CERT-In Advisory
CIAD-2008-0062
Vulnerability in Wi-Fi Protected Access WPA Protocol
Original Issue Date: November 25, 2008
Severity Rating: High
Systems Affected
- Devices configured to use TKIP (Temporal Key Integrity Protocol) as the encryption mechanism are affected.
Overview
A weakness has been discovered in the Wi-Fi Protected Access (WPA) protocol that allows an attacker to decrypt one packet at a time, currently at a rate of one packet per 12-15 minutes, and potentially to access a targeted network.
Description
WPA is a subset of the IEEE 802.11i standard. It addresses Wi-Fi security with a strong new encryption algorithm as well as user authentication, a feature that was not available in WEP (Wired Equivalency Protocol). WPA may use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES) for encryption and employs 802.1X authentication. Wireless Internet service providers (WISPs) may find that WPA's enhanced encryption and authentication schemes are attractive in public hot spots, as they provide a high level of security for service providers and mobile users who are not utilizing VPN connections.
The weakness has been discovered in the Temporal Key Integrity Protocol (TKIP) component of Wi-Fi Protected Access (WPA). An attacker can decrypt short packets by exploiting the weakness in the checksum and failure reporting mechanisms of TKIP. The information gathered from the decrypted packets is used to launch replay or spoofing attacks, for example using ARP messages. Packets can only be decrypted when sent from the wireless access point (AP) to the client (unidirectional).
Workaround
- It is advised to use WPA2 with the AES-CCMP cipher suite, because AES is a more robust standard for encryption.
- When WPA2 with AES is not available, users are advised to rotate the pairwise key more frequently.
- Administrators may consider disabling Wi-Fi Multimedia (WMM) QoS on the network if it is not required for an application. Depending on the applications that are in use, performance may be degraded to unacceptable levels by implementing this workaround.
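As an added illustration of the three workarounds above (not part of the CERT-In advisory), the following Python script audits a hostapd-style access point configuration for TKIP use, pairwise key rekeying and WMM. The option names follow hostapd.conf, which the advisory does not mention; the 600-second rekey threshold and the sample configuration are assumptions constructed for this example.

```python
# Added example: audits a hostapd-style config against this advisory's workarounds.
# Assumption: hostapd.conf option names; the advisory itself names no product config.

MAX_REKEY_S = 600  # assumed threshold, below the 12-15 min per packet cited above

# Constructed sample input, not taken from a real device.
SAMPLE_CONF = """\
# constructed example
ssid=office
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wmm_enabled=1
"""

def parse_conf(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings mapped to the advisory's three workarounds."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        return findings  # WPA/WPA2 not enabled; this advisory does not apply
    wpa_ciphers = conf.get("wpa_pairwise", "TKIP").split()  # hostapd default: TKIP
    rsn_ciphers = conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
    tkip = False
    if wpa & 1:  # bit 0: original WPA
        findings.append("WPA (v1) enabled; prefer WPA2 only (wpa=2)")
        tkip = tkip or "TKIP" in wpa_ciphers
    if wpa & 2:  # bit 1: WPA2/RSN
        tkip = tkip or "TKIP" in rsn_ciphers
    if tkip:
        findings.append("TKIP offered as pairwise cipher; use CCMP only")
        rekey = int(conf.get("wpa_ptk_rekey", "0"))  # 0 = no PTK rekeying
        if rekey == 0 or rekey > MAX_REKEY_S:
            findings.append("pairwise key rekey interval too long or disabled")
        if conf.get("wmm_enabled") == "1":
            findings.append("WMM QoS enabled while TKIP is in use")
    return findings
```

Calling `audit(SAMPLE_CONF)` reports all four findings for the mixed-mode sample, while a configuration with `wpa=2` and `rsn_pairwise=CCMP` returns an empty list.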
Vendor Information
CISCO
http://www.cisco.com/warp/public/707/cisco-sr-20081121-wpa.shtml
References
CISCO
http://www.cisco.com/warp/public/707/cisco-sr-20081121-wpa.shtml
http://tools.cisco.com/security/center/viewAlert.x?alertId=17092
SANS
http://isc.sans.org/diary.html?storyid=5300
ZDNET
http://blogs.zdnet.com/security/?p=2133
SecurityFocus
http://www.securityfocus.com/bid/32164
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India