WPA Cracker, a service that bills itself “as cloud cracking service for penetration testers and network auditors,” has been making waves the past few days as breathless newswires report that “New Cloud-based Service Steals Wi-Fi Passwords“. Not quite: It just makes an already known vulnerability slightly more accessible to the common man, but what ne’er do well is really going to hand over their private info via Amazon Payments to crack a WPA-PSK password, particularly when there are simpler methods such as readily available rainbow tables?
To be clear, the service doesn’t break into Wi-Fi networks; it only runs a dictionary-based attack on handshakes that have to be recorded by an individual with at least some technical savvy.
Glenn Fleishman goes into another reason enterprises don’t have too much to worry about with this new development:
Let me be clear: this is a clever and worthwhile addition to penetration testing (pentesting) and network security, and I would gladly pay $34 to prove to someone smug that his or her company password was vulnerable. But it is not a generic nor dangerous attack on WPA. Smart companies, likely millions of them, already use account-based network authentication in the form of WPA/WPA2 Enterprise, which is not vulnerable to this form of brute-force attack. WPA/WPA2 server-side support is de rigeur in the enterprise network infrastructure, and available from third parties, as well as built into Microsoft Server and Mac OS X Server operating systems. Home users and small-business users are most likely to employ simple passwords.
In fact, there could be a silver lining. As Luke O’Connor notes, explaining the importance of strong passwords and security practices to management is never quite as easy as it should be. Showing decision makers that their password can be cracked by a simple web service in 20 minutes for under $40 can make quite an impact.