[Martin Beck] and [Erik Tews] have just released a paper covering an improved attack against WEP and a brand new attack against WPA (PDF). For the WEP half, they offer a good summary of attacks up to this point and the optimizations they made to decrease the number of packets needed to roughly 25K. The only major risk to WPA so far has been the coWPAtty dictionary attack. This new attack lets you decrypt the last 12 bytes of a WPA packet’s plaintext and then generate arbitrary packets to send to the client. While it doesn’t recover the WPA key, the attacker is still able to send packets directly to the device they’re attacking and could potentially read back the reaction through an outbound connection to the internet.
[photo: niallkennedy]
[via SANS]