ElcomSoft Co. Ltd., a Moscow-based “password recovery” company, has announced that its software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia. This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted with the WPA or WPA2 algorithms. British security consultancy Global Secure Systems says that this is “extremely worrying” and has indicated that this means that WiFi networks are no longer secure.
Decrypting wireless traffic by guessing the encryption key, a “brute force” decryption, has been a possibility for some time; however, the limited computing power of most personal computers has kept this from becoming a realistic threat (e.g., a computer attempting to guess the right password might take months or years to guess correctly). New leaps in computing power have changed this landscape. Computer graphics card companies like Nvidia have opened up the computing power bottleneck by allowing developers to run programs on the high-powered parallel processors used in consumer graphics cards. The end result is that buying a new video card and a $1,200 software package reportedly could speed up a brute force decryption 10,000 percent (and the same graphics card will let you play the newest PC games and speed up a variety of other, more innocent applications like Adobe Photoshop). As a result, what we send over wireless networks, everything from passwords to email, could be intercepted and decrypted relatively easily.
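To gauge what such a speed-up means for a given passphrase policy, the following Python sketch (an added example, not ElcomSoft's software or anything from the original article) measures how fast one machine can derive WPA/WPA2 pre-shared keys and projects how long an exhaustive search would take. It assumes the reported "10,000 percent" corresponds to a 100x factor over the measured CPU rate; the SSID and passphrases are constructed placeholders.

```python
import hashlib
import time

WPA_ITERATIONS = 4096   # PBKDF2-HMAC-SHA1 rounds fixed by WPA/WPA2-PSK
SPEEDUP = 100           # assumption: the article's "10,000 percent" read as 100x
YEAR = 365 * 24 * 3600  # seconds

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key; each guess costs one of these."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               WPA_ITERATIONS, 32)

def measure_rate(samples: int = 20) -> float:
    """Derivations per second on one core of this machine (the CPU baseline)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"constructed-{i:04d}", "ExampleSSID")  # constructed inputs
    return samples / (time.perf_counter() - start)

def years_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case years to try every passphrase of this alphabet and length."""
    return alphabet ** length / rate / YEAR

def min_length(alphabet: int, rate: float, target_years: float) -> int:
    """Shortest valid passphrase (8 to 63 chars) that outlasts target_years."""
    for length in range(8, 64):
        if years_to_exhaust(alphabet, length, rate) >= target_years:
            return length
    raise ValueError("no passphrase length in 8..63 meets the target")

if __name__ == "__main__":
    cpu = measure_rate()
    print(f"measured CPU baseline: {cpu:.0f} guesses/s")
    for name, alphabet in (("lowercase", 26), ("alphanumeric", 62), ("printable", 95)):
        for label, rate in (("CPU", cpu), ("GPU x100", cpu * SPEEDUP)):
            print(f"{name:12} {label:8} 8 chars: "
                  f"{years_to_exhaust(alphabet, 8, rate):12.3g} years; "
                  f"length for 100 years: {min_length(alphabet, rate, 100)}")
```

The projection covers random passphrases only; a passphrase built from dictionary words falls far sooner than its length suggests.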
David Hobson of Global Secure Systems indicates that anyone with a high-end graphics card has “a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months.” In an interview with SC Magazine, Hobson takes the view that additional security measures, such as running an encrypted VPN (Virtual Private Network), are now necessary to comply with the UK Data Protection Act. Similarly, U.S. companies in the EU Safe Harbor Program or complying with U.S. information security rules, such as Gramm-Leach-Bliley Act regulations, HIPAA or federal and state identity theft rules, need to consider whether their wireless networks are appropriately secured against this threat. Businesses transferring regulated information on WiFi networks may need to adjust their information security programs and practices accordingly.