A Russian company has started selling a cheap system for cracking WPA encryption keys, but should companies using Wi-Fi be at all worried?
Security consultancy GSS certainly thinks so, and put out a media comment article to sum up the feelings of its managing director, David Hobson. Normally, we don't bother with comment/response pieces to news stories, but given that GSS has been the only company to make the uncomfortable point that the system could be used for ill purposes (officially, we should state, it is a tool for recovering passwords, not cracking them), we'll indulge them.
"Let's not beat about the bush here. If a user builds a custom PC with four high-end graphics cards and installs the £599 software, they then have a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months," said Hobson.
Assuming the system works as claimed (Hobson says it uses the power of multiple Nvidia or ATI graphics processors, together with a packet sniffer, to crunch possible key combinations), at worst it only affects WPA/WPA-PSK users with keys of 8 characters. How many companies use keys of that basic length? Very few, and if they do then it is trivial to increase them to a grown-up number of characters, or just make sure authentication is also turned on.
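The effect of key length on exhaustive search can be checked with a short passphrase audit. This is an added example, not part of the original article: the guess rate is an assumed figure, not one from the vendor or GSS, and the function names are hypothetical.

```python
import string

# Assumed figure for illustration; not a rate from the article or the vendor.
ASSUMED_GUESSES_PER_SEC = 100_000
SECONDS_PER_YEAR = 365 * 24 * 3600
# Character classes a WPA passphrase can draw on (95 printable ASCII in total).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def is_valid_passphrase(passphrase):
    """WPA-PSK passphrases are 8 to 63 printable ASCII characters."""
    return (8 <= len(passphrase) <= 63
            and all(32 <= ord(ch) <= 126 for ch in passphrase))


def alphabet_size(passphrase):
    """Combined size of the character classes the passphrase draws on."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))


def exhaustive_years(length, alphabet, rate=ASSUMED_GUESSES_PER_SEC):
    """Years to try every key of this length: alphabet**length guesses."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


def min_length(target_years, alphabet, rate=ASSUMED_GUESSES_PER_SEC):
    """Shortest valid length whose full search takes at least target_years."""
    needed = target_years * SECONDS_PER_YEAR * rate
    length = 8
    while alphabet ** length < needed and length < 63:
        length += 1
    return length


def audit(passphrase, target_years=1000, rate=ASSUMED_GUESSES_PER_SEC):
    """Upper bound only: dictionary words and default keys fall far sooner."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII chars")
    size = alphabet_size(passphrase)
    years = exhaustive_years(len(passphrase), size, rate)
    return {"alphabet": size, "years": years, "ok": years >= target_years,
            "min_length": min_length(target_years, size, rate)}


if __name__ == "__main__":
    # Constructed sample keys, not taken from any real network.
    for key in ("abcdefgh", "abcdefghijklmnop", "12345678"):
        print(key, audit(key))
```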
The people who should be worried are probably ordinary consumers, many of whom still use default passwords for access to Wi-Fi access points, even if they use longer keys. But the chances of a system of this ilk being used to wardrive ordinary punters seem little more than a theoretical risk.
What we now know is that short keys, like short passwords, are not secure. But we knew that already.