The Caffe Latte Attack: How It Works�and How to Block It - Page 2

By Lisa Phifer

December 12, 2007

Hotspot users beware: in the time it takes to sip a latte, this attack can crack your corporate WEP keys.

Hurry it up, will you?


Ramachandran and colleague Md Sohail Ahmad decided to search for ways to make the client much more verbose. The Caffe Latte paper that the pair submitted to Toorcon described multiple ways to accelerate this attack.


By applying different WEP cracking techniques (FMS, Korek, PTW) to various frames (DHCP, ARP, 802.11), the authors had managed to bring the average cracking time down significantly. The worst-case configuration (client using static IP and no authentication) ran about nine hours, while the best case (client using DHCP and shared key authentication) took as little as 20 minutes. "That was better, but still not fast enough to be a coffee shop attack," said Ramachandran.


Then Ramachandran and Ahmad noticed a vulnerability that could be exploited more consistently across every client configuration. Any station that receives an ARP request automatically responds with an ARP reply. It must be possible to generate a valid encrypted ARP request without knowing the WEP key, but how?


Upon connecting, the client transmitted several correctly encrypted gratuitous ARP requests.

An attacker can flip a few bits in one of those captured packets, changing that gratuitous ARP into an ARP request, addressed to the client.


By sending that forged ARP request repeatedly, the client can be stimulated into replying with thousands of correctly-encrypted ARP replies.





The final version of the Caffe Latte tool developed by Ramachandran and Ahmad can use this refined methodology to recover cached 128-bit WEP keys from any client in roughly six minutes.


I'll tell you no lies


This attack works because not only is WEP vulnerable to statistical analysis, but it does nothing to cryptographically protect packet integrity. In other words, recipients have no way to detect when a valid packet has been captured and replayed, as-is or with modification.


Every WEP-encrypted packet carries a Cyclic Redundancy Check (CRC) that is used to spot transmission errors. But, it has long been known that a sender could change both the data payload and the CRC to create a valid packet. Caffe Latte uses this bit-flipping technique to modify the Sender MAC and Sender IP Address contained in a gratuitous ARP header, turning that captured packet into an encrypted ARP request, addressed to the victim client.


Because the victim cannot tell that those forged ARP requests are bogus, it replies with a WEP-encrypted ARP response, as defined by the ARP protocol. Over and over and over again.


Prove it


Ramachandran and Ahmad demonstrated Caffe Latte on October 21, 2007, at Toorcon [PPT]. With fellow AirTight Networks employee Rick Farina, they also produced a real-time video of the attack being launched against an Apple iPhone. With their permission, several snapshots from that video appear below to help us illustrate the Caffe Latte attack.


1. Monitor hotspot WLAN traffic to identify potential corporate SSIDs.




2. Start capturing all traffic generated by target clients.


3. Use phony AP with corporate SSID and any WEP key to lure target client.


4. Extract gratuitous ARP Request from capture file.



5. Send ARP Request to Caffe-Latte, generating bit-flipped ARP Request flood.



6. Run Aircrack-NG (or your favorite WEP cracker) on corporate SSID and capture file.


7. After analyzing roughly 55-60K ARP Responses, crack 128-bit WEP key.



Learning self-defense


"We wanted to educate people by demonstrating that this threat exists," said Ramachandran. "But we did not want to give a point and click tool to hackers. The best defense is to stop using WEP."


That is sound advice. But for corporate users, decisions about whether to use WEP are made by the employer not the employee, so individual users should take the following precautions to avoid falling victim to Caffe Latte:


1. Narrow the window of opportunity by disabling Wi-Fi adapters when not in use. Many laptops and other devices now have a physical on/off switch for Wi-Fi. Use it.


2. Reconfigure your client to avoid reconnecting automatically to Preferred Networks. That way, you won't be tricked into connecting to any AP without your consent, and you will realize that a corporate SSID showing up in a public hotspot is not legitimate. (This is particularly important for iPhone users and other with devices that lack an on/off switch for Wi-Fi.)

3. If manual connection management is too inconvenient, then run a host-resident Wireless IPS. A host WIPS like those described here can profile SSIDs and APs used in specific situations. For example, a "Work" profile could let you connect to your corporate SSID at the office, while switching to a "Hotspot" profile could make sure that you ignore that corporate SSID outside the office.

4. Install the Wireless Client Update for 32-bit versions of Microsoft Windows XP with Service Pack 2 (KB 917021). This update stops clients from probing for Preferred Networks that broadcast their SSIDs when the configuration option "Connect even if the network is not broadcasting" is disabled.



Enterprise-level defense


As corporate WLANs migrate away from WEP, what can employers do to deter this attack? Caffe Latte does its dirty work outside the office, well beyond the reach of an Enterprise WIPS. However, there are a few Band-Aids that can be applied to stem the blood loss.


To use a Caffe Latte-cracked WEP key, attackers must determine the geographic location of the corporate WLAN. Opaque (random) SSIDs make that just a little bit harder, although geographic coordinates for many SSIDs can be obtained from

WEP key rotation can reduce the time period during which a cracked key remains useful. But realize that someone running Caffe Latte against workers lunching at your local sandwich shop will probably use a cracked key in minutes or hours, not days or weeks.

Never depend exclusively on WEP for network access control or data confidentiality. For example, combine WEP with SSL captive portal or VPN authentication to stop an attacker with your WEP key from entering upstream networks.


Be smart, be safe


Ultimately, the most effective way to neutralize Caffe Latte is to stop using WEP altogether.


Wi-Fi Protected Access uses cryptographic integrity checks to detect bit-flipping. And neither WPA nor WPA2 are directly vulnerable to data key cracking. While not impervious to other attacks, WPA and WPA2 are very strong when used correctly. Even WPA PSK dictionary attacks pale in comparison to the gross simplicity and speed of WEP cracking.


Corporate WLAN administrators have now been warned—again. Hopefully, Caffe Latte will put the final nail in WEP's coffin, encouraging foot-draggers to finally migrate away from that fatally flawed protocol.



Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. She has been involved in the design, implementation, assessment, and testing of NetSec products and services for over 25 years.


Pages: 1 2

Comment and Contribute
(Maximum characters: 1200). You have
characters left.