Hackers have refined a new technique for breaking into Wi-Fi networks protected by the aging Wired Equivalent Privacy (WEP). The so-called 'Cafe Latte' attack aims to retrieve the WEP keys from the PCs of road warriors. The approach concentrates its attack on wireless clients, as opposed to earlier attacks that cracked the key …
Many problems besides WEP
Some people realize that WEP is inherently insecure these days.
However, even if WEP were secure, there are many other security issues with Wi-Fi hotspots. These apply even to the more secure WPA.
1. You have to trust the operator of the hotspot to not be snooping traffic or stealing your data (as well as their ISP). And that they haven't been hacked.
2. You can't be positive that you've actually connected to the hotspot you intended to. It could be a hacker's access point falsely advertising the same ESSID; you or your laptop software might decide to connect to it initially because of a stronger signal.
3. Attacks that affect traditional wired networks still apply to wireless despite WEP/WPA which only aim to secure the link to the AP. For instance ARP attacks, etc. Although with the right hardware it should be possible to separate clients from each other.
The solution is, if possible, to use a VPN for all your sensitive traffic. This way data would be safe even when going over public channels.
"An attacker can then present his machine as a bridge to the internet towards prospective victims, inspecting their traffic and potentially installing files on compromised PCs."
Obviously not the main point, but: installing files? compromised PC by recovering the WEP key? wtf?
Err, no?
"ARP protocol to make sure it doesn't share the same IP address"
Err, no, it's just a process of discovering IP to MAC mappings.
And if you wanted to check if an IP address remained unassigned, wouldn't a quick attempt to map it to a MAC be the first thing you would try? It doesn't say ARP is designed for this purpose, just that it's used for it. When looking for a security vulnerability, it's worth noting any protocols that weren't used as designed. In this case, someone seems to have found a way to turn a misuse of ARP into a useful opportunity.
WEP - Use it and get what you deserve.
Anyone still using WEP gets what they deserve IMHO; the same goes for using public access points without encrypting your traffic.
I don't get it
Why would I be trying to connect to my office wireless LAN in a cybercafe? And what's the benefit to the hacker? Is he going to follow me back to work to get access to my office LAN?
"Obviously not the main point, but: installing files? compromised PC by recovering the WEP key? wtf?"
The same is true in switched networks: you can make the attacking machine pretend it is the gateway by poisoning the ARP cache of the victim. All traffic bound for the internet then goes through this machine and can be inspected by the attacker. It's a common MITM (man-in-the-middle) attack, made easier because the victim is using Wi-Fi.
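The gateway-impersonation attack described in the comment above is visible on the wire as ARP replies that rebind the gateway's IP address to a different MAC, or as one MAC claiming several IP addresses. The following is an added example, not code from the article or from any commenter: a small detector that replays constructed ARP reply observations and flags those two patterns. The gateway address and the sample replies are assumptions made for the demonstration.

```python
"""Detect ARP-cache-poisoning symptoms in a stream of ARP reply observations.

Added example; the gateway address and every ARP record below are constructed
for illustration and are not taken from any real capture.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: the hotspot's default gateway

# Constructed ARP reply observations: (sequence number, sender IP, sender MAC, target IP).
# Record 3 rebinds the gateway IP to the MAC previously seen for a client,
# record 4 shows the binding flapping back to the original gateway MAC.
SAMPLE_ARP = [
    (1, "192.168.1.1", "00:1a:2b:3c:4d:5e", "192.168.1.23"),
    (2, "192.168.1.23", "08:00:27:aa:bb:cc", "192.168.1.1"),
    (3, "192.168.1.1", "08:00:27:aa:bb:cc", "192.168.1.23"),
    (4, "192.168.1.1", "00:1a:2b:3c:4d:5e", "192.168.1.23"),
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return alerts for IPs whose MAC binding changes.

    Each alert is (seq, ip, previous_mac, new_mac, severity). A change on the
    gateway IP is rated high, because that is what redirects all internet-bound
    traffic through the attacker; other hosts are rated medium.
    """
    bindings = {}  # ip -> MAC first seen for it
    alerts = []
    for seq, ip, mac, _target in replies:
        previous = bindings.get(ip)
        if previous is None:
            bindings[ip] = mac
            continue
        if previous != mac:
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((seq, ip, previous, mac, severity))
            bindings[ip] = mac  # follow the flap so the next change is reported too
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: set_of_ips} for every MAC that answered for more than one IP.

    A legitimate client answers ARP for its own address only; a MAC that also
    answers for the gateway is the classic poisoning signature.
    """
    claimed = defaultdict(set)
    for _seq, ip, mac, _target in replies:
        claimed[mac].add(ip)
    return {mac: ips for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP):
        print("binding change:", alert)
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP).items():
        print("multi-IP MAC:", mac, sorted(ips))
```

Running it against the constructed sample reports two high-severity binding changes on the gateway IP and one MAC that answered for both the gateway and a client. On a real network the same checks can be fed from a packet capture; the usual caveats are that DHCP lease churn and failover gateways also change bindings, so an allowlist of expected gateway MACs keeps the alert rate sane.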
What's not to get?
"Why would I be trying to connect to my office wireless lan in a cybercafe?"
Open up kismet (a wireless sniffer) around a wireless machine and you'll see that it regularly puts a 'shout out' for all wireless networks that it knows about. That's why if you have several networks set up, you can automatically connect when you're in range. That's the default configuration in XP SP2.
The 'traditional' method was to be in range of the target network, snoop on traffic and then replicate it to the base station directly, gathering weak data and being able to crack the key in a short space of time.
This new method works even when the target network is nowhere near. The attack works by listening for those 'shout outs' and then effectively saying "here I am", tricking the client into sending loads of weak data and then cracking that for the key in the same way. The key can then be used to gain access to the network when it is within range in the normal way.
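Both the second point in the "Many problems besides WEP" comment (you can't be sure which access point you have joined) and the explanation above (a client shouts for its known networks and an attacker answers "here I am") come down to the same defensive problem: an ESSID alone does not identify a network. The following is an added example, not code from the article or from any commenter: it scans a list of constructed beacon observations and flags an ESSID that is served by a BSSID outside a site operator's allowlist, or served with inconsistent security modes. The allowlist and the beacon records are assumptions made for the demonstration.

```python
"""Flag evil-twin style access points from a list of beacon observations.

Added example; the trusted-BSSID allowlist and every beacon record below are
constructed for illustration and are not taken from any real scan.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str     # AP MAC address as advertised in the beacon
    essid: str     # network name the AP advertises
    security: str  # "open", "wep" or "wpa2"
    channel: int


# Assumption: an operator maintains the BSSIDs of their own APs per network name.
TRUSTED = {
    "OfficeNet": {"00:11:22:33:44:55"},
}

# Constructed observations from a single scan.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:55", "OfficeNet", "wep", 6),   # the real office AP
    Beacon("de:ad:be:ef:00:01", "OfficeNet", "wep", 11),  # same name, unknown BSSID
    Beacon("aa:bb:cc:dd:ee:01", "CafeFree", "open", 1),   # venue with two open APs
    Beacon("aa:bb:cc:dd:ee:02", "CafeFree", "open", 1),
    Beacon("cc:cc:cc:cc:cc:01", "HotelWifi", "wpa2", 36),
    Beacon("cc:cc:cc:cc:cc:02", "HotelWifi", "open", 1),  # same name, weaker mode
]


def find_evil_twins(beacons, trusted=TRUSTED):
    """Return sorted (essid, bssid, reason) findings.

    Two checks: a network with an allowlist must only be served by listed BSSIDs,
    and any network advertised under more than one security mode is flagged,
    since a downgraded twin is what lures a client into a weaker association.
    """
    by_essid = defaultdict(set)
    for beacon in beacons:
        by_essid[beacon.essid].add(beacon)

    findings = []
    for essid, aps in by_essid.items():
        known = trusted.get(essid)
        if known is not None:
            for ap in aps:
                if ap.bssid not in known:
                    findings.append((essid, ap.bssid, "bssid not in allowlist"))
        modes = {ap.security for ap in aps}
        if len(modes) > 1:
            for ap in aps:
                findings.append((essid, ap.bssid, f"security mismatch {sorted(modes)}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_evil_twins(SAMPLE_BEACONS):
        print(*finding)
```

On the constructed sample the two CafeFree APs are not flagged: multiple APs under one name is normal for a venue, and no allowlist exists for it. OfficeNet's unknown BSSID and the open HotelWifi twin are reported. A BSSID can be cloned as easily as an ESSID, so this is a tripwire rather than proof; the comment's own advice, a VPN for anything sensitive, is what actually removes the dependency on trusting the AP.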
Surely they mean "Caffè latte", to be linguistically consistent ...
alternatively "Café au lait"
You might be trying to connect to your office from a cyber cafe because you are not actually in the same country / city and need access to email / documents etc.
The benefit to the hacker is that he could now compromise your system and use it as a basis for a covert channel, or any other route to the internet that points back to you when he does illegal stuff!
That's even before said hacker steals all your company info and leaks it out to your competition, or just deletes it all to p*ss you off, or encrypts it all and holds you to ransom.
Even worse, once they have access to your system they have an entry point to start stealing your desktop traffic and then potentially grab your user name / passwords for online banking / systems, which can then be used to steal money / identity information from you.
It's still worth bearing in mind the point about trusting the access point; it is more than possible for these to be spoofed to look exactly like BT / other, and then all your traffic could be compromised.
There are lots of benefits.
What happened to the good old days, when to steal something you just beat them up! lol...
If I were a criminal, I would skip this whole cracking business, and just beat the guy up in the toilets and steal his laptop... that way, I got passwords, I got laptop, possibly got wallet.... good times! :)
Yes I get all that but what's the point? I'm in a cafe and you have the wep key to my network which is at unknown location. What use is that to you? And how does that then compromise my laptop? I'm sitting in a cafe using an unencrypted wireless connection. You don't need to compromise my WEP key to start firing exploits at me or sniffing my traffic.
I get it
I assume the point is that you break the WEP key on the client and wait for the Windows Zero Configuration Client to search your preferred network list (PNL) and connect to a soft AP which now offers a network connection with your SSID and WEP key. The attacker could then run Nessus etc. and potentially exploit the host. I have to say when I've tested this type of attack most clients have a non-encrypted network in their preferred network list like t-mobile, BTOpenzone etc., so no need to set up a WEP authenticated connection to get them to connect. However it's good to know this could be done.