
Wifi Security Explained: Analogies that will make you groan!

Since my article on WPA security and Elcomsoft’s cracking software, I’ve received a
few e-mails asking me to explain wireless security in greater detail. While I can
easily do that, I have a feeling that what most people want is not more details, but
for it to be presented in an understandable manner. So, without further ado, here’s
The Tech Mango’s WiFi Security Analogies that will make you groan!

Having a wireless network is sort of like having a house. In the default “Open”
mode, your house has a 100-meter tall sign saying “party over here!” Anybody can
walk in and start talking… And hear other people’s conversations. Not a good thing
if you frequently discuss sensitive information. There are many ways to keep this
information hidden.

Disabling SSID broadcast. This is perhaps the simplest method and first step towards
a little security. This takes down that 100-meter sign, but everyone driving by can
still see that there’s a house at 123 Main Street. This is because your router or
access point broadcasts what’s known as a beacon… And that includes its physical
address. It provides little real security, as any time someone comes to your house,
they ask “Is this Rob’s Party?” loud enough for all to hear. Not very secretive at
all.

MAC address filtering. Another method of security is having a guest list for the
party. And while this may seem secure at first, all tech-savvy hackers know this is
little more than a temporary inconvenience. The “bouncer” (router or access point)
relies on stickers saying “Hi, My Name is…”. Hackers can quickly take a magic
marker to these stickers to change their name to someone on the guest list.

While these two methods are generally sufficient to deter those looking for free
internet, they’re little more than a bump in the road for more knowledgeable or
dedicated hackers.

WEP Security. The best way to describe this is a house party where every guest has
to use a secret knock every time they speak. After listening to a few thousand
conversations (which is rather quick on computers), a hacker generally has the knock
figured out and can communicate with everyone else.

WPA security. This security is definitely more thorough… We’ll cover the WPA
Pre-shared key. This is like having a key to the party… And once you’re in the
vestibule taking off your coat, the bouncer demands to have the secret handshake.
Inside, you speak in a language based on the handshakes you’ve done. But this is
where the recognizable analogy ends, as the intricacies of WPA are such that the
main security is the 4-way handshake. And while this can be observed, it will still
take the hacker a while to figure out what the handshake is and how to do it,
practicing in front of a mirror until he gets it. With sufficient password length,
he will never get the handshake down unless it’s a poor choice of password
(specifically, dictionary words).

WPA Enterprise. This is the top level of security you can have. Not only are you
asked for a key and secret handshake, the bouncer asks for your driver’s license and
runs it against the DMV database to make sure you really are who you say you are…
And that you’re allowed in. These “credentials” can be revoked at any time… Like
say when you fire an employee. Hence, WPA Enterprise is useful in large business, or
enterprise, applications. See how the name fits? There are currently no known methods
of hacking this type of network from the outside. You can duplicate someone’s
credentials if you get a hold of them (or specifically, their laptop), but once the
breach is discovered, the fix is as simple as cancelling your credit cards.

VPN. Many security experts theorize that the future of wireless security will go
towards DATA security and de-emphasize LINK security. If the data going over your
network is sufficiently encrypted, it won’t matter what form of security you use.
It’d be like having a guest walking into your open house party, only to discover
that everyone else is speaking in a made-up language that only they know. This is
what a VPN does. It sends the data to another computer in an encrypted manner…
like having your own virtual private network. In fact, this is what it stands for!

There are other ways to make your wireless network more secure… AP Client
Isolation, etc. But for the sake of sparing you my never-ending torrent of bad
analogies, I won’t hit upon those here.

The long and short of it is, a WPA Pre-shared Key (especially AES-based WPA2) with a
sufficiently complex and long key is UNHACKABLE with current technology, and will be
for quite the foreseeable future. It’s a never-ending game of cat and mouse with
hackers and security professionals, but for now… The cat’s got the edge. Upcoming
technologies, such as 5 GHz wireless, will keep the trend going. As of right now,
there are no known hacking tools or devices that support the 5 GHz wireless band.


Elcomsoft’s Smoke & Mirrors

A few weeks ago, Elcomsoft reported that it had developed software to harness the power of a GPU to brute-force WPA/WPA2. What that could mean is that, for a scant $1,000 in hardware, one could break the encryption used on wireless networks. While this price may sound prohibitively high, two top GPUs in SLI is fairly common in high-end gaming. People dedicated enough to break into corporate networks now have a means to do so.

That’s the theory, at least.

As one keen commenter pointed out, the reality and sheer mathematics behind it are mind boggling. A WPA2 passphrase can be up to 63 characters, and using lower case, upper case, numbers and symbols gives 94 choices for each character. If I use a 63-character password, that 63-character password could be one of 1.9 * 10^126 possible choices.

If you want to have a 100% chance of brute forcing this key in one year, one would still need to execute 6*10^118 tries a second.

It would be faster to attack the 256-bit hash, as this only has 1.1*10^77 permutations.

So if one could issue 3.6*10^69 commands per second, one could guarantee a break in one year. Let’s assume that it takes 10 flops (floating point operations) to test one key. As of August, SETI@home is executing an average of 150 teraflops (150*10^12). Therefore one would still need ~2.5*10^56 SETI@home projects to break one key in one year.

The most efficient computer uses 2.8 watts per GFLOP. Therefore it would take 2.5*10^59 watts to break one key. Since the average usage of power for all people on the planet is 15 TW, we would need 1.5*10^46 times the current power output of the planet to break one key.

Unless someone is using a weak password, like “aaaaaaaa”, it’s rather unlikely someone would be able to successfully crack WPA2.
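The arithmetic above, and the weak-passphrase point it ends on, as an added worked example (not code from the original post or its commenter): the brute-force cost functions take the text’s assumptions (94-character alphabet, 10 flops per guess, 150 TFLOPS per project) as defaults, and the passphrase check flags the mistakes the post names. The sample wordlist and the guess rate used in the demo are constructed placeholders, not measured figures.

```python
# Added example: WPA/WPA2-PSK brute-force cost estimates and a weak-passphrase
# check for admins. Assumptions are the ones stated in the post above.
SECONDS_PER_YEAR = 365 * 24 * 3600
# Printable ASCII split into classes; all four together give the 94 choices
# per character used in the text.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def keyspace(length: int, alphabet_size: int = 94) -> int:
    """Number of distinct passphrases of exactly `length` characters."""
    return alphabet_size ** length

def rate_to_exhaust(space: int, years: float = 1.0) -> float:
    """Guesses per second needed to try every candidate within `years`."""
    return space / (years * SECONDS_PER_YEAR)

def seti_projects_needed(rate: float, flops_per_guess: float = 10.0,
                         project_flops: float = 150e12) -> float:
    """How many 150-TFLOPS projects it takes to sustain `rate` guesses/s."""
    return rate * flops_per_guess / project_flops

def effective_alphabet(passphrase: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in passphrase): size += CLASSES["lower"]
    if any(c.isupper() for c in passphrase): size += CLASSES["upper"]
    if any(c.isdigit() for c in passphrase): size += CLASSES["digit"]
    if any(not c.isalnum() for c in passphrase): size += CLASSES["symbol"]
    return size

def years_to_exhaust(passphrase: str, rate: float) -> float:
    """Worst-case years to try every passphrase of this length and mix."""
    space = keyspace(len(passphrase), effective_alphabet(passphrase))
    return space / rate / SECONDS_PER_YEAR

def passphrase_issues(passphrase: str, wordlist: frozenset) -> list:
    """Weaknesses the post calls out: dictionary words and trivial repeats."""
    issues = []
    if not 8 <= len(passphrase) <= 63:       # WPA-PSK passphrase length range
        issues.append("length outside the 8-63 characters WPA-PSK allows")
    if passphrase.lower() in wordlist:
        issues.append("dictionary word")
    if len(set(passphrase)) <= 2:            # e.g. "aaaaaaaa"
        issues.append("repeated characters")
    return issues

# Constructed sample wordlist; a real check would load a full dictionary.
SAMPLE_WORDLIST = frozenset({"password", "letmein", "sunshine"})

if __name__ == "__main__":
    print(f"2^256 in one year needs {rate_to_exhaust(2**256):.2e} guesses/s")
    for p in ("aaaaaaaa", "Password", "Gr3at-P@rty-0n-Ma1n!"):
        # 1e6 guesses/s is an assumed placeholder rate, not a measured one
        print(p, passphrase_issues(p, SAMPLE_WORDLIST),
              f"{years_to_exhaust(p, 1e6):.2e} years at 1e6 guesses/s")
```

With the figures in the text it reproduces the 2^256 estimate (about 3.7×10^69 guesses per second, roughly 2.5×10^56 SETI@home-sized projects), while an all-lowercase eight-character passphrase falls in well under a year even at the placeholder rate.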

Why am I taking the time to point this out? The short explanation is that I’m tired of lesser admins and specialists preaching to me that WPA2-PSKs are insufficient safeguards for wireless security, especially in a business/enterprise setting. This is simply not the case. While it may be optimal to use WPA2 Enterprise setups in corporate environments, the reality is that many IT departments are run on a shoestring budget. The mark of a good IT consultant is not how fast, powerful, or secure they can make something with an unlimited budget… but how well they can make do on a budget resembling the McDonald’s dollar menu.

Some theorists suggest that link security, such as WEP and WPA, may eventually take a backseat to data security, such as VPNs.

So, for the time being, you can sleep soundly knowing that your WPA2 networks are secure… secure as you make them.