A security researcher at CyberArk was able to easily break more than 70 percent of Wi-Fi passwords he sniffed using relatively simple, cheap equipment.
Conducted in Tel Aviv, the researcher's experiment showed just how easily an attacker could break into home and enterprise networks simply by walking around a city with the right equipment in hand.
For his experiment, CyberArk's Ido Hoorvitch used an ALFA Network AWUS036ACH Wi-Fi card, which costs around $50 and provides both monitor mode and packet injection. He connected it to an Ubuntu system, put the system in a backpack, and walked around the center of Tel Aviv sniffing Wi-Fi networks.
For his research, Hoorvitch was interested in capturing the PMKID hash from the Wi-Fi networks, and he used hcxdumptool, a utility by ZerBea, for that.
Hoorvitch said the attack exploits a weakness in the RSN IE (Robust Security Network Information Element) that allows retrieval of the PMKID, a hash used for roaming between access points. The PMKID is derived from a PMK (itself generated from the SSID and the Wi-Fi passphrase), the MAC address of the AP, and the client MAC address.
After sniffing 5000 networks, the researcher moved on to cracking the passwords using the hashcat password recovery tool, which supports dictionary, rule-based, and mask attacks.
Hoorvitch says he was able to crack roughly 3,600 of the passwords, which would have given him access to all of the corresponding Wi-Fi networks.
He also discovered that the majority of these passwords were 10-digit numbers, and that most of the Wi-Fi networks were protected with the owners' phone numbers. Hundreds of passwords contained eight or nine digits, and hundreds more consisted of eight lowercase letters.
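As an added illustration, not code from the article or from CyberArk's research, the following Python computes the PMK and PMKID exactly as the text describes (PBKDF2 of the passphrase salted with the SSID, then an HMAC over the AP and client MAC addresses), and then applies a passphrase check that flags the weak patterns the survey found: all-digit, phone-number-style strings and short lowercase-only words. The SSID, MAC addresses and passphrases are constructed sample values, and the policy thresholds in `weak_passphrase_reason` are this example's own choice; the PBKDF2 parameters and the "PMK Name" label are the ones defined by IEEE 802.11.

```python
import hashlib
import hmac
import re

# Constructed sample values so the example runs offline; not from the article.
SAMPLE_SSID = "example-home-net"
SAMPLE_AP_MAC = "00:11:22:33:44:55"
SAMPLE_CLIENT_MAC = "66:77:88:99:aa:bb"
SAMPLE_WEAK_PASSPHRASE = "0501234567"  # constructed 10-digit, phone-number style


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with
    the SSID, 4096 iterations, 256-bit output (IEEE 802.11 PSK mapping)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID as carried in the RSN IE: the first 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    aa = bytes.fromhex(ap_mac.replace(":", "").replace("-", ""))
    spa = bytes.fromhex(client_mac.replace(":", "").replace("-", ""))
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def pmkid_for(ssid: str, passphrase: str, ap_mac: str, client_mac: str) -> str:
    """Hex PMKID for one (SSID, passphrase, AP, client) combination."""
    return derive_pmkid(derive_pmk(ssid, passphrase), ap_mac, client_mac).hex()


def guess_space(passphrase: str) -> int:
    """Size of the smallest obvious character-class mask covering the
    passphrase: the most an offline guesser would have to enumerate."""
    n = len(passphrase)
    if passphrase.isdigit():
        return 10 ** n
    if re.fullmatch(r"[a-z]+", passphrase):
        return 26 ** n
    if re.fullmatch(r"[A-Za-z0-9]+", passphrase):
        return 62 ** n
    return 95 ** n  # printable ASCII


def weak_passphrase_reason(passphrase: str):
    """Explain why a passphrase matches one of the weak patterns the survey
    found, or return None if it does not. Thresholds are this example's own."""
    n = len(passphrase)
    if n < 8:
        return "shorter than the 8-character WPA2 minimum"
    if passphrase.isdigit():
        return f"all digits ({n}): phone-number style, only 10^{n} candidates"
    if re.fullmatch(r"[a-z]+", passphrase) and n <= 10:
        return f"lowercase letters only ({n}): 26^{n} candidates"
    if guess_space(passphrase) < 62 ** 12:
        return "guess space below 62^12; use a longer mixed passphrase"
    return None


if __name__ == "__main__":
    pmkid = pmkid_for(SAMPLE_SSID, SAMPLE_WEAK_PASSPHRASE,
                      SAMPLE_AP_MAC, SAMPLE_CLIENT_MAC)
    print(f"PMKID for the sample network: {pmkid}")
    for pw in (SAMPLE_WEAK_PASSPHRASE, "abcdefgh", "correct-horse-battery-staple-42"):
        print(f"{pw!r}: {weak_passphrase_reason(pw) or 'no weak pattern detected'}")
```

The point the derivation makes is that the PMKID is a deterministic, quickly computable function of the passphrase and three public values (SSID and the two MAC addresses), so anyone who has captured it can check passphrase guesses offline at hashcat speeds; nothing in the protocol rate-limits that. The only two defences on the defender's side are the ones the article names: disable roaming (and with it PMKID caching) where it is not needed, and choose a passphrase whose guess space is far larger than 10^10.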
“Not all routers support roaming features and are, therefore, not vulnerable to the PMKID attack. However, our research found that routers manufactured by many of the world’s largest vendors are vulnerable,” Hoorvitch explained.
He also points out that the roaming feature should not be enabled on routers meant for personal or private use (WPA2-Personal), since there is no need for roaming on those networks, and notes that the success rate for cracking passwords longer than 10 letters or digits was lower.
The researcher also underlines the fact that he was able to crack more than 70% of the Wi-Fi networks in his sample, sounding the alarm about the potential implications of a larger-scale malicious attack using the same technique and about the importance of using strong, long passwords.
“The threat of a compromised WiFi network presents serious risk to individuals, small business owners and enterprises alike. And as we’ve shown, when an attacker can crack more than 70% of WiFi networks in a major global city with relative ease, greater attention must be paid to protecting oneself,” he notes.