With everybody awaiting WPA3, it’s easy to miss improved WPA2 attacks. Up until recently cracking the WPA2 with pre-shared key required online attack. Well, not anymore.
This new attack doesn’t even require waiting for 4-way handshake – essentially all you need is a few minutes of passive traffic, minimal amount of luck, and a bit of alone time to crack the key – offline. If you are willing to go active capture time goes down to a second and no luck is involved. The only real challenge is offline cracking – and there is no time pressure here.
Without going into too many details, issue is in optional PMKID field that does come in handy for roaming support. Unfortunately, for most routers, PMKID gets sent even if roaming option is off.
There are two “fixes” for this. The obvious one is to increase complexity of your pre-shared key while avoiding ones present in the precalculated SHA-1 tables. We are still talking about brute forcing SHA-1 hash – a non-trivial task if you have long and random password.
Second approach is to disable PMKID field and that would require you to upgrade router’s firmware. Fortunately for me, Mikrotik already has a fix available and thus avoiding it as easy as selecting to Disable PMKID.
Mind you, that’s not absolute protection as weak passwords are still vulnerable no matter how you cut it. But this does prevent offline attack.