Feeds

Cafe Latte attack steals credentials from Wi-Fi clients

Would you like a corporate login with that espresso?

5 things you didn’t know about cloud backup

Hackers have refined a new technique for breaking into Wi-Fi networks protected by the aging Wired Equivalent Privacy (WEP).

The so-called 'Cafe Latte' attack aims to retrieve the WEP keys from the PCs of road warriors. The approach concentrates its attack on wireless clients, as opposed to earlier attacks that cracked the key on wireless networks after sniffing a sufficient amount of traffic on a network.

"At its core, the attack uses various behavioral characteristics of the Windows wireless stack along with already known flaws in WEP," explains Vivek Ramachandran, a security researcher at AirTight Networks, who will demonstrate the approach at the Toorcon hacking conference in San Diego this weekend (19-21 October). "Depending upon the network configuration of the authorised network we will show that it is possible to recover the WEP key from an isolated Client within a time slot ranging between just a few minutes to a couple of hours."

The attack relies on a laptop's attempt to connect to a WEP-protected network as a means to trick it into sending thousands of WEP-encrypted ARP (Address Resolution Protocol) requests.

ARP is a network protocol that maps between a network layer address and a data link layer hardware address. ARP, for example, is used to resolve IP addresses to their corresponding Ethernet address. This is necessary because a host in an Ethernet network can only communicate with another host if it knows the MAC address.

Manipulating this process can generate a bundle of WEP-encrypted ARP traffic. This data is then analysed to extract a WEP key.

An attacker can then present his machine as a bridge to the internet towards prospective victims, inspecting their traffic and potentially installing files on compromised PCs.

The shortcomings in WEP have been known for years. In April other researchers revealed a technique that might be used to break the protocol in under two minutes, far less than needed for the Cafe Latte attack.

Despite this, WEP remains widely used in consumer, small business and retail environments. WPA (Wi-Fi Protected Access) system replaced WEP years ago but an estimated 41 per cent of businesses continue to use WEP, Infoworld reports.

Early Wi-Fi technology fitted in retail point-of-sale terminals, and warehouses reportedly support only WEP. Hackers who obtained millions of credit card records from TJX, the giant US retailer, are thought to have used these shortcomings to break into its systems.

The Cafe Latte attack also has implications for the development of more sophisticated honeypots, according to Ramachandran and Md Sohail Ahmad, a colleague at AirTight who helped develop the approach.

"This presentation debunking the age-old myth that to crack WEP, the attacker needs to be in the RF (radio) vicinity of the authorised network," Ramachandran and Ahmad explain. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.