Computer scientists in Japan have developed a way to break the WPA (Wi-Fi Protected Access) encryption system used in wireless routers in just one minute.
The attack, which reads encrypted traffic sent between computers and certain types of routers that use the WPA encryption system, was devised by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University.
The scientists plan to discuss further details at a technical conference on 25 September in Hiroshima.
Security researchers first showed how WPA could be broken last November, but the researchers have accelerated theory into practice, taking the proven 15-minute Becks-Tews method developed by researchers Martin Beck and Erik Tews, and speeding it up to just 60 seconds.
Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard, or AES, algorithm.
According to their report, the limits of the man-in-the-middle attack are fairly restrictive. However, the development should spark users to drop WPA with TKIP as a secure method of protection.
The process of securing routers has been a long one. The WEP (Wired Equivalent Privacy) system introduced in 1997 is now considered to be insecure by security experts. Then came WPA with TKIP, followed by WPA 2.
However, users have been slow to upgrade to the latest secure methods.
Talkback
The advice to start using WPA2 is sound, assuming all the equipment you have supports it. Some older notebooks may not. If you can't use a more secure protocol, there's probably little need to worry.
One thing that's missing from this story is the level of resources or knowledge that was needed to break the crypto this quickly. If you need large amounts of computing power it's unlikely you'll be able to mount this attack on the target of your choice. Remember that you need to be in range of both the access point to make this attack work which, assuming your network is one in a business premises, may not be as simple as it sounds. If you're using a public WiFi access point it won't have encryption turned on anyway.
If you think your corporate network is likely to come under attack, then as well as wireless threats, you should ensure that a wired attacker can't do the same job. Getting a job as a cleaner in your offices is probably the easiest way of hacking into your network, not largely theoretical breaks in encryption algorithms like this.