Can attackers harvest WiFi passwords by spoofing ESSID?

4

1

I've recently started using wireless on an (Arch) laptop. My wireless manager (wicd) is set up to automatically associate with any networks with a certain ESSID and attempt to authenticate with them.

Is that a security risk? In particular, could an attacker set up a network with the same ESSID as the one I connect to, then wait for my wireless manager to try to connect, and receive my authentication details?

edit: The network I am connecting to uses WPA Enterprise authentication which requires an identity and password, not an encryption key.

Pandamonium

Posted 2012-02-07T12:21:34.050

Reputation: 43

Answers

5

Pre-shared keys are never transmitted during the establishment of a wifi session - in other words, the client never says "This is the key I have, can I come in?".

Simplifying what happens somewhat in a crappy WEP session, it goes like this:

  1. The client says "I'd like to authenticate"
  2. The access point says "Ok, use your key to encrypt this data", sending some random data
  3. The client encrypts the data with the key and sends it back
  4. The access point checks that the encrypted data matches its own version of the data when encrypted with the key, and lets them in if it matches.

A rogue access point is a security concern, but not one that will make harvesting keys any easier than simply watching the above interaction. The real concern is that people will connect to a rogue access point and transmit sensitive data over it thinking it is an authorised AP.

Paul

Posted 2012-02-07T12:21:34.050

Reputation: 52 173

Thanks, does something similar hold for a WPA Enterprise network? My connection requires identity and password, not a private key. – Pandamonium – 2012-02-07T13:17:24.880

Yes, the keys are never transmitted with WPA either (of any sort). With Enterprise - where you are using certificates, you can also confirm the AP is who they say they are by validating the cert they present is signed by a trusted CA. – Paul – 2012-02-07T13:22:32.600
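Paul's advice to check that the AP's authentication server presents a certificate signed by a trusted CA, written out as wpa_supplicant network blocks. This is an added example, not configuration from anyone in the thread; wicd keeps its own encryption templates, so the settings have to be carried over into its syntax, and the SSID, identity, password, CA file path and server domain are placeholders. The first block performs no certificate check, so the password exchange inside the tunnel happens with whatever server answers for that ESSID; the second pins the issuing CA and the server's name, so a mismatch aborts the connection before the inner authentication starts.

```conf
# Weak: no ca_cert and no name check. The PEAP tunnel is built to any
# server that answers for this ESSID, and the inner MSCHAPv2 exchange
# then runs against it. All values below are placeholders.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: only a server certificate issued by the named CA and carrying
# a name under the expected domain is accepted; anything else fails the
# outer TLS handshake, so the password is never sent to it.
# anonymous_identity is the outer identity; the real one stays inside
# the tunnel. Placeholder values as above.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/examplecorp-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

The placeholder CA file should contain only the CA that issued the RADIUS server's certificate, not a whole system bundle; otherwise any certificate from any public CA would satisfy the check.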

0

As stated by Paul, this is not possible. For the best home safety just use WPA2. It is easy to set up and protects pretty well. One thing you might want to consider is using a non-logical password. If you use "sittinginthesun" as a password it is easily cracked by a dictionary attack, while "347asdxjaser8q348szd" is way harder to crack, because the key is not logical and brute forcing doesn't work that well on WPA. For WEP this doesn't work.

I tried cracking my WiFi connection, which is set up with a PSK of 26 hexadecimal numbers and letters. WEP was cracked within a few minutes, WPA took me a lot longer, and WPA2 wasn't cracked, except when I used "sittinginthesun".

Sneil

Posted 2012-02-07T12:21:34.050

Reputation: 9

Thanks, I don't have control over the network I'm connecting to, but I'll keep this in mind if I set up a network of my own. – Pandamonium – 2012-02-07T13:36:41.397

@Sneil - The chances of "sittinginthesun" being cracked are the same as for "347asdxjaser8q348szd"; there are no known ways to authenticate against WPA and/or WPA2 at this time besides a brute force method. If you were able to crack your own network using WPA/WPA2 then you are doing something wrong. If you want a secure network use WPA2 + TSK or WPA2 + AES; an even better solution is WPA2 + TSK + AES. – Ramhound – 2012-02-07T14:13:32.157

Actually, attacks against WPA are quite possible. Read https://sites.google.com/site/clickdeathsquad/Home/cds-wpacrack - so definitely use WPA2 where possible! – Rory Alsop – 2012-02-08T09:05:36.543