The Ruckus Room

The annual Defcon event is notorious for introducing new cracks, attacks, and hijacks to the computer and network security industries. Known as an edgy, irreverent group of security misfits, Defcon often introduces fresh Wi-Fi security weaknesses and exploits.

One of the highlights this year was a "new" MS-CHAPv2 vulnerability found by security researchers: Moxie Marlinspike (his hacker handle) and David Hulton. The primary vulnerabilities for the MS-CHAPv2 attack include PPTP VPNs and “WPA2-Enterprise.”

Aerohive's Matthew Gast posted an excellent and detailed explanation of how it all works.

Marlinspike also explains the attack in considerable detail on his blog, but here’s the reader's digest version: 

Though the MSCHAPv2 protocol looks complex with a lot of “digital hand-waving,” there’s only one real unknown: the MD4 hash of the user’s passphrase, which creates three data encryption standard (DES) keys. Because of weaknesses in the DES key construction, it is possible to “divide and conquer” the keys and easily recover the third DES key.

The remaining two keys can be reduced to a total complexity of 2⁵⁶, making it effectively a single DES encryption. Using specialized DES cracking hardware—which has been made available to everyone as a service on Cloudcracker—DES can be cracked in less than a day, averaging half a day. This applies equally to all MS-CHAPv2 implementations, regardless of password length and complexity.  

The Impact on Wi-Fi

When we hear WPA2-Enterprise with MS-CHAPv2, we immediately think PEAPv0/MSCHAPv2 or EAP-TTLS/MSCHAPv2. And the security news headlines to-date have been intentionally ambiguous because major vulnerabilities make for good news. However, fear not. The widely used and highly trusted EAP-TTLS and PEAP with MSCHAPv2 implementations are not vulnerable to this attack.

Like most other recommended EAP types, PEAP and TTLS each begin by building a TLS tunnel using the authentication server’s (AAA/RADIUS server) X.509 certificate. Then MSCHAPv2 is used within that secure tunnel. Because the TLS tunnel establishment is highly secure (as long as you validate the server certificate!!!), attackers have no access to the less-secure MSCHAPv2 exchange.

So why do the headlines include WPA2-Enterprise? Cisco’s Lightweight EAP (LEAP) utilizes a MS-CHAPv2 variant for [pseudo] mutual authentication. However, the Wi-Fi industry has already done an admirable job of flogging LEAP for its known weaknesses. Even Cisco has taken the right steps to steer users away from LEAP. However, some organizations still use LEAP because previous vulnerabilities focused on offline dictionary attacks—they need to wake up! Based on this new attack, network engineers that still rely on LEAP should realize that long passwords no longer suffice.

Unfortunately, outdated Wi-Fi security protocols are thrown in the vulnerability mix because it’s more newsworthy that way. But, the real reason for Hulton and Marlinspike’s research is that PPTP VPNs are still very widely used, even though there were already known vulnerabilities. Sadly, IT organizations have not heeded the warnings of high-fanfare (and high cost) network breaches in the past. Now is the time to heed them. 

So What?

Lightweight EAP’s use of MS-CHAPv2 has been subject to offline dictionary attacks for several years—popularized by Joshua Wright’s ASLEAP. Hulton and Marlinspike’s research has exposed more fundamental vulnerabilities with MS-CHAPv2, regardless of password complexity. But the use of MS-CHAPv2 with WPA2-Enterprise and PEAP or EAP-TTLS is still very secure. It’s still perfectly safe to use weaker protocols like PAP, CHAP, MS-CHAP, and MS-CHAPv2 within a secure, encrypted TLS tunnel.

If your WLAN is still using LEAP, you are already violating security best practices. And if you’ve been relying on strong passwords to avoid dictionary attack, this new vulnerability should hasten your change to a new EAP method.