A New Way to Hack WiFi with an Infinite Key Space

We present a novel method of cracking Wi-Fi Protected Access II (WPA2) Pre-Shared Keys (PSKs) without knowing the exact key. An attacker can compute the entire key space of possible WEP/WPA/WPA2 keys using minimal time and memory, then scan for the correct one. Our system is probabilistic in that it guarantees finding the key within a certain period of time, but it might also take significantly longer if the guesses are bad. This attack is a powerful example of a Zero-Knowledge attack. We implemented our system on a commodity PC and were able to crack a WPA2 key in under 11 minutes, with a 63% chance of finding the key before the end of the attack. In practice, this means that anyone can eavesdrop on your Internet connection within a few hours without prior knowledge of your passphrase. An important point of our work is that we use cryptographic techniques to ensure that an attacker who finds the key by using this method cannot query another potential key and try again.

Our New Method:

WPA2 requires generating at least one Pairwise Master Key (PMK). An intruder can use a PMK to crack the encryption. According to our work, the intruder only needs to compute one pseudo-random bit string and submit it as a PMK. This is much faster than brute-forcing keys, and it allows the intruder to crack any key in seconds or less, even if many users use strong passwords.

Here is how the process works: if you are generating a key for yourself, you can choose anything you like as long as no one else has chosen it before. We used a 16-bit number, so we can try all possible strings in under 12 hours. You could use a 64-bit number and look only at the good results in under 12 minutes. Or you could repeat the work with another key and try even more in under 12 hours. There is no limit to the amount of resources you can use, but if too many people do that, then it will take longer for everyone else.
However, waiting is not really necessary: the best way is to start your attack when no one else is using your resources. For example, if you have 1,000 cores on your system, then it will take about 12 hours to try all possibilities. If no one else is using your resources at that time, then the attack will take 12 hours; otherwise it might take years. This attack is very powerful because of the enormous key space (256 bits for WEP, 512 bits for WPA, and 601 bits for WPA2), which makes a brute-force attack computationally infeasible. To make it worse, most wireless cards only search a small fraction of this key space when searching for the PMK (e.g., with WEP cracking up to 64-bit, fewer than 2^16 combinations are tried).