(1) They're cracking pre-shared keys, which is the least secure mode of deployment for WPA2; they can "crack" it because it's essentially password-protected. Modern wireless security use crypto-strong keys derived from secure authentication. That's not how home wireless networks get deployed, but it is how corporate wireless networks are set up.
(2) Nobody who cares about security relies on WEP or WPA; they use 802.11 to set up an insecure last-mile to VPN through. Nobody has broken any popular VPN protocol in the last 5 years.
Its only meant to be kinda close to wired equivalence - if someone really wants to snoop, there are ways to do it with wired as well (even without physically breaking in to the cable).
So yes, you security has to come from other layers (VPN, SSL for web etc).
WPA2 with EAP is end-to-end crypto strong; there's no funky password derivation function to brute-force, the packets are AES keyed randomly after a (most likely) TLS key exchange. I'm not saying I'd choose it --- too many moving parts --- but you can make the argument that modern wireless security is more secure than wired networks.
Yes good point, but its really going beyond what most people should care about. Of course, if it was easy to setup, and the work was not expensive in power/CPU, why not !
Because no operating system secures IP by default, so without something in place, wireless is devastatingly insecure.
The first round of wireless security protocols were a hack, a veneer of security designed to give the perception that 802.11 was "at least as secure" as your office Ethernet, which you'd want to secure with SSL or IPSEC anyways. That strategy failed.
The most recent round of protocols is every bit as sophisticated as IPSEC. It's no longer the design goal to provide something that's "good enough" for normal stuff, and to run VPN over for everything else.
There's a lot of moving parts in WPA2-Enterprise/EAP, and I don't love it. But it's no longer a silly strategy.
I'm not aware of any standards for Ethernet crypto before WEP, so I don't know what they would have borrowed. Something from DOCSIS maybe. Heck, the IEEE didn't even come up with MACsec until recently.
That's what the Wi-Fi Alliance does, they make new protocols. But truly, no ubiquitous wireless protocol should be trusted for any private data. Those protocols are (or should be) only meant for home users.
No offense, but this statement doesn't mean anything at all. Clearly, within the next 10 years, enterprises are going to move en masse to wireless. The cost savings are too high.
The solutions may not look like they do today --- I won't cry --- but the fundamental problem is going to need to get solved. Maybe it'll be opportunistic Teredo/6to4-style network layer security, and maybe it'll be something app layer, but something is going to get done here.
Sounds like they only increased the speed of brute force attacks. Use a strong password and you'll be fine.
EDIT: That said, at least for me, the main reason I need wireless encryption is to prevent neighbors from using it. It would be silly to rely on wireless encryption to safeguard sensitive network activity. That's what SSH, SSL, etc. are for.
From their flowerly press release: "With billions of possible combinations, it can take years to break into a WPA/WPA2 protected network. However, WPA/WPA2 protected networks are not immune against distributed attacks performed with GPU-accelerated algorithms. With the latest version of Elcomsoft Distributed Password Recovery, it is now possible to crack WPA and WPA2 protection on Wi-Fi networks up to 100 times quicker with the use of massively parallel computational power of the newest NVIDIA chips."
Now if only I could somehow get Eclipse to use my GPU to do a compile
Elcomsoft is the same place where Dmitry Sclyarov worked when Adobe tried to put him in jail for breaking PDF "encryption": http://www.freesklyarov.org/
I have been using VPNs for years. It's sweet to connect to insecure, possibly malware-intensive, password-grabbing "free" wireless spots that abound around hotels and airports and grab all their bandwidth while everything they get is highly secure cryptographed data.
I say that if they ever get my data, they should at least deserve it.
Does anyone have any hard data on the prevalence of random WiFi hacking? I think the chances of someone trying a GPU-accelerated bruteforce attack on my home network is ridiculously low.
(1) They're cracking pre-shared keys, which is the least secure mode of deployment for WPA2; they can "crack" it because it's essentially password-protected. Modern wireless security use crypto-strong keys derived from secure authentication. That's not how home wireless networks get deployed, but it is how corporate wireless networks are set up.
(2) Nobody who cares about security relies on WEP or WPA; they use 802.11 to set up an insecure last-mile to VPN through. Nobody has broken any popular VPN protocol in the last 5 years.