[ad]
Interesting research from Elcomsoft, using the parallel processing capacity of graphics cards to speed up the password cracking process.
Pretty inventive thinking, as graphics cards get more and more powerful, and they are created to do massive parallel tasks for all the latest and greatest games, why not apply it to password cracking!
A technique for cracking computer passwords using inexpensive off-the-shelf computer graphics hardware is causing a stir in the computer security community.
Elcomsoft, a software company based in Moscow, Russia, has filed a US patent for the technique. It takes advantage of the “massively parallel processing” capabilities of a graphics processing unit (GPU) – the processor normally used to produce realistic graphics for video games.
Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company’s CEO, Vladimir Katalov.
A top end graphics cards makes your cracking 25 times faster, now that’s a pretty impressive increase if you ask me. Worth investing for regular pen-testers who do a lot of cracking to test password strength.
The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous computer processing time to crack using a computer’s central processing unit (CPU). By harnessing a $150 GPU – less powerful than the nVidia 8800 card – Elcomsoft says they can cracked in just three to five days. Less complex passwords can be retrieved in minutes, rather than hours or days.
Elcomsoft says it took three months to develop code to take advantage of a GPU, and the company plans to introduce the feature into some of its password cracking products over time.
I’ll be watching where this goes and will be interested to see if any open source tools come out capitalise on the GPU capability.
Source: New Scientist
Goodpeople says
This is very genius. Why didn’t I think of this? After all, password cracking comes down to raw computing power.
I’d like to see the first password crackers to incorporate this technique.
Bogwitch says
As soon as I read this, it reminded me of Aspex Semiconductors – They make PCI boards with 4096 parallel processors running at 300MHz, supported with a small amount of RAM. I considered these for password cracking as the boards are (relatively) cheap. Unfortunately, the developers pack was (and maybe still is) rather expensive.
dirty says
Read this article a couple of weeks ago about this GPU cracking…
My fav quote is from John Callas from Columbia University(NYC)…”Once you’ve shown you can do cryptography with a graphics card Latest News about graphics card, doing cryptanalysis with a graphics card is really the same sort of thing,” he reasoned.
“Once you’ve heard you can make a frozen daiquiri with a blender, it’s like saying the frozen Pina Colada is a new invention,” he analogized. “It’s not really a new invention. It’s changing the ingredients and realizing the blender works that way.”
Anyway its still interesting nonetheless and whether or not its patentable, I definitely think this is going to prove to be useful.
Foo says
Applying the vector processing of GPGPU for password cracking is as old as the talk of GPGPU’s. Schneier covered this a few weeks ago and the commentary was very good:
http://www.schneier.com/blog/archives/2007/10/speeding_up_pas.html
James says
Very old news Folding@home have being running code on GPU’s(ATI X1900,PS3
normalsecrecy says
so does this mean we need to be concerned about botnets exploiting graphics cards on sweet gamer pc setups? just think how powerful a distributed cracker would be. passwords would be jacked in seconds! scary cool development.
Nobody_Holme says
People with really fancy gaming rigs are usually fairly sensible, and thus immune to being botnetted… at least, I hope they are. I cant wait for the GPU manufacturers to come up with something to “stop” this…
Pantagruel says
Like -Foo- and -James- already mention, age old news. Both Nvidia and Ati released their GPU toolkits quite a while ago.
Ofcourse I would be very interested to see the first p0wn3d SLI setup.
It’s my guess however that PS3 owners will be a more suitable target, heaps of computing power, networked by default and quite a user base.
All we have to do is wait for a real world PS3 exploit to turn them in to botnet drones.
Nobody_Holme says
That could be tasty… console owners suck at security mostly… Case in point is my housemate’s Wii… He runs it on our wireless network, the security settings on the switch for which are all off, to let me play… But the Wii itself looks to have no firewall or protection from malware at all… admittedly, neither does it have much proccessing power, but then, botnets dont need all that much power in each component if they have access to enough units, so…
I think i’ll be watching network traffic more closely for a while now i’ve said this…
Sir Henry says
@Nobody_Holme:
Have you seen any news out there about malware being crafted specifically for the Wii (or PS3 for that matter)? Not personally knowing the base OS/kernel for these consoles, I wonder what kinds of “proof-of-concept” examples are out there for these.
eM3rC says
@Sir Henry
No I have not heard of that. Sounds very interesting. I remember when cellphone viruses were a big deal. I guess the hackers have moved on.
What would be the point of hacking a Wii or PS3 aside for pissing a lot of people off? I could see maybe with an XBox live account you could use the credit card on the account to buy a lot of games but other than that I still don’t see a reason for it.
zupakomputer says
re: taking over consoles – if that were done they could be used to do a lot of processing; the PS3s for example are utilised on a sort of passive sleep mode (unused clock cycles & when not in use) to do the folding@home mentioned.
This topic area is bound to get all the more interesting as the graphics cards continue to get more powerful – there’s now triple SLI, and DDR3 RAM on them is more and more common.
Also, the high-end gaming PC is becoming more common too with folks buying them off the shelf! So not as security-conscious as may be thought.
Add in ever growing interest in bit-torrent and there’s a huge potential for those botnets to operate on.
(not entirely on-topic but of interest – the gaming card Killer NIC is a linux-running network card that does packet prioritising for gaming, and enables things like down/up loading all without calling on the CPU; it was UDP-only on launch, but it comes with a kit – I’m not sure how much tweaking etc has been achieved as yet but it certainly caught my eye anyway when I read about it.)
vxnuke says
There Is An Open Source Program Out There Now Its Called “PYRIT”
Navin says
Hey thanks vxnuke …..for those who wanna know more, chk out http://code.google.com/p/pyrit/