An open letter to everyone using WiFi

Preface

I guess you use WiFi. If not, then you’re probably not able to even see this. Anyway. My friend (who goes by Czechball) and I decided to start a little project for ourselves: collecting WiFi handshakes and trying to crack passwords. Well.. we succeeded. Actually, we exceeded our expectations by a few miles. Naturally, we went deeper into the rabbit hole called IEEE 802.11 and learnt a thing or two about how it works, what some common flaws are, and why we were able to hash so many passwords (around 2500 in just 3 weeks of operation, not daily). So in this “open letter to everyone using wifi”, I’ll try to explain these things as simply as possible, but mainly focus on the topic of preventing two teens from getting into your network. Of course, we have to talk a bit about the project itself, but if you are not interested, you can skip directly to the letter using the quick menu on the side.

Quick notes / Disclaimer

This blog post is NOT a tutorial on how to exploit any networks. There WON’T be any mention of specific tools or software, nor a guide on how to do stuff. Neither will I share any sensitive information about any of our work. We do this project as a proof of concept, and to spread awareness of internet security, and absolutely NOT to do anything malicious. If you do things wrong, you might get into serious legal trouble, involving courts, really big fines or even jail time. So as always, if you don’t know what you are doing, DO NOT ATTEMPT TO DO THIS BY YOURSELF. You can get into trouble.

The Project

We started this project around two months ago, when I showed my friend Pwnagotchi. It is a little device based on the Raspberry Pi Zero W, which is essentially a Tamagotchi, but instead of feeding it candy and playing tennis, you collect WiFi handshakes. It has some AI features to improve its efficiency and also has a personality, which changes depending on your environment (many new networks - happy; no networks - sad or upset; friends around - excited; etc). It is a fun little toy, and for $10 for the Pi, it is really cool for anyone interested in these things. After a while, we discovered that you can extract the PSK using multiple exploits in this standard. There are essentially 2 ways of doing this:

EAPOL

EAPOL (Extended Authentication Protocol Over LAN) is a method of authenticating users in the 802.1X standards. There is a process called the 4-Way Handshake, in which the Access Point (AP) and the client device (supplicant) exchange information about authorization to the network. I’m not going to explain how this process works; if you want to know more, read this blog post by WiFi professionals, which explains the 4-Way Handshake in great depth and sense. TL;DR, there is an exchange of sensitive information, containing the PSK (Pre-Shared Key), from which the password to the wifi can be derived. This method, however, requires at least one supplicant that already has the password to be connected to the network (someone’s cell, laptop, console…). If that is the case, then you can deauthenticate (kick) that supplicant from the network and sniff all packets coming around that AP. Remember, wifi is omnidirectional, which means that all the traffic can be sensed and read from any point (as long as you have signal, obviously). When you capture that EAPOL frame, you can then work back the equation and, with great help from dictionaries, find the password.

PMKID

The PMKID attack was discovered pretty recently (2018), and by accident, but it is by far the most useful attack. This attack does not require the whole 4-Way Handshake to be captured. Instead, it exploits the RSN IE (Robust Security Network Information Element (not so robust imo)), which is contained in just a single EAPOL packet. PMKID (Pairwise Master Key Identifier) is a hash computed from the MAC address, the PMK and some additional information. The PMK is used to verify users connecting to the network, and is contained in the aforementioned EAPOL frames. So you can extract them without the need for any clients, as this message is broadcast. You can then use basically the same technique to get the password.

How we progressed

After a while, the Pwnagotchis got pretty ineffective. The RPi Zero W has an internal antenna, but it’s pretty weak, and the combination of its AI, learning rate, and exceptionally slow processor made it.. more like a toy. So we equipped ourselves with some beefy antennas (some 3-6 dB omnis, a 16 dB directional) and great adapters (Alfa Networks), and went hunting. Well.. wardriving. Yes, it really is called wardriving. Essentially, you just drive around with many antennas connected to a laptop, and you collect handshakes. Quickly, it became hard to manage all those networks, so I created a full-blown website from scratch, which serves as a database for all networks, with a map where you can see the almost exact position of your network, alongside the HMAC, password, and a lot more info. And we haven’t even started mapping those networks. The amount of information we are able to get legally and without any notice is absurd. But even at this point, we know exactly where you live and what your password is (in many cases even the name of your pet, wife, birthday, favourite beer or whatever else people use as a password). If we were to dig a bit deeper, we could completely cut you off from your own network, sniff traffic (what pages you visit, what protocols you use), see what devices are on your network, and, in case of bad security, see you through IP cameras, deactivate your security system, or steal your holiday photos from your NAS.

The Letter

Dear people.

We live in an age where we are willing to trade privacy, intimacy and security for comfort. To some extent, this is a good tradeoff. But in recent years, with massive data breaches happening every few months, and extremely critical stuff moving to the internet, it has become crucial to be safe. Just like you don’t want anyone in the shop to read your ID number, credit card number or see your insurance number, you don’t want anyone to know your passwords, read your emails or see what you have stored in the cloud.

Some very, very mission (or life) critical things were moved to the Internet, and we, as humanity, rely on them and on the fact that they work. Banks, electric grids, water supplies, medical records.. All those things are stored somewhere on the Internet. And, with more or less effort, access to them can and most likely will be gained. We are literally talking about most of the money in the world, medical records of nearly all of the population, electricity for the whole world, and much, much more.

If you’re telling yourself “Well I have nothing to hide”, then trust me, you have. Have you ever written that email about how bitchy your boss is? Or sent a photo of your house to someone? Or even have an online bank account? Then if I have that information, I can get you fired, stalk/blackmail you (or worse, do damage to your property or threaten your life) and steal your money. I guess nobody wants that.

And those are the most basic things. Now let’s say you own a small company, and you have stored all your accounting or blueprints for whatever you’re manufacturing on your NAS. If your LAN isn’t protected enough, access to this NAS could be gained, resulting in theft of all those documents, and possibly costing you a fortune.

How to be safe

What you want to do is protect yourself. Protect your own privacy, protect the intellectual property of your company, and protect your family. You can start simply by using strong, unique passwords. The best thing you can do is use automatic password generators, such as the one built into Firefox, or password managers like LastPass. If you don’t trust those (and you shouldn’t), you can always memorise your passwords. There are many, many guides on how to create and memorise long, complicated passwords that will probably never be broken. In any case, NEVER use passwords containing your personal info (birth date, date of marriage, pet name, your name, etc..), or just plain simple words. There are a lot of dictionaries, composed from the mentioned data breaches, containing millions of passwords that people, very sadly, use frequently. And of course, do not use the same password more than once. Adding one special character at the end of “password123” will NOT be helpful. Actually, adding a single letter will probably be more secure, as a single special character is still fewer than the 26 possible combinations of the alphabet.
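To make the advice above concrete, here is an added example (my own illustration, not code from the original post or from the project) of a small password checker that applies the same rules the paragraph states: minimum length, no breach-dictionary words even when digits or a symbol are tacked on the end, no personal information, and a rough brute-force entropy estimate. The breach dictionary and the personal-info tokens are constructed sample data, not real breach contents.

```python
import math
import re

# Constructed sample data: a tiny stand-in for the breach-derived dictionaries
# the post mentions, and a few personal-info tokens (pet, birth year, spouse, beer).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "iloveyou"}
PERSONAL_TOKENS = {"rex", "1990", "anna", "budweiser"}

MIN_LENGTH = 12
MIN_BITS = 60  # rough floor for offline guessing resistance; a policy choice, not a standard


def charset_size(pw: str) -> int:
    """Size of the smallest character class set that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on strength: log2(charset ** length). Dictionary words score
    high here, which is exactly why the dictionary check below is needed too."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str, personal=PERSONAL_TOKENS) -> dict:
    """Return the problems found; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Substring match catches "password123!" and "password123a" alike:
    # appending digits, a symbol or a letter does not rescue a dictionary word.
    hits = sorted(w for w in COMMON_PASSWORDS if w in low)
    if hits:
        problems.append(f"built on breach-dictionary word(s): {', '.join(hits)}")
    for tok in sorted(personal):
        if tok in low:
            problems.append(f"contains personal info '{tok}'")
    bits = brute_force_bits(pw)
    if bits < MIN_BITS:
        problems.append(f"only {bits:.0f} bits of brute-force entropy")
    return {"password": pw, "bits": round(bits, 1), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for candidate in ["password123!", "Rex1990!", "correct-horse-battery-staple"]:
        result = assess(candidate)
        status = "OK " if result["ok"] else "BAD"
        print(f"{status} {candidate!r}: {result['bits']} bits; {'; '.join(result['problems']) or 'no problems'}")
```

Note that “password123!” scores over 70 bits by the brute-force estimate alone, which shows why a length-and-charset rule by itself is not enough: the dictionary and personal-info checks are what actually reject the passwords that wardriving dictionaries recover.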

As for protecting your home network, check whether your router is vulnerable to common exploits, such as those in RouterSploit. Change the default password to something else (again, long, secure and with mixed symbols), as many pre-generated passwords can be generated again (reducing the time needed to crack that password to literally instant). This is what we have tested, and it applies mainly to UPC/Vodafone-provided routers (Compal, Technicolor, Huawei). Disable WPS (I have never seen anyone use it), as WPS is extremely simple to crack, giving instant access to the network. If you have to have open ports, open just those you absolutely need, and be sure they are secured (DO NOT use plain FTP, Telnet or HTTP. Use SFTP, SSH or HTTPS instead). Change your router login password, again, to something unique and secure. Depending on your hardware, enable the firewall, ICMP flood detection, DDoS detection and IP flood detection. If you can, hide your SSID, and create a MAC whitelist for all your devices. Also depending on your hardware, if you can, absolutely create a guest WiFi. This WiFi will be completely separated from your LAN at the hardware level, so nobody will be able to “look around”.

At the end…

… it’s about humans. Someone is willing to just connect to their home wifi, automatically, without tinkering with anything, at the expense of the possibility of their data being stolen. The amount of work you have to do to secure your home network is minimal, and can be the difference between your data being stolen and sold, and being safe and sound. If you are willing to spend a few hours of your time to tweak your router settings, or a few extra bucks to buy a hardware firewall, a better router or even build your own, do it. You will need to learn a few things, but in the end, it will be worth it. Especially if you have some data on your network that you don’t want to be accessed.

As I’ve said:

  • Disable WPS, enable the firewall and flood protections, change the password
  • Open only necessary ports, ones that use secure connections
  • Use long, unique passwords that contain a mix of lower and upper case letters, numbers and special symbols
  • Create a guest network, and hide your main one
  • Create a MAC whitelist

If you are more technically oriented, you can build your own pfSense router, which gives you the absolute lowest-level access to everything on your network, from creating multiple VLANs, guest networks, filters and firewall rules to multiple layers of protection, authentication and whatnot. I also recommend building a Pi-hole, which is a DNS-level ad-blocker that not only blocks ads (mainly a benefit), but also a huge amount of malware. It can run on a Raspberry Pi, a $35 computer that is small, completely silent and .. cheap.

Be safe on the internet.