[Cryptography] Current state of WPA2 security for IoT access ?
David Johnston
dj at deadhat.com
Tue Apr 26 01:29:23 EDT 2016
On 4/25/16 8:48 PM, Henry Baker wrote:
> https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
>
> A sysadmin told me within the last week that WPA2 was easily broken
> via Aircrack.
>
> I wasn't aware of this; is this really true?
PSK is vulnerable to offline dictionary attack. This was known,
discussed and well understood by the participants at the 802.11i meeting
when PSK was adopted.
> The overall question I'm interested in has to do with IoT wifi access.
> If I try to hide a WPA2 access password in an IoT device, someone can
> easily steal the (outdoor) IoT device & "waterboard" it until it gives
> up the WPA2 password.
Yes. Physical access matters. I know what to do about it, but it
requires silicon area, relatively new technology and an EAP method
instead of PSK.
Per device revocable credentials would be a practical and deployable
approach, albeit ineffective if your adversary is stealthy or knows when
you're out at work.
If you use PSK, use a secure password, or the perp won't even need
physical access.
> So what is the current recommendation w.r.t. IoT devices accessing
> WPA2 wireless routers?
Try not to have it matter when it's stolen. Limit the blast zone of the
loss and use per device passwords that are resistant to dictionary attack.
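
The per-device, revocable, dictionary-resistant credentials recommended above, sketched as an added example that is not part of the original post. It assumes an access point or controller that accepts a separate PSK per device (a vendor feature, not something the message specifies); the registry class, SSID and device names are hypothetical.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, all valid in a WPA2 passphrase
PASSPHRASE_LEN = 24                               # WPA2 allows 8..63 printable ASCII characters


def passphrase_entropy_bits(length=PASSPHRASE_LEN, alphabet=ALPHABET):
    """Entropy of a uniformly random passphrase; valid only for random generation."""
    return length * math.log2(len(alphabet))


def derive_pmk(passphrase, ssid):
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class DeviceCredentialRegistry:
    """Hypothetical per-device PSK store for an AP/controller that supports multiple PSKs."""

    def __init__(self, ssid):
        self.ssid = ssid
        self._pmk_by_device = {}

    def enroll(self, device_id):
        """Issue a fresh random passphrase; keep only the derived PMK on the network side."""
        passphrase = "".join(secrets.choice(ALPHABET) for _ in range(PASSPHRASE_LEN))
        self._pmk_by_device[device_id] = derive_pmk(passphrase, self.ssid)
        return passphrase  # provisioned into that one device, never reused elsewhere

    def revoke(self, device_id):
        """Drop a stolen device's credential; other devices keep working."""
        return self._pmk_by_device.pop(device_id, None) is not None

    def authorize(self, device_id, passphrase):
        """Stand-in for the AP accepting a device (the real check is the 4-way handshake)."""
        expected = self._pmk_by_device.get(device_id)
        if expected is None:
            return False
        return secrets.compare_digest(expected, derive_pmk(passphrase, self.ssid))


if __name__ == "__main__":
    registry = DeviceCredentialRegistry("iot-net")      # constructed SSID
    secret = registry.enroll("outdoor-sensor-1")        # constructed device id
    print(f"{passphrase_entropy_bits():.0f} bits, accepted={registry.authorize('outdoor-sensor-1', secret)}")
    registry.revoke("outdoor-sensor-1")                 # device reported stolen
    print("accepted after revoke:", registry.authorize("outdoor-sensor-1", secret))
```

Revoking one device only removes that device's entry, which is what keeps the loss contained: a passphrase extracted from a stolen unit stops being accepted and no other device needs re-provisioning.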