WVE ID: WVE-2008-0013
Type: Vulnerability
Status: Candidate
Classification:
Cryptographic
Hijacking
Information Disclosure
Infrastructure
Design Flaw
Description:
TKIP is vulnerable to replay (via WMM/QoS) and plaintext discovery (via ChopChop). This affects all WPA-TKIP usage.
Discussion:
By replaying a captured TKIP data frame on other QoS queues, an attacker can manipulate the RC4-encrypted data and its checksum to derive the plaintext at a rate of one byte per minute.
By targeting an ARP frame and guessing its largely predictable payload, an attacker can recover the complete plaintext and the MIC checksum.
With the recovered MIC checksum, an attacker can derive the AP-to-station MIC key and sign further frames with a valid MIC, opening the door to more advanced attacks.
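The replay step above works because 802.11e receivers keep a separate TKIP replay counter per QoS queue (TID), so a frame re-injected on a queue whose counter is still low passes the receiver's check. A monitor that tracks the highest TKIP sequence counter (TSC) seen from each transmitter across all TIDs can flag such cross-queue replays. The following detector is an added example, not code from the WVE entry or from the cited papers; the frame representation, the field names and the sample frame stream are constructed for illustration, and a real deployment would read the TSC from the TKIP IV/extended IV of captured frames.

```python
"""Cross-queue TKIP replay detector (added example; frames below are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TkipFrame:
    transmitter: str  # MAC address of the sending AP or station (constructed values)
    tid: int          # QoS traffic identifier 0-7; 0 for non-QoS data frames
    tsc: int          # 48-bit TKIP Sequence Counter taken from the frame's IV/extended IV


class ReplayMonitor:
    """Track the highest TSC observed per transmitter, independent of TID.

    A legitimate TKIP transmitter draws every frame's TSC from one monotonically
    increasing counter no matter which QoS queue the frame goes out on. A frame
    whose TSC is not above the highest TSC already seen from that transmitter is
    therefore a replay, even when the receiving station's per-TID replay counter
    (the only check a standard 802.11e receiver performs) has not reached it yet.
    """

    def __init__(self):
        self._max_tsc = {}   # transmitter -> highest TSC accepted so far
        self._first_tid = {}  # transmitter -> {tsc: TID on which it was first seen}
        self.alerts = []      # (transmitter, tsc, original_tid, replay_tid, kind)

    def observe(self, frame):
        """Return True if the frame is fresh, False (and record an alert) if replayed."""
        highest = self._max_tsc.get(frame.transmitter, -1)
        seen = self._first_tid.setdefault(frame.transmitter, {})
        if frame.tsc <= highest:
            original_tid = seen.get(frame.tsc)
            # The same TSC reappearing on a different TID is the WMM/QoS replay
            # pattern; reappearing on the same TID is an ordinary replay.
            kind = ("cross-queue replay"
                    if original_tid is not None and original_tid != frame.tid
                    else "replay")
            self.alerts.append((frame.transmitter, frame.tsc, original_tid, frame.tid, kind))
            return False
        self._max_tsc[frame.transmitter] = frame.tsc
        seen[frame.tsc] = frame.tid
        return True


def run_demo():
    """Feed a constructed frame stream through the monitor and return its alerts."""
    ap = "02:00:00:00:00:01"  # constructed locally administered MAC
    stream = [
        TkipFrame(ap, 0, 100),  # legitimate best-effort frame
        TkipFrame(ap, 0, 101),  # legitimate
        TkipFrame(ap, 6, 102),  # legitimate voice-queue frame
        TkipFrame(ap, 3, 101),  # TSC 101 re-injected on TID 3: cross-queue replay
        TkipFrame(ap, 6, 102),  # TSC 102 repeated on its own TID: plain replay
        TkipFrame(ap, 0, 103),  # legitimate
    ]
    monitor = ReplayMonitor()
    for frame in stream:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for transmitter, tsc, original_tid, replay_tid, kind in run_demo():
        print(f"{kind}: {transmitter} TSC {tsc} first seen on TID {original_tid}, "
              f"replayed on TID {replay_tid}")
```

The monitor keeps the per-transmitter TSC history unbounded, which is fine for a demonstration; a production sensor would prune it per rekey or cap it by window. Because the attack's replay is the first visible step, alerting on it gives a detection opportunity well before the plaintext and MIC key are recovered.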
Credits
Author: Erik Tews (e_tews@cdc.informatik.tu-darmstadt.de), TU-Darmstadt
Author: Martin Beck (hirte@aircrack-ng.org), TU-Dresden
References
URL: https://www.sans.org/webcasts/show.php?webcastid=92188
URL: http://dl.aircrack-ng.org/breakingwepandwpa.pdf
URL: http://arstechnica.com/articles/paedia/wpa-cracked.ars/1
Released: 2008-11-18
Submitter: Mike Kershaw (dragorn@kismetwireless.net), Aruba Networks
Submitted: Tue Nov 18 08:46:56 -0800 2008
Candidate Date: Tue Nov 18 08:50:50 -0800 2008