
Researcher Explains Wi-Fi Password Cracking at Scale

A security researcher at CyberArk was able to easily break more than 70 percent of Wi-Fi passwords he sniffed using relatively simple, cheap equipment.


Conducted in Tel Aviv, the researcher’s experiment showed just how easily an attacker could break into home and enterprise networks by simply walking around a city with the right equipment in hand.

For his experiment, CyberArk’s Ido Hoorvitch used an AWUS036ACH ALFA Network card, which costs around $50 and provides both monitoring and packet injection capabilities. He connected it to an Ubuntu system and walked around the center of Tel Aviv with the system in a backpack to sniff Wi-Fi networks.

For his research, Hoorvitch was interested in capturing the PMKID hash from the Wi-Fi networks, and he used hcxdumptool, a utility by ZerBea, for that.

Hoorvitch said the attack exploits a vulnerability in the RSN IE (Robust Security Network Information Element) that allows for the retrieval of the PMKID, a hash used for roaming between access points. The PMKID is derived from the PMK (itself generated from the SSID and the Wi-Fi password), the MAC address of the AP, and the client’s MAC address.

After successfully sniffing 5,000 networks, the researcher moved on to cracking the passwords using the hashcat password recovery tool, which supports dictionary, rule-based and mask attacks.

Hoorvitch says he was able to successfully crack roughly 3,600 of the passwords, giving him access to all of the corresponding Wi-Fi networks.


He also discovered that the majority of these passwords were 10-digit numbers, and that most of the Wi-Fi networks were protected with the owners’ phone numbers. Hundreds of passwords contained eight or nine digits, and hundreds more consisted of eight lower case letters.

“Not all routers support roaming features and are, therefore, not vulnerable to the PMKID attack. However, our research found that routers manufactured by many of the world’s largest vendors are vulnerable,” Hoorvitch explained.

He also points out that the roaming feature should not be enabled on routers meant for personal/private use (WPA2-Personal), as there is no need for roaming on these networks. He also notes that the success rate of cracking passwords longer than 10 letters/numbers was lower.

The researcher also underlines the fact that he was able to crack more than 70% of the Wi-Fi networks in his sample, sounding the alarm on the potential implications of a larger-scale malicious attack employing the same technique, and stressing the importance of using strong, long passwords.
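As an added illustration that is not part of the article or of CyberArk’s research, the following code shows how the WPA2 PMKID described above is built from the PMK and the two MAC addresses (which is why it can be attacked offline once captured), and adds a check for the weak passphrase classes the article reports, such as 10-digit phone numbers and eight lowercase letters. The SSID, MAC addresses and passphrase are constructed sample values.

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed sample values, not taken from the research: an SSID, the AP and
# client MAC addresses, and a passphrase of the weak "10-digit number" kind.
SSID = "HomeNet"
AP_MAC = "aa:bb:cc:dd:ee:ff"
STA_MAC = "11:22:33:44:55:66"
PASSPHRASE = "0541234567"

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the
    # SSID, 4096 iterations, 256-bit output. Only SSID and passphrase go in.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    # PMKID (IEEE 802.11 RSN): first 128 bits of
    # HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA). All inputs except the
    # PMK are public, so the PMKID is an offline-checkable fingerprint of it.
    mac_ap = bytes.fromhex(ap_mac.replace(":", ""))
    mac_sta = bytes.fromhex(sta_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def weak_pattern(passphrase: str) -> Optional[str]:
    # Flags the passphrase classes the article reports as easily cracked.
    if passphrase.isdigit():
        return "digits only (phone-number style)"
    if len(passphrase) == 8 and passphrase.isalpha() and passphrase.islower():
        return "eight lowercase letters"
    if len(passphrase) <= 10:
        return "10 characters or fewer"
    return None

def keyspace_bits(passphrase: str) -> float:
    # Rough size, in bits, of the mask an attacker would have to search given
    # the character classes actually present (digits, lower, upper, symbols).
    classes = 0
    if any(c.isdigit() for c in passphrase): classes += 10
    if any(c.islower() for c in passphrase): classes += 26
    if any(c.isupper() for c in passphrase): classes += 26
    if any(not c.isalnum() for c in passphrase): classes += 33
    return len(passphrase) * math.log2(classes) if classes else 0.0

if __name__ == "__main__":
    h = pmkid(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC)
    print("PMKID:", h.hex())
    print("weak pattern:", weak_pattern(PASSPHRASE))
    print("keyspace bits: %.1f" % keyspace_bits(PASSPHRASE))
```

A 10-digit numeric passphrase gives a mask of only about 33 bits, which is why a commodity GPU running hashcat gets through it quickly even at 4096 PBKDF2 iterations.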

“The threat of a compromised WiFi network presents serious risk to individuals, small business owners and enterprises alike. And as we’ve shown, when an attacker can crack more than 70% of WiFi networks in a major global city with relative ease, greater attention must be paid to protecting oneself,” he notes.


Ionut Arghire is an international correspondent for SecurityWeek.
