Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Graphics Security Software Wireless Networking Hardware

Elcomsoft Claims WPA/WPA2 Cracking Breakthrough 349

secmartin writes "Russian security firm Elcomsoft has released software that uses Nvidia GPUs to speed up the cracking of WPA and WPA2 keys by a factor of 100. Since the software allows them to network thousands of PCs, this anouncement effectively signals the death of wireless networking in business networks; any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether."
This discussion has been archived. No new comments can be posted.

Elcomsoft Claims WPA/WPA2 Cracking Breakthrough

Comments Filter:
  • by Daimanta ( 1140543 ) on Sunday October 12, 2008 @02:26PM (#25346577) Journal

    True, buy most people will use a alphanum pass with 10 characters or less.

    (26*2+1)^10 = 839299365868340224

    Which is a lot more crackable.

  • Seriously. We've had a number of standards with names like "Wired Equivalency Protocol" and "Wifi Protected Access" and yet they seem to be falling, one-by-one, to relatively trivial attacks.

    "Seem" is the key word in this paragraph.

    The claimed attack is nothing more than a brute force search on WPA/WPA2 pre-shared keys, a search that will fail if the keys are well-chosen. It has no effect whatsoever on WPA or WPA2 when used with any of the EAP authentication modes. But PSK requires the network admin to choose a key, and the key is typically chosen by typing in a passphrase. If that passphrase is weak, then given enough computation power an attacker can guess it. Big surprise.

    WPA and WPA2 ARE just as solid as SSL. The only difference is that everyone knows that if you're doing SSL you should use a good random number generator to help generate your key pair and to generate the session keys.

  • by Qwavel ( 733416 ) on Sunday October 12, 2008 @02:41PM (#25346673)

    Businesses that are serious about their security use one of the many types of WPA-Enterprise. The method described in this article only applies to WPA-Personal which is targeted at home users.

    Those businesses that do use WPA-Personal can simply institute a policy that requires better passwords to secure them against this exploit.

    Some businesses will continue to use WPA-Personal with poor passwords, and that's fine, but those businesses are probably not too worried about security and have many other bigger vulnerabilities.

    So, the claim that "this anouncement effectively signals the death of wireless networking in business networks" is ridiculous.

  • by Anonymous Coward on Sunday October 12, 2008 @02:42PM (#25346681)
    Uh, where are you getting that number? (26*2+1)^10 works out to 1.7488747 * 10^17 [google.com]. Wouldn't it be more like ((26*2)+10)^10, assuming no spaces?
  • by mlts ( 1038732 ) * on Sunday October 12, 2008 @02:53PM (#25346743)

    I personally recommend KeePass for password generation. It can generate 63 char passwords for WPA/WPA2 keys with cryptographically random unpredictability as it uses keyboard/mouse movements as part of seeding. Because its done on the local machine, there is no chance of the password being leaked as compared over the web. With a 63 character password, that is far more entropy than the 128 or 256 bits keys used for AES, so for someone to guess a password of that length, they either have to be able to brute force AES at full strength, or find a weakness in the algorithm's implementation.

    I generate a KeePass password, save it to a USB flash drive, then paste it into my router's config. I then take the USB flash drive to the physical machines and do a copy and paste of the 63 char key into their network preferences. This is a lot easier than typing it. Should I lose the key... not hard to fix -- generate another one and rekey the 3-4 machines on my network. Because the WPA/WPA2 key is easily resettable with physical access to the machines, there is no reason to go less than the maximum character length, and it doesn't matter if the password gets forgotten, as long as you remember your router and machine's access passwords. (This for a home network. Businesses should use a RADIUS server where all the machines are not reliant on a single shared encryption key.)

    If you have to use fewer characters, I'd say never use fewer than 20 characters, but even that is cutting it thin, factoring in Moor's law, botnets, and usage of GPUs for additional number crunching.

  • by Deekin_Scalesinger ( 755062 ) on Sunday October 12, 2008 @03:15PM (#25346857)
    I'll second KeePass and its UNIXy-OSXy variant KeepassX (the DB file that it stores passwords in can be read on all three platforms). In addition to its password generating abilities, it makes a handy home for my network/web logins. Sourceforge has both programs in all their gleaming, open source goodness.
  • by secmartin ( 1336705 ) on Sunday October 12, 2008 @03:16PM (#25346867)
    When used with any authentication scheme that is *not* PSK-based, WPA is still pretty secure. VPN connections are perfectly fine as well, as long as you don't choose a simple guessable pre-shared key...
  • Already GPL'ed ... (Score:4, Informative)

    by Anonymous Coward on Sunday October 12, 2008 @03:18PM (#25346873)

    All of this is already available as a GPL'ed tool that has been out for about a month. See http://pyrit.googlecode.com

  • Re:F@H (Score:2, Informative)

    by Anonymous Coward on Sunday October 12, 2008 @03:20PM (#25346883)

    For a ballpark:

    total time / number of active cpu's

    From another comment:

    Brute Force Attack will take up to 128299838271 years at 500,000 passwords a second.

    And F@H has well over a million users (but less than 2, and many inactive), so I'll highball guesstimate at 2million.

    The result: 64,150 years, optimistically.

  • by databeast ( 19718 ) on Sunday October 12, 2008 @03:26PM (#25346923) Homepage

    Better yet, use 802.1x (WPA + RADIUS) which completely avoids all the key-exchange weaknesses of WEP and WPA.

  • by pipatron ( 966506 ) <pipatron@gmail.com> on Sunday October 12, 2008 @03:57PM (#25347127) Homepage
    If you run a debian-ish system: aptitude install pwgen
  • by GrenDel Fuego ( 2558 ) on Sunday October 12, 2008 @03:58PM (#25347139)

    EAP-TLS is used for the key exchange process. The encryption used for the connection can either be TKIP, which uses rotating RC4 keys or CCMP which uses more secure AES encryption keys.

    CCMP is the more secure choice, but is incompatible with older wireless cards. If you care about the security of your network, you are better off choosing hardware that supports CCMP.

  • by Ironsides ( 739422 ) on Sunday October 12, 2008 @03:59PM (#25347157) Homepage Journal
    He's pushing out the new key over the network using the existing key. I record all data over the network starting with key XX1. Say he gets to key XX3 when I finally crack key XX1. I use key XX1 to decrypt all the data I have recorded from the wireless, I get key XX2 by decrypting it and then I also get key XX3.
  • Re:We're okay (Score:1, Informative)

    by Anonymous Coward on Sunday October 12, 2008 @04:30PM (#25347419)
    So all I have to do is listen to a couple of packets, set my machine to use one the MAC addresses on your network and I am in? Cool. Now I just need to figure out where the headquarters of "anonymous coward, inc." is.
  • by rtfa-troll ( 1340807 ) on Sunday October 12, 2008 @04:32PM (#25347443)

    You would trust some random other person's web site to generate a critical password? I admit it's probably better than what many people do, but it's almost certainly not acceptable in a commercial situation.

    Other's have already provided some downloadable solutions, but here's a solution which should be available on most modern operating systems. Just get to a command line and type the following.

    dd if=/dev/urandom bs=200 count=1 | tr -cd 'A-Za-z0-9!@$#%_'; echo

    Use /dev/random if you want even better quality randomness (probably not really needed). Note that you can control the the character set to match the place you are using by editing the tr command and the length by either taking a section of the password or by doing it multiple times and sticking them together. This is nicer than systems which feed through uuencode or base64 in that it should provide an even distribution between different characters in your character set.

    On the other hand; should you be trusting a random slashdot poster :-)

  • by Hork_Monkey ( 580728 ) on Sunday October 12, 2008 @05:02PM (#25347715)
    If you're setting up a 200 device wireless network with WPA PSK, you're doing it wrong.
  • by dr.ka0s ( 549707 ) on Sunday October 12, 2008 @05:35PM (#25347995)

    These guys are late to the party.

    FYI, Adam Bregenzer released an open source framework at DEFCON this year that provides pseudo-automatic multithreading, distributed password cracking capabilities AND takes advantage of existing commercial cloud computing services (ala Amazon, et. al.). The framework is easily adaptable to any number of computationally intensive applications, though he provided hard numbers and demonstrations from his work using coWPAtty and John the Ripper.

    https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Bregenzer [defcon.org]

  • by tftp ( 111690 ) on Sunday October 12, 2008 @05:37PM (#25348015) Homepage

    Your example password is not random. Look at the letters of it, one by one, and you will notice that each next letter is either in direct physical proximity (QWERTY-wise) to its predecessor, or in a similar proximity for the other hand. This is a serious weakness because password crackers will exploit it in an instant.

  • Also (Score:4, Informative)

    by Sycraft-fu ( 314770 ) on Sunday October 12, 2008 @05:39PM (#25348029)

    A "100x" increase in the speed of cracking an encryption system is not necessarily impressive, or indeed meaningful.

    It sounds like a lot, and would be if it were a situation of "It used to take 100 years to crack a password, now it takes 1." Ok well that just moved the problem from something impossible or at least totally worthless (the technology will be outdated by the time you get the answer) to something potentially useful for a determined attacker.

    However, that isn't the sort of timescale we are talking about for modern encryption. We are instead talking about amounts of years that are generally expressed with exponents. Ahh, well now that changes things. If an encryption system currently takes 10^14 years to crack and you've sped up cracking 100 times so it now only takes 10^12... Well that still doesn't get you anything. You are talking many times longer than the universe has been around. Even an increase of 1,000,000 times doesn't get you anywhere near anything useful.

    So while announcements like this are cool in an academic sense, they have no real application or threat.

  • by spinkham ( 56603 ) on Sunday October 12, 2008 @06:25PM (#25348397)

    WPA-TKIP was built as a "transitional" standard. It is good enough for today, but we expect that to not last for very long.

    WEP=breakable by your grandma.
    WPA-TKIP = very little security margin, was designed for a 5 year "transitional" period to move to AES. Not recommended for long term or high security use.
    WPA2-AES = strong.

  • Not correct (Score:2, Informative)

    by omuls are tasty ( 1321759 ) on Sunday October 12, 2008 @07:04PM (#25348633)

    SSH is not dependent on SSL/TLS - it's just that one particular implementation of SSH (OpenSSH) is dependant on the OpenSSL library for its cryptographic primitives.

    More details [snailbook.com]

  • by Winckle ( 870180 ) <markNO@SPAMwinckle.co.uk> on Sunday October 12, 2008 @07:06PM (#25348651) Homepage

    The wii supports USB keyboards, you should give it a try.

  • by Maguscrowley ( 1291130 ) <`moc.liamg' `ta' `yelworcsugaM'> on Monday October 13, 2008 @01:21AM (#25351475)
    First, that goes over the 63 printable character limit. Second, losing that key means that you have to reset the device in order to put in a new key and redo all the settings.

    For a large network in say a hospital*, this kind of downtime is unacceptable since many essential things, including security systems and mobile stations for taking vitals. I imagine that the fear of this kind of downtime would either be enough to convince people to swallow the cost of installing ethernet wiring or ensure that SOMEONE will be able to remember the password. I'm going to assume that the reason for going wireless is to avoid swallowing that cost, so that leaves them in hoping that the memorable pass can't be formed from a dictionary/combo attack and the ssid isn't on a rainbow table somewhere.

    *I remember from my time in a mental institution: fucking everything was connected and dependent on their wifi. Security handsets, the mobile nursing units that were used every day to do our vitals AND commit them to our file [yes, my records were going through wifi ... not cool], front desk information, the security cameras and the like. Note that if you were on suicide watch or had just got admitted, that means that when you took a piss, you could wave to the camera knowing that the image of you was being broadcast on WiFi. Great ... I also, upon being transferred to partial, found that I could move fairly far away from the building, off the premises actually, and could launch an attack. It was WPA. An easy social engineering target (underpaid IT staff) confirmed my observations and reasoning as to the bottom line inspiring the WiFi. Every floor was even the same network, when really there was no reason for the same UNIT to share the same network. The nurses did not have logins, though each unit did. What's more, only the head nurse could "technically" log nurses and mental health staff into the network. The mobile testing stations (dell inspirons with their proprietary software installed and some USB connected medical devices) never left any single unit even!!! There was every good reason to separate the networks except that the entire system was inspired by laziness. I never bothered trying to crack the WPA encryption, because I saw little point in getting into the network. Except maybe getting my file, which cost me $50 to print out ... bastards.
  • by PReDiToR ( 687141 ) on Monday October 13, 2008 @12:25PM (#25357047) Homepage Journal
    This is either utter ignorance, or a mediocre troll (in the nicest way, of course).

    Firstly, get rid of this idea of a "standard password". Get PasswordHasher [mozilla.org] and use your NEW standard password to access some highly complex passwords at no extra brain power.

    Next, your next door neighbour can't plug into your router from their sofa if you use a cable and see you moving home pr0n between your laptop and your desktop.
    If you're using WiFi then all that lovely data could be shared with them, if they have a sniffer program running and your network key.

    Other things that go over your network in plain text that could be sniffed by your neighbour: Notice the httpS:// on Slashdot.org? Me neither. Your password would have been in a packet that they sniffed. Same for any site you visit. URLs to your bank, your fave pr0n sites, the software you're using and which versions. If they are as good as me (and I'm not even that good at this crap), they could wait for your browser to look for an update, have an already altered version of the last update with a backdoor in it, hijack the DNS request and punt you a file that rootkits your box. If your post wasn't a troll, you might need this: Rootkit [wikipedia.org].

    Seriously, why do you think everyone talks about wireless security as if it was important? Are you the only one that is "in the know" and they are all wrong?

    Exceptions do apply. NX, VPNs, SSH, and other encryption can be sent over totally open WiFi because the encryption is done before stuff hits the network card.

Money is better than poverty, if only for financial reasons.