Cafe Latte attack steals credentials from Wi-Fi clients

Cafe Latte attack steals credentials from Wi-Fi clients
Cafe Latte attack steals credentials from Wi-Fi clients

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By John Leyden
18th October 2007

Hackers have refined a new technique for breaking into Wi-Fi networks 
protected by the aging (and increasingly misnamed) Wireless Equivalent 

The so-called 'Cafe Latte' attack aims to retrieve the WEP keys from the 
PCs of road warriors. The approach concentrates its attack on wireless 
clients, as opposed to earlier attacks that cracked the key on wireless 
networks after sniffing a sufficient amount of traffic on a network.

"At its core, the attack uses various behavioral characteristics of the 
Windows wireless stack along with already known flaws in WEP," explains 
Vivek Ramachandran, a security researcher at AirTight Networks, who will 
demonstrate the approach at the Toorcon hacking conference in San Diego 
this weekend (19-21 October). "Depending upon the network configuration 
of the authorised network we will show that it is possible to recover 
the WEP key from an isolated Client within a time slot ranging between 
just a few minutes to a couple of hours."

The attack relies on a laptop's attempt to connect to a WEP-protected 
network as a means to trick it into sending thousands of WEP-encrypted 
ARP (Address Resolution Protocol) requests. When a new computer joins a 
LAN it uses the ARP protocol to make sure it doesn't share the same IP 
address as another machine. This data is then analysed to extract a WEP 

An attacker can then present his machine as a bridge to the internet 
towards prospective victims, inspecting their traffic and potentially 
installing files on compromised PCs.

The shortcomings in WEP have been known for years. In April other 
researchers revealed a technique that might be used to break the 
protocol in under two minutes, far less than needed for the Cafe Latte 

Despite this, WEP remains widely used in consumer, small business and 
retail environments. WPA (Wi-Fi Protected Access) system replaced WEP 
years ago but an estimated 41 per cent of businesses continue to use 
WEP, Infoworld reports.

Early Wi-Fi technology fitted in retail point-of-sale terminals, and 
warehouses reportedly support only WEP. Hackers who obtained millions of 
credit card records from TJX, the giant US retailer, are thought to have 
used these shortcomings to break into its systems.

The Cafe Latte attack also has implications for the development of more 
sophisticated honeypots, according to Ramachandran and Md Sohail Ahmad, 
a colleague at AirTight who helped develop the approach.

"This presentation debunking the age-old myth that to crack WEP, the 
attacker needs to be in the RF (radio) vicinity of the authorised 
network," Ramachandran and Ahmad explain. =C2=AE

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 


Site design & layout copyright © 1986-2014 CodeGods