Vulnerability discovered in WPA encryption

Wi-Fi Protected Access (WPA) encryption can be partially cracked in about 15 minutes, German researchers have discovered.

Eric Tews from the Technical University of Darmstadt in Germany and fellow German security researcher, Martin Beck, determined that an attacker could decrypt packets from a WPA -protected network and also inject malicious packets into the network, Tews told SCMagazineUS.com Thursday in an email.

The vulnerability exists in the Temporal Key Integrity Protocol (TKIP), a security protocol that replaced the Wired Equivalent Privacy (WEP) standard and was renamed WPA by the Wi-Fi Alliance trade group. It's main improvement was that it generated new packet encryption keys at frequent intervals.

WEP, now considered a weak standard, was superseded in 2003 by the more robust WPA standard, designed to be compatible with then-existing hardware, and in 2004 by WPA2, a standard incorporating AES, the U.S. government encryption standard.

Tews said the WPA vulnerability could theoretically be exploited by an attacker but it is not as effective as attacks on WEP encryption.

Though he and his colleague were able to crack part of the standard, Tews said the technique does not represent a complete key recovery attack because it does not decrypt PSKs (pre-shared keys). It only enables recovery of temporal keys used by the network. In addition, it would not be useful for stealing bandwidth over a wireless network.

Tews plans to discuss his and Beck's findings at the PacSec conference next week in Tokyo. The researchers expect to post more information about the vulnerability on the aircrack-ng wiki after the conference.