Mon Oct 13 02:43:11 UTC 2008
Don't trust wireless encryption …
--
I've been saying this for a long time now, so the recent announcement by Elcomsoft shouldn't actually catch anyone by surprise.
You should not trust wireless encryption!
Elcomsoft have managed a 100-times speedup in cracking WPA and WPA2, simply by leveraging the GPUs of Nvidia graphics cards, which are very powerful computation engines and are found in a lot of PCs :-)
Now, at one level, this is only a small speedup. But it's one more nail in the coffin. When a WPA2 crack becomes fast enough to slice its way through your network in “trivial” time, how do you respond? Unless you're running a real OS on your wireless network devices (like OpenWRT or similar), where a software upgrade will probably suffice, most consumer devices are basically unsupported and unfixable. You have to wait until a new unit comes out with fixed firmware, and hand over $$$ … again. Or just run your network with a known weakness, which is asking for trouble.
My basic advice is to run your wireless network unencrypted, but run a software VPN over the top for all machines. Something like OpenVPN does an excellent job of being straightforward to install and configure, and has great client-end tools. However, if you have to support more limited devices like iPhones, try IPsec (generally found in the classier “firewalls”, such as pfSense).
If you want to provide service for non-VPN users, run them through a captive portal so you can present an AUP (acceptable use policy) to them, which limits your liability against illicit use of your network, and rate limit them to something that won't break your usage caps, if you have them.
The basic premise of all this is that when a vulnerability is discovered in a software-based VPN, there will be an upgrade available for your existing infrastructure within a short period of time. If there's a vulnerability in your hardware-based wireless router … you're stuck.
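The open-network-plus-VPN layout and the captive portal for non-VPN users described above, as an added shell example that is not code from the original post: a default-deny firewall policy for the open wireless segment, in which wireless clients can reach the gateway only for DHCP, DNS, the OpenVPN port and the portal, only VPN-tunnelled traffic is forwarded upstream, and portal users who accept the AUP are admitted per address and bandwidth-capped. The interface names (wlan0, tun0, eth0), the gateway address 192.168.10.1, the portal port 8080, the 512kbit cap and the packet mark are assumptions chosen for illustration; 1194 is OpenVPN's default UDP port. The rules are printed as text first so they can be reviewed, and are only executed when the script is run with `apply`.

```shell
#!/bin/sh
# Added example, not code from the original post: a default-deny firewall for
# an open (unencrypted) wireless segment. Wireless clients can reach the gateway
# only for DHCP, DNS, the OpenVPN port and the captive portal; only traffic that
# arrives through the VPN tunnel is forwarded upstream; non-VPN users admitted
# by the portal are allowed per address and bandwidth-capped.
# Interface names, addresses, ports and the rate cap are assumptions for
# illustration; adjust them to your own gateway.

WLAN=wlan0           # assumed: open wireless interface
TUN=tun0             # assumed: OpenVPN tunnel interface
WAN=eth0             # assumed: upstream (internet) interface
GW_IP=192.168.10.1   # constructed: gateway address on the wireless segment
VPN_PORT=1194        # OpenVPN's default UDP port
PORTAL_PORT=8080     # assumed: where the captive portal listens on the gateway
PORTAL_RATE=512kbit  # assumed: bandwidth cap for portal (non-VPN) users
PORTAL_MARK=2        # packet mark that selects the capped traffic class

# Print the iptables/tc commands for the base policy, one per line. Keeping the
# policy in a function lets it be reviewed (dry run) before it is applied.
wireless_rules() {
    # Gateway-bound traffic from the open segment: replies, DHCP, DNS, VPN, portal.
    echo "iptables -A INPUT -i $WLAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN -p udp --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN -d $GW_IP -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN -d $GW_IP -p udp --dport $VPN_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN -d $GW_IP -p tcp --dport $PORTAL_PORT -j ACCEPT"
    # Everything else aimed at the gateway from the open segment is dropped.
    echo "iptables -A INPUT -i $WLAN -j DROP"
    # Unauthenticated web traffic is redirected to the portal so the AUP is shown.
    echo "iptables -t nat -A PREROUTING -i $WLAN -p tcp --dport 80 -j REDIRECT --to-ports $PORTAL_PORT"
    # Only traffic that arrives through the VPN tunnel is forwarded upstream.
    echo "iptables -A FORWARD -i $TUN -o $WAN -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN -o $TUN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Plain wireless traffic is never forwarded; portal_allow inserts per-client
    # exceptions ahead of this DROP once a user has accepted the AUP.
    echo "iptables -A FORWARD -i $WLAN -j DROP"
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
    # Shaping: marked packets leaving either interface go into a capped HTB class.
    for dev in $WAN $WLAN; do
        echo "tc qdisc add dev $dev root handle 1: htb default 1"
        echo "tc class add dev $dev parent 1: classid 1:1 htb rate 100mbit"
        echo "tc class add dev $dev parent 1: classid 1:$PORTAL_MARK htb rate $PORTAL_RATE ceil $PORTAL_RATE"
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle $PORTAL_MARK fw flowid 1:$PORTAL_MARK"
    done
}

# Print the commands that admit one non-VPN client (by address) after it has
# accepted the AUP: stop redirecting its web traffic, forward it, and mark it
# in both directions so the shaper caps it.
portal_allow() {
    ip=$1
    echo "iptables -t nat -I PREROUTING 1 -i $WLAN -s $ip -j ACCEPT"
    echo "iptables -t mangle -A FORWARD -i $WLAN -s $ip -j MARK --set-mark $PORTAL_MARK"
    echo "iptables -t mangle -A FORWARD -o $WLAN -d $ip -j MARK --set-mark $PORTAL_MARK"
    echo "iptables -I FORWARD 1 -i $WLAN -s $ip -o $WAN -j ACCEPT"
    echo "iptables -I FORWARD 1 -i $WAN -d $ip -o $WLAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Execute a printed rule list for real (needs root); each line is one command.
run_rules() {
    while read -r cmd; do eval "$cmd"; done
}

case "${1:-}" in
    dry-run) wireless_rules ;;
    apply)   wireless_rules | run_rules ;;
    admit)   portal_allow "$2" | run_rules ;;
esac
```

Run the script with `dry-run` to review the policy, with `apply` as root to install it, and have the captive portal invoke `admit <client-ip>` once a user has accepted the AUP (the portal's own session handling, and expiring admitted clients, is out of scope here). The property worth checking is the two DROP rules: nothing from the open segment reaches the gateway or the internet unless it is VPN-bound or has been explicitly admitted and capped.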
