WPA/WPA2 Cracking With CPUs, GPUs, and the Cloud
wintertargeter writes "Yeah, it's another article on security, but this time we finally get a complete picture. Tom's Hardware looks at WPA/WPA2 brute-force cracking with CPUs, GPUs, and Amazon's Nvidia Tesla-based EC2 cloud servers. Verdict? WPA/WPA2 is pretty damn secure. Now to wait for a side-channel attack. Sigh...."
brute farce (Score:2)
Secure from brute force attacks != secure. Hello, exploits!
http://www.wi-fiplanet.com/news/article.php/3784251/WPA-Vulnerability-Discovered.htm [wi-fiplanet.com]
Re:brute farce (Score:4, Insightful)
That's why we use WPA2/AES.
Re: (Score:2)
I'm considering setting up WiFi in my small apartment so I don't have cables going all over the place. To PS3, printer, desktop and laptop. If I set up my computers for WPA2/AES and change the key on a regular basis, is this considered secure enough? The printer and PS3 won't be on 24/7 so no one can run through 500 pgs and a couple of toners on me.
It's difficult to figure out all the ongoing wireless standards and security when you don't work in the industry.
Re: (Score:2)
Re: (Score:2)
If I set up my computers for WPA2/AES and change the key on a regular basis, is this considered secure enough?
Yes.
Only WEP is truly broken. WPA and WPA2 are only vulnerable to weak passwords.
Re: (Score:2)
Like the quote in the article said, it's "more of a pinhole than a crack". It needs very specific circumstances and also needs you to use TKIP vs AES. I'm not sure about as of today, but according to that article WPA with AES=secure.
The real problem isn't anything to do with WPA, it's with companies like Verizon who in modern times have the stupidity to use WEP. If it's not WPA2 compatible throw it in the garbage.
Re: (Score:2)
Yep, the main lesson I think is that it shows how bad CRC32 is as an integrity check.
Re: (Score:2)
FYI, there is a new attack on TKIP that can recover the temporal key after capturing 2^38 packets (for comparison, WEP's IV is 24-bit):
http://infoscience.epfl.ch/record/165984 [infoscience.epfl.ch]
Re:if it is so damn secure (Score:5, Informative)
"We", pretty much do. The underlying algorithm is AES, used in ssh, https, bitlocker, GPG, and so on.
The Only Solution (Score:5, Insightful)
Ultimately the only solution is to have a segregated WiFi network. I've set one up in one of our offices, with the others to follow soon. If one our workers needs to access internal network resources from our WiFi network, he's got to do what he'd do if he was in a coffee shop or an airport, establish a VPN connection to the internal network. There simply isn't any other solution so far as I can tell. You have to treat WiFi as a potentially hostile entry point.
Re: (Score:2)
I hope you are doing the same or something similar with wired then. No, locking switch ports by MAC address is not good enough. Dead easy to spoof the MAC address of the machine I unplugged to get my evil device in.
Re: (Score:3)
That requires physical access to the corporate office though.
Wireless doesn't.
Most places that is a fairly important difference.
Re:The Only Solution (Score:5, Insightful)
Anyone with a set of overalls, a handtruck/cart and a cardboard box can get into pretty much any office.
Re: (Score:2)
Re: (Score:2)
From my experience, that much is true if you've seen a single episode.
Re:The Only Solution (Score:5, Funny)
Nope, just had to chase a verizon man out of my server room a couple weeks ago.
The receptionist let him in because it said Verizon on his jacket and someone kept letting him through doors after that. He was on the wrong floor and would have disconnected live equipment had I not chased him out with a rack rail.
Re: (Score:1)
and the other 10 times he would have all the time he needed.
Re: (Score:2)
Can't enter our server rooms without special electronic keys. Not getting past our receptionists without a guest pass and someone to vouch for you to sign off on the guest pass.
Re: (Score:2)
Sounds like a game of cat and mouse... /snicker... So, if a rat hooks a fiber to its head, would it be a rat with a freak'n laser on its head?
Re: (Score:2)
Having a programmer pull double duty as a receptionist would be instant death to any company. Most programmers around here have that standard dry sarcastic humor that would probably cost the company money if we had to interact with real people. Great bunch to work with.
Who needs access to the server room? (Score:1)
Re: (Score:2)
That's why it's important to know the MAC address of the electronic card reader at the reception desk.
Re: (Score:3)
Whether or not he's been watching too much Burn Notice, Burn Notice is right about that one. You can get into about 90% of offices that way. It's actually happened (twice!) at mine, and the building is poorly designed (as recently as 20 years ago!), so improving security is difficult. Anything older than 15 years (pre-9/11) is probably similarly difficult to physically secure.
Re: (Score:2)
The building I work in was designed/built in 1971, and it's easy to physically secure... there's no actual office space on the ground floor (that's retail space that we rent out), and you need two keycards to actually get anywhere in the building: the building pass which you need to get past security after hours and use the elevators (retail space and elevators shut down from 6pm - 7am and on Sundays), and the office pass, which opens the doorway into your office area. More secure floors have a 2nd security
Re: (Score:2)
Tight security is *expensive*. Special electronic keys (and the associated administration) cost thousands of dollars. Few organizations actually have sufficiently valuable data to justify this expense. Smaller organizations rarely do.
So far, so good. The tough part is that as an organization grows, it reaches a point where it will start to make sense to incorporate these additional expenses. But what triggers this decision? There's no automatic formula involved, and a growing organization has to carefully
Re: (Score:2)
No, actually, I'd say it's more that you have made the error of thinking that because it's dramatized it bears no resemblance to [csoonline.com] reality [csoonline.com]. Social engineering is a big [social-engineer.org] deal [cio.com], to the extent that in places where security is paramount it's a major component in vulnerability assessment and penetration testing.
Re: (Score:2)
The fact is that gaining physical access to active Ethernet RJ45 port is significantly more difficult than sitting outside an office and hacking into a WiFi network. Yes, you're right, physical security can be an issue, but it is a much more difficult target, and thus simply does not worry me as much. If your scenario were that common, then you'd best be considering the physical security of your servers. After all if a guy in coveralls can plug in a CAT5 cable, then surely he can make it into the server
Re: (Score:3)
Re:The Only Solution (Score:5, Insightful)
Whose fault it is isn't relevant. If you're concerned with fault, you must be a manager rather than something useful. The goal is to keep things private and secure, not make sure you get to point the finger somewhere else. If you're pointing the finger, you've already failed even if you're too stupid to realize it.
Re: (Score:1)
Re: (Score:3)
Whose fault it is isn't relevant. If you're concerned with fault, you must be a manager rather than something useful. The goal is to keep things private and secure, not make sure you get to point the finger somewhere else. If you're pointing the finger, you've already failed even if you're too stupid to realize it.
This kind of thinking is, in my opinion, exactly opposite of good security. Companies who take a "Security is everybody's responsibility!" attitude are doomed to fail. Something that is everybody's responsibility is no-one's responsibility. Being able to identify whose fault it is is a side effect of knowing whose responsibility it is. My responsibility to secure the network. The receptionist's responsibility to vet the people coming into the building. The facilities/security person's responsibility t
Re: (Score:2)
The problem is, deciding that nobody should care about security opens up a bunch of potential vulnerabilities.
Most companies have a side door that is accessible to employees with a badge. This is where we target to gain physical access to a building during a penetration test. Almost everyone will hold the door for you if you look busy and are reasonably respectable looking. Most companies can't afford to secure every door, or won't do it due to parking situations, etc.
The other attack we commonly engage
Re: (Score:1)
I'd expect the server rooms to be considerably harder to access than general offices. After all, I've one been at a job interview where I was asked to solve some problem for a test. While I did so, the interviewers left the room. I think it wouldn't have been too hard to plug something into an Ethernet port during that time. OTOH, getting into the server room would not have been possible, especially not alone.
in some office buildings the building maintenance (Score:2)
In some office buildings the building maintenance can get into any room, and in some they are the guys that must change the light bulbs / fluorescent light bulbs.
Anyway, it's easy to say "I need to check out a leak" or any other issue to have a cover story to get in; they can say the office under you has the issue.
Re: (Score:2)
In any secure setup, that guy can't get into server rooms without one of the operations guys watching him.
At least, that's the way it's been everywhere I've managed.
Don't care what's going on in the server room, you don't go in without an authorized employee. If this is not policy, you're doing it wrong, period.
Re: (Score:1)
How would an attacker cause a fire or a massive water leak in the server room?
see what I did there? (Score:3)
1. have your mother feign car trouble and ask to use the restroom
2. while she's there, she leaves a remote-control smoke bomb in the trash.
3. find a sysadmin that's out on vacation (?wtf, that can't be right?)
4. make up a gift basket, hide some elemental sodium (hah! really?! Florida's pretty damn humid...) in it
5. send gift basket (4) to absent sysadmin (3), where it gets left sitting in the server room until his return
6. trigger smoke bomb (2)
7. smoke (6) triggers sprinklers
8. water from sprinklers (7) ignites elemental sodium (4) starting a two-alarm conflagration
9. sneak into gangster's warehouse disguised as fireman
10. steal wifi
Re: (Score:2)
Re: (Score:2)
air conditioners, bathrooms, water pipes a floor above can start to leak. Sometimes those need to be dealt with quickly to contain.
As far as fire, haven't you ever seen The Dukes of Hazzard? They could shoot bows and arrows with dynamite on the ends and blow things up and catch them on fire.
Re: (Score:2)
It's fairly common to have interviewers leave a room during a test. That doesn't mean you're not observed. There is a high chance that there is an inconspicuous camera pointed at you, to observe how you behave when you think you're alone. Anything from snooping to nasty personal habits can weigh in on whether you get a job offer, or what the job offer will be.
Re: (Score:3)
I'd actually argue that's probably untrue at most work sites. For example, in every one of the last 5 buildings I've worked in, sharing a ride in the right elevator could get you into an area with an rj45 port, whereas getting into the server room required passing a badge access door that was only used by 5 people who all knew each other, with an expectation that anyone else would be escorted.
Re: (Score:2)
The fact is that gaining physical access to active Ethernet RJ45 port is significantly more difficult than sitting outside an office and hacking into a WiFi network.
Easier than breaking WPA2? Nonsense.
Barring some newly-discovered weakness in the protocol (very unlikely at this point), breaking WPA2 essentially requires breaking AES or the public-key algorithm you're using for your 802.1x EAP-TLS certificates (no business would use PSK, right?). The only practical way to get in is to get hold of a client certificate by compromising a machine with access (e.g. a laptop). Unless of course your target keeps their client keys on password-protected smart cards. Then y
Re: (Score:2)
Then you're going to have to nab an employee, take their card and "motivate" them to give you the password.
Find lowest-paid employee and pay them double their yearly salary for the password. If you don't have the budget for that, you're not really involved in industrial espionage.
Re: (Score:2)
Then you're going to have to nab an employee, take their card and "motivate" them to give you the password.
Find lowest-paid employee and pay them double their yearly salary for the password. If you don't have the budget for that, you're not really involved in industrial espionage.
Yep, that should do the trick very neatly.
I don't think that qualifies as "easier than gaining access to an RJ-45 port", though.
Re: (Score:2)
And when is the last time in your company that an outsider sporting nothing more than a handcart was given access to physical network resources? It simply is not on the same level of risk as a WiFi network.
Re: (Score:2)
Re: (Score:1)
I did refrigeration for 8-10 years. You can walk into just about anywhere. NOBODY EVER says anything; in fact, of the 1000s of places I walked into, I don't think anyone ever challenged me. Maybe 1 out of 20 times someone asked "can I help you?" I'd say "I'm fine, just here looking at the A/C" and then was totally ignored after that...
Re: (Score:2)
Re: (Score:3)
It is easy to put such a policy in place. It is near impossible to get people to actually follow that policy.
Re: (Score:3)
Re: (Score:2)
I said near impossible not impossible.
I am sure anyone could do the same in 99% of businesses. Get a maintenance uniform and go into an unused conference room, that would work almost everywhere.
Re: (Score:1)
Medical records?
Hah!!
Hospitals, by and large, have the worst security of any companies or institutions that I have done security testing for. By far.
Finding servers in accounting with blank passwords and then realizing later that they share a subnet with heart monitors makes one wonder WTF they are doing.
But it wasn't just one hospital, I've been to five and all were similar. Yuk.
At least they're improving.
Re: (Score:1)
Re: (Score:2)
IPSec ought to do the trick. Mind you, I'm less worried about physical security in general.
Re: (Score:2)
Re: (Score:2)
Dead easy to spoof the MAC address of the machine I unplugged to get my evil device in.
True. But that implies that you already have a security breach (even if that breach is a disgruntled employee or a bunch of employees wondering why the exterminator is hooking his laptop up to the network.) It's a lot easier to sit in the parking lot sniffing wireless traffic than it is to lob the weighted end of a long piece of CAT5 through an open 2nd story window and land it in an open port belonging to a machine that you've divined the MAC address for and spoofed.
Re: (Score:2)
Re: (Score:2)
If you're that concerned about your wired connections, you're using IPSEC in which case, you're done.
TL;DR! I didn't get the whole picture (Score:1)
... so ... yeah...
Too long, didn't read. I didn't get the complete picture. What I do know is that the weak link continues to be people and, more specifically, decision-making people.
"Someone give me 'Easy Security' damnit!!"
Side channel attack? (Score:5, Funny)
Re: (Score:3)
When the kids down the street asked to hook their scope up to my router I didn't even consider this as a potential explanation.
Thanks!!!!
Re:Side channel attack? (Score:5, Funny)
Re: (Score:2)
Hmm.... I didn't know motels are now referred to as mattress stores. Suppose johns don't explain to the cops that they are paying a woman to go to a mattress store. Just sayin'.
Re: (Score:2)
Clearly you just put the leads on crossbow bolts and fire them into the router.
Re: (Score:2)
Re: (Score:1)
I think they mean things like timing and size of packets.
Informative article (Score:2)
I find this article about security to be informative. Always good to be reminded to look at how secure we think we are.
However, I didn't appreciate that, without NoScript, the web page on which the article sits would have pulled in scripts from over 25 sources from around the web...
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
"If you have nothing to hide".....
overused (and poor) mantra.
Re: (Score:3)
I think it's because of two things:
In the earlier days of the internet, a lot of sites wouldn't accept passwords longer than eight characters or with spaces in them. I think because of the way they were saved. What's worse is that some sites would accept the password at registration, but filter it when signing in; thus locking out the user forever.
And nowadays there's too many sites that ask such nonsense as "Must be longer than 6, shorter than 10, have 3 numbers, one capital letter". My phone company asks
Re: (Score:1)
With respect to the "dictionary attack," as pointed out recently on XKCD, use of a few random words would be a lot tougher for a computer to figure out than random letters/numbers/characters put together.
Absolutely not. That XKCD comic was just fucking wrong. As usual with XKCD.
Raw entropy only matters when your search pattern is random. ... up to some length of characters, well before trying patterns like 7{`G2we7+_+1\aW/.
Any attack that hopes to succeed on non-trivial passwords on a non-astronomical time scale will not be using a random search pattern. It will be using a dictionary-based attack, and will try single words, 2 words, 3 words,
While a four-word password may have a large amount of digital en
Re: (Score:3)
I think you're missing the point of the XKCD comic... There are around 3000 commonly used words in English (xkcd assumed 11 bits per word, or 2048 words). A 6 year old child has a vocabulary of between 2500 and 5000 words [wikipedia.org].
If a user uses a 5 word password there are 3000^5 = 2.4E17 different combinations
In your 12 character, mixed case (52) + numeric (10) + symbols (20 common symbols?) password there are 83 possible symbols, so that's 1E25 combinations.
So technically, your "random" password may be 500,000 ti
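As an added worked example (not code from the Tom's Hardware article or from any poster in this thread), here is the arithmetic behind "WPA2 is only vulnerable to weak passwords" and the word-list versus character-set comparison above. It uses the fact that 802.11i derives the pre-shared key with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations; the guess rate of 100,000 PSK/s is an assumed illustrative figure, not a number from the page.

```python
"""WPA2-PSK guessing cost, as a constructed demonstration.

802.11i derives the 256-bit PSK as
PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
Each offline guess therefore costs 4096 HMAC-SHA1 rounds, and the SSID
salt means a table of PSKs computed for one network name is useless
against another.
"""
import hashlib
import math


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 pre-shared key (the PMK) the way an access point does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a fixed-length uniform choice from an alphabet.

    alphabet_size is 83 for mixed case + digits + 20 symbols, or 3000 when
    each position is a whole word drawn from a small word list.
    """
    return alphabet_size ** length


def guess_bits(candidates: int) -> float:
    """Entropy in bits if the candidate was chosen uniformly at random."""
    return math.log2(candidates)


def expected_years(candidates: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen candidate (half the space)."""
    return candidates / 2 / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: a different PSK.
    print(wpa2_psk("password", "home-wifi").hex())
    rate = 1e5  # assumed illustrative GPU rate, not a figure from the page
    for label, space in [("five words from a 3000-word list", keyspace(3000, 5)),
                         ("12 characters from 83 symbols", keyspace(83, 12))]:
        print(f"{label}: {guess_bits(space):.1f} bits, "
              f"{expected_years(space, rate):.3g} years at {rate:g} guesses/s")
```

Run it to see that the 4096-iteration derivation is what makes each guess slow, and that the SSID salt defeats generic precomputed tables while a common SSID with a dictionary passphrase does not.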
Re: (Score:2)
If that was "s1mpl3 sub5t1tut10ns" you're maybe doing okay. Either s1mpl3 or sub5t1tut10ns by themselves are going to be a little easy to hit with rainbow tables.
But I would probably expect $ub5t1tut10ns to last longer in an attack than "I date Sally."
"I date Sally's calendar." is better than "I date Sally."
"I date banana shipwreck." is better than either, but I would still use leetspeak to tighten it up.
Summary: WPA with a good password is unhackable (Score:2)
Re: (Score:2)
Well done, designers of WPA
I'd say "adequately done, designers of WPA." They did after all neglect to make the 4-way handshake a DH exchange. Fortunately there's always WPA-enterprise.
Re: (Score:2)
That's why my Wi-Fi router is protected with a 12-character (alphanumeric) password under WPA2 that is really hard to figure out. The chances are not good that a hacker could crack that 12-character password in a couple of hundred years using today's laptop hardware.
Hole 196, people. (Score:1)
Are you guys this late in the game or what? WPA2 is crap and was blown open fairly easily.
Re: (Score:2)