Russian security company Elcomsoft just posted a press release (original PDF) detailing a new method to crack WPA and WPA2 keys:

With the latest version of Elcomsoft Distributed Password Recovery, it is now possible to crack WPA and WPA2 protection on Wi-Fi networks up to 100 times quicker with the use of massively parallel computational power of the newest NVIDIA chips. Elcomsoft Distributed Password Recovery only needs a few packets intercepted in order to perform the attack.

The 100-fold increase in speed is achieved with two GeForce GTX 280s per workstation; for €599 you can build a network of 20 workstations dedicated to “recovering” your “lost” WPA keys. This means that a WPA or WPA2 key could be cracked in days or weeks instead of years.

This has prompted security firm GSS to advise their clients to add an additional layer of protection to their Wi-Fi networks:

“This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data,” said GSS managing director David Hobson. “As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well.”

But the question remains how long it will take until the next generation of GPUs or custom-designed chips breaks VPN encryption as well. DES encryption can already be broken quite easily with custom-built machines, and while AES appears to be better on paper, there is no guarantee that there isn’t some hidden flaw in the algorithm. GSS agrees:

Hobson added that the development could spur a step back from wireless to wired network connections in sensitive installations, such as financial services organisations, that are particularly concerned about data privacy.

Update: This will, of course, mainly affect simple ASCII keys. And it will only work against static keys; anyone using more complicated authentication schemes will not be at risk for now. But since that takes a couple of extra minutes when installing, smaller businesses or departments often skip setting this up.
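To put the update in numbers, here is an added example (not from Elcomsoft or the original post) that derives a static WPA/WPA2 key the way the 802.11i standard specifies and estimates how long an exhaustive search of a passphrase's keyspace takes with and without the 100-fold speedup. The 100x factor and the 20 workstations come from the article; the CPU guess rate and the sample passphrases are assumptions.

```python
import hashlib
import string

# Figures taken from the article
GPU_SPEEDUP = 100    # "up to 100 times quicker"
WORKSTATIONS = 20    # size of the cluster mentioned above
# Assumption (not from the article): CPU-only guesses per second per workstation
ASSUMED_CPU_RATE = 500

# Printable ASCII split into character classes (26 + 26 + 10 + 33 = 95 symbols)
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def wpa_pmk(passphrase, ssid):
    """Static-key (PSK) derivation per 802.11i: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output. Every guess has to pay this cost."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), 4096, 32)


def charset_size(passphrase):
    """Number of symbols in the character classes the passphrase draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))


def days_to_exhaust(passphrase, gpu):
    """Upper bound: days to try every string of this length and character mix.
    Dictionary words fall much sooner than this bound suggests."""
    rate = ASSUMED_CPU_RATE * WORKSTATIONS * (GPU_SPEEDUP if gpu else 1)
    return charset_size(passphrase) ** len(passphrase) / rate / 86400


if __name__ == "__main__":
    print("PMK for constructed network:", wpa_pmk("password", "ExampleNet").hex())
    # Constructed sample passphrases, weakest first
    for pw in ("password", "Summer2008", "q7#Lw!z2Rk@9xVb$e4Tn"):
        print(f"{pw!r:24} CPU: {days_to_exhaust(pw, False):.3g} days"
              f"   GPU: {days_to_exhaust(pw, True):.3g} days")
```

A 100-fold speedup removes fewer than seven bits of effective key strength, which is why it matters for short, simple passphrases and not for long random ones.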