Slashdot Mirror
Elcomsoft Claims WPA/WPA2 Cracking Breakthrough
secmartin writes "Russian security firm Elcomsoft has released software that uses Nvidia GPUs to speed up the cracking of WPA and WPA2 keys by a factor of 100. Since the software allows them to network thousands of PCs, this anouncement effectively signals the death of wireless networking in business networks; any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether."
"Brute Force Attack will take up to 128299838271 years" at 500,000 passwords a second. ElcomSoft is claiming a 20x improvement in speed, but that won't make a dent into an exponential-sized problem. See http://lastbit.com/pswcalc.asp for calculation.
This doesn't surprise me. Anyone who wasn't already assuming that anything you sent via wireless was already in the hands of your enemies (unencrypted) is a bit naive.
Game! - Where the stick is mightier than the sword!
With good keys, even a 100x increase in cracking speed is still not fast
Don't use a little 8-character passphrase. Use long keys, and don't just leave them in place forever. Change them periodically.
'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%'... if you're reading this, it didn't work.
Most businesses I've seen have had easily guessable passwords, used open relays, or WEP encryption. Many don't change their keys even after firing someone. Saying that this is a "death knell" is serious hyperbole since, for many companies, convenience trumps hardened security.
That said, the biggest risk is still always going to be insiders and former insiders who won't need to crack into the wireless network: they will already know how to get access.
Integrate Keynote and LaTeX
There is no special flaw or exploit in use. They just throw more transitors at a special problem.
Everybody who really want to crack into some network (think NSA or industrial espionage) could have used FPGAs for even bigger gains.
And for joe sixpack, weeks on a small cluster is still not a viable way for free internet...
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Seriously. We've had a number of standards with names like "Wired Equivalency Protocol" and "Wifi Protected Access" and yet they seem to be falling, one-by-one, to relatively trivial attacks. I'm not saying that WPA is as bad as WEP, but how come they can't copy/paste something as good as good old-fashioned SSL?
SSL has withstood the tests of time, over, and over, and over, and over again. SSL is the gold standard for encryption. It's used on every HTTPS website, it's used for SSH, it's used as part of kerberos, IMAPS, POPS, TLS, and just about every other good-quality security tool.
So why are wireless chipset manufacturers trying to re-invent the wheel, when it's widely known that these kinds of wheels are FRIGGEN HARD to re-invent well?
Start with normal, unencrypted wireless. Getting that to work was solved long ago. Embed an SSL engine into your wireless device, with a randomly generated private key. Provide a means to access the public key, and copy/paste that key into your high security wireless driver. If you want to be paranoid, your local driver generates a private/public key pair as well, and that can be copy/pasted to your wireless device.
Done! Now you *KNOW* that if you are accessing the Internet through the driver, you are doing so through the correct wireless hotspot. Who cares about wireless MITM attacks at that point? The SSL protocol *ASSUMES* that there are MITM attempts, and foils them quite effectively, over the equally open and unsecured Internet.
Seriously, folks. This is a problem that was solved over a decade ago. Why are we doing this again?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I wonder how long it would take for the entire Folding@Home grid would take to crack a single WAP/WAP2 key. Can anyone do the math?
Your evaluation period for Productivity 1.0 has ended. Please purchase more coffee to continue using this product.
In terms of quantity of seperate attacks, partner networks and outsiders are the biggest risk. In terms of records stolen per breach (still arguably not the biggest risk, since Verizon didn't report cost/record) insiders were top.
http://www.verizonbusiness.com/resources/security/databreachreport.pdf [pdf]
Proof that the best solution, by far, is to use wires. Wireless is fine when you don't care what's being sent over them (browsing, etc), but for any serious business or otherwise sensitive information, I want to be plugged into an actual, physical network. Not that it's 100% secure, of course, but at least your information isn't flying around in the air waiting for someone to decrypt it, and given time, *anything* can be decrypted.
I will never own a wireless router in my home for that reason.
This is seriously overhyped. #1:
This anouncement effectively signals the death of wireless networking in business networks;
Bullshit. The underlying encryption is based on AES*. AES is not a toy algorithm, and is designed to defend against specialized cracking hardware, and all other known attacks. It is *plenty* strong enough to hold up to a 100X increase in cracking speed, as long as you use good keys, which hopefully you are in a business environment.
I'm willing to believe that a key handling vulnerability might exist in WPA, or a flaw in AES, but the notion that brute force has brought about the death of WPA in business networks is just absurd. At best, this is a reminder to use good keys.
any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether.
Do you think your VPN software has a better underlying algorithm than AES?
* Unless you're using TKIP, which is a toy algorithm, which exists for backwards hardware compatibility, and in my experience isn't used by anyone who cares about security... But even there, the potential attack vectors are through algorithm weaknesses, not brute forcing the keys.
The article says that 3DES has been broken. I think they are mistaken. DES was cracked by a brute force attack but 3DES is still considered secure.
How is their distributed processor system going to crack a 128-bit key that has 128 bits of entropy? Maybe the solution is to update the wi-fi software to make it easier to generate, transport, and install, truly random keys.
Mea navis aericumbens anguillis abundat
Steve Gibson has a site that generates random passwords on the fly (unique for you): https://www.grc.com/passwords.htm
These are especially good for wireless routers since you normally don't need to type them yourself and they don't get changed that often. (Of course, you should still change them once in a while.)
Businesses that are serious about their security use one of the many types of WPA-Enterprise. The method described in this article only applies to WPA-Personal which is targeted at home users.
Those businesses that do use WPA-Personal can simply institute a policy that requires better passwords to secure them against this exploit.
Some businesses will continue to use WPA-Personal with poor passwords, and that's fine, but those businesses are probably not too worried about security and have many other bigger vulnerabilities.
So, the claim that "this anouncement effectively signals the death of wireless networking in business networks" is ridiculous.
Weird that this article seems to call down doom for WPA in general and particularly in the enterprise.
a) 100x increase, even using 10,000 machines seems insignificant if you are using the maximum WPA key length employing uppercase, lowercase and punctuation? Even a 30 char password seems to last far longer than most of us will be alive. So at worst all this changes is the minimum key length that can usefully be employed on WPA.
b) In the enterprise in my experience you either use no encrypting and rely on protection at other layers (VPN, SSL, etc) or you use a RADIUS based system that hands out a new key for each session. This seems even less likely to be affected by this. Unless...and I admit I've never checked this...they keys being used have some weakness (short, not very complex, etc...) which, again at worst seems to be a wake-up call for hardware vendors if nothing else.
So wrt wireless this is interesting but hardly industry changing.
Hah! My company is okay- we're only using MAC filtering for our security, none of this insecure WEP/WPA crap.
All of this is already available as a GPL'ed tool that has been out for about a month. See http://pyrit.googlecode.com
....that's the difference.
So long as people use convenient passphrases for their security then no amount of fancy algorithms will save them.
This realization is why the US Government eventually dropped all the regulations they used to have on exports of strong encryption.
No sig today...
... Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.
Using GPUs to crack is not "new", it's a well known tachnique. Furthermore, an increase of a factor a 100 is insignificant relative to the number of years it would take to crack a key, hence the crypto is not weakened, dispelling their whole "death of wireless networking" doommonger bullshit. The only thing this actually does is speed up already feasible attacks against bad passphrases, nothing new, and certainly not a "breakthrough".
My Dearest Friend,
I am the Minister of the Nigerian Ministry of Butt-loads Of Networked Nvidia PCs (NMBNNP). We would like to test this software, but in order to determine if the software has successfully cracked the password, we need your login password, so that we can verify.
Afterward, you will be granted unlimited access to the NMBNNP grid.
Oh, and please send your bank information, as well.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
wpa2 with a shared key is only crackable with a brute force attack. Assuming that an alphanumeric character is used for each character of the attack, then for a key of length 8 (the minimum) the attack takes 26+26+10+10=72^8 (lowercase+uppercase+numbers+shifted num keys) time which is 7x10^14. A factor of 100 isn't a big deal - it reduces it to 7x10^12.
Even worse, if the key is longer than the minimum, say 14 digits, then the number of brute force keys are 1x10^26 and improving that to 1x10^24 isn't going to make much of a difference at all.
The WIFI at my workplace is available, there is little if any security and the traffic isn't encrypted; why? well it has always been associated with being insecure, so when WIFI was rolled out it was placed on the Big I instead of the little i and to get anywhere internal you must bring up a VPN tunnel to work, add some poisoned routing information on both sides to account for the networks being used (internal versus internal) and you have some hope of preventing someone from bridging i to I.
You shouldn't use WIFI for anything that you wouldn't want to share openly and even if you believe that what you are doing is secure you should know that someone could still be capturing your session and working on it offline; the vendors haven't helped either, most wireless routers will 'work' right out of the box, purchase at worst-buy, plug it into your cable modem and in 60 seconds your on, I can't tell you how many networks I've found this way, most still have the default admin account set (just google the model number being advertised by the network)
and your in....
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
These guys are late to the party.
FYI, Adam Bregenzer released an open source framework at DEFCON this year that provides pseudo-automatic multithreading, distributed password cracking capabilities AND takes advantage of existing commercial cloud computing services (ala Amazon, et. al.). The framework is easily adaptable to any number of computationally intensive applications, though he provided hard numbers and demonstrations from his work using coWPAtty and John the Ripper.
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Bregenzer
A "100x" increase in the speed of cracking an encryption system is not necessarily impressive, or indeed meaningful.
It sounds like a lot, and would be if it were a situation of "It used to take 100 years to crack a password, now it takes 1." Ok well that just moved the problem from something impossible or at least totally worthless (the technology will be outdated by the time you get the answer) to something potentially useful for a determined attacker.
However, that isn't the sort of timescale we are talking about for modern encryption. We are instead talking about amounts of years that are generally expressed with exponents. Ahh, well now that changes things. If an encryption system currently takes 10^14 years to crack and you've sped up cracking 100 times so it now only takes 10^12... Well that still doesn't get you anything. You are talking many times longer than the universe has been around. Even an increase of 1,000,000 times doesn't get you anywhere near anything useful.
So while announcements like this are cool in an academic sense, they have no real application or threat.
SSH is not dependent on SSL/TLS - it's just that one particular implementation of SSH (OpenSSH) is dependant on the OpenSSL library for its cryptographic primitives.
More details
Cracking WEP/WPA will hardly be the end of business WiFi.
For instance: The company where I'm working has operated for years on the assumption that WiFi's own encryption is just a warning sign and trivially broken.
They have the WiFi on its own subnet with its own firewall. Get on (with the WEP key) and you can only reach the nameserver, VPN server, and SSH server. Use an encrypted tunnel or you might as well be standalone.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way