[Infowarrior] - Elcomsoft gets 100x increase in WPA2 cracking speed

Richard Forno rforno at infowarrior.org
Sun Oct 12 21:13:07 UTC 2008


Russian researchers achieve 100-fold increase in WPA2 cracking speed
Oct.12, 2008 in Security

http://securityandthe.net/2008/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/

Russian security company Elcomsoft just posted a press release  
(original PDF) detailing a new method to crack WPA and WPA2 keys:

     With the latest version of Elcomsoft Distributed Password  
Recovery, it is now possible to crack WPA and WPA2 protection on Wi-Fi  
networks up to 100 times quicker with the use of massively parallel  
computational power of the newest NVIDIA chips. Elcomsoft Distributed  
Password Recovery only needs a few packets intercepted in order to  
perform the attack.

The 100-fold increase in speed is achieved with two GeForce GTX280s  
per workstation; for €599 you can build a network of 20 workstations  
dedicated to “recovering” your “lost” WPA keys. This means that a WPA  
or WPA2 key could be cracked in days or weeks instead of years.

This has prompted security firm GSS to advise their clients to add an  
additional layer of protection to their Wi-Fi networks:

     “This breakthrough in brute force decryption of Wi-Fi signals by  
Elcomsoft confirms our observations that firms can no longer rely on  
standards-based security to protect their data,” said GSS managing  
director David Hobson. “As a result, we now advise clients using Wi-Fi  
in their offices to move on up to a VPN encryption system as well.”

But the question remains how long it will take until the next  
generation of GPUs or custom-designed chips will break VPN encryption  
as well. DES encryption can already be broken quite easily with  
custom-built machines, and while AES appears to be better on paper,  
there is no guarantee that there isn’t some hidden flaw in the  
algorithm. GSS agrees:

     Hobson added that the development could spur a step back from  
wireless to wired network connection in sensitive installations, such  
as financial services organisations, particularly concerned about data  
privacy.

Update: This will, of course, mainly affect simple ASCII keys. And it  
will only work against static keys; anyone using more complicated  
authentication schemes will not be at risk for now. But since that  
takes a couple of extra minutes when installing, smaller businesses or  
departments often skip setting this up.
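
An added example, not part of the article or of Elcomsoft's product: a Python sketch of how the claimed 100-fold speed-up changes the worst-case time to search a passphrase's keyspace, alongside the standard WPA/WPA2 passphrase-to-key derivation that sets the cost of each guess. The baseline of 1,000 guesses per second, the sample passphrases and all function names are assumptions; the article gives no absolute rates.

```python
import hashlib
import string

SPEEDUP = 100                     # factor claimed in the press release
BASELINE_GUESSES_PER_SEC = 1_000  # assumed CPU-only rate, not from the article
SECONDS_PER_DAY = 86_400
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.
    The key is static: it changes only when the passphrase or SSID changes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def alphabet_size(passphrase):
    """Combined size of the character classes the passphrase draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))

def audit(passphrase, rate=BASELINE_GUESSES_PER_SEC):
    """Worst-case days to try every passphrase of this length and alphabet."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrases use printable ASCII only")
    keyspace = alphabet_size(passphrase) ** len(passphrase)
    days = keyspace / rate / SECONDS_PER_DAY
    return {"alphabet": alphabet_size(passphrase), "keyspace": keyspace,
            "days_baseline": days, "days_gpu": days / SPEEDUP}

if __name__ == "__main__":
    # Constructed sample passphrases, not taken from any real network.
    for sample in ("sunshine", "Sunshine2008", "k7#Rw!2pQz&Lm9@x"):
        r = audit(sample)
        print(f"{sample!r}: alphabet={r['alphabet']} "
              f"baseline={r['days_baseline']:.3g} days "
              f"with 100x={r['days_gpu']:.3g} days")
```

These figures are upper bounds for a full search of the keyspace; a passphrase that appears in a word list falls far sooner, so the estimate for a dictionary word such as 'sunshine' is generous.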

