WPA encryption may not be safe for much longer

I’ve stated before how important it is to encrypt your wireless network.  I’ve also suggested going with at LEAST WPA (wireless protected access).  Now, it looks like that won’t be enough.  A security researcher has figured out a way to crack a WPA password with a brute-force attack using Amazon’s Elastic Compute Cloud service.

According to Reuters, the researcher will be releasing the software at the Black Hat conference that’s happening later this month in Washington, D.C.

Amazon says that using their services to hack into a network without authorization is against their terms of service, but if it can be done in just a few minutes and you don’t run down the street every day doing it, who’s going to know?  Of course, the rub is that you need internet access in the first place to be able to hack your way into internet access.  Is there a point?  Maybe if you’re using an expensive cellular service and want to connect to someone else’s wireless to save yourself some money.

The same advice I’ve given in the past about the password being only useful to stop the casual user and not the determined hacker still applies.  You should have a password because you don’t want someone getting in.

The big downside to this is that the WPA method that was cracked, PSK (pre-shared key), is the one used on consumer-level equipment.  More robust methods generally require a special server running on your network to handle them and possibly special software on your computer.

I guess we’ll see another encryption method next year (this is a prediction and not based on anything I’ve read or heard).  Computing power is getting so great that we need to greatly expand the size of the keys used to protect our networks.  WPA uses a 256-bit key.  Maybe we need to have 10,000-bit keys (but you’ll need to use a paragraph-long passphrase to create it as it’s only as good as the length of the passphrase).
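To put numbers on "only as good as the passphrase", here is an added example (not from the original post or from the researcher's software) that derives the 256-bit WPA-PSK key the standard way and estimates how many of those bits a given passphrase can actually supply. The SSID and sample passphrases are constructed, and the estimate assumes every character was chosen uniformly at random, so it is an upper bound.

```python
import hashlib
import math
import string

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA-PSK key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def alphabet_size(passphrase: str) -> int:
    """Size of the character pool the passphrase appears to draw from."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    size = sum(len(p) for p in pools if any(c in p for c in passphrase))
    if any(c not in string.ascii_letters + string.digits for c in passphrase):
        size += 33  # printable ASCII punctuation plus space
    return size

def effective_bits(passphrase: str) -> float:
    """Upper bound on key strength in bits. Assumes each character was picked
    uniformly at random; dictionary words and names are far weaker than this."""
    return min(256.0, len(passphrase) * math.log2(alphabet_size(passphrase)))

def length_for_full_key(pool: int = 95) -> int:
    """Random characters needed before the passphrase stops being the weak link."""
    return math.ceil(256 / math.log2(pool))

if __name__ == "__main__":
    ssid = "ExampleNet"  # constructed sample SSID
    for phrase in ("password", "Tr1cky-pass"):  # constructed sample passphrases
        key = wpa_psk(phrase, ssid)
        print(f"{phrase!r}: {len(key) * 8}-bit key, "
              f"at most {effective_bits(phrase):.1f} bits of real strength")
    print("random printable-ASCII characters needed:", length_for_full_key())
    print("random lowercase letters needed:", length_for_full_key(26))
```

Because the SSID is the salt, the same passphrase produces a different key on a differently named network, but the passphrase remains the only secret input.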
