PPTP Gets Cracked
The Black Hat hackers convention in Las Vegas is a sort of safe crackers convention for the modern world. If many of the participants are the modern equivalents of safe crackers, then Moxie Marlinspike showed up with a lot of dynamite.
This accomplished hacker utilized his CloudCracker Web service to demonstrate that he is able to get through the security on any PPTP VPN utilizing the MS-CHAPv2 protocol. If you think that this doesn’t affect you because you’re not using PPTP security on your VPN connection, be aware that MS-CHAPv2 is also used for the WPA2-Enterprise security on wireless access points.
How Important Is This?
It’s important to keep in mind exactly what Marlinspike proved. By utilizing his online cracking tool, he demonstrated that he could get through any password, no matter how complex it may be. The first step was using ChapCrack, which allow the hacker to reduce the handshake involved on a PPTP VPN or WPA2-Enterprise connection utilizing MS_CHAPv2 to a single DES key, according to a report in PC World. That key was then submitted to another tool, CloudCracker, which went ahead and decrypted the key. This can be done to any key within 24-hours.
It’s long been known that PPTP VPN connections are not secure. They do provide encryption, which prevents somebody from being able to see what you’re doing online by simply sniffing the network, but the security used on these connections is not up to par with what people would expect for the highest levels of security.
The point of the Black Hat conference is not to provide people with tools to compromise the security of everyday users. In fact, the point of the conference is rather like having a locksmith examine the locks on your windows and doors. By showing you where security holes exist, these hackers provide valuable information that businesses and individuals can use to secure themselves better.
What Should You Do?
All of our recommended VPN providers offer protocols other than PPTP security. The other options include IPSec and OpenVPN, both of which are far more secure than the PPTP protocol. In fact, with a high enough level of encryption, IPSec is even used by governments to transmit top-secret information.
Marlinspike recommends that businesses and users switch over to one of these protocols and not use PPTP. If you are using VPN encryption to protect yourself from having your ISP spy on your activity online, it’s a good idea to move over to one of the other protocols. IPSec uses far more processing power than PPTP. OpenVPN is more efficient. Either, however, should run very well on any modern computer.