Thursday, October 27, 2011

Wi-Fi Security: Cracking WPA With CPUs, GPUs, And The Cloud

Is your network safe? Almost all of us prefer the convenience of Wi-Fi over the hassle of a wired connection. But what does that mean for security? Our tests tell the whole story. We go from password cracking on the desktop to hacking in the cloud.
We hear about security breaches with such increasing frequency that it's easy to assume the security world is losing its battle to protect our privacy. The idea that our information is safe is what enables so many online products and services; without it, life online would be so very different than it is today. And yet, there are plenty of examples where someone (or a group of someones) circumvents the security that even large companies put in place, compromising our identities and shaking our confidence to the core.
Understandably, then, we're interested in security, and how our behaviors and hardware can help improve it. It's not just the headache of replacing a credit card or choosing a new password when a breach happens that irks us. Rather, it's that feeling of violation when you log into your banking account and discover that someone spent funds out of it all day.
In Harden Up: Can We Break Your Password With Our GPUs?, we took a look at archive security and identified the potential weaknesses of encrypted data on your hard drive. Although the data was useful (and indeed served to scare plenty of people who were previously using insufficient protection on files they really thought were secure), that story was admittedly limited in scope. Most of us don't encrypt the data that we hold dear.
At the same time, most of us are vulnerable in other ways. For example, we don't run on LAN-only networks. We're generally connected to the Internet, and for many enthusiasts, that connectivity is extended wirelessly through our homes and businesses. They say a chain is only as strong as its weakest link. In many cases, that weak link is the password protecting your wireless network.
There is plenty of information online about wireless security. Sorting through it all can be overwhelming. The purpose of this piece is to provide clarification, and then apply our lab's collection of hardware to the task of testing wireless security's strength. We start by breaking WEP and end with distributed WPA cracking in the cloud. By the end, you'll have a much better idea of how secure your Wi-Fi network really is.

Test Setup

12:00 AM - August 15, 2011 by Andrew Ku
References in this article to WPA can be read as "WPA/WPA2." Furthermore, the techniques used in this article are unaffected by TKIP or AES encryption.
Desktop HardwareNotebook
(Lenovo ThinkPad T410)
ProcessorIntel Core i5-2500K (Sandy Bridge), 3.3 GHz, LGA 1155, 6 MB Shared L3Intel Core i5-540M (Arrandale), 2.53 GHz, PGA 988, 3 MB Shared L3
MotherboardAsrock Z68 Extreme4-
MemoryKingston Hyper-X 8 GB (2 x 4 GB) DDR3-1333 @ DDR3-1333, 1.5 VCrucial DDR3-1333 8 GB (2 x 4 GB)
Hard DriveSamsung 470 256 GBSeagate Momentus 5400.6 500 GB
GraphicsPalit GeForce GTX 460 1 GB
Nvidia GeForce GTX 590
AMD Radeon HD 6850
AMD Radeon HD 6990 
Nvidia Quadro NVS 3100M
Power SupplySeasonic 760 W, 80 PLUS-
Network CardAirPcap Nx USB AdapterAirPcap Nx USB Adapter
System Software and Drivers
Operating SystemWindows 7 Ultimate 64-bit
Backtrack 5 64-bit
DirectX DirectX 11
Windows DriversAirPcap 4.1.2
Catalyst 11.6
Nvidia 275.33
AirPcap 4.1.2
Linux DriversCatalyst 11.6
Nvidia 275.09.07
Cain & AbelVersion: 4.9.40
Aircrack-ngVersion: 0.70
Elcomsoft Wireless Security AuditorVersion: 4.0.211 Professional Edition
PyritVersion: 0.4.1-dev

The majority of tests in this article were performed in the field, facilitating an exploration of network security under real-world conditions. There were a few situations where the signal strength of our target network prevented us from proceeding further in our experiments, though. In those rare cases, we used our Cisco Linksys E4200, which we set up to use 802.11g at 2.4 GHz.

Network Security: The First Line Of Defense

There's no such thing as guaranteed security for folks connected to the Internet. However, by adding additional layers of protection, it's possible to make a system increasingly difficult to compromise. Banks have multiple safeguards to prevent physical robberies, and well-built networks employ the same thinking to keep digital assets safe. You don't usually see the same thoroughness in home networks, though, because it costs a lot and requires a particular expertise in order to stay one step ahead of of the folks who'd like access to everything behind your firewall.
Instead of a tiered approach to security, most of us are only protected by our routers. That's what separates the local network from the Internet. It prevents strangers from using an IP address to access your system directly. And the router represents the first security layer in your network.
But it isn't just your first line of defense; it's also the most important. Why? Most people believe that you can enhance data security by installing a software firewall and a data encryption scheme like TruCrypt. However, most of us also make at least some of our data available to other users on our networks as a matter of convenience and easy accessibility. Perhaps we do this without even thinking that it could be seen by someone else. Regardless, when we do this, the integrity of our wireless network, protected by certain authentication technologies, is all that keeps our precious information safe from anyone in range and able to circumvent our safeguards. Adding additional security measures to keep Internet-based traffic out doesn't change that fact.
So, sure, streaming a high-def movie from your NAS to an HTPC in the living room might be easier as a result of wireless access. But anyone able to breach those invisible walls can do the same thing. And that doesn't even take into account the damage they can do on the Internet from an address that'd appear to be coming from your own little network.
In the early days of home networking, you could rely on the physicality of wired networking to restrict access. Now, with wireless technology, you have to worry about attacks coming from the Internet (hopefully being stymied by your firewall) and breaches closer to home that might allow an unsavory character right onto your network alongside other trusted devices. There is where stronger wireless security comes into play. That's the easiest way to protect your network from intrusion.
Now, we're assuming that most Tom's Hardware readers aren't setting up their access points and leaving them wide open to the pillaging of neighbors. You're using some sort of security protocol to at least discourage casual Web browsers looking to bum a ride on your bandwidth or amateur script kiddies testing their mettle.

WEP Is Dead, Haven't You Heard?

Wired Equivalent Privacy (WEP) was the first security algorithm used by wireless networks to restrict access. It was originally introduced in 1999 as part of the 802.11 standard. However, it has long been considered to be a "broken" algorithm, and was effectively replaced by Wi-Fi Protected Access (WPA).
If you're still using WEP on an older wireless router, try not to feel too safe. The Wi-Fi Alliance abandoned WEP in 2003 because it's very easy to crack. With $20 and some basic technical know-how, a neighbor can procure your WEP password in about 10 minutes using publicly-available tools. It really is time to upgrade to at least WPA.
The process of breaking a WEP password can vary, but we've seen it done enough times that there's little reason to detail this bit of deviousness here on Tom's Hardware. Think of us like AMC's Breaking Bad. We're not here to show you how to cook meth. But our story hinges on the process. An enthusiast using WEP should know how easy it is to circumvent, and we did it so that you don't have to learn the hard way. To give you an idea of what's involved, we used Cain & Abel, Aircracking-ng, and an AirPcap Nx adapter to find a nearby network's WEP key in about five minutes. The length of the key doesn't affect recovery time, either.
The fundamental problem is that it's incredibly easy to eavesdrop on a WEP network and sniff out the information needed to crack the RC4 cipher backing the protocol. Even if there aren't enough packets traveling between the router and clients inside the network, it's possible to send packets in such a way to simulate reply packets, which then can be used to find the key. It's even possible to forcibly boot users off a router in order to generate packets with authentication information. Scary stuff; avoid it at all costs if security truly matters to you.

Understanding WPA/WPA2: Hashes, Salting, And Transformations

WPA/WPA2, WinZip, WinRAR, Microsoft's native Data Encryption API, Apple's FileVault, TruCrypt, and OpenOffice all use PBKDF2 (Password-Based Key Derivation Function 2.0). The critical element here is that a password won’t directly grant access to whatever it's protecting. You need to generate a key (decryption code) from the password.
This is one of the most critical differentiators separating WEP and WPA. WEP doesn't obscure your password in an effective way. That is a huge security risk because hackers can directly extract it from packets sent during authentication. This makes it easy for those same folks to sit in parking lot or lounge around in a mall and break into networks. Once enough packets are gathered, extracting the key and connecting to the network is easy. WPA is different because the password is hidden in a code (in other words, it's hashed), forcing hackers to adopt a different tactic: brute-force cracking. 
In one of our last security-oriented pieces, we noticed some confusion in the comments section where readers were asking for more clarification on concepts like rainbow tables, hashes, salting, and transformations.
There are two major parts to converting a password value to a decryption key. The first is called salting. It's possible you've heard this term used once or twice. This is a method in cryptography that prevents two systems from using the same key, even though they may share the same password. Without salting, a pair of machines using the same password, even coincidentally, end up with the same key. This is a vulnerability for rainbow tables, which are huge spreadsheets that allow you to look up the original password (provided you know the key). Salting largely nullifies the use of rainbow tables, because every password uses a random value to generate a different key. It also effectively renders password derivation a one-way function, because you can't backwards-generate passwords from keys. For example, SSIDs are used to salt WPA passwords. So, even if your neighbor uses the same password, he's going to have a different key if his router has a different name.
PBKDF2 takes things one step further by using a key derivation function (KDF). The idea itself is pretty simple, but it's a little math-heavy. There are two steps:
  1. Generate data1 & data2 from password and salt.
  2. Calculate key using transformation invocations using a loop, which looks like:
                data1 = SHA1_Transform(data1, data2);
                data2 = SHA1_Transform(data2, data1);
Basically, you input the password and salt (the random bits) in order to generate the first data parameter. This represents the key in it's non-final form. From there, the key is continuously hashed in a cycle, where the next calculation relies on the previous one in order to continue. For every interval, the value of the key changes. Repeat this a couple thousand times and you have the final decryption key. And because you can't go backwards, brute-force cracking requires you to "recreate" the key on every password attempt.
This process accounts for 99% of the computational overhead required in brute-force cracking, so throwing copious compute muscle at that wall is really the only way to chisel it down. Hash cracking lets you to try multiple passwords at a time because the process doesn't employ a key derivation function or salt, making it magnitudes faster. As a practical matter, the impressive speeds you see from hash cracking shouldn't scare you. This form of brute-force hacking is limited in scope, since just about everything secure utilizes salting and a key derivation function. 
To give you a sense of scale, WinZip uses 2002 SHA-1 transformation invocations to generate a key. This value is constant for any password length, up to 64 characters. That's why a 10-character password is just as easy to defeat with AES-256 as it is with AES-128. WPA, on the other hand, uses 16 388 transformations to convert a master key (MK) into what's known as a Pairwise Master Key (PMK). That makes brute-force cracking in WPA 8x slower than it does with WinZip/AES.
WPA relies on a Pre-Shared Key (PSK) scheme. You may enter in a master key (the value that you see in the password field on the router), but you can only "sniff out" the Pairwise Transient Key (PTK) during what is known as a "four-way handshake."
Authentication relies on deriving the PTK from a Pairwise Master Key, which is in turn derived from a master key. It takes about five or six more transformations to go from the PMK to PTK, but WPA cracking speeds are often presented in PMK units, the most computationally-intensive portion of the brute-force attack.

WPA Cracking: It Starts With Sniffing

There are three steps to penetrating a WPA-protected network.
  1. Sniffing: Intercepting packets in order to get the data necessary to perform an attack.
  2. Parsing: Inspect the harvested packets to see if there's a valid handshake. This is the critical step. The information you're trying to capture consumes less than 1 MB, but it's important that it includes packets that contain PTK authentication information. This means that someone needs to log on to the network while you're sniffing.
  3. Attacking: Employ brute-force password cracking.
The entire process of sniffing, parsing, and attacking tends to be modular, but the exact procedure is a little different, depending on the operating system. At the moment, Linux is the preferred route for many networking ninjas, but there are tools in Windows that streamline the process too.
No matter what software route you take, making this happen isn't as easy as typing in the right commands. Getting past the sniffing step is perhaps the most difficult part because it requires a particular type of wireless card. Specifically, you need one that has drivers able to provide access to low-level 802.11 protocol information. The majority of wireless cards don't cut it because they use a driver that filters the RAW 802.11 packets and hides them from the upper layers of the operating system.
But the right equipment doesn't cost an arm and a leg. Many compatible wireless cards cost less than $50. Ultimately, skill is what separates the beginners from hackers. Without giving you the blow-by-blow, these screenshots give you an idea of how easy it can get. In all, I spent about 10 minutes getting the information needed to set up the password attack, which is step three.
There is one caveat worth mentioning. Capturing the authentication information (four-way handshake) requires you to monitor for the packets transmitted when a client attempts to connect with an access point (AP). The act of connecting is what generates the packets that hackers are interested in exploiting. If there are no wireless clients connected, a hacker must wait for someone to establish a connection. Checking your morning email just got a little more real, didn't it?
If a client is already connected, it is still possible to capture the requisite information by forcing a reconnection attempt. How, you ask? By targeting a specific user and booting them off the network with one simple command-line instruction.
After we're done sniffing, we have to use a cracker to brute-force every master key against the PTK. Between Linux and Windows, there are fewer than 10 programs that actually perform the brute-force attack. The majority of them, such as Aircrack-ng and coWPAtty, rely on a dictionary attack. That means you need to provide a discrete database of words to check against. In the end, there are really only two programs that perform truly random brute-force attacks: Pyrit (combined with John the Ripper in Linux) andElcomsoft's Wireless Security Auditor (Windows).
It should come as no surprise that coordinating an attack in Linux is more involved than Windows. Aircrack-ng is used to sniff and parse. Then you switch to Pyrit in pass-through mode via coWPAtty (PMK-PTK conversion) for the brute-force attack. In comparison, Elcomsoft offers a much more fluid experience with its Wireless Security Auditor. Admittedly, that app is so easy to use, a caveman could do it. It sniffs (provided you have an AirPcap adapter), parses, and attacks a WPA-protected network in no more than 10 mouse clicks.
Although cracking is slightly more complicated to pull off in Linux, it's also less expensive. The fully-automated version of WSA runs $1199, but it lets you use up to 32 CPU cores and eight GPUs, it adds sniffer support, and it features support for dedicated cracking hardware like Tableau's TACC1441 (the serious FPGA-based stuff). The standard version is more limited. It's restricted to two CPU cores and one GPU and only costs $399. You do need a third-party app for the sniffing step, though.
OSLinuxWindowsWindows (fully automated)
SniffingAircrack-ngAircrack-ngWireless Security Auditor Pro Edition
ParsingAircrack-ngWireless Security Auditor Std. EditionWireless Security Auditor Pro Edition
CrackingPyrit via CoWAPttyWireless Security Auditor Std. EditionWireless Security Auditor Pro Edition
Software CostFree$399$1199

Brute-Force Cracking
If you want more information on how brute-force attacks work, we suggest that you read page four ofHarden Up: Can We Break Your Password With Our GPUs?. In a nutshell, brute-force attacks involve "guessing and checking" on a much larger and faster scale in an attempt to defeat passwords.
Unlike online banking passwords, WPA doesn't have any authentication restriction. If you're persistent enough, you can keep guessing passwords until hell freezes over.
Available Characters Using The  English LanguagePossible Passwords, Two CharactersPossible Passwords, Four CharactersPossible Passwords, Six Characters
Lower-case 676456 976308 915 776
Lower- and Upper-case27047 311 61619 770 609 664
Lower-case, Upper-case, and Numbers384414 776 33656 800 235 584
All (Printable) ASCII Characters883678 074 896689 869 781 056

Brute-force attacks are only effective when they can check passwords at a high speed, as the number of potential passwords grows exponentially with a larger character set and longer password length (possible passwords =n[password length] , where n is the number of possible characters).
Most of the time, hackers don't know the length of your password, though. That's why they have to perform an exhaustive search of all possible combinations, starting from a list of single-character options.

CPU-Based Cracking: Like Watching Paint Dry

If the guy trying to get into your network is only armed with a conventional desktop processor, don't fret about the security of your WPA-protected network. Those 16 388 SHA1 transformation invocations really bog down brute-force attacks. While we were able to crack WinZip archives at 20 million passwords per second in our previous piece, we're only able to manage about 5000 against WPA using an Intel Core i5-2500K.
Total Search Time Search, Assuming 5000 WPA Passwords/SecondPasswords Between 1 and 4 CharactersPasswords Between 1 and 6 CharactersPasswords Between 1 and 8 CharactersPasswords Between 1 and 12 Characters
NumbersInstant4 minutes6.5 hours7.5 years
Lower-case2 minutes18 hours1.5 years662 263 years
Alphanumeric (including Upper-case)52 minutes140 days1481 yearsNext Big Bang
All (Printable) ASCII characters5 hours5 years48 644.66 yearsNext Big Bang

How's this for a sense of futility? There's really no way to brute-force an alphanumeric password longer than six characters using our Core i5 processor. If you're using the entire (printable) ASCII set, a WPA password longer than five characters is reasonably safe.
The calculations above assume you're running WSA in Windows, because the Linux route yields slightly worse CPU performance. Using CoWPAtty and Pyrit, we're down to 3307 passwords per second.
In the pages to come, we're going to present two numbers from Linux: the result from Pyrit's benchmark command and the figure reported by CoWPAtty using the Pyrit pass-through function. The Pyrit benchmark command is commonly used to highlight GPU performance, but it doesn't figure in the last couple of transformations needed to go from PMK to PTK. There is some overhead there because the PMK-PTK conversion occurs outside of Pyrit.
CoWPAtty and Elcomsoft's Wireless Security Auditor test the speed at which master keys are checked against the PTK information contained within captured packets. As such, those are the real-world numbers you would see in mounting a brute-force attack against a WPA-protected network.

GPU-Based Cracking: AMD Vs. Nvidia In Brute-Force Attack Performance

So, what happens when we put GPUs to work on the same task?

Intel Core i5-2500KNvidia GeForce GTX 460 1 GB
Cores4 (no HT)336
Clock Speed3.3 GHz (base)1350 MHz
Wireless Security Auditor4752 passwords/s18 105 passwords/s
Pyrit Benchmark3949.13 PMKs/s17 771.6 PMKs/s
Pyrit w/CoWPAtty3306.85 passwords/s19 077.15 passwords/s
Time To Crack Passwords Between 1 and 6 Characters (Alphanumeric)140 days, 14 hours (WSA)35 days (Pyrit)
Time To Crack Passwords Between 1 and 8 Characters (Alphanumeric)1480 years, 311 days (WSA)368 years, 319 days (Pyrit)

Compared to CPUs, the performance difference is incredible. A single GeForce GTX 460 manages roughly 4x the performance of a Core i5-2500K.
That Forensic Computers, Inc. Tableau TACC1441 mentioned earlier should have been an indication that GP-GPU computation would outperform desktop CPUs. After all, the FPGA-based accelerator consists of a massively parallel array of processors that operate in concert to attack multiple types of encryption schemes. This is a problem better-addressed by many cores operating concurrently. 
Now, we know how a mid-range graphics card fares against a fairly mid-range CPU. What happens when we start ratcheting up the complexity of our graphics configuration?
It's striking to see how much faster AMD's cards are than Nvidia's. The Radeon HD 6990 sports a greater number of ALUs than the GeForce GTX 590, though. Moreover, it has been shown that there are certain operations AMD's ALUs are able to execute more efficiently.
For some reason, we did have to enable CrossFire to get the second Radeon HD 6990 to appear under WSA (generally, multi-GPU configurations don't need to be running in CrossFire or SLI to operate cooperatively). Both technologies can slow down a brute-force attack because they're designed to help balance GPU workloads. In this case, CrossFire actually works to the detriment of performance. With AMD's multi-card feature disabled, we achieve the expected linear performance scaling in Linux.
Brute-force password cracking in a reasonable amount of time is wholly dependent on the number of cores you wield and the speed at which they operate.
Time To Find Crack...Passwords Between 1 and 6 Characters (Alphanumeric)Passwords Between 1 and 8 Characters (Alphanumeric)
Nvidia GeForce GTX 460 1 GB35 days (Pyrit w/ CoWPAtty)368.9 years (Pyrit w/ CoWPAtty)
Nvidia GeForce GTX 59011.6 days (Pyrit w/ CoWPAtty)122.5 years (Pyrit w/ CoWPAtty)
2 x Nvidia GeForce GTX 5906.5 days (WSA)68.66 years (WSA)
AMD Radeon HD 685020.4 days (WSA)214.75 years (WSA)
AMD Radeon HD 69905.88 days (WSA)62.24 years (WSA)
2 x AMD Radeon HD 69903.08 days (Pyrit w/ CoWPAtty)32.97 years (Pyrit w/ CoWPAtty)

Though not common, a pair of GeForce GTX 590s or Radeon HD 6990s in a high-end gaming rig isn't unheard of. Clearly, passwords consisting of seven characters or more are fairly safe. But bear in mind also that we're also looking at worst-case scenarios. The numbers cited above are indicative of searching for a password between 00 and 99, and the right answer ends up being 99. The correct answer is just as likely to be 00, slashing the compute time.

Nvidia's Tesla And Amazon's EC2: Hacking In The Cloud

Cracking passwords works best on a scale exceeding what an enthusiast would have at home. That's why we took Pyrit and put it to work on several Tesla-based GPU cluster instances in Amazon's EC2 cloud.
Amazon calls each server a "Cluster GPU Quadruple Extra Large Instance" and it consists of the following:
  • 22 GB of memory
  • 33.5 EC2 Compute Units (2 x Intel Xeon X5570, quad-core, Nehalem architecture)
  • 2 x Nvidia Tesla M2050 GPUs (Fermi architecture)
  • 1690 GB of instance storage
  • 64-bit platform
  • I/O performance: 10 gigabit Ethernet
  • API name: cg1.4xlarge

This machine is strictly a Linux affair, which is why we're restricted to Pyrit. The best part, though, is that it's completely scalable. You can add client nodes to your master server in order to distribute the workload. How fast can it go? Well, on the "master" server, we were able to hit between 45 000 to 50 000 PMKs/s.
Computed 47956.23 PMKs/s total.
#1: 'CUDA-Device #1 'Tesla M2050'': 21231.7 PMKs/s (RTT 3.0)
#2: 'CUDA-Device #2 'Tesla M2050'': 21011.1 PMKs/s (RTT 3.0)
#3: 'CPU-Core (SSE2)': 440.9 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 421.6 PMKs/s (RTT 3.0)
#5: 'CPU-Core (SSE2)': 447.0 PMKs/s (RTT 3.0)
#6: 'CPU-Core (SSE2)': 442.1 PMKs/s (RTT 3.0)
#7: 'CPU-Core (SSE2)': 448.7 PMKs/s (RTT 3.0)
#8: 'CPU-Core (SSE2)': 435.6 PMKs/s (RTT 3.0)
#9: 'CPU-Core (SSE2)': 437.8 PMKs/s (RTT 3.0)
#10: 'CPU-Core (SSE2)': 435.5 PMKs/s (RTT 3.0)
#11: 'CPU-Core (SSE2)': 445.8 PMKs/s (RTT 3.0)
#12: 'CPU-Core (SSE2)': 443.4 PMKs/s (RTT 3.0)
#13: 'CPU-Core (SSE2)': 443.0 PMKs/s (RTT 3.0)
#14: 'CPU-Core (SSE2)': 444.2 PMKs/s (RTT 3.0)
#15: 'CPU-Core (SSE2)': 434.3 PMKs/s (RTT 3.0)
#16: 'CPU-Core (SSE2)': 429.7 PMKs/s (RTT 3.0)
Are you scratching your head at this point? Only 50 000 PMK/s with two Tesla M2050s?! Although the hardware might seem to be under-performing, the results are on the order of a single GeForce GTX 590, which of course is armed with two GF110 GPUs. Why is that?
Nvidia's Teslas were designed for complex scientific calculations (like CFDs), which is why they so prominently feature fast double-precision floating-point math that the desktop GeForce cards cannot match. Tesla boards also boast 3 and 6 GB of memory with ECC support. However, the process we're testing doesn't tax any of those differentiated capabilities. And to make matters worse, Nvidia down-clocks the Tesla boards to ensure the 24/7 availability needed in an enterprise-class HPC environment.
But the real reason to try cracking WPA in the cloud is scaling potential. For every node we add, the process speeds up by 18 000 to 20 000 PMKs/s. That's probably not what most folks have in mind when they talk about the cloud's redeeming qualities, but it does demonstrate the effectiveness of distributing workloads across more machines that what any one person could procure on their own. 
Each GPU cluster instance is armed with a 10 Gb Ethernet link, restricting bidirectional traffic between the master and nodes to 1.25 GB/s. This is what bottlenecks the cracking speed. Remember that a single ASCII character consumes one byte. So, as you start cracking longer passwords, the master server has to send more data to the clients. Worse still, the clients have to send the processed PMK/PTK back to the master server. As the network grows, the number of passwords each additional node processes goes down, resulting in diminishing returns. 
Harnessing multiple networked computers to crack passwords isn't a new concept. But ultimately, it would have to be done differently to be more of a threat. Otherwise, desktop-class hardware is going to be faster than most cloud-based alternatives. For example, about a month ago, Passware, Inc. used eight Amazon Cluster GPU Instances to crack MS Office passwords at a speed of 30 000 passwords per second. We can do the same thing with a single Radeon HD 5970 using Accent's Office Password Recovery.

Securing Your WPA-Protected Network

Rest easy. From a practical standpoint, WPA is fairly safe. There are far too many salted key-derived hashes to process. The Wi-Fi Alliance got that portion of the protocol right. Even with a pair of Radeon HD 6990s, we're limited to about 200 000 passwords per second, and that means any alphanumeric password longer than seven characters is almost impossible to crack in under a year. That's a long time to wait for free Internet access from the guy next door (you'd be better off using social engineering to get the password from him; try a 12-pack of Newcastles). After adding a few special keystrokes, brute-force attacks look completely infeasible on passwords longer than six characters. Though, the point is kind of moot considering WPA/WPA2 requires a password longer than eight characters.
Unfortunately, most of us use passwords that include words. As such, those passwords are vulnerable to dictionary-based attacks. The number of words in conversational English is in the tens of thousands. A single GeForce GTX 590 can manage at least 50 000 passwords per second against a WPA-protected network. Even if you add a few variations, you really only need to spend a day or two crunching passwords to break the proverbial lock. Why? Because an entire word is functionally the same as a single letter, like "a." So searching for "thematrix" is treated the same as "12" in a brute-force attack.
Ideally, you should avoid the following if you are trying to make your network more secure:
  • Avoid words from the dictionary. The Oxford English dictionary contains fewer than 300 000 entries if you count words currently in use, obsolete words, and derivative words. That's nothing for a GeForce GTX 590 or Radeon HD 6990.
  • Avoid words with numbers appended at the end. Adding 1 to the end of password doesn't make it a more secure. We can still crunch the entire English dictionary and numbers in half a day with a pair of Radeon HD 6990s.
  • Avoid double words or simple letter substitution. PasswordPassword only doubles the number of words that we have to search. That's still fairly easy, considering how fast we can scan words. Also, p@55w0rd isn't a much more secure password. Password crackers know all the usual shortcuts, so don't take that route. 
  • Avoid common sequences from your keyboard. Adding QWERTY to the dictionary of tested passwords isn’t hard work. That's another shortcut to avoid.
  • Avoid common numerical sequences. 314159 may be easy to remember. It's Pi, after all. But it's also something that's easy to test for.
  • Avoid anything personally related, such as your license plate, social security number, past telephone number, birthday, and so on. We live in a world where a lot of information is public domain. If you have a Facebook or Twitter account, the amount of information available keeps growing.

To the average hacker, WPA holds up remarkably well. Even if you're using a short, random password, the cracking speed we see from GPUs is simply too slow as a result of the high computational requirements for the key derivation function.
The real threat is distributed computing. Buying four Radeon HD 6990s help you reach close to half a million passwords per second. But the cards alone cost nearly $3000. If we went to the trouble of tweaking the Pyrit code, it would be possible to achieve the same performance for $8 by renting 10 EC2 Cluster GPU Instances. If you're unable to scale your code for automation, you can still achieve that level of performance by manually managing the workload across multiple servers.
The current distributed offerings might not offer impressive performance, but their speed isn't what worries us. It's their low price tag. Moxie Marlinspike, a hacker, runs a service called WPACracker, which can be used to crack the four-way handshake capture of WPA-PSK using 400 CPU clusters on Amazon's EC2 cloud. This scaling allows you to crunch through a 135 million word dictionary specifically created for WPA passwords in under 20 minutes. Even though that's ~112 500 passwords per second (equivalent to a single GeForce GTX 590), you only have to pay $17.
Total Search Time Assuming 1 Million WPA Passwords/Second
(Cost using EC2 Reserved Rate)
Passwords Between 1 and 4 CharactersPasswords Between 1 and 6 CharactersPasswords Between 1 and 8 CharactersPasswords Between 1 and 12 Characters
Estimated Cost: $0.74
Estimated Cost: $0.74
2 minutes
Estimated Cost: $0.74
12.75 days
Estimated Cost: $226
Estimated Cost: $0.74
5 minutes
Estimated Cost: $0.74
2.5 days
Estimated Cost: $44.40
3147 years
Alphanumeric (including Upper-case)Instant
Estimated Cost: $0.74
16 hours
Estimated Cost: $11.84
7 years103 981 388 years
All (Printable) ASCII characters2 minutes
Estimated Cost: $0.74
9 days
Estimated Cost: $159.84
231 yearsNext Big Bang

Thomas Roth, a security expert who helped highlight the flaws of the Sony PlayStation Network, seems to be the only person that has publicly demonstrated a properly-scaled GPU distributed cracking network. His setup linearly scales the speed of individual EC2 Cluster GPU Instances by balancing the workload and reducing bottlenecks. So, even though we need about 10 Radeon HD 6990s split among three desktop systems to reach 1 million WPA passwords per second, we can do the same by spending $60 to rent 20 Cluster GPU Instances (the limit was recently increased to 64 servers). The only hurdle is optimizing code in Amazon's cloud. And no, we aren't going to share our code.
ZoomComputational clouds like Amazon's EC2 were originally intended to help developers and scientists solve complex mathematical problems without a heavy investment in building a server farm. I doubt that Amazon had hacking in mind, but the cat's out of the bag. The fact is that it can and will be done. If someone wants onto your network badly enough, your strong password might be the only thing stopping them.
And that's ultimately why you need to change your password strategy. The fact that that most of us use alphanumeric passwords to lock our Wi-Fi networks only serves to weaken them. How many of us know friends or family who never changed their default router passwords, either? We know that AT&T's U-verse routers (identified with SSIDs like 2Wirexxx, where is a number) come with default passwords limited to numbers and are only 10 characters in length. Using a pair of Radeon HD 6990s, you can mow through every possibility in under 14 hours.
Besides using a unique SSID, a WPA password should follow the following rules:
  • Fully random
  • At least eight characters in length.
  • Contain at least one upper-case letter
  • Contain at least one lower-case letter
  • Contain at least one special character, such as @ or !
  • Contain at least one number
For those of you in IT, you're better off investing in an authentication server, which adds another layer of wireless security since the master key is hidden from the user and generated dynamically. This means that the PMK is a fresh symmetric key particular to the session between the client and AP. It infinitesimally increases the complexity of a brute-force attack. In fact, as an IT professional, you should worry more about someone bribing an employee or stealing an unencrypted laptop.
Keeping Perspective
Whenever someone talks about security, it's easy to go overboard. We get so caught up in locking down our information that we forget to ask ourselves if we have anything worth stealing.
To some degree, everyone has information they'd prefer stayed private, which is why we think everyoneshould be putting some effort into keeping intruders out. And the fact of the matter is that most troublemakers will see your locked access point and simply move on. Users in the Netstumbler forums estimate that 10-20% of networks still use WEP encryption. If someone really wants to hijack a network, they'll likely look for a WEP-protected target first. Whether someone is willing to spend hours, days, or even years banging on your WPA-secured fortress will depend on the state secrets hiding on the other side.
The fact of the matter is that most of us aren't high-profile enough to attack, so long as the right protocol is in place. It's often said that a pump-action shotgun is the best tool for home defense, not because it's any scarier than a handgun or rifle, but because the sound of a shell cycling is enough to make any intruder turn and flee. Well, consider WPA your pump-action.
Of course, not everyone agrees that security is necessary. In fact, many people purposely run open Wi-Fi networks. According to a post at TorrentFreak, the legality of holding a network owner responsible for the actions of users remains in doubt. One defendant writes, "Not all unsecured networks are due to a lack of technical knowledge. Some of us leave them open to friends and others out of a sense of community." That's super-generous and all, but if you're using one of those networks, just be aware that you're already rubbing shoulders with the bad guys.

1 comment:

  1. Excellent compilation of information...I knew most of this already but of course, there are things in here I did not know as well...which just goes to add to my quest of wireless security knowledge! thank you for the great post =]