Wi-Fi

For sale: Wi-Fi encryption cracker

Elcomsoft, a Russian company, is now selling software that tests the strength of WPA and WPA2 PSK passphrases. No need to panic. Still, we need to look at the motive and the possible future repercussions of this.

Elcomsoft is selling Wireless Security Auditor, a WPA/WPA2 encryption cracker for PSK passphrases. I’m not that worried, because it's an expensive endeavor with limited usefulness. Let’s take a look at three reasons why I say that:

  • Prove ROI -- The application costs more than $600 US.
  • Unique hardware -- A custom high-end PC with three or four graphics cards is required. (I’ll explain why later.)
  • PSK requirement -- The application uses a dictionary attack, which is only effective if simple PSK passphrases are used.

The first two would be show stoppers for most of us, but Elcomsoft isn’t targeting us. They feel this product will be beneficial to larger corporations that employ wireless networks, as mentioned on their Web site:

“A single weak link poses a valid security threat to the entire corporate network. Wireless (Wi-Fi) networks can provide sufficient security if configured properly and accompanied by an adequate password policy. Elcomsoft Wireless Security Auditor exposes security problems in your wireless network to allow network administrators taking appropriate measures and adopting a proper password policy.”

Where’s the logic?

I’m having a difficult time understanding Elcomsoft’s rationale for selling this product. I'm sorry, but the cynic in me sees only two possible explanations: either Elcomsoft doesn’t understand the corporate wireless environment, or Elcomsoft wants to absolve itself of any responsibility if the product is used illegally. See if my logic makes sense to you.

Corporations?

If corporate entities are concerned about security, they will be running 802.11i supplemented with 802.1X authentication and not using PSK passphrases. Furthermore, having to set up each individual computer with the same PSK passphrase is not very efficient if there are hundreds of workstations. So most corporations with wireless networks will not need Wireless Security Auditor to check for weak encryption policies.

Small businesses?

If large corporations don’t need Wireless Security Auditor, then who does? Small businesses or SOHO operations that aren’t using 802.11i/802.1X for authentication might need it, but I doubt it. It’s been my experience that small businesses are even more sensitive to ROI. Especially in the “current economic climate,” most small business owners are not inclined to spend money on what they consider reactive solutions that hurt the bottom line.

So, who then?

I’m not really sure. The individuals or organizations that would like an application like this already have it or are sophisticated enough to figure it out on their own. This attack isn’t new, as can be seen from Robert Moskowitz's article "Weakness in Passphrase Choice in WPA Interface," which was published in November of 2003.

One reason to buy

I must admit that Elcomsoft has all but eliminated the main drawback of dictionary attacks. Normally it would take so much time to complete a dictionary attack that only the most determined attackers would be willing to use it. It was quite ingenious of Elcomsoft to harness the processing power of multiple high-end graphics cards. Elcomsoft has even applied for a patent on what they call GPU acceleration:

“ElcomSoft has pioneered many software innovations that have made it easier to recover passwords protecting various types of resources. For the first time in the industry, the company’s patent-pending GPU acceleration makes its way into Wi-Fi password recovery, reducing the time required to recover Wi-Fi passwords up to a hundred times. Supporting up to four NVIDIA boards such as GeForce 8, 9, and 200, as well as ATI video cards such as RADEON HD 3000 Series and up, Elcomsoft Wireless Security Auditor allows building servers with supercomputer performance at a fraction of the price.”
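To make concrete why a dictionary attack works against a simple PSK and why GPU parallelism matters so much, here is an added example (my own code, not the article's and not Elcomsoft's product). It derives the WPA/WPA2-Personal pairwise master key exactly as an access point does, then estimates how long exhausting a passphrase's keyspace would take at a given guess rate. The PBKDF2 parameters (HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) come from IEEE 802.11i; the mini wordlist, the guess rates, the 64-bit policy threshold and the audit_passphrase helper are constructed assumptions for illustration.

```python
import hashlib
import math
import string

# WPA/WPA2-Personal derives the Pairwise Master Key (PMK) from the passphrase
# with PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output.
# These constants are fixed by IEEE 802.11i, not assumptions.
WPA_PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32

# Constructed mini wordlist standing in for the kind of dictionary the
# article refers to; a real list would hold millions of entries.
SAMPLE_WORDLIST = ["password", "letmein", "linksys", "admin", "qwerty",
                   "wireless", "internet", "12345678", "trustno1", "iloveyou"]

# Illustrative guess rates (assumptions, not Elcomsoft's published figures):
# one CPU versus the "up to a hundred times" speed-up the vendor quote claims.
CPU_GUESSES_PER_SECOND = 1_000
GPU_GUESSES_PER_SECOND = CPU_GUESSES_PER_SECOND * 100

SECONDS_PER_YEAR = 31_557_600


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11i restricts a PSK passphrase to 8..63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK the same way a WPA2-PSK access point does."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        WPA_PBKDF2_ITERATIONS,
        PMK_LENGTH_BYTES,
    )


def charset_size(passphrase: str) -> int:
    """Size of the union of standard character classes present in the passphrase."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c == " " for c in passphrase):
        size += 1
    return size


def entropy_bits(passphrase: str, wordlist=SAMPLE_WORDLIST) -> float:
    """Rough keyspace estimate in bits. A dictionary entry is only as strong as
    the list it sits in, whatever its length or character mix."""
    if passphrase.lower() in wordlist:
        return math.log2(len(wordlist))
    return len(passphrase) * math.log2(charset_size(passphrase))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in the estimated keyspace.
    Each guess costs one full PBKDF2 derivation, which is why the rate matters."""
    return (2.0 ** bits) / guesses_per_second


def audit_passphrase(passphrase: str, ssid: str) -> dict:
    """Hypothetical policy check: PMK plus time-to-exhaust at both assumed rates."""
    bits = entropy_bits(passphrase)
    return {
        "pmk_hex": derive_pmk(passphrase, ssid).hex(),
        "entropy_bits": round(bits, 1),
        "cpu_years": seconds_to_exhaust(bits, CPU_GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
        "gpu_years": seconds_to_exhaust(bits, GPU_GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
        # Assumed threshold: below ~64 bits a multi-GPU rig is a real risk;
        # a generated 20-character passphrase lands far above it.
        "verdict": "weak" if bits < 64 else "strong",
    }


if __name__ == "__main__":
    # "Summer2009" and the 20-character string are constructed sample inputs.
    for candidate in ["password", "Summer2009", "kL8#vQ2!pZ9$wT4&nB7^"]:
        print(candidate, audit_passphrase(candidate, "linksys"))
```

Running it shows the point of the article in numbers: a wordlist entry falls in seconds regardless of the hardware, a ten-character word-plus-year passphrase sits under the assumed threshold once GPUs are in play, and a random 20-character passphrase is out of reach by dozens of orders of magnitude. The `derive_pmk` function can be checked against the published 802.11i test vector (passphrase "password", SSID "IEEE").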

What now?

Now that we understand what’s available, I’d like to share my concerns. It’s obvious that if something like this fell into the wrong hands it could cause a lot of hardship. I realize the cost is prohibitive for most, but we have to take underground trafficking of software into consideration. How long before Wireless Security Auditor is made available on a BitTorrent channel?

Once that happens, I start to worry about unsuspecting consumers who are using simple passwords or even the default password that came with their Wi-Fi equipment. I can hear their arguments now:

“You told me that my Wi-Fi system would be secure if I used WPA/WPA2. So I went through all that trouble upgrading and now you are telling me that I have to come up with a complicated passphrase that’s hard to remember.”

Sound familiar? I even get frustrated, but there’s precious little we can do other than continue to be vigilant and help each other.

Final thoughts

I don’t want it to seem like I’m crying wolf, because there's no need to be overly concerned. Just ensure that your Wi-Fi passphrases are complicated, making this attack vector useless. In my next article, I’m going to discuss some options that can simplify the whole process of using complicated passphrases. I’d also like to hear any tips you have in that regard.



61 comments
jhoughton

What about all those video cards? I didn't see that and I thought it would be explained!

Neon Samurai

I think it started with SETI and similar distributed processing projects. A driver was written so that those math intensive programs could use the video card's processor to run the calculations since it is much faster than the cpu. I'm guessing they use the multiple graphics cards for that same heavy math workload. Instead of your SLI rig processing physiX and 3D related math, it processes the dictionary attack calculations.

Michael Kassner

I apologize, I thought the explanation quote from Elcomsoft and the information at their web site would do it. Basically the application uses the graphic processors instead of the computer's main processors. GPUs are very high speed and will be focused on just one task. Dictionary attacks require a great deal of number crunching, which normally takes a considerable amount of time. The graphic processors cut the amount of time down significantly.

Neon Samurai

My recommendations remain the same with one change: Before connecting the router WAN port:
- change the admin password. If possible, change the admin name also.
- use https to admin the router. Disable "admin through http" if possible. If https is not available for administration, return it to your retailer and get a better one.
- disable "admin from WAN" and "admin from Wireless". Only someone on your wired network inside your home should be able to view the https admin forms.
- change the network name (ssid) to something descriptive but not personally identifiable. I use my password generator to pick eight random characters since the SSID is only a broadcast identifier.
- use wpa/wpa2 with AES (tkip is in the early stages of going the way of WEP).
- change the wpa/wpa2 aes passphrase to something strong. I use upper, lower, numbers, symbols and a 20 character length from a password generator. If you have twenty or fewer wireless client machines, it's not an issue to manage them.
- use mac filtering to reduce the amount of traffic the router listens to. The wireless airwaves are noisy. Mac Filtering should not be relied on as a security layer, just a way to reduce the radio noise.
If you don't have any wireless devices but have a wireless router, turn off the wireless.

pgit

The way I set things up I never plug into the WAN port, and the router is not the DHCP server. Plugged in as a peer on the LAN, DHCP is passed on elsewhere. It's basically an access point. Of course there is use for an isolated wireless network, I just haven't bumped into that situation. BTW the shortest pass phrase I've set up is 24 characters, and all of them have a slew of unusual characters, >, ), ^, +, } you name it.

Neon Samurai

For my own home network I'm ok with the router issuing IP. I have a few other installs though where the router only uses the LAN ports with dhcp disabled. It makes for a nice quick switch and wireless bridge when needed. The trick is getting a router with a physical button that can be mapped to the wifi radio toggle; I can turn the radio on and off as needed that way.

Neon Samurai

The first wireless router I bought was the 54gs due to it being affordable when I was living on a university student budget. When Linksys stopped providing firmware upgrades for the first generation hardware, I ran through the selection of alternative firmware but most of them support linksys first and other brands second (cough.. Tomato.. cough). ddWRT was my third or fourth try though it has one of the longest supported hardware lists. I'm open to weaning though now that the 350n is a few generations behind and I'm not feeling the need to keep Tomato and all the other firmware as options. Being able to separate the hardware and firmware in one's router opens up a lot of options. I hope the alternative firmware for the NAS200 evolves quickly; or my budget expands to afford the Visionvault.

Michael Kassner

I will have to wean you off of Linksys consumer equipment. I hate that button you are referring to. If you don't convert to DD-WRT that button is a total pain in the butt. If I understand you correctly. BrainSlayer found a much better use for it, thank goodness.

Neon Samurai

On the 350n it is a black button on the top. On the 54gl, it is the Cisco Systems yellow glowing logo with a button hidden behind it. You'll feel it press in then see it turn white to indicate that it sensed the finger push. My first generation wtr54gs does not have the button but it looks like hardware version 2 onward does. Look for the ones providing the "secure easy setup" function, they should have a physical button on the case somewhere.

Michael Kassner

Neon, you are referring to a switch in the config screens not an actual physical switch are you?

Neon Samurai

Any of the Linksys routers that have an "easy setup" button and are supported by ddWRT:
- wrt54gl
- wrt54gs
- wrt350n
http://www.dd-wrt.com/wiki/index.php/Supported_Devices
I hit that list with a control-F when considering new hardware. ddWRT has a setting "use easy setup button to turn wireless on and off" and a checkbox option "turn wireless off at boot". If the router doesn't need wireless, I have it turned off by default when the router boots. I can then turn on wireless when needed and back off again after. I can also schedule times when wireless is to be available.

pgit

huh, never thought of a physical switch. The one or two times I've had to shut off a transmitter I yanked the unit and put a switch in temporarily. =) Can you list a product or two that has that capability? I'd be interested in using something like that over the cheap stuff people usually want to buy.

---TK---

why not hide the SSID?

Neon Samurai

A hidden SSID is like standing behind a tree with your hands over your eyes; you're only hidden until anyone walks around to your side of the tree. Anyone from the grade eight script kiddie on up to the professional criminal can see the SSID regardless of whether it's broadcast or not. The only place you can't see the hidden SSID is in the client "available networks" list. When the SSID is broadcast, the client nodes know to listen for it. When they are out of range, they quietly listen for it before trying to connect. When not broadcast, the client nodes continually call out for it. That means your pda, notebook and other devices are continually announcing your network SSID. Now, what John P Evildoer does is run a little program that listens for those devices calling out for a network and answers; "XYZ network? Oh, that's me.. send over the password." Such a tool can harvest a nice long list of network name and password combinations. There is also a matter of etiquette. For the few other wifi owners in my local area that know enough to look, I want them to know I'm on channel # so they choose a different channel. Too many different networks on the same channel causes problems for the weaker signals. Every now and then, I still have to run a scan to see what channel has the least traffic on it and switch my router over; flaky connectivity becomes crystal clear again. Last, the idea of relying on obfuscation rather than a proper security mechanism makes me itch. If obfuscation is a key component of one's security strategy, it should be reevaluated. The only place obfuscation is of use is for the attacker who is trying to get the job done before that time limited advantage ends.

Michael Kassner

We all know hiding the SSID is not any real form of security. In many cases it degrades the efficiency of the network by producing significantly more broadcast traffic from each radio. Also WZC does act oddly more often than not when the SSID isn't broadcast. Still, consumers may see some benefit from it in their home networks as it has a tendency to keep less-determined attackers at bay.

Michael Kassner

I actually wish that vendors would remove Wi-Fi capabilities from perimeter gateway routers (DSL especially). It's such an easy attack vector. It also raises expectations. People get a wireless DSL router and automatically expect Wi-Fi throughout the facility. There is not usually any forethought to placing the router in a location that will be beneficial to wireless coverage.

seanferd

It is too easy to find and exploit errors in HTML. At the least, you should be able to disable the web interface and use a CLI or a menu system.

Neon Samurai

I needed a quick and dirty box to bring four ports inside my network through VPN so I picked the sx41 from a local vendor's website. The NICs are not mission critical though. I wouldn't dream of crippling the public gigabit NICs with a 10/100 consumer quality router; just my remote management NICs that I don't mind running slower on. The ideal would be a separate network without internet connectivity but it's not an option for the remote rack. The ILOs also don't show any firewalling settings so leaving them open to being hammered by China is not an option. (China is the primary source showing in my logs right now; be that traffic "from" or "routed through".) I also don't need the wireless function. Wireless access defeats the physical security of the locked cage they are in so I'd be buying a wifi router just to disable the function. Buffalo is another option and the inclusion of ddWRT now really gives them a step up I think. Do they have a physical button that can be reallocated by ddWRT for wireless radio on and off? I have to compare the two brands next time I'm in the market for another router at home. Of my two secondary routers, the older has shown that it didn't survive the basement flood so I may be replacing the old first generation 54gs soon.

Michael Kassner

Are you referring to those old Linksys BEF routers? I order you to switch immediately if that's the case. They are so slow and under-powered. Buy the GLs and get it over with, LoL. I'm sure, you know those are specifically made for DD-WRT, Also, I have been meaning to talk to you about Buffalo routers. Check them out, they love DD-WRT and have better hardware IMO. In fact I was going to port over my Buffalo Nfiniti 802.11n, but it works so well out of the box I haven't touched it.

Neon Samurai

PlanA is to use a four port VPN router from the BEF line. If that won't connect and isn't supported by ddWRT then my planB is a wrt54-something with ddWRT. The ports are not high traffic so they don't need to be maximizing the gigabit switch. Currently, my problem is finding documented evidence that the router will connect to the big cisco box before I go out and expense more hardware. When the admin that does that layer of the network returns from holiday, I can confirm which of my options fit his setup but I'm still looking for third party knowledge while I wait.

Michael Kassner

Are the same way. I've written several letters to them referencing that fact. Not sure if they have changed that or not. Used to see all sorts of Actiontec SSIDs any where I went and was scanning.

Neon Samurai

I can't tell you the number of Bell/Sympatico routers I see with wifi enabled and wide open by default. The service guy shows up, plugs it in and goes "there you go.. welcome to Sympatico" and the customer is none the wiser. On the other hand, I had one of these routers I had to do a firmware update on (ok, mostly because the newer firmware was available and I'm a version snob sometimes). The firmware updated just fine but blew away most of the router's settings. Sympatico's help was useless but I eventually found a forum posting where someone else had the same issue and listed the arcane steps to setting the stupid appliance back to a simple isdn to ethernet bridge. I'd sure like to see less wide open "bell###" AP's in my wireless scanner though. Like OH Smeg says, the wireless should be turned off unless it's actually being used. Really, it should be turned off by default with the service guy asking "ok, what machines need to be connected and do you have wireless ones?" (Sympatico's choice to start using PPoE back in the day instead of keeping authentication on the service provider's side was the reason I left personally.)

Neon Samurai

I can see how exploitable routers outside the customer's own homes is a problem. My thought is that html form interfaces are great as a platform agnostic way to administrate the appliances but the http protocol should be done away with for anything but intentionally wide open websites. If it's an appliance administration form, https and ssh should be the minimum options; I don't care if it's a 30$ three port router, https at least. With cable providers, you also have the added problem of a bus topology; you and everyone else on your cable loop is sharing traffic. Modding a cable box to allow someone to sniff that passing traffic is not uncommon either. There are some great alternative firmware for cable modems that provide fantastic client side features along with the less ethical uses though. With routers in general and definitely the ones being provided to consumers; the manufacturers could make a firmware that did a proper setup process locking the device down. Sadly, it's about the money though, providing network appliances with safe settings and removing unsafe things like WEP and clear wifi inconvenience the customer and cost the manufacturer in support call center wages. It remains more important to protect the shareholder equity at the risk of the consumer. For my wireless, I stick to routers supported by ddWRT as I find the firmware makes for much better network management.
- issue dhcp ip based on mac
- map as many external ports to internal machines as I like instead of one box wide open in a dmz
- openVPN and IPsec supported with proven router to router vpn connectivity
- and on, and on..
(I was into a linksys firmware the other day and it reminded me of how good I have it now without the minimal firmware on my own appliances.) Offhand, anyone know of a router that easily supports a VPN connection back to a Cisco concentrator? I'm looking at a linksys BEF with vpn support but can't find a specific example of it connected back to a real VPN gateway. If I can confirm that it will work, I have a few remote server ports I need to block from the internet by bringing them inside my own network through it.

OH Smeg

All the major ISP's here who provide WiFi Gateway Devices do not supply any Updates for them and in my case at least the Router is a Netgear item that isn't supported by Netgear as it's the ISP's responsibility. I cured the problem permanently by turning the WiFi Side of it off. Col

Michael Kassner

Thanks for explaining, Sean. I was a bit confused. Now I understand that's it's not the protocol, it's the fact that specific vendors aren't willing to update devices. That would be frustrating. Can you mention which vendor? Maybe TR can create some momentum in order to help.

seanferd

and they do nothing to patch, I tend to see that as a problem. The vulnerability is only accessible from outside the network. It has been known for a long time now, still no firmware update. This is a low-hanging-fruit simple-stupid vuln in a lot of web page administered routers. I'm sure these things could be fixed and secured, it just seems that HTML lends itself to be poorly coded, whether it is cultural or simply more inherent in the language. I do realize that high-end Cisco router IOS has vulnerabilities, but they seem to be fixed eventually, and I don't think they would be as easy to exploit anyway. IMO.

Michael Kassner

I'm not of the same mind. You both will have to convince me that the other methods are more secure.

Neon Samurai

I can remember requiring a client app for remote admin. You'd be locked to whatever single platform that client app was written for. Since web browsers don't (or shouldn't) care about the platform behind the html tags, it easily makes all administration OS independent. I do wish they would drop port 80 though. Administration should only be through https and devices that allow http admin or don't allow https connections should be returned to the store until the manufacturers get the hint.

Neon Samurai

For legal licensees, 600$ and a triple sli rig may be speedbumps but like anything, it's only the paying customers that will be hindered. If the application is software then a cracked version will eventually turn up. Gamer script kiddies already have monster rigs and criminals are not going to have an issue "acquiring" additional graphics cards. I welcome this product though. Anything that improves user safety through active means benefits all end users.

Michael Kassner

Once it's out and about is when I get concerned. It opens up a whole new avenue that has been slowly closing. While war driving I have been noticing that the number of open Wi-Fi networks is gradually decreasing. With this application that attack vector is wide open again.

OH Smeg

Yes I agree Michael I can not see much of a Valid Reason either for this product. Col

seanferd

Such as http://news.cnet.com/2100-1023-978176.html They are fairly well known, though. I read about their stuff frequently. Since all pen-testing can be used for that which it is intended to prevent, it is such a grey area. This wifi cracker is a bit odd-tasting, all the same.

Michael Kassner

Glad you think so too. It's the first cracker I know of that's been for sale.

Michael Kassner

As Neon pointed out it will motivate people to pay more attention to their password management. At least I hope it will.

Michael Kassner

I'm not sure why Elcomsoft is selling this. Still it's another warning to make sure all passwords are complicated as dictionary attacks are becoming simpler. Oh, would you spend $600 US for an encryption cracker?

Tommy S.

Simply type a password you know a few times in a row. I personally use my normal low security password and type it in 4 times. It gives me 24 characters. But I'm looking forward to downloading that software on thepiratebay, does anyone know if it was made with the CUDA SDK?

Michael Kassner

I'm working on an article about options for this very subject. There are some neat devices out there that might be of interest.

Michael Kassner

It makes sense and works. I'm sure I'd get confused or have a brain fart some day though. I use PassWordSafe by Schneier.

gavin142

I have several "standard" passwords, but for each I simply use the first character of the first xx words in the chorus of one of my favorite songs, altering the capitalization at specific intervals. example: (no, this isn't one of mine) Star Spangled Banner: (and the rocket's red glare, the bombs bursting in air, gave proof thru the night) >> &trrg,TBBIA,gpttn

Neon Samurai

In probably less time than it will take the piratebay download to finish, you could have your own rig assembled from legally obtained software. (let's just assume you're planning to steal the software for ethical uses though)

michael_lussier

Random hits with all your fingers for about 30 seconds and then pick out the first number of characters you need for your key. Save a copy of it to your thumb drive as a backup copy. I've been known to hide copies in other places as well with obscure names.

Neon Samurai

It'll keep your passwords nice and safe in an AES encrypted database. You can then close up the security hole of having multiple obscurely named files kicking around everywhere.

seanferd

It will end up in the wild. The hardware may be more difficult, especially if some sort of dongle-type thingumie is required.

Neon Samurai

I think it was last year that some pentesting genius built an audit box for wireless. (ok, I'm thinking of a specific one as I'm sure there are many now). This guy took a notebook inside a weatherproof case and maxed out the number of internal and USB network dongles. I think he could detect and crack something like twenty wifi AP at a time? Gorgeous little project provided it's used ethically.

Michael Kassner

I have to admit that I really love my iPhone. I'm even used to the touchscreen keyboard. I have tried the Blackberry touchscreen version and it's not anywhere as good IMO.

Neon Samurai

Is it a scanning app or just the OS X AP discovery tool? Either way, it's a nice small passive sensor you can leave on in your pocket.

Michael Kassner

The odd looks go away, at least for me. I think they expect strange behavior out of me.

Michael Kassner

I use my iPhone for hunting now. I just wish the battery would last longer.

Neon Samurai

When I first started mucking with wireless, I used to leave my notebook on with C&A logging network hits. My Palm T5, bluetooth and VNC client gave me a nice little hand held view of the desktop. The SDIO NIC and a netstumbler type app for Palm replaced the setup soon after. These days, it's an N810 and kismet or airodump (as a basic scanner without the logging command switch).

michael_lussier

I really got odd looks when I was checking out internal wireless and looking for rogues. I told people I was checking out "Radio-Activity". Also a visit from folks I didn't care to either that didn't think my comment was soo funny.

Michael Kassner

I remember that very well. I have spent a lot of time walking with a notebook and antenna. I suspect that I was getting all sorts of quizzical looks as well. The thing I could never get past was how hard it is to read the LCD screen outdoors. That's why I find those commercials rather ironic as the subject is sitting with the sun behind them and happily typing away, right.

Michael Kassner

The cracking can be accomplished off line and if the network is active enough it doesn't take long to get enough data points.

Neon Samurai

It's a puzzle that keeps on going. By the time you get the thing put together, it's already time to re-audit the network for outdated mechanisms.

Michael Kassner

It's not just wireless, any encryption is getting weaker just by the very fact that processor power, efficient algorithms, and very smart cryptographers are banging away at all of them.

Neon Samurai

hehe.. WEP in under five minutes. WPA with a little more effort and TKIP about to fall over.. interesting times in the world of wireless.
