New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes

New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes

Summary: A new, cloud-based hacking service says it can crack a WPA Wi-Fi network password in just 20 minutes.

SHARE:

A new, cloud-based hacking service says it can crack a WPA Wi-Fi network password in just 20 minutes.

Announced on Monday, the $34 "WPA Cracker" service is a tool for security auditors and penetration testers to test breaking into certain types of WPA networks.

The service leverages a known vulnerability in Pre-shared Key (PSK) networks usually used by home and small-business users.

To use it, the tester first submits a small file that contains an initial communication between the WPA router and a computer. Based on that information, WPA Cracker can then figure out whether the network is vulnerable to a type of attack.

According to the service's website:

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over five days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17.

The service was launched by security researcher Moxie Marlinspike. In an interview with PC World, he said that he got the idea for the service after discussing how to speed up WPA network auditing with other security experts.

The $34 price tag is for the whole cluster. Using half the cluster costs $17, but the job could take 40 minutes.

Topics: Security, Mobility, Networking, Wi-Fi

Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

22 comments
Log in or register to join the discussion
  • And the site shouldn't be close down, and the owner arrested because...

    ...why?

    How about just running a "rent-a-thief" service instead?
    IT_Guy_z
    • Because....

      Just like it says you use it for testing your own network. Obviously that is not what people will use it for however it's the same reason BitTorrent or P2P isn't illegal because it has a non-illegal use.
      DarkWhiteChocolate
      • Non-illegal?

        That is splitting hairs. I bet this isn't the last time we see these guys in the news.
        djmik
        • Kinda like arresting the cops for running an undercover sting?

          Crooks would not be advertizing this service in ZDNet.
          kd5auq
        • Don't worry about the crooks

          What we need a cloud for, they'll just use a bot net for. Don't worry...
          T1Oracle
        • Nope, not 'splitting hairs'

          Just being very blunt about why this service is
          legal. Now that I have seen this however..... I am
          going to change my plain-text password for my
          wireless router.
          Lerianis10
          • Don't need a password

            It's kind of a PITA, but I just lock my home network with a MAC filter. I have to add the MAC address of a device to my list for it to be able to access the network. Not practical for large networks but it works for me.
            Murfski-19971052791951115876031193613182
          • MAC Filters

            MAC Addresses can be sniffed and spoofed.
            gtatransam@...
    • Because ... it's the INTERnet

      as in INTERnational

      and they set up in a host country that doesn't care as long as they keep paying the taxes and kickbacks to the corrupt third-world government and its officials.

      Pass all of the laws you want. They don't care. They just go somewhere uncivilized, and keep stealing. Shut them down in one place today, and they'll be open again tomorrow in another country that has no extradition.
      oldbaritone
    • Nothing illegal

      The legal challenge could be raised if the application was intercepting data without permission.

      Just as with a hammer and screwdriver, you can build a house or a weapon using the same tools.

      This is just a tool.

      I think the MORE impressive precedent here is that we can effectively outpace Moore's law using cloud computing. So "the cloud" puts a supercomputer in your living room for a few hundred bucks.

      Now anyone can do prime number searches without access to university or government resources, as long as they have the scratch to pay for a few hours (days?) of cloud-time.

      By the way.... like the hammer, screwdriver, and WPA password cracker, prime number searches ALSO threaten encryption, so should we immediately cease and desist?
      jparr
  • wait till the hash cracking services show up

    wha daddy!
    Been_Done_Before
  • For 64 Character Passwords

    Does it work for 64 character passwords that upper and
    lower case letters, numbers, and special characters?
    AMusnikow
    • My thoughts exactly...

      If it is doing a dictionary attack, what when people use long passphrases with multiple words and numbers strung together?

      I wouldn't set-up a wireless network without WPA2 and without at least a 25 digit passphrase, usually longer.

      It would be interesting to know if this service can cater for longer passphrases or not. If it is just doing single words and common phrases, then it won't help much...

      As an aside, I though I would have to tell my girlfriend about secure passwords, as she doesn't like or understand computers. But I caught her typing in her password the other day, it was well over 30 characters! :-O
      wright_is
  • WPA-PSK cracking isn't practical with a 11 character random password

    WPA-PSK cracking isn't practical with a 11 character
    random password, and I don't care how big your cloud is.
    This is a non-issue so long as you have even the most
    basic PSK complexity.
    georgeou
    • Headline should have been "... can crack [b]weak[/b] Wi-Fi passwords...

      Exactly. So why wasn't the title of the post "New cloud-based hacking service can crack [b]weak[/b] Wi-Fi passwords in 20 minutes"?
      jy113
  • RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes

    That's why if security is an issue, you should stick to wired networks, which are faster and more secure than wifi.
    gtatransam@...
  • RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes

    actually, using a longer key makes the job much more difficult as well as using other items which I'll not reveal here. Yes there's really no fool proof way of protecting your data no matter what anyone encouraging you to cloud compute says.

    This is a major problem with cloud computing. You're only as safe as their weakest link and it's usually a sys admin who uses system as the username and password as the password for a firewall system because they're too lazy to keep things on record somewhere else.

    Mike
    docmurdock
  • RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes

    i'd like to see it crack the stepped key alogorithm and provide stable access credentials, even knowing hte sodding start key and syncing the step speed its damn near impossible to maintain a stable connection, also given that you would need the full firmware data access for each and every make and model of wifi access point running in none protected mode, this is only usefull for cracking things like the home hub which you can normally achieve with a free program and a pentium 3 666mhz lappy in under 40 mins so i dont see the point in wasting money on designing this let alone making it available

    not to mention that looking at the website offering the service it requires you to capture the signal before uploading it for them to tell you the key, great so long as the person didnt setit up with more than one key which changes every few hours /
    nanotm
  • Go Cloud Computing

    Yes, lets put our data in the cloud.

    Lets put our computing and processing in the cloud.

    Lets all access the Internet via Cable broadband and WiFi.

    Lets all pretend that cloud computing is so great.

    Regarding cracking WPA, try not using PSK?
    Raid6
  • I LOVE Ham Radio!

    Amateur Radio callsigns make great passwords -like

    ZD8mm&CO2om!TU6xmd

    Crack THAT with your 135-million-word dictionary!

    And on the sticky note to remember it are the words
    Mary&Carlos!Tocsin

    People watching over your shoulder probably won't get it, unless they're using a video camera and can replay it several times.
    oldbaritone