EXTRA: Wi-Fi encryption not safe? PANIC!

Welcome to a special IT Blogwatch EXTRA: as Richi Jennings watches bloggers' reactions to the Russian hackers who claim to be able to crack WPA2 Wi-Fi encryption. Not to mention 41st Reality...

Dan Raywood reports:

Wi-Fi logo
WiFi is no longer secure enough to protect wireless data ... A Russian's firm's use of the latest NVidia graphics cards to accelerate WiFi ‘password recovery' times by up to an astonishing 10,000 per cent proves that WiFi's WPA and WPA2 encryption systems are no longer enough to protect wireless data.


Companies can no longer view standards-based WiFi transmission as sufficiently secure against eavesdropping to be used with impunity.

John Leyden adds:

The latest graphics cards have been used to break Wi-Fi encryption far quicker than was previously possible. Some security consultants are already suggesting the development blows Wi-Fi security out of the water and that corporations ought to apply tighter VPN controls, or abandon wireless networks altogether, in response.


We've known for years that the previous generation of wireless encryption, WEP, was vulnerable to brute force attack. The infamous compromise of TJX, which resulted in the compromise of at least 45.7m credit card records, has been traced back to a hack in a weak security retail network with older point of sale terminals running WEP. Elcomsoft advance makes WPA and WPA2 encryption open to attack.


The raw horsepower of graphics chips, normally used as 3D graphic accelerators by gamers, can also be applied for a variety of other number-crunching password-breaking uses beyond uncovering WiFi passwords.

John Murrell harks back:

In July, a red-faced Nvidia announced it would be eating up to $200 million in repair, return and replacement costs because some significant number of its notebook graphics chips made it into the market with a flaw in the die/packaging material that caused a high failure rate.


Despite its troubles ... Nvidia still has at least one loyal fan base, though not one it would want to embrace — hackers ... Seems the massively parallel processing capabilities of the graphics chips also lend themselves well to brute-force cracking, and the euphemistically named “password recovery software” sold by Russian firm Elcomsoft puts that power in the hands of the ill-intentioned masses.

Kelly Hodgkins is cautious:

The article unfortunately lacks some key details about the configuration of the WPA/WPA2 encryption that was hacked and the length of time it took for the encryption to be broken; leaving us a little in the dark about the extent of this threat. Nonetheless, individuals and companies that rely on wireless networking may want to follow this report to see if it is confirmed or debunked.

Wouldn’t want you to bury your head in the sand and sit complacent while your neighbor’s kid with his uber-gaming rig hacks into your Wi-Fi network and steals Sarah Palin’s email. That could land you up to 5 years in jail. D’oh!

Devin Coldewey waxes euphemistically:

If you’re really in a hurry to “recover” that password from the WPA-secured wi-fi network you’re “sharing” with a neighbor, you’re going to be waiting a long time for that brute force crack to work on your old traditional processor. Why not make yourself a tool using NVIDIA’s parallel processing environment CUDA and run it on a nice GeForce GTX 280 series? That’ll decrease your wait time by quite a bit.


That’s not to say you can just grab passwords out of the air, of course, and WPA is still as secure as it was yesterday, but if someone sets their mind to cracking your network, it’s going to take them about a hundredth of the time now if they set it up right. Not exactly the best PR, but I think NVIDIA will take what they can get.

Huu Nguyen reminds us that it's not just Wi-Fi:

Sold as a "password recovery" solution for $600 (5 clients) to $5000 (2500 clients), Elcom Distributed Password Recovery is a software that allows its users to crack passwords from many applications. Among the "crackable" formats: Microsoft Office, PGD (PGP Disk with conventional encryption), OpenDocument, PDF (user and owner passwords) Quicken, WPA, WPA2 and many more.

And finally...

RSS feed icon
Like this stuff? Subscribe to the RSS feed.

Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.

Previously in IT Blogwatch:

Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon