When: 21st October 2007
Where: Toorcon 9, San Diego
Download Presentation: The Caffe Latte Attack - Toorcon 9
Press Release: Airtight Networks Corporate Website
What is it about:
In simple words:
"Just consider this. In the 5 mins or so that it takes you to drink your coffee in between appointments, you decide to catch up on a little work for the office. You are not even in the RF vicinity of your authorized network, so your WEP keys are safe. Or at least that's what you think!
Cafe Latte is a brand new attack which uses only an isolated Client laptop to crack the WEP keys of its authorized network. More generally, WEP keys of any network stored in the wireless configuration manager of your laptop can be compromised using this attack, in just a matter of a few minutes."
In tech jargon:
WEP has been proven to be broken time and again. Unfortunately, many small companies and home users still rely on WEP for their security.
To this day, WEP proponents argue that to crack WEP the attacker must be within RF range of the authorized network, with at least one Access Point up and running, and hence there is some chance of detection.
The Cafe Latte attack debunks the age-old myth that to crack WEP, the attacker needs to be in the RF vicinity of the authorized network with at least one functional AP up and running. We demonstrate that it is possible to retrieve the WEP key from an isolated Client - the Client can be on the Moon! - using a new technique called "AP-less WEP Cracking". After this presentation, Pen-testers will realize that an attacker no longer needs to drive up to a parking lot to crack WEP. Corporations still stuck with WEP will realize that their WEP keys can be cracked while one of their employees is transiting through an airport, having a cup of coffee, or catching some sleep in a hotel room. Interestingly, our discovery also has a great impact on the way Honey-pots work today and takes them to the next level of sophistication.
Ok, enough said. Let us try and understand how this attack works:
A WEP Client will fall into one of the following network configurations:
1. Shared Authentication and DHCP
2. Shared Authentication and Static IP
3. Open Authentication and DHCP
4. Open Authentication and Static IP
Because the Client never authenticates the AP, and because Management frames in 802.11 are neither protected nor verified for authenticity of the sender, spoofing them is a trivial task. A Honeypot can thus have a WEP Client associate with it without having any knowledge of the WEP key.
Once the association phase is complete, there are 2 possibilities:
1. If the Client uses a Static IP, it will send a couple of Gratuitous ARP packets announcing this IP address. Of course, these packets are encrypted and our Honeypot can only collect them. It is not possible to decrypt them at this moment.
2. If the Client uses DHCP, it will send a couple of DHCP Discover messages; the Honeypot does not (and cannot) reply to these packets. The DHCP process times out and the Client assigns an autoconfiguration IP address to its wireless interface. This IP address is in the range 169.254.0.0 to 169.254.255.255 (the link-local range). Once the Client settles on this IP address, it sends a couple of Gratuitous ARP packets announcing it.
Notice that in both of these cases our Honeypot ends up with a Gratuitous ARP packet. So how do we use this ARP packet to make the Client generate more and more traffic?
We dug deep into the flaws in WEP and zeroed in on the Message Modification flaw as the answer. So what is the Message Modification flaw? It was first described in the paper "Intercepting Mobile Communications: The Insecurity of 802.11".
In simple terms, what the Message Modification flaw allows us to do is capture a WEP encrypted packet, flip arbitrary bits in the packet, adjust the ICV and then retransmit it as a valid packet. The important point to remember here is that we can flip these arbitrary bits even though we have no knowledge of the plain text or any knowledge of the key. Seems to be one shameful flaw :)
So, how do we use this flaw? We take the Gratuitous ARP packet sent by the isolated Client and bit flip the Sender MAC and Sender IP but keep the Target IP the same. Thus we have converted the Gratuitous ARP packet coming from the Target IP into an ARP Request destined for the Target IP (of course we make some trivial modification in the MAC header as well).
When we inject this back to the Target IP, i.e. the isolated Client, it replies with an ARP Response. We repeat the process until we have collected enough ARP packets to break the WEP key using the PTW technique.
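The property the last few paragraphs rest on is that WEP's ICV is a plain CRC-32, which is affine over XOR: the correction needed to keep the ICV valid after flipping bits depends only on the flip mask, not on the plaintext or the key. The following is an added example, not code from the talk or from Airtight Networks, that shows this on a toy WEP-style frame and contrasts it with a keyed MAC, which rejects the same modification. It assumes a simplified frame layout (3-byte IV, body, little-endian CRC-32 ICV, no 802.11 header), a constructed 40-bit key, IV and payload, and uses HMAC-SHA256 purely as the "what a real integrity check looks like" contrast; it is not the construction 802.11i uses.

```python
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame: IV || RC4(IV||key) XOR (plaintext || CRC-32 ICV)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok); the ICV compare is WEP's only integrity check."""
    iv, body = frame[:3], frame[3:]
    pt_icv = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = pt_icv[:-4], pt_icv[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def flip_without_key(frame: bytes, delta: bytes) -> bytes:
    """Message Modification flaw: CRC-32 satisfies
    crc(P ^ delta) == crc(P) ^ crc(delta) ^ crc(zeros of same length),
    so the ICV correction is computable from delta alone. XORing delta into the
    encrypted body and the correction into the encrypted ICV yields a frame the
    receiver accepts, with no knowledge of the plaintext or the key."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext body")
    crc_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return iv + xor(body, delta + crc_fix.to_bytes(4, "little"))


def mac_protect(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Same stream cipher, but integrity from a keyed MAC over IV || ciphertext."""
    ct = xor(plaintext, rc4_keystream(iv + key, len(plaintext)))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def mac_verify_decrypt(key: bytes, frame: bytes):
    iv, ct, tag = frame[:3], frame[3:-32], frame[-32:]
    ok = hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag)
    return xor(ct, rc4_keystream(iv + key, len(ct))), ok


def demo() -> dict:
    key = bytes.fromhex("0123456789")      # constructed 40-bit key, example only
    iv = b"\x0a\x0b\x0c"                   # constructed 24-bit IV
    plaintext = b"from:AA to:AA"           # constructed stand-in for an encrypted body
    # mask that rewrites the "from" field to BB and leaves "to" untouched
    delta = bytearray(len(plaintext))
    for k in (5, 6):
        delta[k] = ord("A") ^ ord("B")
    delta = bytes(delta)

    # WEP: modify ciphertext with no key; the receiver's ICV check still passes
    wep_pt, wep_ok = wep_decrypt(key, flip_without_key(wep_encrypt(key, iv, plaintext), delta))

    # keyed MAC: apply the same bit flips to the ciphertext; the receiver rejects it
    frame = mac_protect(key, iv, plaintext)
    tampered = frame[:3] + xor(frame[3:3 + len(delta)], delta) + frame[3 + len(delta):]
    mac_pt, mac_ok = mac_verify_decrypt(key, tampered)

    return {"wep_plaintext": wep_pt, "wep_accepted": wep_ok,
            "mac_plaintext": mac_pt, "mac_accepted": mac_ok}


if __name__ == "__main__":
    print(demo())
```

The takeaway for anyone still operating WEP is in `demo()`: the decrypted WEP body reads `from:BB to:AA` and is accepted, while the keyed-MAC variant decrypts to the same bytes but fails verification. A CRC detects transmission noise, not an adversary, which is why every successor to WEP binds integrity to the key.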
To view an offline video presentation of my talk, use the player below.