Cafe Latte attack steals data from Wi-Fi PCs

A security researcher has found a new way to attack WEP-enabled clients.

If you use a secure wireless network, hackers may be able to steal data from your computer in the time it takes to have a cup of coffee.

At the Toorcon hacking conference in the US this coming weekend, security researcher Vivek Ramachandran, will demonstrate a technique he's developed to attack laptops that use the WEP (Wired Equivalent Privacy) encryption system to log on to secure wireless networks.

Developed in the late 1990s, WEP was the default method of securing Wi-Fi networks. Though the WPA (Wi-Fi Protected Access) system replaced it, about 41 percent of businesses continue to use WEP. That percentage is even higher among home users, security experts say.

That's unfortunate because WEP has been riddled with security problems. In fact, WEP was blamed for the recent TJX Companies data breach in which thieves were able to access 45 million credit- and debit-card numbers.

To date, however, researchers have tended to focus on exploiting WEP flaws in order to break into wireless networks. That generally meant that the attacker would roll up near the WEP-encrypted router, crack the WEP key used to encrypt network traffic and then log on to the network.

Ramachandran, a senior wireless security researcher with AirTight Networks, has taken a look at the client side of things and developed a way of tricking a WEP-enabled client into thinking that it is logging on to a network that it already knows.

His technique, which he calls the Cafe Latte attack, allows an attacker to circumvent firewall protection and attack the laptop or to set up a "man-in-the-middle" attack and snoop on the victim's online activity. "Until now, the conventional belief was that in order to crack WEP, the attacker had to show up at the parking lot," he said. "With the discovery of our attack, every employee of an organization is the target of an attack."

There are several steps to Cafe Latte, all of which exploit known flaws in the WEP architecture. First, the attacker programs a laptop computer to act like a malicious wireless network, setting up shop in an Internet cafe or an airport. The malicious PC then begins communicating with other Wi-Fi laptops in range, figuring out the name of the WEP-enabled routers that these laptops are programmed to look for and then cracks the keystream encryption code required to send messages to the victim's laptop.

Knowing the keystream only gets the attacker halfway. To truly crack the WEP encryption key and read messages coming from the victim, the attacker must somehow trick the victim into sending a large amount of information -- about 70,000 messages, actually -- to the malicious network. Those messages could then be analyzed and cracked using WEP-cracking tools.

Cafe Latte does this by taking advantage of the way the Internet's ARP (Address Resolution Protocol) ensures that two computers do not share the same IP (Internet Protocol) address. ARP is used when a new computer joins a LAN to announce the IP address it will be using and to ensure that no other machine shares that address. These network messages are ignored by the victim's PC unless it shares that address. Then it sends a message back to the attacker's PC saying that the IP address in question is already being used.

Once the attacker gets a response from the victim's PC, he knows he has guessed the correct IP address and he can bombard the victim's PC with the same message, essentially saying over and over again "I'm joining the network and I'd like to use this IP address. Are you already using it?"

As the victim's laptop continues to reply, "Yes, I am," the attacker eventually stores up enough samples of encrypted messages to be able to figure out the WEP key. Now messages from the victim can be read by the attacker.

"It's definitely a novel attack," said Jon Ellch, a Wi-Fi security researcher who also goes by the name johnny cache. While an attacker could use this WEP key to log on to the victim's WEP network, the real danger here is from the man-in-the-middle attack, which would let the attacker see everything the victim is doing on the Internet, he added.

Still, a victim might notice that something was up during the estimated 30 minutes that Cafe Latte requires in order to crack the WEP key, Ellch said. The attack would have a better chance of succeeding if the laptop were simply turned on and trying to connect to the Wi-Fi network in the background, he said. "If they're trying to do something with the Internet, obviously it's not going to pan out so well."

See the Toorcon hacking conference Web site for more details.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?