Paper 2016/547

Efficient High-Speed WPA2 Brute Force Attacks using Scalable Low-Cost FPGA Clustering

Markus Kammerstetter, Markus Muellner, Daniel Burian, Christian Kudera, and Wolfgang Kastner


WPA2-Personal is widely used to protect Wi-Fi networks against illicit access. While attackers typically use GPUs to speed up the discovery of weak network passwords, attacking random passwords is considered to quickly become infeasible with increasing password length. Professional attackers may thus turn to commercial high-end FPGA-based cluster solutions to significantly increase the speed of those attacks. Well known manufacturers such as Elcomsoft have succeeded in creating world's fastest commercial FPGA-based WPA2 password recovery system, but since they rely on high-performance FPGAs the costs of these systems are well beyond the reach of amateurs. In this paper, we present a highly optimized low-cost FPGA cluster-based WPA-2 Personal password recovery system that can not only achieve similar performance at a cost affordable by amateurs, but in comparison our implementation would also be more than $5$ times as fast on the original hardware. Since the currently fastest system is not only significantly slower but proprietary as well, we believe that we are the first to present the internals of a highly optimized and fully pipelined FPGA WPA2 password recovery system. In addition we evaluated our approach with respect to performance and power usage and compare it to GPU-based systems.

Available format(s)
Publication info
Published by the IACR in CHES 2016
FPGAWPA2SecurityBrute ForceAttacks
Contact author(s)
mk @ seclab tuwien ac at
k @ auto tuwien ac at
2016-06-02: received
Short URL
Creative Commons Attribution


      author = {Markus Kammerstetter and Markus Muellner and Daniel Burian and Christian Kudera and Wolfgang Kastner},
      title = {Efficient High-Speed WPA2 Brute Force Attacks using Scalable Low-Cost FPGA Clustering},
      howpublished = {Cryptology ePrint Archive, Paper 2016/547},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.