WiFi security reaches critical security low

helmutcheese · 11 Oct 2008 at 17:41

QUOTED :

" WiFi is apparently no longer secure enough to protect wireless data. Global Secure Systems has said that a Russian's firm's use of the latest Nvidia graphics cards to accelerate WiFi 'password recovery' times by up to an astonishing 10,000 per cent proves that WiFi's WPA and WPA2 encryption systems are no longer enough to protect wireless data.

David Hobson, managing director of GSS, claimed that companies can no longer view standards-based WiFi transmission as sufficiently secure against eavesdropping to be used with impunity. He also said that the use of VPNs is arguably now mandatory for companies wanting to comply with the Data Protection Act.

He said: "This breakthrough in brute force decryption of WiFi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data. As a result, we now advise clients using WiFi in their offices to move on up to a VPN encryption system as well. "

Good old Nvidia CUDA

http://www.tcmagazine.info/comments.php?shownews=22225&catid=5

ORIGINAL SOURCE : http://www.scmagazineuk.com/WiFi-is-no-longer-a-viable-secure-connection/article/119294/

tolien · 11 Oct 2008 at 17:42

no one's ever argued WPA was secure though - it's just a case of brute forcing the passphrase and you're in, and if you can throw enough CPU time at that...

helmutcheese · 11 Oct 2008 at 17:44

tolien said:
no one's ever argued WPA was secure though - it's just a case of brute forcing the passphrase and you're in, and if you can throw enough CPU time at that...

That's not the point of above m8.

Using CUDA they can now do it up to 10,000% faster than with a CPU.

What could have took days could take no time at all now.

wij · 11 Oct 2008 at 17:48

Nothing like the press to state the bleeding obvious is it

Just need the BBC to do a bit of doom mongering and every simpleton out there will suddenly thing terrorists are sat outside their house stealing their wifi and bank details!

dbmzk1 · 11 Oct 2008 at 17:53

How long is it going to take to crack something like this though? Still could take days if not longer?

bPrGUQQyPvB7vLqyASogoLtxa5FgBYbNkIHLAoaeICVCf5xi1f1rMUaipiqTSoy

helmutcheese · 11 Oct 2008 at 17:56

I did not know CUDA was being used for it so its news to me and others I bet.

helmutcheese · 11 Oct 2008 at 17:58

dbmzk1 said:
How long is it going to take to crack something like this though? Still could take days if not longer?

bPrGUQQyPvB7vLqyASogoLtxa5FgBYbNkIHLAoaeICVCf5xi1f1rMUaipiqTSoy

Who knows !, You could get a manually guess some large passwords 1st try or 1 year later but if you can speed it up by up to 100,000 then its better than a kick to the Nutz IMO.

Surfer · 11 Oct 2008 at 17:58

oh dear so i should change my access key to smt like ^^^

bigredshark · 11 Oct 2008 at 18:08

Surfer said:
oh dear so i should change my access key to smt like ^^^

No, you should use a moderate length non dictionary phrase and stop worrying about the end of the world, if you're that paranoid then use a wired connection. Nobody in reality sits outside you're home hacking your wireless and stealing your bank details, anybody who's into that would be sitting in the high street looking for badly protected business networks where there's far more to steal.

Even if they were hacking your wireless, your online banking is still SSL protected and (for most banks) you never enter your entire password anyway (the old characters 3, 7 and 9 routine).

If the guy next door is doing it to steal your wifi then changing it to a 50 character random passkey will only increase the time it takes to crack slightly (and even then it may not - it's a brute force attack after all so unless they do a dictionary attack 'theskyisblue' is as good a password as 'fdSpnFR%df4~')

tolien · 11 Oct 2008 at 18:11

helmutcheese said:
That's not the point of above m8.

Actually it is:

Using CUDA they can now do it up to 10,000% faster than with a CPU.

Using CUDA, you turn a graphics card into several highly-parallel CPUs that are good at a handful of tasks. With a machine with (probably) hundreds of very fast CPUs (the GTX 280 has 280 stream processors in there), a password gets easy to brute-force. This is news how?

bigredshark · 11 Oct 2008 at 18:17

tolien said:
Actually it is:

Using CUDA, you turn a graphics card into several highly-parallel CPUs that are good at a handful of tasks. With a machine with (probably) hundreds of very fast CPUs, a password gets easy to brute-force. This is news how?

You're both partly right. The idea that if you throw enough CPU time at encryption you'll crack it is nothing new, that somebody has written a program which will allow you do that easily with common desktop (or even notebook) hardware is news though. Nobody except the exceptionally talented geek was going to code that himself, if it's a tool which is freely-ish available though, that changes the threat.

tolien · 11 Oct 2008 at 18:20

I'm pretty sure there's an API for CUDA, a la OpenCL.

Actually the point I was getting at was the claim that WPA/WPA2 was secure before - CPUs getting fast enough to brute force a passphrase was always going to happen anyway, and it's been known for ages that GPUs had a tonne of raw processing power for some tasks. I guess joining the bits together is new, but that's about it.

As suggested in the comments, most VPNs would be vulnerable to this too - the "fix" is to change the keys often enough that brute force isn't feasible.

helmutcheese · 11 Oct 2008 at 18:21

tolien said:
Actually it is:

Using CUDA, you turn a graphics card into several highly-parallel CPUs that are good at a handful of tasks. With a machine with (probably) hundreds of very fast CPUs (the GTX 280 has 280 stream processors in there), a password gets easy to brute-force. This is news how?

Tell you what, I wont post any more in this section, 99% due to your attitude each time.

FrenchTart · 11 Oct 2008 at 18:32

helmutcheese said:
Tell you what, I wont post any more in this section, 99% due to your attitude each time.

Just read the comments bellow the article to see how FUD-like it is.

littlepuppy · 28 Jan 2009 at 14:24

helm,

Please keep posting, very interesting...

Skidilliplop · 28 Jan 2009 at 14:42

helmutcheese said:
That's not the point of above m8.

Using CUDA they can now do it up to 10,000% faster than with a CPU.

What could have took days could take no time at all now.

most WPA keys can be cracked in under 10 mins using a standard Quad core. The fact you can now do it in 0.1 seconds if you spend a few hundred quid more is kind of irrelevant as no one is going to waste that kind of money.

Not that it's an issue as i don't know any companies that use databases over wifi anyway as the ltency plays havoc with them. and databases are where the info is gonna be that needs protecting.

If you want into a network you can get in. That's always been the case. The purpose of stuff like WPA is to make your network inconvenient to hack in the hope that what someone might be after will cost them more in effort and equipment and risk than it's realistically worth.

StephenLawUK · 28 Jan 2009 at 17:30

With a little time you can find sites with freeware designed for bruteforcing using your GPU, only took me a couple minutes of googling to read up on cracking passwords. Using effective rainbow tables numerical/alphabetical passwords up to 15 chars long can be cracked in less than a min using GPU accelerated bruteforcing, however 16 chars and above can still hold up or just take considerably longer to crack.