[Cryptography] Current state of WPA2 security for IoT access ?

David Johnston dj at deadhat.com
Tue Apr 26 01:29:23 EDT 2016


On 4/25/16 8:48 PM, Henry Baker wrote:
 >
 >https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access > >A sysadmin 
told me within the last week that WPA2 was easily broken >via Aircrack. 
 > >I wasn't aware of this; is this really true?

PSK is vulnerable to offline dictionary attack. This was known, 
discussed and well understood by the participants at the 802.11i meeting 
when PSK was adopted.

 >The overall question I'm interested in has to do with IoT wifi access. 
If I try to hide a WPA2 access password in an IoT device, someone can 
easily steal the (outdoor) IoT device & "waterboard" it until it gives 
up the WPA2 password.

Yes. Physical access matters. I know what to do about it, but it 
requires silicon area, relatively new technology and an EAP method 
instead of PSK.
Per device revocable credentials would be a practical and deployable 
approach, albeit ineffective if your adversary is stealthy or knows when 
you're out at work.

If you use PSK, use a secure password, or the perp won't even need 
physical access.

 >So what is the current recommendation w.r.t. IoT devices accessing 
WPA2 wireless routers?

Try not to have it matter when it's stolen. Limit the blast zone of the 
loss and use per device passwords that are resistant to dictionary attack.



More information about the cryptography mailing list