Hacking

Expert managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv

A researcher from the security firm CyberArk has managed to crack 70% of Tel Aviv’s Wifi Networks starting from a sample of 5,000 gathered WiFi.

CyberArk security researcher Ido Hoorvitch demonstrated how it is possible to crack WiFi at scale by exploiting a vulnerability that allows retrieving a PMKID hash.

Hoorvitch has managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv to demonstrate that it is easy to compromise WiFi networks.CyberArk security researcher Ido Hoorvitch first wandered in the city center with WiFi sniffing equipment to gather a sample of 5,000 network hashes to use in the research.

The expert gathered 5,000 WiFi network hashes by strolling the streets in Tel Aviv with simple WiFi sniffing equipment composed of an AWUS036ACH ALFA Network card ($50) that can work in monitoring mode and is able to inject packets.

The expert used the free and open-source packet analyzer.WireShark running on Ubuntu.

The PMKID is calculated by using a hashing function having the PMK, the PMK Name, the MAC_AP and the MAC_STA as input.

The PMK is calculated from the following parameters:

  • Passphrase– The WiFi password — hence, the part that we are really looking for.
  • SSID – The name of the network. It is freely available at the router beacons (Figure 3).
  • 4096 – Static integer for all PMK

Hoorvitch used an attack technique devised by Jens “atom” Steube’s (Hashcat’s lead developer) to retrieve the PMKIDs that allowed him to derive the password.

“All of this changed with the atom’s groundbreaking research, which exposed a new vulnerability targeting RSN IE (Robust Security Network Information Element) to retrieve a PMKID hash (will be explained in a bit) that can be used to crack the target network password. PMKID is a hash that is used for roaming capabilities between APs. The legitimate use of PMKID is, however, of little relevance for the scope of this blog. Frankly, it makes little sense to enable it on routers for personal/private use (WPA2-personal), as usually there is no need for roaming in a personal network.” reads the post published by Hoorvitch.

The attack technique is clientless, this means that an attacker doesn’t need to carry out the attack in real-time, he just needs to capture a single frame and eliminate wrong passwords and malformed frames that are disturbing the cracking process.

The expert first used “mask attack” as a Hashcat cracking method, he used a combination of dictionary + rules and mask attack because many Israeli citizens have the bad habit of using their cellphone numbers as WiFi passwords. 

Israeli phone numbers have 10 digits and starts with 05, so it’s only eight digits, this means that remained only 8 digits to guess. Using a standard laptop, Hoorvitch successfully cracked 2,200 passwords at an average speed of nine minutes per password.

“Each digit has 10 options (0-9), hence 10**8 possible combinations. One hundred million seems like a lot of combinations, but our monster rig calculates at the speed of 6819.8 kH/s which translates into 6,819,000 hashes per second.” continues the post. “A cracking rig is not required as my laptop can get to 194.4 kH/s, which translates into 194,000 hashes per second. That equals more than enough computing power to cycle through the possibilities necessary to crack the passwords. Consequently, it took my laptop roughly 9 minutes to break a single WiFi password with the characteristics of a cellphone number. (10**8)/194,000 = ~516 (seconds)/60 = ~9 minutes.”

In a second phase, the expert used a standard dictionary attack technique leveraging the ‘Rockyou.txt’ dictionary.

He cracked another 1,359 passwords using this technique, most of cracked passwords contain only digits or only lower-case characters.

The expert pointed out that only routers supporting roaming features are vulnerable to the PMKID attack, however, the research demonstrated that routers manufactured by major vendors are vulnerable.

“In total, we cracked more than 3,500 WiFi network in and around Tel Aviv – 70% of our sample.” concludes the expert. “The threat of a compromised WiFi network presents serious risk to individuals, small business owners and enterprises alike. And as we’ve shown, when an attacker can crack more than 70% of WiFi networks in a major global city with relative ease, greater attention must be paid to protecting oneself.”

Below are the recommendations provided by the expert to protect themselves:

  1. Choose a complex password. A strong password should include at least one lower case character, one upper case character, one symbol, one digit. It should be at least 10 characters long. It should be easily remembered and hard to anticipate. Bad example: Summer$021
  2. Change the default username and password of your router.
  3. Update your router firmware version.
  4. Disable weak encryption protocols (as WAP or WAP1).
  5. Disable WPS.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WiFi)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.