
Google WIFI sniffing trial

The lawsuit was brought after Google said its cars, which photographed neighborhoods for Street View and identified Wi-Fi networks as part of its mapping, mistakenly vacuumed up e-mail messages, user passwords and other communications from 2008 to 2010. As much as $10,000 is being sought for each affected Wi-Fi user, possibly millions of Americans whose data was captured by Google, according to plaintiffs’ lawyers. Class-action status for the case hasn’t been addressed yet.

http://www.bloomberg.com/news/2014-...undup-mistake-has-lawyers-eyeing-jackpot.html

No problem here. I use WPA2 AES and a 64 digit key. LOL!
 
Here's the kicker whenever anyone brags about their wifi password length.

The password is hashed into the proper key length to satisfy the encryption bit length.

In other words, if your password is one digit or 100 digits, the encryption is just as secure from a non-brute force perspective.

Not aimed at you OP, just pointing it out.
 
Here's the kicker whenever anyone brags about their wifi password length.

The password is hashed into the proper key length to satisfy the encryption bit length.

In other words, if your password is one digit or 100 digits, the encryption is just as secure from a non-brute force perspective.

Not aimed at you OP, just pointing it out.

And your point? In order to use a brute force password attack on an access point, you would need a custom wireless network stack to bypass the key-to-hash conversion, meaning such things are still out of the realm for common users. You would still need to brute force the original key to make the attack usable on common end user platforms, which means all the e-peen waving is still perfectly valid.
 
350x232px-d4837514_Point_over_your_head.jpeg
 
Here's the kicker whenever anyone brags about their wifi password length.

The password is hashed into the proper key length to satisfy the encryption bit length.

In other words, if your password is one digit or 100 digits, the encryption is just as secure from a non-brute force perspective.

Not aimed at you OP, just pointing it out.


64 hex characters = 256 binary bits:

Each of the 64 hexadecimal characters encodes 4 bits of binary data, so the entire 64 characters is equivalent to 256 binary bits — which is the actual binary key length used by the WiFi WPA pre-shared key (PSK). Some WPA-PSK user interfaces (such as the one in Windows XP) allow the 256-bit WPA pre-shared key to be directly provided as 64 hexadecimal characters. This is a precise means for supplying the WPA keying material, but it is ONLY useful if ALL of the devices in a WPA-protected WiFi network allow the 256-bit keying material to be specified as raw hex. If any device did not support this mode of specification (and most do not) it would not be able to join the network.

Make sense? https://www.grc.com/passwords.htm
 
Make sense? https://www.grc.com/passwords.htm

You missed the part where there is a hash involved.

I'll put it this way. The encryption is secured at a predefined bit length. Your pre-hashed key has nothing to do with that length.

So in theory it is impossible to crack WPA regardless of password length assuming no brute force.

If brute force is used, you really want to weigh convenience vs having an impossible to remember password. I contend that a 13 character password with special characters, numbers, and capitals is as good for all intents and purposes for brute force prevention. It's the difference between 30 quintillion years vs 120 years to crack. If that's worth the trouble of not being able to memorize the wifi key then more power to you.
 
If that's worth the trouble of not being able to memorize the wifi key then more power to you.


The key doesn't have to be memorized. I'm not typing a 64 digit key every time I connect. The WIFI connection client saves the key.

You can only brute force WPA and WPA2 makes it much harder. Read here, it's brute forcing.

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
http://www.aircrack-ng.org/doku.php?id=cracking_wpa

In my case I use 64 hex digits.
 
You missed the part where there is a hash involved.

I'll put it this way. The encryption is secured at a predefined bit length. Your pre-hashed key has nothing to do with that length.

So in theory it is impossible to crack WPA regardless of password length assuming no brute force.

If brute force is used, you really want to weigh convenience vs having an impossible to remember password. I contend that a 13 character password with special characters, numbers, and capitals is as good for all intents and purposes for brute force prevention. It's the difference between 30 quintillion years vs 120 years to crack. If that's worth the trouble of not being able to memorize the wifi key then more power to you.

And I contend that at the rate of exponential growth of computing power, I'd rather have the difference of several orders of magnitude between your 13 characters+special versus my n+1 characters+special, since that technology growth means the difference between your password getting cracked in a few hours tomorrow and mine getting cracked in a few quadrillion years tomorrow.

If you feel the point is lost on me, you're obviously sorely mistaken. There's a much bigger picture than the narrow focus you're harping on. Perhaps you should adjust your scope.
 
And I contend that at the rate of exponential growth of computing power, I'd rather have the difference of several orders of magnitude between your 13 characters+special versus my n+1 characters+special, since that technology growth means the difference between your password getting cracked in a few hours tomorrow and mine getting cracked in a few quadrillion years tomorrow.

If you feel the point is lost on me, you're obviously sorely mistaken. There's a much bigger picture than the narrow focus you're harping on. Perhaps you should adjust your scope.

I'll concede that longer psk is in theory more secure. As far as anything else, I'll not go through the math since, just as you point out, I feel the point will be missed. We'll agree to disagree and leave it at wifi security opinions are variable.
 
I'll concede that longer psk is in theory more secure. As far as anything else, I'll not go through the math since, just as you point out, I feel the point will be missed. We'll agree to disagree and leave it at wifi security opinions are variable.

I've already conceded that brute forcing the hash rather than the key is a legitimate end, but not a technically feasible one on a widespread scale. It's those technical limitations which make the magnitude of difficulty higher than the mathematics behind the attack suggest in this case. Yes, it's doable, but of limited utility.
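
Added example, not part of any post in this thread: a sketch of how a WPA/WPA2-Personal passphrase becomes the 256-bit pre-shared key (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations), next to the size of the guess space that the secret itself provides. The function names and the sample secrets are constructed for illustration.

```python
import hashlib
import math
import string


def wpa_psk(secret: str, ssid: str) -> bytes:
    """Return the 256-bit PSK used by a WPA/WPA2-Personal network."""
    # 64 hex digits are taken as the raw 256-bit key: no hashing step.
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return bytes.fromhex(secret)
    # Anything else is a passphrase, which must be 8 to 63 characters.
    if not 8 <= len(secret) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    # The SSID is the salt, so the same passphrase yields a different
    # key on a network with a different name.
    return hashlib.pbkdf2_hmac(
        "sha1", secret.encode("ascii"), ssid.encode(), 4096, 32
    )


def effective_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random secret, capped at the key size.

    The derived key is always 256 bits, but someone guessing secrets
    only has to cover the space the secret was drawn from.
    """
    return min(256.0, length * math.log2(alphabet_size))


if __name__ == "__main__":
    # Constructed sample secrets: (description, length, alphabet size).
    samples = [
        ("8 lowercase letters", 8, 26),
        ("13 printable ASCII", 13, 95),
        ("63 printable ASCII", 63, 95),
        ("64 hex digits (raw key)", 64, 16),
    ]
    for name, length, alphabet in samples:
        print(f"{name:26s} ~{effective_bits(length, alphabet):6.1f} bits")
    # Output size is 32 bytes regardless of passphrase length.
    for phrase in ("a" * 8, "a" * 63):
        print(len(phrase), "chars ->", len(wpa_psk(phrase, "ExampleSSID")), "bytes")
```
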
 