[dundee] WPA Cracked

Arron Finnon afinnon at googlemail.com
Fri Nov 7 22:04:05 UTC 2008


Disclosure, Disclosure, Disclosure

By being open about weaknesses we hope to become stronger, yes the
knock-on effect is that WPA will get hacked quicker now than it did
last year.  But in fairness that didn't stop ISPs sending out routers
with WEP 64bit knowing that it is far from secure, and WPA has had its
well documented vulnerabilities as well.

Who is at fault, the geezer that developed the WEP Fragmentation
attack, or professional companies that deploy this technology, and
trick their users into thinking that they are secure.  All that
shimmers......

The only answer to the WEP issue is to stop supporting it totally, and
the same weakness in WEP namely the weak encryption algorithm is used
in WPA.  It is no surprise this has happened, and the only shock is it
hasn't been found sooner.

I think it is easy to criticise, but none of us are in the position
to make those judgement calls.  WPA was a short term fix to well
documented problems in WEP yet manufacturers still kept on chucking
these routers out.

In the end it will make wireless security better, or we'll stop using
wireless security altogether.  It can't be the responsibility of the
researcher to protect the general public from wireless decryption
attacks, it must be the responsibility of the organisations that make
money from selling the wireless security in the first place.

>You know what really gets me is that he is going to publish a
>scientific paper on this. Here is a very secure system whereby
>99.99999999999999% of people cannot crack. An ultra-security geek
>comes along to crack things so he can announce to the world that he
>has done it (so he can get all the egotistic credits) and then publish
>his results informing all computer criminality how to do it. This
>could make all normal user homes (non-geeks) at risk, whilst before
>they were not at risk. Is this really responsible? I really wonder
>whether some security researchers are out for their own ego rather
>than looking at general public security.


