Researcher cracks 70% of neighborhood Wi-Fi passwords

Nearly three-quarters of home and small office Wi-Fi networks could be infiltrated by an attacker armed with a simple, inexpensive set of hacking gear.

Research from the team at CyberArk found that in a city the size of Tel Aviv, Israel, roughly 70% of network router passwords could be cracked with Wi-Fi sniffing and open source hacking tools.

According to CyberArk researcher Ido Hoorvitch, the attack required little more than a laptop and a $50 Wi-Fi signal extender. The signal booster is then used to run scripts that exploit previously-known vulnerabilities in the Robust Security Network Information Element that allow for the extraction of hashed PMKID (Pairwise Master Key Identifier) network keys without the need to intercept traffic.

Other tools used in the procedure include packet capture tools and specialized hardware drivers that enable monitor mode with the signal extender. Hoorvitch said the entire setup can fit into a backpack.

Armed with the Wi-Fi sniffing setup, Hoorvitch took to the streets and over the course of the day, he walked through Tel Aviv picking up thousands of hashed network passwords. After collecting around 5,000 Wi-Fi passwords, he decided he had enough of a sample size.

"The Tel Aviv metropolitan area has more than 3.9 million people -- you can imagine what the numbers would have been had we not cut our research off at 5,000 Wi-Fi networks," Hoorvitch explained.

"And while this research was conducted in Tel Aviv, the routers that were susceptible to this attack -- from many of the world's largest vendors -- are used by households and businesses worldwide."

From there, the process of decoding the hashed Wi-Fi passwords began. Hoorvitch noted that this was made easier by the tendency of networks in Israel to use the owner's mobile phone number as the password. After the first pass with the Hashcat tool, Hoorvitch was able to crack 2,200 of the passcodes.

Subsequent passes yielded even more passcodes, and by the time the research was finished, the he had lifted valid passcodes for a total of 3,559 of the 5,000 sniffed hashes.

Hoorvitch noted that the attack technique does have one very significant weakness; it only works when the targeted routers have Wi-Fi roaming enabled.

"Not all routers support roaming features and are, therefore, not vulnerable to the PMKID attack," he explained. "However, our research found that routers manufactured by many of the world's largest vendors are vulnerable."

In terms of what router owners can do to protect their networks, Hoorvitch recommends best practices, such as creating a long, complex password and changing the default login settings. Other security measures including updating router firmware, turning off Wi-Fi Protected Setup, and disabling the weaker Wi-Fi Application Protocol (WAP) and WAP1 specifications.

In the end, Hoorvitch said, users and admins need to understand that cracking their Wi-Fi networks is far easier than anyone had previously imagined.

"As I estimated beforehand, the process of sniffing Wi-Fi and the subsequent cracking procedures was a very accessible undertaking in terms of equipment, costs and execution," Hoorvitch wrote.

"The bottom line is that in a couple of hours and with approximately $50, your neighbor or a malicious actor can compromise your privacy and much more if you don't have a strong password."