Countermeasures Against Encrypted Traffic Attacks

By Kevin Beaver

Wired Equivalent Privacy (WEP) — yep, it’s still around — and Wi-Fi Protected Access (WPA), have their own weakness that allows attackers to crack the encryption keys and decrypt the captured traffic. The simplest solution to the WEP problem is to migrate to WPA2 for all wireless communications. You can also use a VPN in a Windows environment — free — by enabling Point-to-Point Tunneling Protocol (PPTP) for client communications.

You can also use the IPSec support built into Windows, as well as Secure Shell (SSH), Secure Sockets Layer/Transport Layer Security (SSL/TLS), and other proprietary vendor solutions, to keep your traffic secure. Just keep in mind that there are cracking programs for PPTP, IPSec, and other VPN protocols as well, but overall, you’re pretty safe, especially compared to no VPN at all.

Newer 802.11-based solutions exist as well. If you can configure your wireless hosts to regenerate a new key dynamically after a certain number of packets have been sent, the WEP vulnerability can’t be exploited. Many AP vendors have already implemented this fix as a separate configuration option, so check for the latest firmware with features to manage key rotation.

For instance, the proprietary Cisco LEAP protocol uses per-user WEP keys that offer a layer of protection if you’re running Cisco hardware. Again, be careful because cracking programs exist for LEAP, such as asleap. The best thing to do is just stay away from WEP.

The 802.11i standard from the IEEE integrates the WPA fixes and more. This standard is an improvement over WPA but is not compatible with older 802.11b hardware because of its implementation of the Advanced Encryption Standard (AES) for encryption in WPA2.

If you’re using WPA2 with a pre-shared key (which is more than enough for small Wi-Fi), ensure that the key contains at least 20 random characters so it isn’t susceptible to the offline dictionary attacks available in such tools as Aircrack-ng and ElcomSoft Wireless Security Auditor. The attack settings for ElcomSoft Wireless Security Auditor are shown here.

ElcomSoft Wireless Security Auditor's numerous password cracking options.

ElcomSoft Wireless Security Auditor’s numerous password cracking options.

As you can see, everything from plain dictionary attacks to combination attacks to hybrid attacks that use specific word rules are available. Use a long, random pre-shared key so you don’t fall victim to someone with a lot of time on their hands!

Keep in mind that although WEP and weak WPA pre-shared keys are crackable, it’s still much better than no encryption at all. Similar to the effect that home security system signs have on would-be home intruders, a wireless LAN running WEP or weak WPA pre-shared keys is not nearly as attractive to a criminal hacker as one without it. Many intruders are likely to move on to easier targets unless they really want to get into yours.