An international team of researchers has exposed holes in the WPA 2 protocol that has so far been considered the safest system to secure wireless computer networks.
In a study published in the International Journal of Information and Computer Security, the researchers from the Brunel University, the UK, the University of Macedonia, Greece, and the Lancaster University, the UK, have determined the Wifi Protected Access 2 (WPA2) can be easily broken into on wireless local area networks.
The three researchers involved in the study - Achilleas Tsitroulis, Dimitris Lampoudis and Emmanuel Tsekleves – have now urged the computer science community to address the problem and develop an alternative protocol to prevent attackers from interfering into wireless systems.
In their experiment, they carried out a brute force attack on the password protecting the WPA2 network and managed to succeed. According to their findings, the time needed to break into a system increases the longer the password used.
The weakest point, the researchers believe, is the de-authentication step involved in the wireless setup.
As part of their security protocols, routers using WPA2 must reconnect and re-authenticate devices periodically and share a new key each time. The team points out that the de-authentication step basically leaves a backdoor unlocked albeit for a limited period. This period, however, could be long enough for a fast-wireless scanner and a determined intruder.
The level of security of an WPA2-based network depends on the set-up of pre-shared key (PSK) encryption keys. In many cases the security is further bolstered using temporal key integrity protocol (TKIP) encryption or the more secure counter mode with cipher block chaining message authentication code protocol (CCMP). 256-bit encryption is available and a password can be an alphanumeric string with special characters up to 63 characters long.
There are thus various entry points for the WPA2 protocol, which the team details in their paper.
Until new security protocols are developed, the team said, users should continue using the strongest encryption protocol available with the most complex password and limit access to their networks to known devices via MAC address.