The same standard that allows wireless devices to remain connected and roam between access points also allows attackers to easily collect critical Wi-Fi keys that can later be hashed to find Wi-Fi network passwords, a researcher found in a wardriving experiment.

Ido Hoorvitch, a security researcher at identity and access management provider CyberArk, found he could recover the network passwords for more than 70% of the networks he scanned merely by using information collected as he pedaled his bike — and sometimes walked or drove — along the streets in Tel Aviv, Israel. 

He used a homemade wireless scanner based on a $50 network card connected to a laptop running Ubuntu Linux, plus the hcxdumptool tool available on GitHub, to collect Wi-Fi Protected Access (WPA) packets from nearby networks.

Many wireless networks in Israel use a cellphone number as a password. Using a custom password-cracking rig built from eight graphics processing units (GPUs), Hoorvitch could test every possible cellphone-number password for a given network in about 15 seconds.

“All of us know that passwords are problematic — they are too hard to remember. And if they are easy to remember, then they are too easy to crack,” Hoorvitch says. “What is special about this research is that it changed the state from a hypothesis to an empirical experiment. We now know that the Wi-Fi password for most of the networks is really not secure enough.”

Wireless networks continue to be a weak point for many consumers and enterprises. In May, a doctoral researcher at New York University Abu Dhabi warned that every Wi-Fi device is vulnerable to at least one of three design flaws, after spending nine months helping major wireless-device manufacturers close the vulnerabilities. In 2017, the same researcher warned that a series of issues could allow attackers to conduct key reinstallation attacks (KRACKs), which could allow them to hijack wireless connections.

In addition, cybersecurity specialists have warned that weak, default, or easily guessable passwords put wireless networks at risk. With more employees working from home, consumer Wi-Fi networks have also become a gateway to corporate data.

“The threat of a compromised Wi-Fi network presents serious risk to individuals, small business owners and enterprises alike,” the CyberArk blog post stated. “And as we’ve shown, when an attacker can crack more than 70% of Wi-Fi networks in a major global city with relative ease, greater attention must be paid to protecting oneself.”

In the latest research, CyberArk researchers showed that an attacker — rather than needing to remain near a targeted wireless network — could record the necessary packets while driving through a neighborhood and then use that information, with a high probability of success, to recover the password of any particular network at a later time.

The Problem With PMK
The key to the attack is poor password selection and attackers’ ability to capture the Pairwise Master Key (PMK) Identifier (PMKID) and other necessary information. The PMK allows a device to remain connected to a network even if the device moves to a different access point on the same network. Rather than requiring the user to reauthenticate, the device keeps the PMK and presents the PMKID derived from it as proof that it has already authenticated. Most consumer networks do not use this functionality, but the feature is often on by default.

The attack method, discovered by Jens Steube, the lead developer for Hashcat, gives attackers the ability to scan networks and discover passwords at a later time.

The attack uses four pieces of data from the network: the wireless network SSID, the hardware — or media access control (MAC) — address of the access point, the MAC address of the client computer, and the PMKID that the computer and access point use to remain authenticated. By combining the network’s SSID with candidate passwords, the attacker can create a list of PMKs. Those PMKs are then fed, together with the two MAC addresses, into a second hashing step that produces candidate PMKIDs. The attacker simply keeps changing the candidate password, deriving a new PMK and then a new PMKID each time, until one matches the captured PMKID.
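The two-stage derivation described above, as an added example that is not from the article or from CyberArk’s tooling: the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID, and the PMKID is the first 16 bytes of HMAC-SHA1 over the PMK and the two MAC addresses, which is why those four values are all that is needed. The SSID, MAC addresses and passphrase below are constructed placeholders; a network owner can use the same functions to confirm which passphrase their own access point was configured with when reviewing a capture.

```python
import hashlib
import hmac

# IEEE 802.11 RSN (WPA/WPA2-Personal) derivation:
#   PMK   = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
#   PMKID = first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: the slow, salted hash of the passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID that client and access point use to resume an earlier authentication."""
    macs = bytes.fromhex(ap_mac.replace(":", "")) + bytes.fromhex(client_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + macs, hashlib.sha1).digest()[:16]


def pmkid_matches(pmkid_hex: str, ssid: str, ap_mac: str, client_mac: str, passphrase: str) -> bool:
    """True if the candidate passphrase reproduces the observed PMKID."""
    pmkid = derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, client_mac)
    return hmac.compare_digest(pmkid, bytes.fromhex(pmkid_hex))


# Constructed placeholder values (not from the article): a home network whose
# passphrase is a cellphone number, the weak pattern the research found.
SSID = "ExampleHomeNet"
AP_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "66:77:88:99:aa:bb"
WEAK_PASSPHRASE = "0512345678"

# What a capture from that network would yield alongside the SSID and MACs.
OBSERVED_PMKID = derive_pmkid(derive_pmk(WEAK_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC).hex()

if __name__ == "__main__":
    print("observed PMKID:", OBSERVED_PMKID)
    print("configured passphrase matches:",
          pmkid_matches(OBSERVED_PMKID, SSID, AP_MAC, CLIENT_MAC, WEAK_PASSPHRASE))
    print("a different passphrase matches:",
          pmkid_matches(OBSERVED_PMKID, SSID, AP_MAC, CLIENT_MAC, "0587654321"))
```

The PBKDF2 step is the only expensive part; the PMKID step is a single HMAC, so the cost per candidate is dominated by the 4,096 iterations, which is what the GPU rig parallelizes.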

The number of potential alphanumeric-plus-symbol combinations creates a massive search space, but Hoorvitch and CyberArk used the fact that many Israeli consumers use their cellphone numbers as their passwords to narrow the search. For each network, the researcher had to try at most every eight-digit cell number, or 100 million candidates. While that seems a massive endeavor, the worst-case scenario — having to try every possible number — takes 15 seconds on CyberArk’s custom eight-GPU cracking rig, or about nine minutes on a good laptop, Hoorvitch says.

Of the 5,000 networks on which the researcher collected information, 44% had a cellphone number as a password, while another 18% used a password found in the widely used RockYou.txt password list. The rest were other simple combinations of numbers and letters.

In total, the researchers found passwords for 3,633 of the 5,000 targeted networks, and likely some of the rest could have been found as well.

“We know we can crack harder passwords, but that is not the idea of this research,” he says. “What bothered me is not [whether] someone did not have a complex password, but whether, with three to four days on a normal laptop, what can we crack?”

Choosing a non-guessable, complex password for a wireless network should protect against the attack. While 18% of passwords were found using the popular RockYou.txt password list, almost half of the total used only numbers, most of them the users’ cellphone numbers — a scheme that provides little security.

While multifactor authentication (MFA) is often the solution to password security issues and would also strengthen a wireless network’s security, it is notoriously hard to implement on consumer Wi-Fi networks.