Elcomsoft Claims WPA/WPA2 Cracking Breakthrough
secmartin writes "Russian security firm Elcomsoft has released software that uses Nvidia GPUs to speed up the cracking of WPA and WPA2 keys by a factor of 100. Since the software allows them to network thousands of PCs, this announcement effectively signals the death of wireless networking in business networks; any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether."
"Brute Force Attack will take up to 128299838271 years" at 500,000 passwords a second. ElcomSoft is claiming a 20x improvement in speed, but that won't make a dent into an exponential-sized problem. See http://lastbit.com/pswcalc.asp for calculation.
This doesn't surprise me. Anyone who wasn't already assuming that anything you sent via wireless was already in the hands of your enemies (unencrypted) is a bit naive.
Game! - Where the stick is mightier than the sword!
With good keys, even a 100x increase in cracking speed is still not fast
Don't use a little 8-character passphrase. Use long keys, and don't just leave them in place forever. Change them periodically.
'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%'... if you're reading this, it didn't work.
Most businesses I've seen have had easily guessable passwords, used open relays, or WEP encryption. Many don't change their keys even after firing someone. Saying that this is a "death knell" is serious hyperbole since, for many companies, convenience trumps hardened security.
That said, the biggest risk is still always going to be insiders and former insiders who won't need to crack into the wireless network: they will already know how to get access.
Integrate Keynote and LaTeX
There is no special flaw or exploit in use. They just throw more transistors at a special problem.
Everybody who really wants to crack into some network (think NSA or industrial espionage) could have used FPGAs for even bigger gains.
And for joe sixpack, weeks on a small cluster is still not a viable way for free internet...
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Seriously. We've had a number of standards with names like "Wired Equivalency Protocol" and "Wifi Protected Access" and yet they seem to be falling, one-by-one, to relatively trivial attacks. I'm not saying that WPA is as bad as WEP, but how come they can't copy/paste something as good as good old-fashioned SSL?
SSL has withstood the tests of time, over, and over, and over, and over again. SSL is the gold standard for encryption. It's used on every HTTPS website, it's used for SSH, it's used as part of kerberos, IMAPS, POPS, TLS, and just about every other good-quality security tool.
So why are wireless chipset manufacturers trying to re-invent the wheel, when it's widely known that these kinds of wheels are FRIGGEN HARD to re-invent well?
Start with normal, unencrypted wireless. Getting that to work was solved long ago. Embed an SSL engine into your wireless device, with a randomly generated private key. Provide a means to access the public key, and copy/paste that key into your high security wireless driver. If you want to be paranoid, your local driver generates a private/public key pair as well, and that can be copy/pasted to your wireless device.
Done! Now you *KNOW* that if you are accessing the Internet through the driver, you are doing so through the correct wireless hotspot. Who cares about wireless MITM attacks at that point? The SSL protocol *ASSUMES* that there are MITM attempts, and foils them quite effectively, over the equally open and unsecured Internet.
Seriously, folks. This is a problem that was solved over a decade ago. Why are we doing this again?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I'm still stuck using WEP thanks to crappy wireless drivers for Linux.
Only the desperate ones and the computer geeks (a small amount of our population) will be ever so willing to give stuff like this a try as most people will just think "Oh, it's passworded" and move on. Unless there's someone deliberately trying to hack your network for something (e.g. big business documents, identity theft), WEP suffices in most situations.
Plus, my DS can't connect. ;c
I wonder how long it would take for the entire Folding@Home grid to crack a single WAP/WAP2 key. Can anyone do the math?
Your evaluation period for Productivity 1.0 has ended. Please purchase more coffee to continue using this product.
In terms of quantity of separate attacks, partner networks and outsiders are the biggest risk. In terms of records stolen per breach (still arguably not the biggest risk, since Verizon didn't report cost/record) insiders were top.
http://www.verizonbusiness.com/resources/security/databreachreport.pdf [pdf]
new use for them..
Proof that the best solution, by far, is to use wires. Wireless is fine when you don't care what's being sent over them (browsing, etc), but for any serious business or otherwise sensitive information, I want to be plugged into an actual, physical network. Not that it's 100% secure, of course, but at least your information isn't flying around in the air waiting for someone to decrypt it, and given time, *anything* can be decrypted.
I will never own a wireless router in my home for that reason.
This is seriously overhyped. #1:
This announcement effectively signals the death of wireless networking in business networks;
Bullshit. The underlying encryption is based on AES*. AES is not a toy algorithm, and is designed to defend against specialized cracking hardware, and all other known attacks. It is *plenty* strong enough to hold up to a 100X increase in cracking speed, as long as you use good keys, which hopefully you are in a business environment.
I'm willing to believe that a key handling vulnerability might exist in WPA, or a flaw in AES, but the notion that brute force has brought about the death of WPA in business networks is just absurd. At best, this is a reminder to use good keys.
any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether.
Do you think your VPN software has a better underlying algorithm than AES?
* Unless you're using TKIP, which is a toy algorithm, which exists for backwards hardware compatibility, and in my experience isn't used by anyone who cares about security... But even there, the potential attack vectors are through algorithm weaknesses, not brute forcing the keys.
The article says that 3DES has been broken. I think they are mistaken. DES was cracked by a brute force attack but 3DES is still considered secure.
How is their distributed processor system going to crack a 128-bit key that has 128 bits of entropy? Maybe the solution is to update the wi-fi software to make it easier to generate, transport, and install, truly random keys.
Mea navis aericumbens anguillis abundat
The reality is that most businesses and home users don't want to deploy a Certificate Authority to make use of SSL. WEP, WPA, and WPA2 are "cheap" encryption solutions. If you are really worried about it, there are existing cert based solutions available that are independent of the wifi router/access point.
Steve Gibson has a site that generates random passwords on the fly (unique for you): https://www.grc.com/passwords.htm
These are especially good for wireless routers since you normally don't need to type them yourself and they don't get changed that often. (Of course, you should still change them once in a while.)
Businesses that are serious about their security use one of the many types of WPA-Enterprise. The method described in this article only applies to WPA-Personal which is targeted at home users.
Those businesses that do use WPA-Personal can simply institute a policy that requires better passwords to secure them against this exploit.
Some businesses will continue to use WPA-Personal with poor passwords, and that's fine, but those businesses are probably not too worried about security and have many other bigger vulnerabilities.
So, the claim that "this announcement effectively signals the death of wireless networking in business networks" is ridiculous.
Weird that this article seems to call down doom for WPA in general and particularly in the enterprise.
a) 100x increase, even using 10,000 machines seems insignificant if you are using the maximum WPA key length employing uppercase, lowercase and punctuation? Even a 30 char password seems to last far longer than most of us will be alive. So at worst all this changes is the minimum key length that can usefully be employed on WPA.
b) In the enterprise in my experience you either use no encrypting and rely on protection at other layers (VPN, SSL, etc) or you use a RADIUS based system that hands out a new key for each session. This seems even less likely to be affected by this. Unless...and I admit I've never checked this...the keys being used have some weakness (short, not very complex, etc...) which, again at worst seems to be a wake-up call for hardware vendors if nothing else.
So wrt wireless this is interesting but hardly industry changing.
Hah! My company is okay- we're only using MAC filtering for our security, none of this insecure WEP/WPA crap.
can I get this software on The Pirate Bay? It's not like breaking into neighbour's network to use it for free is going to be worth an EUR 600 investment.
17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
All of this is already available as a GPL'ed tool that has been out for about a month. See http://pyrit.googlecode.com
....that's the difference.
So long as people use convenient passphrases for their security then no amount of fancy algorithms will save them.
This realization is why the US Government eventually dropped all the regulations they used to have on exports of strong encryption.
No sig today...
One word. RADIUS Try googling "cracking RADIUS" sometime and see how much information you can find.
... Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.
Using GPUs to crack is not "new", it's a well known technique. Furthermore, an increase of a factor of 100 is insignificant relative to the number of years it would take to crack a key, hence the crypto is not weakened, dispelling their whole "death of wireless networking" doommonger bullshit. The only thing this actually does is speed up already feasible attacks against bad passphrases, nothing new, and certainly not a "breakthrough".
My Dearest Friend,
I am the Minister of the Nigerian Ministry of Butt-loads Of Networked Nvidia PCs (NMBNNP). We would like to test this software, but in order to determine if the software has successfully cracked the password, we need your login password, so that we can verify.
Afterward, you will be granted unlimited access to the NMBNNP grid.
Oh, and please send your bank information, as well.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
DES is one of the most analyzed algorithms in history and no weaknesses have been found. The key for 3DES is plenty big enough to prevent brute-forcing.
AES has some advantages (eg. speed) but 3DES is as secure as it gets.
No sig today...
WPA2 works fine in linux; it's your own ineptitude that has you "stuck using WEP". Stop making excuses for your inability to learn.
It's about being able to connect to the machines behind the NAT, and hack them.
wpa2 with a shared key is only crackable with a brute force attack. Assuming that an alphanumeric character is used for each character of the attack, then for a key of length 8 (the minimum) the attack takes 26+26+10+10=72^8 (lowercase+uppercase+numbers+shifted num keys) time which is 7x10^14. A factor of 100 isn't a big deal - it reduces it to 7x10^12.
Even worse, if the key is longer than the minimum, say 14 digits, then the number of brute force keys are 1x10^26 and improving that to 1x10^24 isn't going to make much of a difference at all.
It's interesting that the summary says that this is the absolute end, then goes on to describe a workaround. My company uses IPsec in their wifi. I guess I can see why now.
But for the summary to say that this is the absolute end of the world, when some networks in use today are already immune, that seems a bit arrogant.
The WIFI at my workplace is available, there is little if any security and the traffic isn't encrypted; why? well it has always been associated with being insecure, so when WIFI was rolled out it was placed on the Big I instead of the little i and to get anywhere internal you must bring up a VPN tunnel to work, add some poisoned routing information on both sides to account for the networks being used (internal versus internal) and you have some hope of preventing someone from bridging i to I.
You shouldn't use WIFI for anything that you wouldn't want to share openly and even if you believe that what you are doing is secure you should know that someone could still be capturing your session and working on it offline; the vendors haven't helped either, most wireless routers will 'work' right out of the box, purchase at worst-buy, plug it into your cable modem and in 60 seconds you're on, I can't tell you how many networks I've found this way, most still have the default admin account set (just google the model number being advertised by the network)
and you're in....
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
Just declare GPU's a munition ( like supercomputers are ) and restrict access/require registration.
Then incorporate chip level DRM/TPM so only 'approved' applications can run.
Hey, it's for the children, right?
---- Booth was a patriot ----
Their approach seems to be doing nothing but speeding up brute-force searching for the key. If it's a "bad" key, like a simple word, this will speed up the search greatly. If it's a "good" key then speeding up the search 100 times is, for all practical purposes, meaningless. Get back to me when you've achieved a 100 * 100 * 100 * 100 * 100 * 100 *100 * 100 faster search.
If you're using one of the 1000 most popular SSIDs and one of the 172000 most popular passwords, you're already in trouble. There's a 33 GB file out there that has your WPA hash, and it's just /seconds/ to get owned.
Change your SSID. Change it now. Randomly generate a password and save it in a file; if you can remember it, someone, somehow, can guess it.
If the solution is VPN encryption, anyone care to explain how this would be accomplished on a home network?
The flesh of the wireless user, that is. Or their brains. With the "personal" version of WPA or WPA2, the user enters a password or a passphrase, and the key is essentially a sophisticated hash of the password. As many have already pointed out, the article basically describes "automated password guessing". This is basically the same tool that we used in the old days to "recover" passwords from the hashes in the password file. Try a password, check if the hash match. Repeat with many plausible passwords. With more CPU, or with parallel processing in the GPU, they can make much more elaborate guesses than simply trying all the words in the dictionary, or adding numbers, or changing cases. In these days and age, anything that relies on a password or a passphrase and exposes a hash should be viewed with suspicion. If the key was generated by a meat-based processor like your brain, then it can certainly be discovered in a "small" number of guesses, where small is millions or billions, i.e. small for the computer. In fact, if your brain can remember the key, it can probably be discovered. This does not just apply to wireless. Pretty much anything based on passwords or passphrases should be considered insecure. -- Louarnkoz
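An added example, not part of any comment above and not Elcomsoft's software: WPA/WPA2-Personal maps the passphrase to its 256-bit key with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), which is why tables precomputed for popular SSIDs stop applying once the SSID changes, and why passphrase length outweighs a 100x speed-up. The 500,000 guesses/s baseline is an assumption borrowed from a figure quoted in the thread, and all function names are illustrative.

```python
"""WPA/WPA2-Personal key derivation and passphrase search-space estimates."""
import hashlib
import secrets
import string

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PMK_LENGTH = 32            # 256-bit pairwise master key
SECONDS_PER_YEAR = 365.25 * 24 * 3600
BASE_RATE = 500_000        # ASSUMPTION: guesses/second, figure quoted in the thread
SPEEDUP = 100              # the claimed GPU factor


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key the way a WPA-Personal station does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrases are printable ASCII only")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes long")
    # The SSID is the salt, so one passphrase yields a different key per network
    # name and a table precomputed for one SSID is useless against another.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, PBKDF2_ITERATIONS, PMK_LENGTH
    )


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every passphrase of this exact length and alphabet."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def exhaust_table():
    """(policy, years at BASE_RATE, years at BASE_RATE * SPEEDUP) per policy."""
    policies = [
        ("8 chars, 72 symbols", 72, 8),      # minimum length, mixed alphabet
        ("10 chars, lowercase", 26, 10),     # lowercase-only habit
        ("14 chars, 72 symbols", 72, 14),
        ("63 chars, 94 symbols", 94, 63),    # maximum-length random passphrase
    ]
    return [
        (name,
         years_to_exhaust(size, length, BASE_RATE),
         years_to_exhaust(size, length, BASE_RATE * SPEEDUP))
        for name, size, length in policies
    ]


def random_passphrase(length: int = 63) -> str:
    """Generate a passphrase from the OS CSPRNG (os.urandom via `secrets`)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Published IEEE 802.11i test case: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different (constructed) SSID: a completely different key.
    print(derive_pmk("password", "example-ssid-7f3a").hex())
    for name, slow, fast in exhaust_table():
        print(f"{name:22s} {slow:12.3g} years   with 100x: {fast:12.3g} years")
    print(random_passphrase())
```

The estimates are upper bounds for uniformly random passphrases; a human-chosen passphrase sits in a far smaller effective space than its length and alphabet suggest.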
How many morons were actually using wifi on business networks anyway?
Businesses that implement 802.11 use 802.1x authentication anyway, so a more feasible attack on WPA is more likely to be a threat to personal networks than corporate ones (most of which don't use wireless anyway).
Please, why are you inserting logic into a security discussion? What we need is MORE security theater please, because that will stop the terrorists!
These guys are late to the party.
FYI, Adam Bregenzer released an open source framework at DEFCON this year that provides pseudo-automatic multithreading, distributed password cracking capabilities AND takes advantage of existing commercial cloud computing services (ala Amazon, et. al.). The framework is easily adaptable to any number of computationally intensive applications, though he provided hard numbers and demonstrations from his work using coWPAtty and John the Ripper.
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Bregenzer
A "100x" increase in the speed of cracking an encryption system is not necessarily impressive, or indeed meaningful.
It sounds like a lot, and would be if it were a situation of "It used to take 100 years to crack a password, now it takes 1." Ok well that just moved the problem from something impossible or at least totally worthless (the technology will be outdated by the time you get the answer) to something potentially useful for a determined attacker.
However, that isn't the sort of timescale we are talking about for modern encryption. We are instead talking about amounts of years that are generally expressed with exponents. Ahh, well now that changes things. If an encryption system currently takes 10^14 years to crack and you've sped up cracking 100 times so it now only takes 10^12... Well that still doesn't get you anything. You are talking many times longer than the universe has been around. Even an increase of 1,000,000 times doesn't get you anywhere near anything useful.
So while announcements like this are cool in an academic sense, they have no real application or threat.
Anybody else notice that they have a patent pending on GPU support for their product?
Since when is using the NVIDIA SDK patentable?
First, WPA2 (a.k.a. RSN, IEEE802.11i) supports multiple authentication methods. This article seems to be referring to WPA-PSK (and WPA2 Personal). Most enterprises don't use PSK/personal mode, as it does not scale, and those enterprises certainly should not be concerned by this.
Second, as has been said very well above, assuming that good passphrases are chosen, a 20x increase is insignificant. So, even if you *are* using wpa-psk, if you choose a good passphrase, you have nothing to worry about.
Last (but not least), a guy named Dan Harkins (author of RFC2409 - IKE) came up with an algorithm that is currently being added to .11s (mesh networking) that fixes this problem, so that you can use lame dictionary words for PSKs, and still not be susceptible to this sort of attack. Dan's a very smart guy, and his solution is quite impressive. The algorithm is called Simultaneous Authentication of Equals (SAE), and if you have an IEEE account, you can get a peek here:
http://www.ieeexplore.ieee.org/xpl/freeabs_all.jsp?isnumber=4622621&arnumber=4622764&count=146&index=142
These elcomsoft guys should be embarrassed. This press release is lame to the extreme.
Wireless will always be used.
There is low/no value content.
Most internet traffic....
Wireless no WPA....
There is transient value content.
There is personal value content.
Some internet traffic....
Wireless WPA....
There is institution/state content.
There is criminal/paranoid content.
Keep it on trusted/secured cable.
Most intelligence has a very short actionable lifecycle....
Intelligence with a long shelf-life will be controlled or used.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
SSH is not dependent on SSL/TLS - it's just that one particular implementation of SSH (OpenSSH) is dependent on the OpenSSL library for its cryptographic primitives.
MC Frontalot resolved this issue in his landmark audio treatise, "Secrets from the Future." Why are we having this discussion again?
In Soviet Russia, the network decrypts you!
So, they are using a GPU for a speed boost, nothing specially new , they are speeding bruteforce which bruteforce, k , but how is that specific to WPA2? Err?
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Sodding lameness filter won't let me post a 2048 bit PGP public key as an example.
(NOT my public key, by the way. One just generated a few minutes ago as an example.)
Guaranteed! This comment 100% Anthrax free!
If you use EAP-TLS with Radius
And by who, I mean non-retard who.
... and it's nearly impossible to find an unencrypted network. Everyone knows that they need to encrypt or their internet connection will be hyper-abused by strangers.
Even the "free wireless" cybercafes have a daily changing password to prevent abuse from the people living above the shop, etc.
So yeah, in NYC people are definitely smarter about it than in the sticks..
Cracking WEP/WPA will hardly be the end of business WiFi.
For instance: The company where I'm working has operated for years on the assumption that WiFi's own encryption is just a warning sign and trivially broken.
They have the WiFi on its own subnet with its own firewall. Get on (with the WEP key) and you can only reach the nameserver, VPN server, and SSH server. Use an encrypted tunnel or you might as well be standalone.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
This is NOT a Wi-Fi Protected Access (WPA) specific attack; it's for any authentication scheme that relies on PSK or Password complexity which affects many VPN solutions as well. If anything, WPA probably has one of the more resilient PSK schemes in use because it was deliberately designed with 100 rounds of SHA-1 hashing to make brute force attacks much more expensive. This affects some VPN and some WPA wireless security implementations.
It generally affects home users who use the home implementation of WPA which uses pre-shared keys (PSK) which are just longer passwords. Some businesses also use WPA in PSK mode so they're affected too. Some VPN authentication mechanisms like PPTP VPN and some IPSEC VPN implementations that rely on passwords or PSKs are also at higher risk.
It has zero effect on enterprise mode WPA deployments which use TLS protected authentication such as PEAP or EAP-TLS. Internal LAN authentication schemes such as NTLM and LDAP are also significantly weakened. SSL authentication schemes are not vulnerable to this particular attack.
http://www.formortals.com/Home/tabid/36/EntryID/119/Default.aspx
People who use weak passwords never use a combination of lowercase/uppercase. They mostly use lowercase. 26^10=141167095653376; combine that with the fact that they use names of kids, names of parents, names of pets, and even if not all combos are represented in the space: you go down to what is "readable"; for example "pollux" is probably more represented among weak passwords than "gpkqwxz".
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
if the Russian Mafiya decides to devote a few hours on a 500,000+-machine botnet to cracking your WAP password, you're screwed.
Which is not really news. If you're sufficiently important a target to merit such attention, you should probably be taking a lot more precautions than WAP encryption in the first place, though it doesn't scale to drive-by attacks on random low-value targets (i.e., the average user). If the payoff is merely probing your network, sending spam from your ISP account and/or pwning your unpatched Windows PCs, your WAP network is safe for now.
whoami: As my primary day job, I deal with enterprise and carrier-grade AAA installations for banks, managed service providers, telecommunications carriers and governments. I've studied and trained other professionals on the administration and technicalities of enterprise wired and wireless deployments using IEEE 802.1x with EAP-TLS, EAP-TTLs, EAP-PEAPv0/1, EAP-WhateverCrackpotExtensionTheyThinkofNext, in conjunction with WPA, WPA2, WEP (= "no", with a rolled up newspaper to reinforce that point). AES, TKIP and even the humble PSK (which has its purpose: outside the enterprise).
The blurb can only be described as slander and technological incitement of hatred for commercial gain. I hope Elcomsoft burns for this travesty.
I'm going to state very simply why 802.1x + EAP + WPA2-AES (or TKIP for that matter) can be secure. Not just secure "enough". truly DoD-grade secure. period. basta.
Point 1: 802.1x. Designed by the IEEE, it enables true enterprise authentication, with a focus on extensibility. You can use any method ranging from lowly PAP (username + password) to multi-factor, fancy shamsy, SMS token based OTP hardware token derived password to authenticate yourself, as long as it has a supporting Extensible Authentication Protocol that's properly implemented and reviewed. (Forget anything done by Cisco on this IMO). 802.1x only cares about two things: "Who are you?" and "what are you allowed to do?". It allows the answers to be different every time, even if they're always phrased the same.
An enterprise admin not doing at least authentication, should not be operating a network, wired, wireless or otherwise. Would anyone in their right mind set up a no-auth VPN? If you have an unauthenticated local or remote connection to your corporate network accessible outside a physically secured area (open RJ-45 ports in the guest lounge count for this), then step away from the keyboard and hand in your network admin badge and go write AAA on the whiteboard until you figure out what it's actually for.
Part 2: EAP. Extensible Authentication Protocol. A subcomponent used in 802.1x. but seen in other places too (check your dial-up settings). What it can do varies by protocol implementation (extensibility is not just for markup languages. At least this time it's capitalised correctly!). EAP-MD5 is about as secure as MD5 is (in other words: not very) for protecting passwords, if not less. EAP-TTLS, EAP-TLS and EAP-PEAP are at the other end of the security spectrum, implementing the very well understood TLS algorithm. Sound familiar? Check your browser's security settings. Hey look, It's SSL 3.1! It's good to see a familiar face in these authentication parts...
What are we using SSL/TLS for, you might ask. Well in this case, we're using it for two things. Safe authentication (equivalent to the bog standard https login) and.... KEY EXCHANGE! Guess what? You can have any WPA key you want. you still won't see what key I'm getting, the first time... the second time (whenever that may be) and should you get mine (in a parallel universe), the one on my PDA is different altogether. Welcome to the wonderfully secure world of fully automated, rotating keys, dynamically generated and unique to each connection for a configurable rotation time at an 802.1x-enabled access point near you (http://wi-fi.org/).
Last, but not least, we get to the nitty gritty: WPA/WPA2. WEP was broken. we know that. WPA and WPA2 were based on well-tested security principles from the outset, with all the security bells and whistles. WPA2-AES uses defence-grade encryption, because people asked for it. It's the same AES you see everywhere else, with configurable bit lengths to boot. The encryption algorithms are out there for inspection by anyone. Any real flaws would have been found faster than it takes to crack your mother's WEP key and then nothing 802.1x or wireless could have been FIPS certified (there is enough stuff out there that is). If you feel paranoid anyway despite all this reassurance you can tap into that secure TLS we
For large networks you use a radius server. not a pre shared keyword.
If you want better uptime you go with cabling anyway, because wireless can fail without giving a clue what is going on.
It is a misunderstanding that with wifi you don't have any connection problems because there are no cables.
KeePass is an excellent tool for creating and keeping track of passwords. It is multiplatform, easy to use, portable (in the "no installation required" sense), uses a simple file oriented database protected by common libraries and can keep a lot of information about each password, which includes a quite powerful hierarchical organization for them.
Just a small rant: Can't those multiplatform tools use /dev/urandom where it is available? Some systems already have a tool that turns mouse and keyboard events into randomness, and it is better than yours since it is always on and can work with a much bigger amount of events.
Rethinking email
That's Vice-President Palin to you ... ;)
... I'll have a Pan Galactic Gargle Blaster with a side of Plutonium Nyborg
It takes like 5-10 seconds for a router to confirm the validity of a WPA key you've entered, therefore bruteforce password crackers are not EVEN POSSIBLE to use with a wireless router. This post is nonsense.
SOMEONE USED A GPU TO HACK A RAR FILE PASSWORD, THE WORLD IS OVER!!!
Does this give pirateers with wifi connections plausible deniability?
We just use an open wireless network w/ a VPN client. No need to mess around with silly WPA/WPA2 stuff.
To a nail, every person with a hammer looks like a problem.