The wireless security scheme WPA has been cracked in less than 60 seconds by researchers. Smart professionals will have seen this coming, and adopted a security approach that deals with the security arms race, says Larry Walsh
Remember the days when we said 128-bit encryption using DES would take tens of thousands of years to brute-force crack? Remember when WEP was secure enough for wireless security so long as you rotated the keys every 60 seconds?
Well, neither of those statements is true anymore.
As was widely reported last week, WPA – Wi-Fi Protected Access – was cracked in under 60 seconds by Japanese researchers. The attack requires a computer sitting between the authorised wireless computer and the access point – and exploits a flaw in the Temporal Key Integrity Protocol (TKIP).
Security researchers say WPA devices that use the Advanced Encryption Standard (AES) and WPA2 – the next generation wireless security standard – are “safe for now.”
But experts are recommending upgrading from WPA to WPA2 and from TKIP to AES to eliminate the threat of this new attack.
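The upgrade path the experts describe can be checked on an access point's own configuration. The following is an added example, not from the article: it audits a hostapd configuration for the WPA/TKIP setting the attack targets and shows the WPA2/CCMP (AES) equivalent. The hostapd keys `wpa`, `wpa_pairwise` and `rsn_pairwise` are real; the two configurations and the SSID/passphrase values are constructed samples.

```python
# Audit a hostapd config for TKIP (WPA) vs CCMP/AES (WPA2). Added example;
# the two configs below are constructed samples, not a real deployment.

# Constructed sample: legacy WPA with TKIP, the setting the attack exploits.
WEAK_CONF = """\
interface=wlan0
ssid=example-net
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=change-me-placeholder
"""

# Constructed sample: WPA2 only, CCMP (AES) only; TKIP never offered.
HARDENED_CONF = """\
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=change-me-placeholder
"""

def parse_hostapd(text):
    """Return key=value pairs from a hostapd.conf, skipping comments/blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def tkip_findings(conf):
    """List the reasons a hostapd config still permits WPA/TKIP."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2 (RSN)
    if wpa & 1:
        findings.append("wpa=%d enables legacy WPA negotiation" % wpa)
    # rsn_pairwise falls back to wpa_pairwise when unset, so check both.
    wpa_ciphers = conf.get("wpa_pairwise", "").split()
    rsn_ciphers = conf.get("rsn_pairwise", "").split() or wpa_ciphers
    if wpa & 1 and "TKIP" in wpa_ciphers:
        findings.append("wpa_pairwise allows TKIP")
    if wpa & 2 and "TKIP" in rsn_ciphers:
        findings.append("rsn_pairwise allows TKIP under WPA2")
    return findings
```

A mixed-mode setting (`wpa=3`) with no `rsn_pairwise` inherits TKIP from `wpa_pairwise` and is flagged on both fronts.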
“Safe for now” is the statement that should concern solution providers and consumers of wireless equipment.
Some years ago, when the previous WEP – Wired Equivalent Privacy – standard was deemed flawed and susceptible to easy cracks, experts advised rotating keys every 60 seconds to maintain secure connections. But the speed with which WPA was cracked is disappointing, since it means fast key rotation will probably not be enough to ensure wireless security.
What this attack proves, more than anything, is that the arms race that is security is alive and well. No sooner do security researchers and vendors devise a new technology to combat digital threats than hackers devise a means of defeating the defences. It’s a practical reality that security pros have lived with since the dawn of the Internet.
But how tolerant will cost-conscious consumers of IT goods and security technologies be, when technologies suddenly and unpredictably become obsolete? How tolerant will they be given the increasing number of hacks using wireless vulnerabilities as an attack vector?
The list of security products and protocols that have fallen into the ash heap of IT history is long and always growing: proxy firewalls, standalone antivirus, network intrusion detection, cyber vaults, Blowfish, DES, SSH-1 and more. Security is a moving target. In time, security measures will always become obsolete, which is why good security practices are about risk mitigation and not elimination.