Schneier on Security
A blog covering security and security technology.
« 1921 Book on Profiling |
| Pork-Filled Counter-Islamic Bomb Device »
July 27, 2010
WPA Cracking in the Cloud
It's a service:
The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more “premium” price of $35, you can get the job done in about half the time. Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.
It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.
In related news, there might be a man-in-the-middle attack possible against the WPA2 protocol. Man-in-the-middle attacks are potentially serious, but it depends on the details -- and they're not available yet.
EDITED TO ADD (8/8): Details about the MITM attack.
Posted on July 27, 2010 at 6:43 AM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Well, but if you don't use a password that is in a dictionary you'll be ok... I mean, it's not full brute force, it's a dictionary attack, right?
It raises the obvious question,
If "civi-street" services can do this at this cost, what can the NSA or other government agency do in the same length of time?"
Or how about Google, they are finding all the wireless access points they can as part of their "st mapping-recording" efforts, how much more would it cost them to crack them as they went?
As we know for many people just knowing one of their passwords is sufficient short cut to any others.
It raises the interesting prospect of using the passwords like an ID database. That is you might use many different User ID's but just how many different passwords do you use with them. If I know both the User ID and Password, can cross correlate to see if there are any other possible Usernames you might be using more covertly...
I just got an email from Verizon on Friday saying the too many users are still using the default password on their routers.
At the time I questioned if they were really about good security or just losing bandwidth.
It came out of the blue, but this might explain it.
http://www.oxforddictionaries.com/page/... says there are about 250,000 words including obsolete words. How many of those are less then 8 characters? How many are less than 8 characters but are worth padding? The WPA cracking website does not indicate what max number of characters are used. One could only assume it goes from 8 characters to at least 20 since 20 is kind of the suggested lower bound to keep just this kind of thing from happening.
So 250,000 words compared to 135,000,000 in the word list... leads to over 500 iterations for each word, over 1600 iterations if you add the additional 284,000,000 word list. So, this is a nice big dictionary. What about phrases. I wonder how it does on phrases....
The GRC thing seems to be a waste of money. I just use a variant of
cat /dev/urandom | base64 | head -c 12; echo
and convert to all lower-case for easier remembering. Use /dev/random if paranoid and some waiting time is ok.
In light of this type of service...
Most modern home routers have the default password/keys set as a random string/pseudo random derived string; assuming that the method for deriving this string is secure then having the user pick their own passwords looks like a lowering of the security threshold.
The issue is one of having a password that is resistant to cloud attack.
There is a simple (but slightly tedious) solution:
 Encrypt any file with Gnupg, using either AES 256 or Twofish
 Decrypt the file, using the option of
 Copy the 64 character session key and save it in a safe backup, and also on a usb
 Use this 64 character string as your password.
 This can only be broken if 256 bit symmetrical ciphers can be brute forced
(nowhere near current or forseeable cloud capabilities, although they might be 'tempted' into a colossal waste of time trying ;- )) )
The FAQ lists Moxie Marlinspike as contact. That's the guy behind the https implementation weaknesses reported at DefCon2009. He used an online service to gather real world usage data to demonstrate his https weaknesses in the wild. I'm inclined to believe there is a hidden agenda with this service offering.
"In related news, there might be a man-in-the-middle attack possible against the WPA2 protocol. Man-in-the-middle attacks are potentially serious, but it depends on the details -- and they're not available yet."
I think I've figured out how to do it. Due to the fact that the GTK is shared, any authenticated wireless station can send a valid broadcast frame (the press release says that the attacker has to be an insider, in other words that he can successfully complete 802.1X authentication). This makes it possible to perform an ARP poisoning attack. The attacker sends a gratuitous ARP request (broadcast) associating his own MAC address with the default gateway's IP address. All traffic from other wireless clients to the default gateway will then be forwarded to the attacker. The AP will decrypt the traffic, and then re-encrypt it using the attacker's PTK. The attacker can then forward the traffic to the default gw, acting as a man-in-the-middle. All the traffic will be visible as plaintext to the attacker, since the AP handles the decryption (with the victim's PTK) and re-encryption (with the attacker's PTK).
This attack will also work against other clients on the same subnet, by using ARP poisoning to associate the attacker's MAC address with the client's IP address.
I'm not sure why the experts commenting the press release haven't mentioned this possibility.
A dictionary attack doesn't mean dictionary words.
For example, a *good* dictionary might contain keyboard layout pattern entries like:
And so on...
@Gweihir GRC passwords is a free, secure service.
Bruce, most of the "Hole196" exploit details are now available, and I'll have a full write-up based on interviews at Ars Technica on Saturday when the embargo is lifted and the researcher presents his demo at Defcon.
In short, the group keys in WPA/WPA2 lack any authentication or integrity checking. A malicious station can use broadcast messages with the group key that the AP ignores, and which to other stations appear to come from the AP. No key breaking is required. An authenticated user is required, which means an 802.1X-authenticated login, typically.
On one hand, it's no worse than any of the network-based attacks that an insider could carry out. What makes it bad, is that it's untraceable to some extent (proximity is required), and none of the intrusion systems in use now would likely notice attacks made in this manner.
I usually use Diceware for that reason (eg, http://diceware.shiftleft.org , but generate your own instead). A 5-word password like "ned cute beep gogo hague" has about 64 bits of entropy, easily enough to thwart this sort of attack. If you're worried about governments getting involved, just use 10 words instead to match 128-bit AES.
Given the wap/wap2 potential attack problems, how safe is wep, if you are forced into using it, for old devices such as Roku boxes and other WiFi devices that require wep only, in a typical home WiFi system?
Is wep that much worse, provided you use safe passwords?
How do you get decent security from nasty neighbors if you need to use wep ?
Given the wpa/wpa2 potential attack problems, how safe is wep, if you are forced into using it, for old devices such as Roku boxes and other WiFi devices that require wep only, in a typical home WiFi system?
Is wep that much worse, provided you use safe passwords?
How do you get decent security from nasty neighbors if you need to use wep?
I misspelled wpa in previous post.
Do not use WEP if WPA/WPA2 is available.
WEP acts as a "Do not enter" sign, but not much more. An attacker can recover the whole WEP key and gain full access to the network in approximately 1 minute (using statistical attacks , not dictionary attacks that depend on a guessable passphrase). The attacks against WPA/WPA2 are a lot less serious than those against WEP, so use WPA/WPA2 whenever possible. With WEP, the strength of the password doesn't really matter, since the most efficient attack exploits weaknesses in the cryptographic algorithm implementation. With WPA/WPA2 PSK, the password is very important, since the most efficient attack is a dictionary attack.
@ Harvey MacDonald,
"A dictionary attack doesn't mean dictionary words"
Or which dictionary ;) At one time it was called a "catalog search" which is still mor appropriate . With what we now call a "brut force search" being called a "British Museum Attack"
As you say,
"For example, a *good* dictionary might contain keyboard layout pattern"
Or any other "ordered collection" of data.
Which raises an interesting (philosophical if you will) question about our method of deciding what entropy is in any practical sense.
After all at one point in time computers where used to produce "random" but "pronouncable" words for passwords using simplistic rules such as 'CVCVC' and in some cases putting them through secondary filters to check they where actually not in a "known" dictionary and where still pronouncable.
Thus "one mans good entropy is another mans bad entropy" simply because they play by different rules of judgment.
For instance the keyboard "WERTY" is also a "CVCCV" acceptable word...
Thus it can be argued that the strength of your password should be based on knowledge of what an attacker would put in their "attack dictionary"... Which in turn means that an attacker should not have likley words in their "attack dictionary" as they would not be used and are thus a waste of CPU cycles...
Which is a nice start to a downward spiral of second guessing by both parties.
Luckily for most attackers in the general case they don't care because they are not looking for a plaintext match to a single encrypted password but just any match to many many ciphertext passwords (the old "steal the password file" attack).
And that is the advantage this "Cloud" system has, afterall if you are paying hard cash you are likley to be using a real password.
So the cloud owners have a high probability of having a real password "with real value" that they have other info about (the enquirers IP address Credit Card info etc) that enables them to "localize" where the password is for geographicaly so can search another DB (such as googles private Wirless network list)...
A new use for Amazon's EC2 service.
>"but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes."
That's why you are supposed to have a non dictionary key, like mine, which is a string of random garbage, as long as it was willing to take.
And the details about the man in the man in the middle attack are here: Man in the middle howto:
Using cloud computing this is possible:
"I'll demonstrate how to break a WPA-PSK handshake at a speed of ~400.000 PMKs/s, maybe (if I get it finished till then) also at a speed of over 1.000.000 PMKs/s per second."
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.