ie8 fix

Between the Lines

Larry Dignan, Andrew Nusca and Rachel King
Home / News & Blogs / Between the Lines

New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes

By | December 8, 2009, 9:31am PST

Summary: A new, cloud-based hacking service says it can crack a WPA Wi-Fi network password in just 20 minutes.

A new, cloud-based hacking service says it can crack a WPA Wi-Fi network password in just 20 minutes.

Announced on Monday, the $34 “WPA Cracker” service is a tool for security auditors and penetration testers to test breaking into certain types of WPA networks.

The service leverages a known vulnerability in Pre-shared Key (PSK) networks usually used by home and small-business users.

To use it, the tester first submits a small file that contains an initial communication between the WPA router and a computer. Based on that information, WPA Cracker can then figure out whether the network is vulnerable to a type of attack.

According to the service’s website:

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over five days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17.

The service was launched by security researcher Moxie Marlinspike. In an interview with PC World, he said that he got the idea for the service after discussing how to speed up WPA network auditing with other security experts.

The $34 price tag is for the whole cluster. Using half the cluster costs $17, but the job could take 40 minutes.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Between the Lines”

Topics

WPA, Password, Hacking, Network, WPA Cracker, Network Security, Wi-Fi, Wireless And Mobility, Networking, Andrew Nusca

Andrew J. Nusca is associate editor of ZDNet and editor of SmartPlanet.

Disclosure

Andrew Nusca

Andrew J. Nusca does not hold any investments in the technology companies he covers.

Biography

Andrew Nusca

Editor

Andrew J. Nusca is an associate editor at ZDNet and editor of SmartPlanet. As a journalist based in New York City, he has written for Popular Mechanics and Men's Vogue and his byline has appeared in New York magazine, The Huffington Post, New York Daily News, Editor & Publisher, New York Press and many others. He also writes The Editorialiste, a media criticism blog.

He is a New York University graduate and former news editor and columnist of the Washington Square News. He is a graduate of the Columbia University Graduate School of Journalism. He has been named "Howard Kurtz, Jr." by film critic John Lichman despite having no relation to him. He lives in his native Philadelphia with his wife, cat and Boston Terrier.

Follow him on Twitter.

22
Comments
Add Your Opinion

Join the conversation!

Just In

RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes
dsfwrryd39-24353606884083056179624163738940 Updated - 5th Nov
In order to discovered such present originally from technoratic, ravens jerseys wonderful running a blog rrnternet cheap authentic nfl jersey site, protect it from punctures packers jerseys high.
View in thread
0 Votes
+ -
And the site shouldn't be close down, and the owner arrested because...
IT_Guy_z 8th Dec 2009
...why?

How about just running a "rent-a-thief" service instead?
0 Votes
+ -
Because....
DarkWhiteChocolate 8th Dec 2009
Just like it says you use it for testing your own network. Obviously that is not what people will use it for however it's the same reason BitTorrent or P2P isn't illegal because it has a non-illegal use.
0 Votes
+ -
Non-illegal?
djmik 8th Dec 2009
That is splitting hairs. I bet this isn't the last time we see these guys in the news.
0 Votes
+ -
Kinda like arresting the cops for running an undercover sting?
kd5auq 8th Dec 2009
Crooks would not be advertizing this service in ZDNet.
0 Votes
+ -
Don't worry about the crooks
T1Oracle 8th Dec 2009
What we need a cloud for, they'll just use a bot net for. Don't worry...
0 Votes
+ -
Nope, not 'splitting hairs'
Lerianis10 8th Dec 2009
Just being very blunt about why this service is
legal. Now that I have seen this however..... I am
going to change my plain-text password for my
wireless router.
0 Votes
+ -
Don't need a password
Murfski 14th Dec 2009
It's kind of a PITA, but I just lock my home network with a MAC filter. I have to add the MAC address of a device to my list for it to be able to access the network. Not practical for large networks but it works for me.
0 Votes
+ -
MAC Filters
gtatransam@... 14th Dec 2009
MAC Addresses can be sniffed and spoofed.
0 Votes
+ -
Because ... it's the INTERnet
oldbaritone 15th Dec 2009
as in INTERnational

and they set up in a host country that doesn't care as long as they keep paying the taxes and kickbacks to the corrupt third-world government and its officials.

Pass all of the laws you want. They don't care. They just go somewhere uncivilized, and keep stealing. Shut them down in one place today, and they'll be open again tomorrow in another country that has no extradition.
0 Votes
+ -
Nothing illegal
jparr 15th Dec 2009
The legal challenge could be raised if the application was intercepting data without permission.

Just as with a hammer and screwdriver, you can build a house or a weapon using the same tools.

This is just a tool.

I think the MORE impressive precedent here is that we can effectively outpace Moore's law using cloud computing. So "the cloud" puts a supercomputer in your living room for a few hundred bucks.

Now anyone can do prime number searches without access to university or government resources, as long as they have the scratch to pay for a few hours (days?) of cloud-time.

By the way.... like the hammer, screwdriver, and WPA password cracker, prime number searches ALSO threaten encryption, so should we immediately cease and desist?
0 Votes
+ -
wait till the hash cracking services show up
Been_Done_Before 8th Dec 2009
wha daddy!
0 Votes
+ -
For 64 Character Passwords
AMusnikow 8th Dec 2009
Does it work for 64 character passwords that upper and
lower case letters, numbers, and special characters?
0 Votes
+ -
My thoughts exactly...
wright_is 15th Dec 2009
If it is doing a dictionary attack, what when people use long passphrases with multiple words and numbers strung together?

I wouldn't set-up a wireless network without WPA2 and without at least a 25 digit passphrase, usually longer.

It would be interesting to know if this service can cater for longer passphrases or not. If it is just doing single words and common phrases, then it won't help much...

As an aside, I though I would have to tell my girlfriend about secure passwords, as she doesn't like or understand computers. But I caught her typing in her password the other day, it was well over 30 characters! shocked
0 Votes
+ -
WPA-PSK cracking isn't practical with a 11 character random password
georgeou 8th Dec 2009
WPA-PSK cracking isn't practical with a 11 character
random password, and I don't care how big your cloud is.
This is a non-issue so long as you have even the most
basic PSK complexity.
0 Votes
+ -
Headline should have been "... can crack weak Wi-Fi passwords...
jy113 16th Dec 2009
Exactly. So why wasn't the title of the post "New cloud-based hacking service can crack weak Wi-Fi passwords in 20 minutes"?
0 Votes
+ -
RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes
gtatransam@... 14th Dec 2009
That's why if security is an issue, you should stick to wired networks, which are faster and more secure than wifi.
0 Votes
+ -
RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes
docmurdock 14th Dec 2009
actually, using a longer key makes the job much more difficult as well as using other items which I'll not reveal here. Yes there's really no fool proof way of protecting your data no matter what anyone encouraging you to cloud compute says.

This is a major problem with cloud computing. You're only as safe as their weakest link and it's usually a sys admin who uses system as the username and password as the password for a firewall system because they're too lazy to keep things on record somewhere else.

Mike
0 Votes
+ -
RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes
nanotm 14th Dec 2009
i'd like to see it crack the stepped key alogorithm and provide stable access credentials, even knowing hte sodding start key and syncing the step speed its damn near impossible to maintain a stable connection, also given that you would need the full firmware data access for each and every make and model of wifi access point running in none protected mode, this is only usefull for cracking things like the home hub which you can normally achieve with a free program and a pentium 3 666mhz lappy in under 40 mins so i dont see the point in wasting money on designing this let alone making it available

not to mention that looking at the website offering the service it requires you to capture the signal before uploading it for them to tell you the key, great so long as the person didnt setit up with more than one key which changes every few hours /
0 Votes
+ -
Go Cloud Computing
Raid6 14th Dec 2009
Yes, lets put our data in the cloud.

Lets put our computing and processing in the cloud.

Lets all access the Internet via Cable broadband and WiFi.

Lets all pretend that cloud computing is so great.

Regarding cracking WPA, try not using PSK?
0 Votes
+ -
I LOVE Ham Radio!
oldbaritone 15th Dec 2009
Amateur Radio callsigns make great passwords -like

ZD8mm&CO2om!TU6xmd

Crack THAT with your 135-million-word dictionary!

And on the sticky note to remember it are the words
Mary&Carlos!Tocsin

People watching over your shoulder probably won't get it, unless they're using a video camera and can replay it several times.
0 Votes
+ -
RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes
me@... 21st Dec 2009
This type of brute-force attack does not apply to WPA/WPA2-Enterprise networks, which use 802.1X authentication. Even small businesses and consumers can now easily implement this advanced security using outsourced services like AuthenticateMyWiFi: http://www.NoWiresSecurity.com
0 Votes
+ -
RE: New cloud-based hacking service can crack Wi-Fi passwords in 20 minutes
dsfwrryd39-24353606884083056179624163738940 Updated - 5th Nov
In order to discovered such present originally from technoratic, ravens jerseys wonderful running a blog rrnternet cheap authentic nfl jersey site, protect it from punctures packers jerseys high.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix