Security Researcher ‘Hacks’ 70% of WiFi Passwords with Next to No Effort

A password is often the only thing that stands in the way of a hacker and a treasure trove of sensitive data. It is therefore important to set a strong, unique password for all accounts. Hackers often conduct automated attacks on accounts using lists of commonly used passwords and passwords previously compromised in data breaches. Accounts with weak passwords can often be compromised in a matter of seconds.

While most people are aware of the importance of setting a strong, hard-to-guess password for their financial accounts, it is surprisingly common for weak passwords to be set on home WiFi networks, according to research conducted by Ido Hoorvitch of the Israeli cybersecurity firm CyberArk.

The idea for the research came when Hoorvitch moved apartment and needed to access the Internet before his apartment was connected. Hoorvitch asked a neighbor if he could use his wireless network temporarily and was given the password, which turned out to be his neighbor’s mobile phone number. A password of that nature was far from secure: it consisted of just 11 numbers, which made it vulnerable to brute force attempts, and the risk was made worse because the mobile phone number was easily traceable to his neighbor. It was a WiFi hacker’s dream.

As it turns out, his neighbor was far from alone in using a phone number for a router password. Hoorvitch used commercially available network sniffing equipment and went on a voyage of discovery around Tel Aviv. His route allowed him to identify around 5,000 WiFi networks. He then used a free password recovery tool to determine how well protected those WiFi networks were.

Hoorvitch used Hashcat, a powerful tool that can compare hundreds of thousands of password hashes a second, to search for passwords that consisted of a local phone number. To his surprise, Hashcat allowed him to identify the passwords for around 2,200 WiFi networks. He then attempted a dictionary attack using a list of 14 million commonly used passwords he found on GitHub. That list gave him the passwords of a further 1,300 WiFi networks. So, 3,500 passwords out of 5,000 were identified simply by using a password list that could be downloaded by anyone and a list of local phone numbers. That’s a success rate of 70%!

While hacking a home WiFi network may not seem anywhere near as serious as a hacker gaining access to an online bank account, the risks of WiFi hacks are greater than simply stealing some bandwidth. By hacking a WiFi network, hackers can redirect users to malicious websites where they can steal a wide range of sensitive information, including bank account details. It would also be possible to use a compromised WiFi network for distributing malware to devices that connect to the network. In this case, Hoorvitch was only conducting research, but a threat actor with malicious intentions could easily do the same.

WiFi passwords are often shared between friends and family members, so setting a long, complex, and unique password can be a pain, but there are easy solutions that are low cost and can greatly improve security without causing headaches.

A password manager is the natural solution for improving security. Some password managers – Bitwarden for example – even offer an impressive free tier, although at $10 per year for personal use it is hardly expensive to get the full version.

Bitwarden includes a secure password generator that will set a unique, complex password for each account that will resist brute force attacks. The solution also allows secure password sharing, which means when you want to share your WiFi network with others or provide them with access to a personal account – a streaming site for instance – it is a quick, easy process. This one simple, low-cost measure is all you need to improve security and prevent attack techniques like those demonstrated by Hoorvitch from being successful.
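To put numbers on the difference between a phone-number password and a generated one, the following added example (not code from CyberArk, Hoorvitch or Bitwarden) audits a WiFi passphrase before it is set on a router. The guess rate, the 100-year weakness threshold, the four-entry sample wordlist and the sample phone number are assumptions made for illustration.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 200_000   # assumption: article says "hundreds of thousands" per second
WORDLIST_SIZE = 14_000_000     # size of the public password list the article mentions
WEAK_BELOW_SECONDS = 100 * 365 * 86400  # assumption: exhaustible in under 100 years = weak
# Constructed four-entry stand-in for that list, so the example runs offline.
SAMPLE_WORDLIST = {"password", "12345678", "qwertyuiop", "iloveyou1"}
ALPHABET = string.ascii_letters + string.digits


def search_space(passphrase):
    """Return (guesses, reason) for the cheapest strategy that covers the passphrase."""
    if passphrase.lower() in SAMPLE_WORDLIST:
        return WORDLIST_SIZE, "wordlist"
    if all(c in string.digits for c in passphrase):
        return 10 ** len(passphrase), "digits-only"   # e.g. a phone number
    # Upper bound: only meaningful when the characters were chosen at random.
    pool = sum(size for chars, size in (
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10), (string.punctuation + " ", 33),
    ) if any(c in chars for c in passphrase))
    return pool ** len(passphrase), "mixed"


def audit(passphrase):
    """Estimate worst-case time to exhaust the search space for a WPA2 passphrase."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    guesses, reason = search_space(passphrase)
    seconds = guesses / GUESSES_PER_SECOND
    return {
        "reason": reason,
        "bits": round(math.log2(guesses), 1),
        "days": round(seconds / 86400, 2),
        "weak": seconds < WEAK_BELOW_SECONDS,
    }


def generate(length=20):
    """Random passphrase from a CSPRNG, as a password manager's generator would produce."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # The first candidate is a constructed 11-digit number, not a real one.
    for candidate in ("05012345678", "password", generate()):
        print(candidate, audit(candidate))
```

The "mixed" estimate assumes every character was picked at random, so a human-chosen word with a digit appended will be rated stronger than it really is.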

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news