WPA2 Broken Again And, This Time, No Patch
Written by Frank HayesWireless security is broken—again. And this time, it’s WPA2, the WiFi security protocol that meets PCI-DSS requirements. Attendees at next week’s Black Hat and Defcon security conferences in Las Vegas will hear how it’s practical to break into a WPA2-encrypted network without brute-force encryption cracking. The only requirement: The attacker must be an authorized user of the network. According to the researchers from AirTight Networks who unearthed the problem, a malicious insider can simply send spoofed packets encrypted using the shared group key directly to other users on the WiFi network, tricking them into redirecting their data to the insider.
Unfortunately, that makes the “Hole196″ attack —named for the page where the vulnerability is specified in the IEEE 802.11 standard—difficult to detect and almost impossible to defend against. In fact, the researchers don’t have a fix for WPA2 —and they don’t believe there is one. The only defense may be to start layering other security measures, such as VPNs, under the WiFi protocol. That’s fine for laptops running WiFi. But it’s likely to be a challenge to implement on scanners, card readers and other wireless devices that retailers commonly use.
Leave a Reply
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required?
-Ed
