Feeds

Turbo-charged wireless hacks threaten networks

Graphics cards encryption skulduggery

Protecting against web application threats using SSL

The latest graphics cards have been used to break Wi-Fi encryption far quicker than was previously possible. Some security consultants are already suggesting the development blows Wi-Fi security out of the water and that corporations ought to apply tighter VPN controls, or abandon wireless networks altogether, in response.

Russian firm ElcomSoft has applied GPU acceleration technology to its password recovery tool to allow PCs or servers running supported NVIDIA video cards to break Wi-Fi encryption up to 100 times faster than is possible by using conventional microprocessors. Recovery times for Wi-Fi keys are increased by a factor between 10 to 15 in the use of Elcomsoft Distributed Password Recovery in combination with a regular laptop featuring NVIDIA GeForce 8800M or 9800M series GPUs.

By running the same software on a desktop with two or more NVIDIA GTX 280 boards installed, this figure increases to a factor of 100.

We've known for years that the previous generation of wireless encryption, WEP, was vulnerable to brute force attack. The infamous compromise of TJX, which resulted in the compromise of at least 45.7m credit card records, has been traced back to a hack in a weak security retail network with older point of sale terminals running WEP.

Elcomsoft advance makes WPA and WPA2 encryption open to attack. In fact, the software is specifically designed to support "passport recovery" on Wi-Fi networks running either WPA or the newer WPA2 encryption.

The software needs to intercept only a few packets in order to perform a brute force attack, where a huge number of possible passwords are tried in an attempt to stumble upon the correct code. ElcomSoft positions the tool as a means of auditing corporate Wi-Fi networks for inappropriately weak passwords.

The firm is also marketing its technology to forensic and government agencies, as well as data and password recovery services.

The raw horsepower of graphics chips, normally used as 3D graphic accelerators by gamers, can also be applied for a variety of other number-crunching password-breaking uses beyond uncovering WiFi passwords. Elcomsoft Distributed Password Recovery can also be used to recover Windows startup passwords, crack MD5 hashes, and unlock password-protected documents created by Microsoft Office or PDF files created by Adobe Acrobat, according to ElcomSoft.

More about Elcomsoft's tool can be found here.

Security agencies have demonstrated the use of plasma TV components in password cracking. High performance FPGA (Field Programmable Gate Array) chips were applied to crack standard GSM transmissions in as little as 30 seconds, during a demonstration by security researchers Steve Mueller and David Hulton at Black Hat in Washington back in February.

Although government agencies have probably applied similar approaches for some time the programming of FPGA is a tricky process, involving getting to grips with a specialist hardware programming language. Elcomsoft's approach by contrast relies on off-the-shelf software and readily available components.

Security consultancy Global Secure Systems said that the development means Wi-Fi networks - even those running the latest encryption algorithm - can no longer be considered to be secure.

"This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data," said GSS managing director David Hobson. "As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well.

"Brute force decryption of the WPA and WPA2 systems using parallel processing has been on the theoretical possibilities horizon for some time - and presumably employed by relevant government agencies in extreme situations - but the use of the latest NVidia cards to speedup decryption on a standard PC is worrying."

Hobson added that the development could spur a step back from wireless to wired network connection in sensitive installation, such as financial services organisations, particularly concerned about data privacy. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.