This article is not meant to be a hacking guide. Its only purpose is to demonstrate how easy (or difficult) it is to hack into the WiFi networks in your neighborhood. Criminals, law-enforcement officers, secret agents and alike can crack about half of these networks in about two hours, while sitting in a van near your house. You'd better know this.
I have written three technical posts that together explain in detail how to hack a WiFi network. To be able to follow the example attack in these posts you will have to be able to handle Linux computers. Summarizing what is in the three posts:
- What chipset is in your wireless adapter? This post helps in finding out what wireless adapters can be used in attacking a wireless router.
- Monitoring WiFi traffic of your neighbors. This post helps in setting up a Linux computer to monitor (which is legal) all WiFi traffic in range of your wireless adapter.
- Brute-force attack on a WiFi network. This post shows in detail how a WiFi network can be successfully attacked.
The content of the above three posts is not new (See also another report on attacking a WiFi network). But given the fact that a number of people complain on the Internet that they could not perform the attack, this detailed account might help.
The present post is more or less like a "manager's summary" of these previous three posts and here I will discuss in addition how to protect oneself against these attacks.
Adapters and routers
Network adapters are hardware devices on your computer, either built-in or on a USB-stick. An Acces Point (AP) is a wireless router somewhere in your house, likely hard-wired connected to a cable of your ISP. But nowadays wireless ISP connections (hot spots) are becoming popular. APs are also to be found in almost any professional environment, public or private.
We will forget about repeaters as they are a trivial extension. As adapters and APs should be able to talk to each other (authentication, error reporting and acknowledgments) they both can transmit and receive. An AP should be able to handle numerous adapters so the power and sensitivity of an AP likely will be better than that of an adapter.
What routers can be hacked?
Routers supporting the WPS protocol can be attacked. Information on WPS will be supplied later on in this post. If your router does not support WPS you are in the clear. Checking my local electronics store (MediaMarkt) I discovered that at least half of the wireless routers they sell support WPS.
What is needed to hack into a WPS-enabled wireless network?
One needs a Linux computer and some software. In addition one needs a high-power USB wireless adapter. These can be bought on the Internet, for instance from Amazon. Professionals will be able to get hold of even better equipment and software. With this equipment an attacker could sit near your house in a van with antenna's on the roof or integrated in a window. Or the attacker could sit in the garden or on the balcony of your neighbor.
How big is the chance that your wireless network will be attacked?
Attacks by crackers that can be performed over the internet are the most dangerous. The criminal can be in any country, like China or Ukraine, and perform the attack. Attacks on WiFi's are by definition not in that category as the attacker has to be within range of the wireless network. The requirement to be physically close seriously limits the number of people that can attack your wireless network. In addition exposure of an attack is certainly possible, something criminals do not like.
Randomly attacking Access Points does not make much sense and although I do not trust Google very much I do not think they will collaborate when police asks them to use the StreetView camera cars to break into wireless networks. For only commercial purposes the cracking of a wireless network is far too much trouble. The only ordinary, not very rich, people who could be targeted are those who have an angry neighbor. It becomes a whole different situation if a person deals with sensitive information. Organizations could be targeted by an angry laid-off employee. More likely targets are organizations such as banks, hospitals and companies in need of protecting their intellectual property IP.
How bad is it when your wireless network is compromised?
If criminals or other bad guys get hold of the password of you wireless Acces Point/router this would be a disaster. They could carry out any form of man-in-the-middle-attack. For instance they could replace the DNS server of your ISP by their own DNS server, redirecting all your Internet traffic. They could get hold of any username/password combination you type into an internet website. They could interfere with your internet banking. My favorite statement about this is: they could grab your house. In the majority of such successful attacks you would only know about this attack way after the fact or never notice it.
How to recognize a WPS-enabled router?
WPS is essentially a Microsoft-endorsed invention, so all Apple people are in the clear if they have an Apple router (the computer being an Apple computer is irrelevant). How can you tell whether your router is WPS-enabled? Here is some help:
- The manufacturer is proud of the WPS-feature and announces the WPS property on the box or in the manual.
- The router has a knob that can be used to make a connection. The presence of this Push-Button-Method (PCB) means you got a WPS-enabled router.
- When you configure your router by connecting it to your computer with an Ethernet or USB cable, or when it is connected to your AP and you navigate to address like 192.168.0.1. you will get to the control panel of the router. In the control panel there will be a WPS tab if the router is WPS enabled.
- The real check is a Linux computer running wireshark or running reaver.
Turning off WPS
WPS-enabled routers have WPS turned on by default. Sometimes turning off WPS is possible. This could be done by going to the control panel of the router (see item 3 above). Beware that the control panel of the router might tell you that you turned off WPS, but in fact it is still not turned off. In addition you should realize that resetting your router (when your child is playing with the reset button too long) will lead to the default situation with restored WPS.
WPS goal: avoiding long passwords
Manufacturers of wireless routers should have learned their lessons. Their Wired Equivalent Privacy (WEP) can be cracked in 1 minute by somebody listening in to the network traffic. So in 2004 a far more secure protocol for wireless networks, WPA/2 was introduced, WPA/2 together with a long password for the router leads to a secure connection. But the Wi-Fi Alliance, with Microsoft as a member, considered the necessity of long passwords for an Access Point too much of a hassle for a user. So indeed, with Microsoft leading, the user was helped jumping out of the frying pan into the fire: a simplification WiFi-setup procedure was invented to help the user not to have to enter the long password. The simplification consists of two options: entering an 8-digit PIN and the even simpler method of pushing a button on the router. Many modern routers have this WPS push button.
A WPS enabled router should support two modes: (i) PIN exchange between adapter and router and (ii) a push-button. Both are equally stupid from the point of security. In the case of the button-method a user tells his computer he is going to push a button on his new wireless router. If the computer receives this signal within a short period - like two minutes - the computer assumes it is the right AP, and avoids all handshaking and password and connects. In the software mode the adapter and the router exchange a PIN and if this correct the AP accepts the connection.
What is the WPS vulnerability?
The vulnerability is known for almost a year (pdf file) and it is in the wireless Access Point. Wireless routers that have WiFi Protected Setup (WPS) enabled suffer from this vulnerability. Why haven't all router manufacturers like Cisco, Sitecom and Netgear disabled WPS. That is because of what I call the User-Friendliness-Security-Dilemma (UFSD). WPS is introduced because Microsoft and company thought that typing a long password is too difficult for the dummy users. They simplified in a PIN with only 11000 different values. As even an eight-digit number is considered to be too difficult, WPS also implements a push-button-method. The user pushes a button on his router and his computer receives this WPS signal and starts the connection without the user having to type in anything.
An attacker with his wireless adapter within the range of wireless network can just supply the attacked wireless router with the 11000 PINs, one by one. Within a few hours the attacker has the password.
- Owners of routers should find out whether or not their router is WPS-enabled.
- If the router is WPS enabled the best advice is to buy a new router.
- Manufacturers of routers should not implement the WPS protocol.
- Manufacturers of wireless adapters should not implement the WPS-protocol.