Microsoft's VPN protocol PPTP is now dead, too: It's been known for a while that MSCHAPv2 authentication was a bad idea, and PPTP (Point-to-Point Tunneling Protocol) relies by default on this method of credentials. George Ou explains how Joshua Wright, developer of the Cisco LEAP breaking software Asleap has simply added PPTP breaking to the mix.
Both protocols are weak enough that a weak key choice--short and found in a dictionary with some variation--can be broken by iterating through a very large database of precomputed password hashes that a cracker has put together in advance. They don't have to crack the authentication process, just grab the transaction and run it on their own computer against their hashes at a rate of 45 million passwords per second on a normal desktop computer, Ou writes. Laptops would be slightly slower.
Ou notes that he thought LEAP and PPTP had similar weaknesses, and Wright's update--made only after contacting Microsoft and being quite decidedly rebuffed over his concern--shows he was correct. Long, complex, user-managed passwords can still protect PPTP because this is a brute-force attack. You can also switch to using EAP-TLS for the credential exchange in PPTP, but that then requires corporate public-key infrastructure.
WPA has a similar problem with weak passwords but it's tied to an SSID. So you can't precompute generally for passwords as with the LEAP and PPTP weakness, but you could precompute passwords against common SSIDs, like linksys. Assuming, as wardrivers have discovered, that the vast majority of base stations have a default SSID, this makes it a little simpler, but not trivial. Likewise, only weak WPA passwords can be broken, so you're stuck for people who throw in a couple of exclamation points. I'm just testing Buffalo's new VPN (PPTP) router, and discovered that they set the default SSID to the MAC address of the unit, which, although ugly looking in a list of available networks, would defeat a precomputed default SSID password database. (Thanks to Robert Moskowitz for a prod to clarify this.)
When I say a security protocol is dead, I don't mean that it's actually impossible to use. It's just that you can no longer use it with any degree of assurance that the purpose for which it was intended can be fulfilled. It's like driving a car with a cracked windshield. It keeps the bugs off, but it's not really safe to drive with.
The real answer is switching from PPTP to the more robust L2TP (Layer 2 Tunneling Protocol) and IPsec combination. This more robust combination of protocols was designed, in part, to avoid the weak key choice problem that's plaguing other standards. Ou is right: users shouldn't be blamed for bad key choice; encryption designers, rather, should.
Josh already has a WPA cracker. Go to http://www.remote-exploit.org/?page=codes to find it. It is not related to MSCHAPv2 cracking or the ASLEAP tool. They are quite different in fact and it is about 1 million times slower. Typical cracking speeds on a desktop is about 70 pass phrases per second on a powerful desktop. It's useful for attacking dictionary words and some minor variations, but it is one million times slower so you can't do large variations against a 4 TB database.
As best I can tell, PPTP is no longer used that much relative to L2TP. That said, if someone is using PPTP, they should be worried enough to switch to alternative solutions. I wrote more about this on my Common Sense Technology weblog at http://mitchellconsulting.net/commonsense/2004/12/microsofts-pptp-broken.html
Ed