Imagine walking around your hometown and discovering that you could break into more than two-thirds of the Wi-Fi networks you come across.
That’s what happened to Israeli security researcher Ido Hoorvitch, who “sniffed” Wi-Fi networks in the city of Tel Aviv without logging into them, but nevertheless found that he could “crack” the access passwords for most of them.
“I gathered 5,000 Wi-Fi network hashes as my study group by strolling the streets in Tel Aviv with Wi-Fi sniffing equipment,” wrote Hoorvitch in a blog post yesterday (Oct. 26).
No fancy equipment needed
That data-gathering equipment was nothing more than a laptop running the free Ubuntu operating system and the free Wireshark network packet analyzer, plus a strong $50 network card with external antennae strapped to Hoorvitch’s backpack to detect as many Wi-Fi networks as possible.
Hoorvitch used another free program called Hashcat to crack the passwords.
“At the end of the research,” he added, “I was able to break more than 70% of the sniffed Wi-Fi networks passwords with relative ease.”
Because of his day job at security-solution provider CyberArk (disclosure: Tom’s Guide is a client), Hoorvitch was able to use the company lab’s new password-cracking rig containing eight Nvidia Quadro RTX 8000 graphics cards that likely cost about $40,000 in total.
But he stressed that all the password cracking he did could also be done on a regular PC, in perhaps less than 10 minutes per password if you were targeting a single network.
“You do not need a cracking rig” to do this, Hoorvitch wrote.
The point here is that most people, and some businesses as well, use terrible Wi-Fi access passwords. Hoorvitch notes that many Israelis (and 44% of his sample) use their cellphone numbers as the passwords for their home Wi-Fi routers. Why that is, we don’t know, but it did give Hoorvitch a good head start.
Even among those Wi-Fi networks that didn’t use cell numbers, nearly half (48%) used terrible, easy-to-guess passwords that routinely appear on lists of the most common passwords. Only 30% of the 5,000 had access passwords that were too strong to easily crack.
“I hypothesized that most people living in Israel (and globally) have unsafe Wi-Fi passwords that can be easily cracked or even guessed by curious neighbors or malicious actors,” Hoorvitch wrote.
How and why to have a strong Wi-Fi access password — and a strong admin one too
So what, you wonder? What’s the harm if some neighbor’s kid gets access to my Wi-Fi network?
A lot could happen. The neighbor’s kid could use your network to download pirated movies and software, possibly exposing you to legal consequences or even higher bills if your monthly data usage is capped.
That kid, or anyone else within radio range of your home Wi-Fi router, could also use the network access to attack devices in your home, such as smart TVs, printers or older computers. Being inside a network gives an attacker great advantages that aren’t available from outside.
“The bottom line is that in a couple of hours and with approximately $50, your neighbor or a malicious actor can compromise your privacy and much more if you don’t have a strong password,” Hoorvitch wrote.
To make sure interlopers aren’t sneaking into your home Wi-Fi network, create long, strong, unique access passwords. If you’re having trouble creating and remembering such passwords, then use one of the best password managers; some of them are free.
Routinely check your home Wi-Fi network’s logs to see which devices have accessed your network recently. Follow up with anything you don’t recognize, and if it turns out to not be one of yours, use your network’s administrative interface to block such devices.
If you can, create a “guest” network segment or second network for visitors to use. The guest network should have a different access password from the main one. It might be best to put less secure devices — smart TVs, other smart appliances — on the guest network to minimize the potential harm if one of them were to be hacked.
Disable remote administrative access to the network from the internet, and turn off Universal Plug and Play, a protocol that makes it too easy for new devices to find each other on the network.
And most important of all, make sure your Wi-Fi network’s administrative password is not the same as your access password and is even stronger. (Again, one of the best password managers will come in handy.)
How this was done
We’ll skip over most of the technical details of how Hoorvitch did this, partly because we don’t completely understand them ourselves. (You can read all about how to do it in Hoorvitch’s blog post.)
But he used a fairly new way to crack Wi-Fi passwords. It takes advantage of the fact that many of the Wi-Fi access points and routers using the WPA2-PSK, aka WPA2 Personal, security protocol broadcast a numerical ID to all passing devices, whether they’re logged in or not.
The routers and access points do this so that devices can quickly rejoin their networks without having to recalculate encryption values. (Some enterprise networks use a different access standard that isn’t vulnerable to this attack.)
That ID, called the PMKID, is formed by running the Wi-Fi network access password, the Wi-Fi network name, the router/access point and client device MAC addresses (fixed network device IDs) and a couple of other factors through a “hashing” algorithm that creates a long, supposedly irreversible string of digits.
The problem is that, except for the Wi-Fi access password, all the factors used to create the PMKID are known quantities. The router broadcasts its own MAC address and its network name. The client device knows its own MAC address. The other factors are part of the formula.
So if the only unknown factor is the access password, then it can be isolated and subjected to “cracking” attacks.
Those attacks don’t have to be done on the spot: Because the PMKIDs can be logged along with MAC addresses and network names, the attacks can take place offline, after the attacker has returned home.
Hashcat, the free password-cracking tool, can be used to generate PMKIDs from lists of potential Wi-Fi passwords. From there it’s just a question of seeing which generated PMKIDs match real PMKIDs in the sample.
Taking apart the passwords
Because many Israelis just use their cellphone numbers as passcodes, Hoorvitch had a head start. He said Israeli cell numbers are all 10 digits that invariably begin with “05,” leaving only eight digits — 100 million possible numerical combinations — to be calculated. One hundred million is a big number to a human, but it’s nothing to a powerful late-model PC.
Using the cellphone-number method, Hoorvitch was able to figure out 2,200 — 44% — of the Wi-Fi access passcodes in his sample set. That’s kind of insane.
Hoorvitch attacked the remaining 2,800 uncracked passcodes with the passwords in the RockYou list. That’s a freely available text file containing more than 14 million unique passwords that in 2009 were stolen (from a company that developed Facebook and MySpace widgets) and then dumped online by hackers.
Twelve years later, the most often used passwords in the RockYou list — “123456,” “12345,” “123456789,” “password,” “iloveyou” and so on — are still among the most often used passwords in English-speaking countries.
Using the RockYou list, Hoorvitch was able to crack an additional 1,359 Wi-Fi access passwords, 26% of the total sample size. That left only 30% of the passwords uncracked.
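To check your own Wi-Fi passphrase against the two weak classes described above, here is a short Python audit, added as an example and not taken from Hoorvitch's research. The function names, the sample wordlist (the five passwords quoted above plus two constructed variants) and the test passphrases are assumptions made for illustration.

```python
import math
import re
import string

# Constructed sample: the five entries the article quotes from the RockYou
# list, plus two 8+ character variants added here for illustration.
COMMON_SAMPLE = {"123456", "12345", "123456789", "password", "iloveyou",
                 "12345678", "password1"}
ROCKYOU_SIZE = 14_000_000               # "more than 14 million" per the article
CELL_PATTERN = re.compile(r"05\d{8}")   # 10 digits beginning with "05"

def charset_size(pw):
    """Size of the smallest standard character pool that covers pw."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in pools if any(c in chars for c in pw))

def audit_passphrase(pw, wordlist=COMMON_SAMPLE):
    """Return (verdict, guesses): guesses is how many candidates an offline
    search of that class must cover to be sure of reaching pw."""
    # WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= len(pw) <= 63 or any(not 32 <= ord(c) <= 126 for c in pw):
        return ("invalid", 0)
    if CELL_PATTERN.fullmatch(pw):
        return ("cellphone-number", 10 ** 8)
    if pw.lower() in wordlist:
        return ("common-password", ROCKYOU_SIZE)   # approximate list size
    if pw.isdigit():
        return ("digits-only", 10 ** len(pw))
    # Upper bound only: assumes every character was chosen at random.
    return ("not-in-weak-class", charset_size(pw) ** len(pw))

def bits(guesses):
    """Search space expressed in bits (log2), rounded to one decimal."""
    return round(math.log2(guesses), 1) if guesses else 0.0

if __name__ == "__main__":
    # Constructed test passphrases, not real credentials.
    for pw in ["0541234567", "123456", "iloveyou", "20212021",
               "k7#Vq9!tRz2m_Lw4"]:
        verdict, guesses = audit_passphrase(pw)
        print(f"{pw!r:22} {verdict:18} ~{bits(guesses)} bits")
```

Note that “123456” and “12345” are rejected as invalid: WPA2 will not accept a passphrase shorter than eight characters, so only the longer entries on such lists matter for Wi-Fi.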
How vulnerable is your router?
The ironic thing is that home Wi-Fi routers don’t need to broadcast PMKIDs. These types of IDs are mainly used in workplaces and other large environments in which devices — laptops, smartphones — roam about and seamlessly connect to and disconnect from multiple Wi-Fi access points that are part of the same Wi-Fi network.
Nonetheless, PMKID distribution is turned on by default in many home Wi-Fi routers, although we weren’t able to find any indication that it was activated on our own aging Netgear router. (One way to check is to see if “802.11r”, the specification that defines PMKID, is enabled or mentioned in your home router administrative interface.)
PMKID would be on for many of the workplace Wi-Fi networks that Hoorvitch sniffed.
“Not all routers support roaming features and are, therefore, not vulnerable to the PMKID attack,” he wrote. “However, our research found that routers manufactured by many of the world’s largest vendors are vulnerable.”
Unfortunately for us, he didn’t provide a list of those router vendors.