How I Hacked My Neighbor’s Wi-Fi Password Without a Break


Last week’s article explaining why passwords are under attack like never before struck a chord with many Ars readers, and with good reason. After all, passwords are the keys that secure web-based banking accounts, sensitive email services, and virtually every other facet of our online lives. Lose control of the bad password and it may only be a matter of time until the rest of our digital assets fall as well.

Take, for example, the hundreds of millions of Wi-Fi networks in use around the world. If they’re like the ones in range of my desk, most of them are protected by the WiFi Protected Access or WiFi Protected Access 2 security protocols. In theory, these protections prevent hackers and other unauthorized people to access wireless networks or even view the traffic sent to them, but only when end users choose strong passwords. I was curious how easy it would be to crack these passcodes using the advanced hardware menus and techniques that have become readily available over the past five years. What I found was not encouraging.

First, the good news. WPA and WPA2 use an extremely robust password storage scheme that significantly slows the speed of automated hacking programs. Using the PBKDF2 key derivation function with 4,096 iterations of the SHA1 cryptographic hash algorithm, attacks that took minutes to execute against the recent LinkedIn and eHarmony password dumps in June would require days or even weeks or months to end against WiFi encryption scheme.

Additionally, both WPA and WPA2 passwords require a minimum of eight characters, eliminating the possibility of users choosing shorter passphrases that could be brute-forced in more manageable time frames. WPA and WPA2 also use a network’s SSID as a salt, ensuring hackers cannot effectively use precomputed tables to crack the code.

That’s not to say wireless password cracking can’t be accomplished easily, as I learned firsthand.

I started this project by setting up two networks with hopelessly insecure passwords. The first step was to capture what is known as the four-way handshake, which is the cryptographic process a computer uses to validate itself to a wireless access point and vice versa. This handshake takes place behind an impenetrable cryptographic veil. But nothing prevents a hacker from capturing the packets transmitted during the process and then seeing if a given password will complete the transaction. With less than two hours of practice, I was able to do just that and crack the dummy “secretpassword” and “tobeornottobe” passwords I had chosen to protect my test networks.

Brother, can you spare a dead frame?

To capture a valid handshake, a targeted network must be monitored while an authorized device validates with the access point. This requirement may seem like a considerable obstacle, since people often remain connected to certain wireless networks 24 hours a day. However, it is easy to get around by transmitting what is called a death frame, which is a series of Deauthorization packets that an access point sends to client devices before restarting or shutting down. Devices that encounter a dead frame will quickly join an affected network.

Using the Silica wireless hacking tool sold by penetration testing software vendor Immunity for $2,500 a year, I had no trouble capturing an established handshake between a Netgear WGR617 wireless router and my MacBook Pro. Indeed, using freely available programs like Aircrack-ng to send dead frames and capture the handshake is not difficult. The good thing about Silica is that it allowed me to complete the hack with just a click of the mouse. In less than 90 seconds, I had handshakes for both networks in a “pcap” (short for packet capture) file. My Mac never showed any signs that it had lost connectivity with hotspots.

A screenshot showing Immunity Inc.'s Silica wireless penetration testing tool in action as it sends out a death frame, then captures the resulting four-way handshake.
Enlarge / A screenshot showing Immunity Inc.’s Silica wireless penetration testing tool in action as it sends out a death frame, then captures the resulting four-way handshake.

Dan Goodin

I then uploaded the pcap files to CloudCracker, a software-as-a-service website that charges $17 to verify a WiFi password against about 604 million possible words. Within seconds, “secretpassword” and “tobeornottobe” were hacked. A special WPA mode built into the freely available oclHashcat Plus password cracker recovered passcodes with equal ease.

It was the thing to do between neighbors

Cracking such passcodes that I had set up in advance to be guessed was great for demonstration purposes, but it didn’t bring much satisfaction. What I really wanted to know was how lucky I would be to crack a password that was actually used to secure one of the networks near my office.

So I got permission from one of my office neighbors to crack his WiFi password. Much to his chagrin, it only took 89 minutes for CloudCracker to crack the 10-character all-numeric password he was using, despite the password not being on the entry-level list. of 604 million words, I relied on a premium, 1.2 billion word dictionary that costs $34 to use.

My fourth hacking target showed up when another neighbor of mine was selling the Netgear router mentioned above at a recent sidewalk sale. When I plugged it in, I discovered that it had left the eight-character WiFi password intact in the firmware. Remarkably, neither CloudCracker nor 12 hours of intensive Hashcat grinding was able to crack the passphrase. The secret: a lowercase letter, followed by two numbers, followed by five more lowercase letters. There was no discernible pattern to this password. He didn’t spell a word forward or backward. I asked the neighbor where he came from with the password. He said he was chosen years ago using an auto-generate feature offered by EarthLink, his ISP at the time. The email address is long gone, the neighbor told me, but the password lives on.

Arguably, this neighbor should have changed his password a long time ago, but there’s still a lot to admire about his security hygiene. By resisting the temptation to use a human-readable word, he avoided a fair amount of high-tech resources spent on discovering his password. Since the code is not likely to be included in a password cracking wordlist, the only way to crack it would be to try every eight-character combination of letters and numbers. Such brute force attacks are possible, but in the best of all worlds, they require at least six days to exhaust all possibilities when using Amazon’s EC2 cloud computing service. WPA’s use of a highly iterative implementation of the PBKDF2 function makes these cracks even more difficult.

Besides changing the password every six months or so and not using a 10-digit phone number, my neighbors could have taken another important step to improve their WiFi security. WPA allows 63-character passwords, allowing four or five randomly selected words to be added – “applesmithtrashcancarradar” for example – which are easy enough to repeat to guests who want to use your wireless network but are extremely difficult to decipher.

Yes, the gains made by crackers over the past decade mean that passwords are under attack like never before. It’s also true that it’s trivial for nearby hackers to capture packets from the wireless access point that is routing some of your most closely held secrets. But that doesn’t mean you have to be a sitting duck. Done right, it’s not hard to choose a password that will take weeks, months, or years to crack.

With such odds, hackers are likely to move on to easier targets, say one that relies on the quickly guessed “secret password” or a well-known Shakespearean quote for security.

Ad image by Dan Goodin


Comments are closed.