The Caffe Latte Attack: How It Works

Events
- JupiterEvents
- internet.com/webcasts
Jobs
Partners
Solutions
- eBooks
- Video
Shop

�

Images Events Jobs Premium Services Media Kit

Network Map

E-mail Offers

Vendor Solutions

Webcasts

eSecurity subjects:

Online Threats & Alerts

Vulnerability & Virus Patches

Information Security Resources

Information Security Trends

Security Advisors

Prevention & Risk Management

Security Best Practices

Glossary

Products

Site Map

About eSecurity Planet

IT Management Blog

Technology Jobs

E-Security Planet Webcasts:


	Keeping Your Data Secure from the Outside In

	Beyond Basic Data Security

	more Webcasts...

Search EarthWeb Network

internet.commerce

Be a Commerce Partner
Memory Upgrades
Free Business Cards
Promotional Golf
Computer Deals
Find Software
Online Education
Online Universities
Cell Phones
KVM over IP
Phone Cards
Career Education
Boat Donations
Prepaid Phone Card
Promos and Premiums

esecurityplanet : Prevention & Risk Management: The Caffe Latte Attack: How It Works—and How to Block It

HP Video: Simple SAN Helps School Protect Important Records. See how small and medium organizations can take advantage of enterprise level functionality without complexity at an affordable price.

Rethinking the Datacenter
Sponsored by HP
Today's datacenters need to increase utilization, get control over power and cooling costs, and align with business objectives. Download this eBook to learn about the challenges facing the data center in a world where digital information is growing at a torrid pace and costs are being held in check. Learn more. »

Putting the Green into IT
Sponsored by HP
Electricity use in data centers is skyrocketing, sending energy bills through the roof, creating environmental concerns and generating negative publicity. "Going Green" means looking to technologies like virtualization, energy-efficient chips and racks, and implementing policies that extend beyond the data center. Learn more. »

Managing the Modern Network
Sponsored by HP
In a global economy where information crosses the globe in an instant, and where Web-based applications power business, it's more important than ever to ensure your network is safe from threats and optimized to deliver the data your business needs. »

Evaluating Software as a Service for Your Business
Sponsored by Webroot
Is Software as a Service just hype, or is something really going on here? See if your company can benefit as SaaS tries to change the face of the enterprise. »

Is Your Disaster Recovery Plan Good Enough?
Sponsored by HP
Preparing for a disaster is more often than not part of the storage planning process, and it is one of the most difficult tasks, since it includes local hardware and software, networking equipment, and a test plan. Learn how to get disaster recovery right. »

Related Articles

• Wiretapping Just The Start of VoIP's Security Woes
• Report Details Real Costs of Data Breaches
• McAfee, Cox Team Up On Broadband Security
• Cenzic Virtualizes Security
• Tip of the Trade: E-mail Encryption
• U.S. Lab Falls Victim to Phishing Attack

eSecurity Glossary

biometrics
encryption
keylogger
malware
phishing
RFID
security
spyware
virus
worm

Search for more eSecurity terms ...

FREE Tech Newsletters

The Caffe Latte Attack: How It Works—and How to Block It
December 14, 2007
By Lisa Phifer

The flaws that make WEP vulnerable were documented back in 2001, prompting development of dozens of cracking tools. Until recently, those attacks focused on traffic captured from active networks, requiring proximity to the targeted business. But lately, focus has shifted to off-site clients that are not connected to any network. By exploiting driver flaws, exposed fileshares, and user mistakes, one can easily and invisibly attack Wi-Fi laptops and phones in public venues like airplanes, hotels, and cafes.

This year, insidious new tools like Caffe Latte and Wep0ff have learned how to crack the keys stored on those off-site clients, expanding the reach of WEP crackers far beyond office walls. Now, no matter where employees go, they just might unwittingly "spill the beans" on your corporate WEP key.

Come to me

Most client-side attacks take advantage of two fundamental vulnerabilities:

Wi-Fi clients actively probe for all networks they have associated with in the past. When any AP is found with a known network name (SSID), clients automatically associate to it.

This common-but-promiscuous behavior is the culprit behind well-known evil twin or honeypot attacks we have written about before (see Getting Phished: Why SSID Spoofing Still Matters).

In fact, those older attacks provide the launch pad for new client-side WEP crackers, creating the perfect conditions in which to grab any corporate WEP keys cached by those clients.

Talk to me

All WEP crackers use statistical analysis to guess the key used to encrypt captured traffic. Given enough encrypted traffic, WEP crackers can always derive the key. A WEP-cracking attack therefore starts with locating a source of encrypted packets. It turns out that phished Wi-Fi clients are an awfully convenient and plentiful source.

Specifically, all TCP/IP devices send a least a few packets whenever they connect to a WLAN.

A station using a static IP immediately broadcasts a few gratuitous ARP packets to the entire WLAN. Each ARP packet carries the sender's MAC address and IP address so that other stations will know how to route traffic.

A station using a dynamic IP also sends ARP, after first requesting an IP address from a DHCP server. If no server is found, the station assigns itself an Automatic Private IP Address from the 169.254.0.0/16 subnet and then sends gratuitous ARP.

Tell me your secrets

If a client associates to an AP that uses WEP, it may or may not be required to authenticate itself before associating, using a shared WEP key. However, the AP is never required to prove that it, in fact, possesses the WEP key. This means that a phony AP (aka evil twin) can be configured with the SSID of a corporate WLAN and any key to lure clients. After a client associates to the phony AP, it will send a few ARP packets—encrypted with the corporate WEP key.

A handful of encrypted ARP packets won't be enough to crack the corporate WEP key. So something must cause the client to repeatedly send encrypted ARP packets. One approach is to disconnect or deauthenticate the client, over and over again, but that would take a long time.

According to Vivek Ramachandran, co-author of the Caffe Latte attack demonstrated at Toorcon this October, cracking a WEP key this way takes between 1.5 and 6 days, depending upon the client's use of DHCP. That's theoretically interesting, but of little practical value, since a true hotspot attack must be completed in a much shorter time period—preferably in the few minutes that it takes to purchase an espresso.

Read on to learn how to protect yourself.

Go to page: 1 2 Next

Tools:

Add www.esecurityplanet.com to your favorites

Add www.esecurityplanet.com to your browser search box
IE 7 | Firefox 2.0 | Firefox 1.5.x
Receive news via our XML/RSS feed

Prevention & Risk Management Archives

eBook: Evaluating Software as a Service for Your Business. Sponsored by Webroot
Stay up to date! Get real-time news and reviews about the latest innovations in internet technology.
What's The Future Of IT? Find Out By Reading "IT in 2018" Now. Free Registration Required.
HP eBook: Using Business Service Management (BSM) to Manage Your Business Applications
Sophos Whitepaper: Liberating the Inbox--How to Make Email Safe and Productive Again

Search:

Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

Jupitermedia Corporate Info

Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers

Solutions

Whitepapers and eBooks
Microsoft Article: Will Hyper-V Make VMware This Decade's Netscape? Microsoft Article: 7.0, Microsoft's Lucky Version? Microsoft Article: Hyper-V--The Killer Feature in Windows Server 2008 Avaya Article: How to Feed Data into the Avaya Event Processor Microsoft Article: Install What You Need with Windows Server 2008 HP eBook: Putting the Green into IT Whitepaper: HP Integrated Citrix XenServer for HP ProLiant Servers Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 1		Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 2--The Future of Concurrency Avaya Article: Setting Up a SIP A/S Development Environment IBM Article: How Cool Is Your Data Center? Microsoft Article: Managing Virtual Machines with Microsoft System Center HP eBook: Storage Networking , Part 1 Microsoft Article: Solving Data Center Complexity with Microsoft System Center Configuration Manager 2007 MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts
Intel Video: Are Multi-core Processors Here to Stay? On-Demand Webcast: Five Virtualization Trends to Watch HP Video: Page Cost Calculator Intel Video: APIs for Parallel Programming		HP Webcast: Storage Is Changing Fast - Be Ready or Be Left Behind Microsoft Silverlight Video: Creating Fading Controls with Expression Design and Expression Blend 2 MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits
Sun Download: Solaris 8 Migration Assistant Sybase Download: SQL Anywhere Developer Edition Red Gate Download: SQL Backup Pro and free DBA Best Practices eBook		Red Gate Download: SQL Compare Pro 6 Iron Speed Designer Application Generator MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos
How-to-Article: Preparing for Hyper-Threading Technology and Dual Core Technology eTouch PDF: Conquering the Tyranny of E-Mail and Word Processors IBM Article: Collaborating in the High-Performance Workplace HP Demo: StorageWorks EVA4400		Intel Featured Algorhythm: Intel Threading Building Blocks--The Pipeline Class Microsoft How-to Article: Get Going with Silverlight and Windows Live MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES