and subjects the sniffed packets to combination of tricks such as replays and guesses. 3) Attack: When these tricks are completed, the attacker is able to wirelessly inject a certain number of arbitrary packets into the client. Impact, Prognosis, and Remedies In its current form, the impact of TKIP exploit is limited and there are some immediate remedies available to ensure that a WLAN does not fall prey to this exploit. The impact is limited because, in its current form, there are several limitations on what attacker can do with this exploit (see update on some of these points at the end of the paper): I. First and foremost, it is not a key recovery exploit The TKIP Exploit II. It only works if client uses QoS feature of 802.11e/WMM III. It is slow. There has to be lead time of about 12 minutes before any packet injection can be done. Thereafter, 7-15 packets can be injected every 4 minutes IV. The injected packets have to be very small, say, less than 100 bytes V. Packet injection in AP is not possible. Nonetheless this exploit does provide hooks to build malware and attack sequences on top of WPA. Discussions have already begun in security forums on possibilities ARP poisoning, TCP manipulation, DNS manipulation etc. using this exploit. A concept attack sequence to inflict TCP indirection using this exploit to drill a hole in enterprise firewall is discussed in [4]. Moreover, discovery of exploits is an evolutionary process wherein one discovery leads to another. We have seen this happen in the case of WEP before, and history can repeat itself for WPA now that the first crack has developed. Given these possibilities, this development should not be ignored. It is important to be proactive in protecting your networks from this exploit. Fortunately, there are antidotes available: i) Turning off QoS feature: This remedy may only be practical for those enterprises which do not (intend to) support QoS sensitive applications such as VoIP over wireless. © 2009 AirTight Networks, Inc. All rights reserved. 3
  • 4. AIRTIGHT NETWORKS WHITEPAPER ii) Reducing TKIP key rotation interval: As a rule of thumb, this exploit can be frustrated by reducing TKIP key rotation interval to something less than 12 minutes (many enterprises currently use key rotation interval of 12 hours). The administrators however will need to evaluate the impact of this on performance of their APs. iii) Wireless intrusion detection and prevention system (WIPS): Those enterprises which already have overlay WIPS installed and those which intend to install one in near future can seek protection from this exploit from their WIPS vendor. This exploit is detectable and preventable using overlay WIPS. For example, SpectraGuard Enterprise from AirTight Networks provides WPAGuardTM feature to protect for such WPA exploits. iv) Migrating to WPA2: This exploit can be avoided by migrating to WPA2. WPA2 uses AES encryption instead of TKIP, thus eliminating exposure to TKIP exploit. This remedy is only possible for those which have WPA2 capable hardware and who Single Layer Approach are prepared to undertake the upgrade project right away. Unlike WEP to WPA transition, which was possible without change to WEP hardware, WPA to WPA2 transition requires hardware change. Note: WPA2 allows TKIP as optional encryption component. So migrating to WPA2 while continuing to use TKIP as encryption will not protect users from this exploit. They will have to use AES encryption with WPA2. Also the exploit is on TKIP encryption, so changing authentication component (PEAP, EAP-TLS etc.) of the security framework will not provide protection from this exploit. Layered Approach to Wireless Security If you are wondering if migrating to WPA2 will solve the wireless security problem Multi-Layer Approach once and for all, unfortunately, the answer is a resounding NO. There is little doubt that WPA2 is a strong security framework which has: a) encryption component as AES (CCMP), and (b) authentication component either as PSK (designed for home users) or RADIUS (designed for enterprise usage). Nonetheless doors can be opened into WPA2 via misconfigurations, improper implementations and more importantly its combination with other protocols. In fact, recently an attack over WPA2 was demonstrated via misconfigured PEAP authentication component [5]. Today we are on the verge of embracing a new WLAN protocol, the much celebrated 802.11n. Much of WPA2 will run on 802.11n networks. The 802.11n is © 2009 AirTight Networks, Inc. All rights reserved. 4
  • 5. AIRTIGHT NETWORKS WHITEPAPER not battle-hardened in the field and might well have loose ends during the initial years of deployment. The possibility of these loose ends opening doors into WPA2 cannot be ruled out. And finally, WPA2 is not even designed to address wireless threats from rogues, misassociations, honeypots, ad hoc connections, DOS attacks, MAC spoofing etc. So even if you deploy WPA2 in the network, the network still remains vulnerable to these threats. Hence, enterprises should deploy a second layer of security which can insulate them from both: a) Current and future cracking exploits, and b) other threats mentioned above. This second layer of security cover can be obtained by installing wireless intrusion prevention system (WIPS) in the network. WIPS can monitor your wireless environment for policy violations and suspicious activity which pose threat to wireless network. It can proactively alert on vulnerabilities in wireless networks which could be exploited by hackers. WIPS SpectraGuard Enterprise can also detect active threats. It can block wireless communication which in violation of enterprise wireless security policy and can also block active threats. It is also possible to physically locate source of vulnerability or threat using location tracking feature of WIPS. Additionally, WIPS can provide ongoing assessment and reporting on compliance of wireless networks to regulatory standards and best practices. Finally, as added benefit, WIPS can also facilitate monitoring of wireless network performance and troubleshooting of wireless network problems. SpectraGuard WIPS from AirTight Networks AirTight® offers wireless intrusion prevention (WIPS) in its SpectraGuard® product suite with both on site and on demand models providing a flexible, end-to-end solution that gives customers true visibility into their wireless security posture and SpectraGuard Online a choice in how they manage it. SpectraGuard automates every step of the wireless vulnerability management cycle so that you receive the network protection you need - from vulnerability assessment and compliance reporting to vulnerability remediation. You can have confidence in knowing that your information is protected over any wireless network and on any device. AirTight s the industry’s first WIPS vendor with a comprehensive portfolio that helps protect, plan and optimize 802.11n networks. If you would like more information about AirTight’s solutions please contact: sales@airtightnetworks.com or Tel: +1 (877) 424 7844. © 2009 AirTight Networks, Inc. All rights reserved. 5
  • 6. AIRTIGHT NETWORKS WHITEPAPER Update to WPA/WPA2 TKIP Exploit A modification to the original TKIP attack is recently reported[7]. It proposes two modifications as follows: Victim 1. Requirement of multiple QoS streams traded for man-in-the-middle (MIM). The basic idea here is to introduce MIM between the victim client and the AP which selectively drops packets transmitted to the victim client to create holes in client’s Attacker sequence number counter. These holes are used by the attacker (collocated with MIM) to replay packets. This thus removes requirement of multiple QoS streams, which in the original exploit were needed for successful replays. The flip side is that a unique arrangement of devices is required in which the AP and the client cannot Access point hear each other, but the attacker can hear both of them. 2. Some reduction in packet “injection” time. First note that there is no decrease in lead time of about 12 minutes before any packet can be injected. Thereafter, only 1 falsified packet can be injected into client as there are no multiple QoS streams. In the success case (0.37 probability), it takes 1 minute to inject one falsified packet. Compare this to assured injection of 7-15 packets in 4 minutes in the original attack. The effective rate of packet injection is in fact more in the original attack. Now if we combine the time reduction techniques of the new attack with QoS streams so that 7-15 packets can be injected per success, taking into account 0.37 probability of success, it is about 1.5 times faster. A further enhancement could be to inject both good and bad guesses (not described by researchers in the paper) which can then allow assured injection of 7-15 packets every minute and make it 4 times faster. In summary, we do not think that the new discovery has much different impact compared to the original exploit. It proves existence case for the exploit in the absence of multiple QoS streams, but with stringent MIM requirement. It does not reduce 12 min lead time of the attack, but thereafter may increase the rate of packet injection somewhat. © 2009 AirTight Networks, Inc. All rights reserved. 6
  • 7. AIRTIGHT NETWORKS WHITEPAPER References ABOUT AIRTIGHT NETWORKS [1] “Practical attacks against WEP and WPA”, by Martin Beck and Erik Tews, http://dl.aircrack-ng.org/breakingwepandwpa.pdf. AirTight Networks is the global leader in wireless security and compliance solutions providing [2] “Battered, but not broken: understanding the WPA crack”, by Glenn customers best-of-breed Fleishman, http://arstechnica.com/articles/paedia/wpa-cracked.ars, technology to automatically November 06, 2008. detect, classify, locate and block all current and emerging wireless threats. AirTight offers [3] Tkiptun-ng documentation: http://www.aircrack-ng.org/doku. both the industry’s leading php?id=tkiptun-ng. wireless intrusion prevention system (WIPS) and the world’s first wireless vulnerability [4] SANS presentation by Joshua Wright: https://www.sans.org/webcasts/ management (WVM) security- show.php?webcastid=92188. as-a-service (SaaS). AirTight’s award-winning solutions are [5] “PEAP: Pwned Extensible Authentication Protocol”, by Joshua Wright and used by customers globally in the financial, government, retail, Brad Antoniewicz, ShmooCon 2008. manufacturing, transportation, education, healthcare, telecom, [6] “Is the latest vulnerability just the tip (or TKIP) of the iceberg?” Webinar and technology industries. by Pravin Bhagwat and Hemant Chaskar, PhD, AirTight Networks, http:// AirTight owns the seminal patents for wireless intrusion prevention www.airtightnetworks.com/home/news/events-and-webinars/webinar-tkip- technology with 12 U.S. patents vulnerability.html. and two international patents granted (UK and Australia), and [7] “A Practical Message Falsification Attack on WPA”, by T. Ohigashi and more than 20 additional patents pending. AirTight Networks is a K. Mori, http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20 privately held company based Message%20Falsification%20Attack%20on%20WPA.pdf, September 2009. in Mountain View, CA. For more information please visit www.airtightnetworks.com The Global Leader in Wireless Security Solutions AirTight Networks, Inc. 339 N. Bernardo Avenue #200, Mountain View, CA 94043 T +1.877.424.7844 T 650.961.1111 F 650.961.1169 www.airtightnetworks.com info@airtightnetworks.com © 2009 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.