Brute force attack on Windows Vista product keys?

This morning, as I was checking my feeds while standing in line waiting for coffee, I saw a few headlines about a reported brute force attack on product keys for Windows Vista. The attack randomly searches for legit keys. This is called a brute force attack because there really isn't much intelligence involved; the goal is just to cycle randomly through key after key after key until a legit one is found. One report indicates that the script written to perform this attack goes through about a thousand keys every half an hour; frankly, that's a pretty slow brute force attack.

In one of the forums I was scanning this morning, a question was brought up: assuming the attack were successful (and this hasn't been confirmed yet), what would happen if a key that was hit upon was also the same key in use by a legitimate customer? Really, this would boil down to a customer service issue, and we would work to make sure that our customers are taken care of. Having said this, personally I think it's unlikely that this would happen, as our product activation servers perform a more rigorous analysis of the keys that are sent up for activation than the local key logic does. For this reason, producing keys that will ultimately activate is less likely than just hitting upon one that will pass the local logic. But if anyone does hear of a report of a legit customer being refused a product activation on a genuine key, please let us know.

We're looking more deeply into this issue now and I'll post more info soon.

Comments (2)

  1. rdamiani says:

    I don’t know where you are getting your info from, but the places I’ve seen it reported have follow-ups claiming that they’ve activated Vista using ‘found’ keys. And don’t forget the folks taking pictures of CD-Keys in the store.

    The current versions of the attack seem to be using a modified version of an MS-supplied vbs file, so the lack of speed is hardly surprising. It won’t be long before someone writes a version in something that performs better than vbs. The keyspace being searched has many valid keys, not just one, so even a slow approach will find plenty of valid combinations.

    More to the point – how strong is the key algorithm? Now that there is a way to test keys in bulk, someone is going to start working on a key generator, which would be bad ju-ju for WGA.

    I’d suggest taking a look at some of the difficulties Symantec had with leaking keys and how they dealt with the fallout before you formulate a customer response plan. Symantec’s approach (your key was already activated, so you lose – go buy another copy) managed to piss off a lot of folks and likely lost a few customers (like me) just from the reports. Vista isn’t compelling enough to force folks off of XP, and it’s different (and frickin’ annoying) enough that they might just jump to OSX.
