PPTP is Dead, Too

PPTP is Dead, Too.
Microsoft's VPN protocol PPTP is now dead, too: It's been known for a
while that MSCHAPv2 authentication was a bad idea, and PPTP
(Point-to-Point Tunneling Protocol) relies by default on this method of
credentials. George Ou explains how Joshua Wright, developer of the
Cisco LEAP breaking software Asleap has simply added PPTP breaking to
the mix. Both protocols are weak enough that a weak key choice–short
and found in a dictionary with some variation–can be broken by
iterating through a very large database of precomputed password hashes
that a cracker has put together in advance. They don't have to crack
the authentication process, just grab the transaction and run it on
their own computer against their hashes at a rate of 45 million
passwords per second on a normal desktop computer, Ou writes. Laptops
would be slightly slower. Ou notes that he thought LEAP and PPTP had
similar weaknesses, and Wright's update–made only after contacting
Microsoft and being quite decidedly rebuffed over his concern–shows he
was correct. Long, complex, user-managed passwords can still protect
PPTP because this is a brute-force attack. You can also switch to using
EAP-TLS for the credential exchange in PPTP, but that then requires
corporate public-key infrastructure. WPA has a similar problem with
weak passwords but it's tied to an SSID. So you can't precompute
generally for passwords as with the LEAP and PPTP weakness, but you
could precompute passwords against common SSIDs, like linksys.
Assuming, as wardrivers have discovered, that the vast majority of base
stations have a default SSID, this makes it a little simpler, but not
trivial. Likewise, only weak WPA passwords can be broken, so you're
stuck for people who throw in a couple of exclamation points. I'm just
testing Buffalo's new VPN (PPTP) router, and discovered that they set
the default SSID to the MAC address of the unit, which, although ugly
looking in a list of available networks, would defeat a precomputed
default SSID password database. (Thanks to Robert Moskowitz for a prod
to clarify this.) When I say a security protocol is dead, I don't mean
that it's actually impossible to use. It's just that you can no longer
use it with any degree of assurance that the purpose for which it was
intended can be fulfilled. It's like driving a car with a cracked
windshield. It keeps the bugs off, but it's not really safe to drive…
[Wi-Fi Networking News]

Leave a comment