The Caffe Latte Attack: How It Works -- and How to Block It
December 12, 2007
Hotspot users beware: in the time it takes to sip a latte, this attack can crack your corporate WEP keys.
The flaws that make WEP vulnerable were documented back in 2001, prompting development of dozens of cracking tools. Until recently, those attacks focused on traffic captured from active networks, requiring proximity to the targeted business. But lately, focus has shifted to off-site clients that are not connected to any network. By exploiting driver flaws, exposed fileshares, and user mistakes, one can easily and invisibly attack Wi-Fi laptops and phones in public venues like airplanes, hotels, and cafes.
This year, insidious new tools like Caffe Latte and Wep0ff have learned how to crack the keys stored on those off-site clients, expanding the reach of WEP crackers far beyond office walls. Now, no matter where employees go, they just might unwittingly "spill the beans" on your corporate WEP key.
Come to me
Most client-side attacks take advantage of two fundamental vulnerabilities:
Wi-Fi clients actively probe for all networks they have associated with in the past. When any AP is found with a known network name (SSID), clients automatically associate to it.
This common-but-promiscuous behavior is the culprit behind well-known evil twin or honeypot attacks we have written about before (see Getting Phished: Why SSID Spoofing Still Matters).
In fact, those older attacks provide the launch pad for new client-side WEP crackers, creating the perfect conditions in which to grab any corporate WEP keys cached by those clients.
Talk to meAll WEP crackers use statistical analysis to guess the key used to encrypt captured traffic. Given enough encrypted traffic, WEP crackers can always derive the key. A WEP-cracking attack therefore starts with locating a source of encrypted packets. It turns out that phished Wi-Fi clients are an awfully convenient and plentiful source.
Specifically, all TCP/IP devices send a least a few packets whenever they connect to a WLAN.
A station using a static IP immediately broadcasts a few gratuitous ARP packets to the entire WLAN. Each ARP packet carries the sender's MAC address and IP address so that other stations will know how to route traffic.
A station using a dynamic IP also sends ARP, after first requesting an IP address from a DHCP server. If no server is found, the station assigns itself an Automatic Private IP Address from the 169.254.0.0/16 subnet and then sends gratuitous ARP.
Tell me your secrets
If a client associates to an AP that uses WEP, it may or may not be required to authenticate itself before associating, using a shared WEP key. However, the AP is never required to prove that it, in fact, possesses the WEP key. This means that a phony AP (aka evil twin) can be configured with the SSID of a corporate WLAN and any key to lure clients. After a client associates to the phony AP, it will send a few ARP packets—encrypted with the corporate WEP key.
A handful of encrypted ARP packets won't be enough to crack the corporate WEP key. So something must cause the client to repeatedly send encrypted ARP packets. One approach is to disconnect or deauthenticate the client, over and over again, but that would take a long time.
According to Vivek Ramachandran, co-author of the Caffe Latte attack demonstrated at Toorcon this October, cracking a WEP key this way takes between 1.5 and 6 days, depending upon the client's use of DHCP. That's theoretically interesting, but of little practical value, since a true hotspot attack must be completed in a much shorter time period—preferably in the few minutes that it takes to purchase an espresso.