11/11/2008 -- Don't look now, but Wi-Fi Protected Access (WPA), the gold standard for wireless security, might not be so secure. At the PacSec 2008 Conference, held this week in Tokyo, a group of researchers is expected to demonstrate a way to partially crack WPA-encrypted traffic.

Since at least 2004, WPA has been the preferred alternative to the Wired Equivalency Protocol (WEP), an insecure encryption mechanism that's still used by many consumer devices. But WPA -- in spite of a spate of theoretical vulnerabilities -- has been perceived as practically impregnable. Not anymore.

Industry giant Gartner Inc., for one, urged customers to take action. Even in the absence of a verified proof-of-concept -- much less a bona-fide WPA-cracking-exploit -- organizations need to seriously think about shifting away from WPA and toward its successor, WPA2, Gartner said.

For one thing, Gartner analysts John Pescatore and John Girard wrote, it's been a long time coming. "Reports of this new crack are not surprising, and in fact represent the normal cycle of security solutions becoming vulnerable over time," they wrote, noting that "WPA has long been known to be theoretically vulnerable to 'dictionary attacks,' which require massive computational resources not available to most hackers and so are not a serious threat."

The new attack, on the other hand, doesn't require any special resources. It exploits a vulnerability in WPA's Temporal Key Integrity Protocol (TKIP), with the result (sources say) that an attacker can actually crack the TKIP key. This could enable them to read, and perhaps even change, data as it's sent between a wireless access point and client devices.

The upshot, Pescatore and Girard stressed, is that it's time to make the switch to WPA2. "Wherever possible, migrate WLANs from WPA to WPA2. If this is not feasible, use installed WLAN intrusion prevention systems...to monitor WPA usage and detect attempts to compromise TKIP," they wrote. "If no migration to WPA2 is planned and no form of WLAN monitoring is in place, ensure that vulnerable access points are not used in public areas." --Stephen Swoyer