Polly Wants a Cracker
Ahoy there ye landlubbers! The high seas of wireless security appear to have gone commercial with the introduction of a paid service that makes it a whole lot easier for a casual attacker to break into your wireless network. Before going on to talk about how this attack vector can be used, though, we'll quickly cover off some terminology; Wi-Fi standards can be an acronym minefield.
Many moons ago—more than ten years ago, in fact—a move was made to devise a method of securing wireless networks that would provide a level of confidentiality equivalent to that of traditional wired networks. The name Wired Equivalent Privacy (WEP) was given to the system. Unfortunately flaws emerged and it turned out to be trivial to circumvent. WEP is still built in to most Wi-Fi products on the market, but security-wise it was blown out of the water long ago and as such its use is now heavily deprecated. Roll out the successors!
Wi-Fi Protected Access (WPA) was next on the scene, with a new method of key management intended to shore up WEP’s deficiencies (Temporal Key Integrity Protocol, or TKIP, which like WEP uses the RC4 algorithm). WPA-TKIP was designed to function on hardware originally designed for WEP, with the sole addition of a firmware upgrade, meaning that in-the-field equipment did not have to be junked—a boon for businesses. The new system did indeed provide better security than WEP but eventually attack vectors emerged that allowed short and/or guessable passphrases to be brute-forced by way of comparing the sniffed network traffic with a dictionary of possible keys. WPA was originally intended to be a stopgap method of security, but it too seems to have hung around for longer than originally planned. Next!
WPA2, the rather unimaginatively named successor to WPA, brought with it a full wireless security model that could not be “shoe-horned” into legacy hardware, meaning that equipment upgrades were necessary. WPA2 introduced a more sophisticated encryption protocol based around the Advanced Encryption Standard (AES), which does not suffer from the technical compromises that had to be made when the original version of TKIP was devised. Unfortunately, however, both WPA and WPA2 are vulnerable to dictionary-based attacks when pre-shared keys (PSKs) are used, as is likely in most non-enterprise environments. So, me hearties, where does this leave us?
Having sampled a few minutes' worth of your wireless network traffic using a standard laptop computer, an attacker can retreat back to his cave and use automatic cracking software to check possible passwords off against a predetermined list. If he gets a hit, he’s in. Depending on the length of the password, though, this kind of password cracking is rather time-consuming; it also demands a certain level of technical skill. Or, rather, it used to.
A website was launched this week that claims to provide an automated WPA password cracker that uses cloud-computing technology. The site states that anyone can pay the paltry sum of $34 to rent time on a large 400-node computer cluster and check 135,000,000 potential passwords against yours in only 20 minutes. If a match is found then your password is toast, no technical skills required. The attacker will be able to log in, use your network, monitor what you’re doing, and steal personal information. Arrr!
It should be noted that the creator of the WPA cracker is a renowned security researcher who has presented at high-profile security conferences. He states that the system has been designed not for malicious use but instead for security audit and research purposes. It is indeed a great demonstration of how cloud computing changes the game and will likely come in useful for security testing and demonstrations highlighting the importance of secure computing. That notwithstanding, however, the system is certainly open to abuse by malicious individuals. It should also be noted that your author has not yet tested the WPA cracking service himself.
With the advent of automated cloud-based crackers, it’s high time to move to WPA2-AES and minimize your risk of compromise by choosing a passphrase of random characters that is as long as your hardware will allow. This should render dictionary-based attacks infeasible. Wireless passwords typically do not have to be re-entered frequently, so there’s no excuse for them being short and/or guessable.
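To put numbers on that advice, here is an added example (not part of the original post) that generates a maximum-length random passphrase and audits candidates against the guess rate implied by the figures quoted above. It goes one step beyond the dictionary check by estimating exhaustive-search time. Assumptions: the function names are hypothetical, the wordlist is a constructed sample, and the rate is treated as constant.

```python
import math
import secrets
import string

# Guess rate implied by the article's figures: 135,000,000 candidates in 20 minutes.
ARTICLE_RATE = 135_000_000 / (20 * 60)  # guesses per second
MIN_LEN, MAX_LEN = 8, 63                # WPA/WPA2-PSK passphrase length limits
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)             # 94 printable symbols (space left out)


def generate_passphrase(length=MAX_LEN):
    """Return a random passphrase drawn from a CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def exhaust_seconds(length, alphabet_size, rate=ARTICLE_RATE):
    """Worst-case time to try every string of this length at the given rate."""
    return alphabet_size ** length / rate


def audit(passphrase, wordlist):
    """Return (findings, seconds) for a candidate passphrase.

    wordlist is a set of lowercase words standing in for a cracking dictionary.
    """
    findings = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        findings.append("length outside the 8..63 range WPA-PSK accepts")
    if passphrase.lower() in wordlist:
        findings.append("present in the dictionary: assume it falls immediately")
    # Size of the alphabet the passphrase actually draws on.
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    seconds = exhaust_seconds(len(passphrase), size) if size else 0.0
    if seconds < 20 * 60:
        findings.append("whole keyspace fits inside one 20-minute run")
    return findings, seconds


if __name__ == "__main__":
    words = {"password", "letmein1", "blackbeard"}  # constructed sample wordlist
    for candidate in ("Blackbeard", "12345678", "xkqvpzmw", generate_passphrase()):
        findings, seconds = audit(candidate, words)
        years = seconds / (365.25 * 24 * 3600)
        print(f"{candidate[:16]:<16} {years:10.3g} years  {findings or 'ok'}")
```

An eight-digit passphrase is exhausted well inside a single 20-minute run, and eight random lowercase letters last about three weeks at this rate.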
The availability of high-performance computer hardware on what is effectively an ultra-short-term rental basis is likely to prove to be a challenge for those protected by security protocols and algorithms that are open to brute-force attacks. It can be a good idea to perform an annual “mini security audit” and check out which aspects of your combined security defenses might need an overhaul—or indeed a keelhaul.