A new attack takes advantage of weak WiFi passwords
A new attack technique has been demonstrated that is capable of widespread WiFi cracking.
CyberArk security researcher Ido Hoorvitch said that properties in urban areas often have unsafe and weak WiFi passwords in use that could be “easily cracked or even guessed by curious neighbors or malicious actors”.
Hoorvitch, who lives in Tel Aviv, Israel, decided to put his theories to the test.
In total, 5,000 WiFi hashes around his neighborhood were gathered as a sample group by wandering the streets with network sniffing equipment.
The researcher then set to work developing an attack capable of striking each of these networks rapidly and efficiently.
The gear used included a ‘monster’ cracking rig, made up of eight QUADRO RTX 8000 (48GB) GPUs in CyberArk Labs, although Hoorvitch noted that this type of attack does not need such heavy-duty equipment to pull off. Instead, all you need is a laptop and basic sniffing equipment.
A vulnerability, discovered by Hashcat’s lead developer, Jens ‘atom’ Steube, is at the heart of the attack. This bug can be exploited to retrieve PMKID hashes and crack network passwords.
Wholesale password cracking
PMKID hashes, obtained with a wireless sniffer running in monitor mode, can then be cracked offline: a PMK is generated from the network’s SSID and each candidate passphrase in turn, and a PMKID is derived from it.
When a candidate passphrase produces a PMKID equal to the one retrieved from the access point, that passphrase is the network’s WiFi password.
After using the hcxdumptool utility to sniff out PMKID hashes, Hoorvitch then used a conversion tool and Hashcat, a password recovery utility, to crack them.
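To make the derivation above concrete, the following is an added Python example (not code from the article or from CyberArk’s research) that computes the PMK and PMKID exactly as described and checks a candidate passphrase against a captured value. The SSID, MAC addresses, passphrase and “captured” PMKID are all constructed for illustration; the security-relevant point is that everything in the calculation except the passphrase is broadcast in the clear.

```python
import hashlib
import hmac

# Constructed sample values (not from any real network).
SSID = "HomeNet-Example"
AP_MAC = "02:00:00:00:00:01"   # access point (locally administered, constructed)
STA_MAC = "02:00:00:00:00:02"  # client station (constructed)
PASSPHRASE = "0501234567"      # constructed: the phone-number style the article describes


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is the only salt, so the work for one network cannot be reused
    on another SSID, but the passphrase is the only secret input.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || station MAC).

    Both MAC addresses travel unencrypted in the frames a monitor-mode sniffer
    sees, which is why a captured PMKID can be checked offline.
    """
    data = (b"PMK Name"
            + bytes.fromhex(ap_mac.replace(":", ""))
            + bytes.fromhex(sta_mac.replace(":", "")))
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]  # truncated to 128 bits


def pmkid_matches(captured_pmkid_hex: str, passphrase: str,
                  ssid: str, ap_mac: str, sta_mac: str) -> bool:
    """True when the candidate passphrase reproduces the captured PMKID."""
    candidate = derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(candidate, bytes.fromhex(captured_pmkid_hex))


# Constructed stand-in for the value a sniffer would read from the RSN IE.
CAPTURED_PMKID_HEX = derive_pmkid(derive_pmk(PASSPHRASE, SSID), AP_MAC, STA_MAC).hex()

if __name__ == "__main__":
    print("PMKID:", CAPTURED_PMKID_HEX)
    print("correct passphrase matches:", pmkid_matches(CAPTURED_PMKID_HEX, PASSPHRASE, SSID, AP_MAC, STA_MAC))
    print("wrong passphrase matches:  ", pmkid_matches(CAPTURED_PMKID_HEX, "wrong-passphrase", SSID, AP_MAC, STA_MAC))
```

Because each check costs 4096 HMAC-SHA1 iterations, the resistance of a network comes entirely from how many passphrases an attacker would have to try; a 10-digit number space is small by GPU standards, which is the reason the article’s recommendations stress length and character variety.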
According to Hoorvitch, many residents of Tel Aviv use cellphone numbers as their WiFi password, and so it was not long before numerous hashes were cracked, their passwords obtained, and doors opened into their networks.
In these cases, it took approximately nine minutes for each crack on the researcher’s laptop.
In total, the team was able to crack over 3,500 WiFi networks around Tel Aviv, approximately 70% of the 5,000 network sample.
Protecting home networks
If routers do not support roaming modes, then they are not susceptible to this form of attack. However, Hoorvitch noted that many routers, “manufactured by many of the world’s largest vendors, are vulnerable”.
To protect yourself and your internet connection, use a complex password – preferably with both lower- and upper-case letters, at least one symbol and one digit, and a length of at least 10 characters – and always change default username/password combinations.
The researcher also noted that keeping router firmware up to date will protect your hardware from attacks that exploit known vulnerabilities. Weak encryption protocols, including WAP/WAP1, should also be disabled.
“With the continued shift to remote work due to the pandemic, securing home networks has become imperative and poses a risk to the enterprise if not done so,” Hoorvitch commented.
“Home networks rarely have the same controls as enterprise networks. And a security program is only as strong as its weakest link.”
Hoorvitch detailed his findings in a technical blog post on October 26.