Hacker News
by skunkworker 2310 days ago
An interesting attack on WPA2 on unpatched devices.

This reminds me of the WPS reaver attack, which is a complete facepalm from an implementation perspective. Only 11,000 possible combinations, and trying one key every other second would net you the WPA password in under ~5 hours.

"In 2011, a security researcher named Stefan Viehböck discovered a flaw in this implementation. The concept he introduced was based on the following facts:

Out of the 8 digits of the PIN, the last digit is a checksum, which leaves 7 digits to guess. The PIN is validated by dividing it into 2 halves. So the first half leaves 10^4 = 10,000 guesses & the 2nd half leaves 10^3 = 1,000 guesses. So a total of only 11,000 guesses, where it should be 10^8 = 100,000,000 guesses."

[1] https://kalilinuxtutorials.com/reaver-pixewps/
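The split-validation arithmetic in the quoted passage, and the "no delay on retries" point raised in the replies, as an added example that is not part of the original post or the linked tutorial. The check-digit routine follows the WPS PIN checksum (weights 3,1,3,1,3,1,3 over the first seven digits, as in wpa_supplicant). The `AccessPoint` class is a constructed stand-in for a registrar that, as vulnerable ones did, rejects a wrong first half before ever looking at the second; `max_failures` is an assumed knob modelling the lockout later firmware added.

```python
"""WPS PIN split-validation brute force, as a simulation.

Added example: the registrar here is a constructed model, not a real
implementation. It mirrors the flaw in the text: the first half of the PIN
is verified (and a wrong guess NACKed) before the second half is examined,
so the halves can be searched independently.
"""


def wps_checksum(first_seven: int) -> int:
    """WPS check digit for a 7-digit PIN prefix (weights 3,1,3,1,3,1,3)."""
    accum = 0
    pin = first_seven
    for weight in (3, 1, 3, 1, 3, 1, 3):  # pattern is a palindrome, so
        accum += weight * (pin % 10)      # walking from the right is fine
        pin //= 10
    return (10 - accum % 10) % 10


def full_pin(first_seven: int) -> str:
    """Zero-padded 8-digit PIN with the correct check digit appended."""
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


class AccessPoint:
    """Constructed model of a WPS registrar with the split-validation flaw.

    In the real exchange the enrollee proves the first half of the PIN in
    M4/M5 and the second half in M6/M7. A registrar that sends a NACK right
    after M4 when the first half is wrong hands the attacker a per-half
    oracle. ``max_failures`` (0 = unlimited, the 2011 default behaviour)
    models the lockout added by later firmware.
    """

    def __init__(self, pin: str, max_failures: int = 0):
        assert len(pin) == 8 and pin.isdigit()
        assert int(pin[7]) == wps_checksum(int(pin[:7])), "bad check digit"
        self.pin = pin
        self.attempts = 0
        self.failures = 0
        self.max_failures = max_failures

    def try_pin(self, candidate: str) -> str:
        if self.max_failures and self.failures >= self.max_failures:
            return "LOCKED"
        self.attempts += 1
        if candidate[:4] != self.pin[:4]:
            self.failures += 1
            return "NACK_M4"  # first half wrong: second half never checked
        if candidate[4:] != self.pin[4:]:
            self.failures += 1
            return "NACK_M6"  # first half right, second half wrong
        return "M7"           # success: registrar would now hand over WPA keys


def brute_force(ap: AccessPoint) -> str:
    """Recover the PIN using the M4/M6 oracle; raises if the AP locks out."""
    # Phase 1: search the first half alone. The second half sent here is a
    # placeholder, since a wrong first half is rejected before it is read.
    for first in range(10_000):
        resp = ap.try_pin(f"{first:04d}0000")
        if resp == "LOCKED":
            raise RuntimeError("registrar locked out during first half")
        if resp != "NACK_M4":
            break
    else:
        raise RuntimeError("first half not found")
    # Phase 2: first half known; only 3 digits are free because the check
    # digit is computed, not guessed. Worst case 10_000 + 1_000 attempts.
    for rest in range(1_000):
        candidate = full_pin(first * 1000 + rest)
        resp = ap.try_pin(candidate)
        if resp == "LOCKED":
            raise RuntimeError("registrar locked out during second half")
        if resp == "M7":
            return candidate
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = AccessPoint("99999995")  # constructed worst-case PIN
    print(brute_force(ap), "after", ap.attempts, "attempts")
```

Run as a script it recovers the worst-case PIN in exactly 11,000 attempts; constructing the registrar with `max_failures=10` makes the same search fail, which is the whole difference a retry limit makes to this attack.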


Ah the WPS reaver attack. It's one of the biggest jokes in security I've ever seen. It's like having two doors leading into the same "secure" room: one is a big iron door (WPA2), and the other is a flimsy wooden door (WPS) that can be pushed over with just a bit of force.

Best of all, WPS was enabled by default on most access points and there was no delay on retries.

What makes it even worse is this happened after the whole WEP debacle. You'd think the Wi-Fi Alliance would do some security auditing, but they were obviously more focused on collecting certification fees.

Yeah, makes you wonder about the bozos at the Wi-Fi Alliance who designed that shit... How can you make a blunder like that?
All the way back to WEP, it's been clear that the WiFi people are much more interested in the radio-technical aspects than safety.
> WiFi people are much more interested in the radio-technical aspects than safety.

History shows us we should expect folks to build the thing then improve later.