WatchGuard Blog

How to access 70% of Wi-Fi networks in a residential neighborhood

Israeli cybersecurity researcher and analyst Ido Hoorvitch has published the results of an experiment he conducted on residential Wi-Fi networks, and the findings were surprising: he was able to crack about 70% of the hashes from residential Wi-Fi networks in one Tel Aviv neighborhood.

Hoorvitch gathered a sample of 5,000 Wi-Fi network hashes by strolling around the streets of Tel Aviv with sniffing equipment built from components that are readily available on the market: a $50 Wi-Fi adapter, a cheap Ubuntu device and the hcxdumptool utility, which is freely available on GitHub and is used to capture packets from WLAN devices.

After gathering the hashes with this equipment, he installed Hashcat, a powerful password recovery tool that is also freely available on the web and supports cracking methods such as "dictionary attacks" (trying every entry of a list that usually contains previously leaked or commonly used passwords) and "mask attacks" (a brute-force attack constrained by a pattern, so that the tool can skip character combinations that cannot occur).

Hoorvitch started with the mask method, explaining that many people in Israel use their own cell phone numbers as Wi-Fi passwords. That made the passwords easier to crack, because all Israeli mobile numbers also share a common two-digit prefix (05). With the combinations the brute-force attack had to try narrowed down this way, his computer was able to test 194,000 hashes per second, and in the first run he cracked 2,200 passwords. He then mounted a dictionary attack using the rockyou.txt wordlist and succeeded in cracking a further 900 passwords.
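To make the two attack classes above concrete from the defender's side, here is an added example (not part of the original post and not Hoorvitch's tooling) that audits a candidate Wi-Fi pre-shared key against exactly the two weaknesses the post describes: a mobile number used verbatim as the passphrase, and a passphrase that appears in a leaked-password wordlist. It also computes how long each keyspace takes to exhaust at the 194,000 guesses per second quoted above. The sample PSKs and the five-entry wordlist are constructed stand-ins (a real audit would load rockyou.txt or an internal breach list); the mask keyspace calculation follows hashcat's `?d`/`?l`/`?u`/`?s` class notation.

```python
"""Audit a WPA2 pre-shared key against the weaknesses described in the post:
a mobile phone number used verbatim (cheap to enumerate with a hashcat mask)
and a passphrase found in a leaked-password wordlist (dictionary attack).
Added example; sample PSKs and the wordlist are constructed, and the guess
rate is the 194,000/s figure quoted in the post."""
import re

GUESSES_PER_SECOND = 194_000          # rate quoted in the post for Hoorvitch's machine
MOBILE_RE = re.compile(r"^05\d{8}$")  # Israeli mobile numbers: prefix 05 + eight digits
MOBILE_MASK = "05?d?d?d?d?d?d?d?d"    # the same pattern written as a hashcat mask

# Constructed stand-in for rockyou.txt; a real audit would load the real file.
LEAKED_WORDLIST = frozenset({"password", "12345678", "iloveyou", "qwerty123", "sunshine1"})

# Character-class sizes used for both mask keyspaces and brute-force estimates.
CLASS_SIZES = {"d": 10, "l": 26, "u": 26, "s": 33}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat-style mask enumerates.

    ?d/?l/?u/?s expand to a character class; any other character is a literal
    with exactly one choice, so '05?d?d?d?d?d?d?d?d' -> 10**8.
    """
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CLASS_SIZES:
            total *= CLASS_SIZES[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def seconds_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a keyspace at the given rate."""
    return keyspace / rate


def brute_force_keyspace(psk: str) -> int:
    """Keyspace an attacker faces who knows only the character classes used."""
    alphabet = 0
    if any(c.isdigit() for c in psk):
        alphabet += CLASS_SIZES["d"]
    if any(c.islower() for c in psk):
        alphabet += CLASS_SIZES["l"]
    if any(c.isupper() for c in psk):
        alphabet += CLASS_SIZES["u"]
    if any(not c.isalnum() for c in psk):
        alphabet += CLASS_SIZES["s"]
    return alphabet ** len(psk)


def audit_psk(psk: str) -> dict:
    """Return the weaknesses found and the worst-case crack time in seconds."""
    findings = []
    keyspaces = []
    if len(psk) < 8:
        findings.append("shorter than the 8-character WPA2 minimum")
    if MOBILE_RE.match(psk):
        findings.append(f"is a mobile number (mask {MOBILE_MASK})")
        keyspaces.append(mask_keyspace(MOBILE_MASK))
    if psk.lower() in LEAKED_WORDLIST:
        findings.append("appears in the leaked-password wordlist")
        keyspaces.append(len(LEAKED_WORDLIST))
    # The attacker's best option is the smallest applicable keyspace; with no
    # pattern match, fall back to brute force over the character classes used.
    keyspace = min(keyspaces) if keyspaces else brute_force_keyspace(psk)
    return {
        "psk": psk,
        "weak": bool(findings),
        "findings": findings,
        "worst_case_seconds": seconds_to_exhaust(keyspace),
    }


if __name__ == "__main__":
    # Constructed sample PSKs: a phone number, a wordlist entry, a random string.
    for candidate in ("0521234567", "Sunshine1", "x7$Lq2!vR9#pWe4z"):
        r = audit_psk(candidate)
        print(f"{r['psk']!r}: weak={r['weak']} worst-case {r['worst_case_seconds']:.3g}s {r['findings']}")
```

The numbers are the point: the phone-number mask covers only 10^8 candidates, which the quoted rate exhausts in under nine minutes, and a wordlist hit falls in a fraction of a second, whereas a 16-character passphrase drawn from all four classes sits in a 95^16 keyspace that the same machine cannot enumerate. A policy check like this is cheap to run against PSKs before they are rolled out.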

Passwords, access points and secure VPNs  

The first lesson is that organizations need a proper password policy: passwords must not be based on easily guessable numbers (such as employees' phone numbers) and must be changed periodically, so that if current passwords leak and end up in a published list, dictionary attacks against them will no longer be effective.

The ease with which hashes could be gathered with a sniffer shows that most residential routers, and those used by SMEs in the neighborhood, are very insecure, either because of shortcomings in the devices themselves or because their owners never change the manufacturer's default settings. IT teams should therefore deploy secure Wi-Fi access points with WPA3 encryption in their work environments.

Another finding worth noting is that many remote employees do not work within range of the organization's office Wi-Fi networks, so they can create an attack vector into the company's servers and systems when they connect remotely to the corporate network. A good solution is for employees to use Wi-Fi remote access points that connect to an advanced firewall through an IPSec VPN tunnel before reaching the company's servers, all of which can be managed from a single cloud interface. This ensures that communication between remote employees and the organization is encrypted, making it very difficult for third parties to gain access even if they intercept the signals with sniffing equipment, as Hoorvitch did.