Service cracks wireless passwords from the cloud

A security researcher has unveiled a low-cost service for penetration testers that checks the security of wireless networks by running passwords against a 135-million-word dictionary. The WPA Cracker is a cloud-based service that accesses a 400-CPU cluster. For $34, it can run a password against all 135 million entries in …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    I don't know whether...

    ... to stand in awe of these guys, or to vomit.

  2. Dave 129

    That settles it...

    Time for a new wireless router that will properly handle WPA2, unless there is something better now? Man I really hope so!

    My poor Linksys WRT54Gv8 is really showing its age now :(

    1. Tim Bates

      DD-WRT?

      Might be able to get WPA2 support using DD-WRT instead of the crap Linksys firmware... Tried that?

    2. ElNumbre

      Doesn't support WPA2?

      Eigh?

      If you're having troubles with WPA2, have you tried an alternative firmware, particularly Tomato, OpenWRT or DD-WRT? I've had a variety of WRT54Gs and they all support WPA2-PSK. Haven't got a certificate infrastructure for the Enterprise level version, but certainly the menus are there in DD-WRT for that. Plus, if your router is out of warranty and you're considering buying another one, might be worth an experiment.

      In other news, is it really worth panicking about this unless you're an Enterprise? So many home users are still running WEP which doesn't require a $34 investment, that unless you're after company secrets rather than "free" internet access, you're better off driving down the road a bit.

    3. Anonymous Coward

      custom firmware

      The WRT54G routers are ripe for custom firmware. Well recommend checking what is out there.

      I'm on a lower version than that, 3 or 4, but with dd-wrt custom firmware on there my router is a lot better - loads more features - I have 2 SSIDs running on it, for example. I will upgrade to an N one eventually but I'm hoping to still use dd-wrt on that too. There's more than just the encryption method for securing it anyway, there's allow only registered MACs, etc.

    4. Arnold Lieberman

      WRT54

      Try installing another firmware like DD-WRT or Tomato (my favourite) for better functionality. There's life in the old dog yet (as long as you've got a version with a decent amount of flash memory).

  3. Anonymous Coward

    My password is "12345678"

    Try this page to beef up your passwords:

    https://www.grc.com/passwords.htm

    1. Tim Bates

      Because it's Steve Gibson, I'll pass.

      You'd still need to pass those through a cracker to see if they are weak. Long does not mean strong. A page of zeros is probably not real strong for example.

      Steve does sort of explain where those strings come from, however he fails to explain it in enough detail for anyone to determine if he's cocked it up... Given his history of getting it wrong and then being a dick about it, I think I'll just pass.

  4. Anonymous Coward

    I do know whether...

    to Cat 5 cable my whole house and turn off my WiFi router. I guess even a BlueTooth keyboard is none too safe either? That'll have to go.

    1. Wommit

      Wire the house

      Higher speeds and no contention.

      It might annoy the SO though. This might be a benefit, it might not.

      A pint, for when you've finished and it's a job well done.

    2. JimC

      I Cat 5'd my house

      and a ******** rat has got under the floorboards and eaten half the cables...

  5. Roger Heathcote 1

    Pah.

    No biggie if you use a secure password (25 + fairly random chars), doubly so if you change your ssid to something they won't have precomputed keys for.

    Also, I don't see how this will help crack radius so surely only domestic / small biz WiFi would be vulnerable no?
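
Added example (not part of the original thread or of any commenter's post): the remark above about SSIDs and precomputed keys follows from how WPA/WPA2-PSK derives its key, PBKDF2-HMAC-SHA1 with the SSID as the salt. The function names and the second SSID are constructed for illustration; the "password"/"IEEE" pair is the test vector published with IEEE 802.11i.

```python
import hashlib
import math


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK master key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def guess_space_bits(candidates: float) -> float:
    """Size of a guess space expressed in bits (log2 of the candidate count)."""
    return math.log2(candidates)


def random_passphrase_bits(length: int, alphabet_size: int = 95) -> float:
    """Bits of entropy for a uniformly random passphrase (95 printable ASCII)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Same passphrase, two SSIDs: the derived keys share nothing, so a table
    # precomputed for one SSID is useless against the other.
    for ssid in ("IEEE", "constructed-example-ssid"):
        print(f"{ssid!r:28} {wpa_pmk('password', ssid).hex()}")

    # The article's dictionary versus the 25 random characters suggested above.
    print(f"135M-word dictionary : {guess_space_bits(135_000_000):.1f} bits")
    print(f"25 random characters : {random_passphrase_bits(25):.1f} bits")
```
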

  6. Nexox Enigma

    Mmmmmm Wireless...

    @ WPA2 comment:

    As far as I know, this attack works the same against WPA and WPA2, though I'm not sure if the rainbow tables would be the same. It only works against networks using a pre-shared key (like almost all home users), while 802.1x / WPA Enterprise would be immune. It should also be relatively safe to set up an access point to a restricted network and use a vpn to access the rest of your network. Of course both of the secure options are well beyond the reach of the average user, plus the vpn option will require an extra step each time you connect, and 802.1x generally requires radius, the free daemons for which are all considerably less fun to configure than your average isp-level sendmail install. Either way, lots of work for a couple of home users.

  7. Richard Boyce

    Anyone who is worried by this has misunderstood

    If you put an idiot or complete novice in charge of Fort Knox, attackers won't attack the building. They'll simply con the idiot and walk in. Then the idiot will blame the building for its lack of security.

    This service tests whether the wireless network has an idiot or complete novice in charge of it. They are not cracking proper passwords. By proper password, I mean something that can't be readily guessed and added to the dictionary that's being used.

    If your neighbour is using a password like "letmein" or something else likely to be in the service's dictionary, then this test can be used to warn the neighbour. But don't expect the neighbour to thank you. They might just be alarmed, change their password to something equally dumb, and complain to the police that you've been hacking them.

    If you're using a more secure password like "jaootns&33dsf", don't bother wasting your money using this service to test it. All the service will tell you is that your password couldn't be figured out because it wasn't a dumb password that's in the dictionary.

    Senior people involved in the new laws about file sharing should take note because their wireless passwords are sure to be tested.

  8. Anonymous Coward

    It's not hard...

    ... to make a good password.

    If you can't be bothered with random chars then use a whole memorable sentence not a single word.

    1. Anonymous Coward

      similar

      Think of a memorable sentence, then use the first letter of each word to form the password...

      Though it can be embarrassing if you're seen to mumble "oh I do like to be beside the seaside" each time you sit at your desk.

  9. Jason Togneri

    @I do know whether...

    Well, quite apart from security and visibility, there's also the added caveat that wires always were, and always will be, faster than wireless.

    1Mbps wired = no wireless

    10Mbps wired = 10Mbps wireless (realistic throughput of 4Mbps)

    100Mbps wired = 54Mbps (realistic throughput of 36Mbps)

    1000Mbps wired = 270Mbps (realistic throughput of maybe 80Mbps)

  10. Anonymous Coward

    Minor snag:

    If you need that service to crack someone's wireless, you are less likely to have cloud access.

    But then, even a five day cracking session is no biggie for some, just a question of planning. How often do you change your WPA(2) passwords? If security is important to you then wifi is a means of last resort. Wired has always been and for the foreseeable future will remain faster, more reliable, and better secured. So in that sense, making this clear to the masses is a public service.

  11. Anonymous Coward

    pazzwurds ain't no good

    as 'the bad guys' are (seriously) hoovering(*) up all WPA/WPA2 wifi traffic on selected targets, storing it in their yottabyte arrays, until the next vuln comes around (like linux RNG bias attack last year) then re-processing the data.

    WiFi crypto is doing its job, DELAYING data disclosure. Best advice is to use a non-trivial SSID - the first 1000+ 'standard' IDs are rainbowed - and use a memorable pass phrase. Pros are starting to use WiFi intrusion detection hardware, actively looking for a bad or pirate node trying to merge into their network. WPA & WPA2 are still just WEP with patches, something next generation will be needed soon! Remember, supposedly everything is going WiFi plug & play 'auto-config' soon. Yikes! (As usual XKCD got there first: http://xkcd.com/416/ )

    (*) should hoovering be dysoning in this modern era?

  12. Dr Patrick J R Harkin

    My password is very secure

    It's "mickeydonaldgoofyplutoheweydeweylouieminnielondonmammamia" It said in the book that a secure password has at least seven characters, a capital and a memorable number.

  13. Anonymous Coward

    Hacked WiFi = Your IP = Proof

    Given that an IP address alone is proof enough for ambulance chasing lawyers such as ACS:Law to "prove" copyright infringement and soon the government will use IP evidence alone to shut down alleged filesharers' connections then the consumer becomes liable for the security of their Internet connection, and anything which happens over it. And WiFi is the weakest link.

    Therefore robust industry grade WiFi security is required because you will be personally liable for anything that happens on your hacked WiFi connection.

    My BT Router supplied router had WEP enabled by default with the WEP key stuck on the back. So I guess the consumer is supposed to keep up to date with all the latest WiFi vulnerabilities, patch and reconfigure as required. I'll make sure my gran is subscribed to CERT bulletins!

    Time to abandon WiFi. The risks of unlimited fine and a jail term, if someone hacks it, or one of your mates pops round with their laptop, and downloads a copyrighted song are just too great.

  14. Anonymous Coward

    They have got balls

    what happens if someone uses it to crack a system they are not authorised to use, are they an accomplice in the process?

    If someone steals a safe, and then takes it to a locksmith to open, is the locksmith liable if they open the safe?

  15. Robert Ramsay

    Well...

    Thank fuck I didn't bother with that wireless rubbish!

  16. Anonymous Coward

    All fine....

    But what about hubs that come with pre-defined passwords like the BT Homehubs where they don't use words but a mix of characters and numbers?

    Also got to wonder if they vet their clients?

    Surely this should only be for those wanting to check security on their own or clients' network not some lowly little teen hacker??

    Anon as my wireless is on....

  17. Doug Glass

    The Only Security ...

    ... is to believe there is NO security, and act accordingly.

  18. Robert Carnegie

    "My password is very secure" Not any more eh?

    Thank you for sharing your very secure password with us. I don't believe it's the real one however.

    The idea of sending your password to a cracking service to check whether it's in their database is hysterically funny - think about it. Likewise using a memorable phrase, unless it's only memorable to you. These people must have dictionaries of well known quotations, which is nice because I'm looking for such a thing. A network secured with the words "Ask not what your country can do for you", "Clunk click every trip" or "The quick brown fox jumps over the lazy dog" is not really secured.

    1. Anonymous Coward

      "My password is very secure" Not any more eh?

      Robert, would I be right in guessing you are American since you completely missed the joke, probably because it wasn't posted with a Joke Alert icon.

      1. Robert Carnegie

        snowwhiteberlintakemybreathaway

        ...back at you. And what joke? :-P

        I wanted to remind some more enthusiastic members of the drawback of inventing a really good password, you can't tell people how good it is.

  19. James O'Shea

    Bah, humbug

    My WPA2 code is, errm, unlikely to be cracked using a dictionary attack.

    1 I used a phrase, not a word.

    2 I picked a phrase which was significant to me, but not necessarily to someone else.

    3 I picked that particular phrase 'cause I knew its transliteration (_NOT_ translation) into a certain obscure language, one which doesn't use the Latin alphabet. (Good luck figuring out which one...)

    4 I then deliberately misspelled all the words in the phrase, in a way that made sense to me.

    5 I sprinkled in a few numbers and symbols and changed some caps to lower case and some lower case to caps.

    Result: an 18-digit phrase which is absolutely guaranteed to not be in any dictionary and which will make no sense to anyone else. And which I tweak every so often by adding or subtracting a number or a symbol or changing the case of a letter. Or some combination of the above. It used to be a _15_ digit phrase. I could have achieved good results by simply using the same phrase in English but adding the variable caps, numbers, and symbols.

  20. DEAD4EVER

    wireless networks

    hum cracking wireless networks to get access whatever next. seriously people in this world can't leave things alone for 2 mins can't leave other people's connections alone hackers have no life they must be bored bunch of sad lot

  21. Sam Liddicott

    'James O'Shea

    That's a cool technique.

    What pass phrase did you end up with?

    1. James O'Shea

      double bah

      something memorable.

  22. Danny 14

    I've used transposition for years

    I use a memorable telephone number (or two back to back) and transpose them. So the numeric keypad of 789456 shifted to the 6 key on the keyboard would become 678yui.

    easy peasy and not very crackable. All I need to do is remember the transposition start point (and use a qwerty keyboard - it is VERY slow on a laptop where I need to think...)

  23. Dannyboy617

    What's the name of the server?

    Does anyone know whose 400 CPU cloud computing service these folks are using? I presume it's a little beefier than EC2.

  24. Chris Pollard

    long, random, written down

    because, after all, if they are in my house I've got more to worry about than them stealing my wifi password....

  25. egeier

    Easily use WPA/WPA2-Enterprise/802.1X

    This type of brute-force attack does not apply to WPA/WPA2-Enterprise networks, which use 802.1X authentication. Even small businesses and consumers can now easily implement this advanced security using outsourced services like AuthenticateMyWiFi (http://www.NoWiresSecurity.com).
