WPA-PSK Security Myths

Although not strictly related to WPA-PSK cracking, there are two security myths I've seen pop up here at SmallNetBuilder and around the web that I'd like to say a few words about.

Myth 1: Disabling the SSID Broadcast Secures your WLAN

"Cloaking" your SSID might sound good on the surface. But programs like Kismet that are capable of monitoring wireless network traffic are also able to "decloak" access points by listening to traffic between the clients and the access point.

For Kismet, this process takes only a few minutes of relatively light network traffic. Disabling the SSID broadcast really makes it only slightly harder for potential attackers to connect to your AP (they now have to type the SSID instead of clicking on it).

Myth 2: Filtering MAC Addresses Secures Your WLAN

This idea again sounds good on the surface: limit the computers that can connect by their MAC addresses. There are two problems with this technique.

1) Physically maintaining the table of acceptable MAC addresses becomes more burdensome as your network grows.

2) MAC addresses can be easily spoofed.

Chances are, if you are being attacked by someone who has the know-how to get past WPA, they will most likely spoof their MAC when they connect anyway, to avoid detection in your router's logs (by a possible failed MAC filter pass).

Kismet, in particular, excels at this with its AP "clients" view which lists, among other things, client MAC addresses.

Spoofing your MAC address (in Linux) is as simple as this:

bt ~ # ifconfig ath0 hw ether AA:BB:CC:DD:EE:FF
bt ~ # ifconfig ath0 up
bt ~ # ifconfig ath0
ath0      Link encap:Ethernet  HWaddr AA:BB:CC:DD:EE:FF
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1092 (1.0 KiB)  TX bytes:590 (590.0 b)

WPA-PSK Security Tips

You know how to break weak WPA-PSK keys. Now make sure that it doesn't happen to you by using two simple techniques.

Use long and strong passphrases!

The longer and more random the password, the better. A WPA key is a computer passphrase, and by that I mean that the computer is the one that has to remember it. All you have to do as the user is type it in once and you're ready to go.

So, generate a very long, random passphrase, write it down and put it in a not-so-obvious place. Writing down a passphrase is normally a cardinal sin for security. But in a SOHO setting, it's a reasonable tradeoff between security and convenience.

Frankly, you're much more susceptible to wireless pirates parked outside your apartment (or next door) using the tools I've just described than you are to someone socially-engineering your wife into giving out your wireless LAN key. And even then, wouldn't it be nice if the key took a half-hour for her to read over the phone, giving you a chance to step in and save the day?

So, generate a nasty, long computer passphrase, write it down on a sticky-note, enter it in your router and clients, then stick that sticky-note someplace secure (not to the top of the router!)

Change your SSID

Since the key is salted with the SSID, it makes sense to change your AP's SSID to render the precomputed hash tables useless (assuming you change it to something non-obvious). This forces the attacker to start from square one by either generating a hash table or using just a straight dictionary attack.

Conclusion

So, now you know how crackers can attack wireless networks that use weak WPA / WPA2 PSK keys and the simple countermeasures that you can take to ensure that it doesn't happen to you.

With a strong, long key and good security practices, a wireless LAN secured by WPA / WPA2 is definitely not an easy target.

Tags: Hacking, How To, WiFi, WPA,

Related Articles: