Cracking the WPA Security Standard - Page 2

Second, because the encryption key is not broken as part of this attack, and the subversion of the Michael Integrity Check the attack uses is really only practical when interpreting small packets (too much to guess and not enough time before a regularly scheduled rekeying event happens), an attacker cannot decrypt and steal data from over the air. However, the attack (along with some MAC spoofing) allows the attacker to pose as an access point in order to inject a small amount of traffic into the stream. This traffic injection could be used to poison the client's ARP or DNS caches, redirecting the machine to an unintended (and possibly nefarious) destination.

"In the worst possible case scenario, the attacker can inject-pretending to be the access point-up to seven packets to the client," said Rick Farina, senior wireless security researcher at AirTight Networks. "The client will accept these as validly encrypted. You could cause all kinds of denial-of-service conditions by ARP spoofing, or you could probably convince the client to talk to a server on the Internet."

However, wireless users and administrators should not be fooled into thinking WPA2 equals safety from this attack. The WPA2 Wi-Fi certification standard includes both AES- and TKIP-based security as options, so wireless administrators must make sure that a WPA2-protected network only supports AES encryption in order to be safe from this attack.

Third, from what I gather, the mode of authentication used for a WPA with a TKIP network does not make a difference. This attack should work against TKIP-protected networks running either preshared key or 802.1x/EAP authentication, since the attack is going after the Pairwise Transient Key, which is used in both cases.

However, enterprise wireless administrators may be able to tune their networks to rekey at a faster rate than normal to thwart the attack (I've heard the attack authors recommend rekeying every 2 minutes). But wireless administrators should evaluate carefully whether the performance impact from this change is significantly greater than the impact derived from moving to AES encryption instead.

Also, since this is not a brute force attack, wireless administrators should be aware that the length of a preshared key does not make a difference with this attack.