Your Wi-Fi network is too easy to hack — how to protect yourself

A home wireless router near a child using a laptop.

(Image credit: Casezy idea/Shutterstock)

Imagine walking around your hometown and discovering that you lot could intermission into more two-thirds of the Wi-Fi networks you come up beyond.

That'southward what happened to Israeli security researcher Ido Hoorvitch, who "sniffed" Wi-Fi networks in the city of Tel Aviv without logging into them, merely nevertheless found that he could "crack" the access passwords for near of them.

Your router'southward security stinks: Here'southward how to fix it
The best Wi-Fi routers you can get
Plus: PS5 just got Apple Music support — here'southward how to gear up information technology up

"I gathered v,000 Wi-Fi network hashes equally my study group by strolling the streets in Tel Aviv with Wi-Fi sniffing equipment," wrote Hoorvitch in a blog mail yesterday (Oct. 26).

No fancy equipment needed

That data-gathering equipment was nothing more a laptop running the free Ubuntu operating system and the free WireShark network packet analyzer, plus a $l stiff network menu with external antennae strapped to Hoorvitch' haversack to find as many Wi-Fi networks as possible.

Hoorvitch used some other free program called Hashcat to crack the passwords.

"At the end of the inquiry," he added, "I was able to break more than than lxx% of the sniffed Wi-Fi networks passwords with relative ease."

Because of his day job at security-solution provider CyberArk (disclosure: Tom's Guide is a client), Hoorvitch was able to employ the company lab's new countersign-cracking rig containing eight Nvidia Quadro RTX 8000 graphics cards that likely cost near $forty,000 in total.

But he stressed that all the password dandy he did could too exist done on a regular PC, in perhaps less than 10 minutes per password if you were targeting a unmarried network.

"You do not need a cracking rig" to do this, Hoorvitch wrote.

Dismal passwords

The point here is that most people, and some businesses as well, use terrible Wi-Fi access passwords. Hoorvitch notes that many Israelis (and 44% of his sample) utilize their cellphone numbers as the passwords for their dwelling Wi-Fi routers. Why that is, we don't know, merely information technology did give Hoorvitch a practiced head start.

Even among those Wi-Fi networks that didn't use cell numbers, nearly half (48%) used terrible, piece of cake-to-gauge passwords that routinely appear on lists of the near mutual passwords. Merely 30% of the five,000 had access passwords that were besides strong to easily crack.

"I hypothesized that most people living in State of israel (and globally) accept dangerous Wi-Fi passwords that can be easily croaky or fifty-fifty guessed by curious neighbors or malicious actors," Hoorvitch wrote.

How and why to take a strong Wi-Fi access password — and a stiff admin one likewise

So what, y'all wonder? What's the damage if some neighbor'southward kid gets admission to my Wi-Fi network?

A lot could happen. The neighbor's child could utilise your network to download pirated movies and software, perchance exposing y'all to legal consequences or even higher bills if your monthly data usage is capped.

That kid, or anyone else within radio range of your abode Wi-Fi router, could also use the network admission to assail devices in your home, such as smart TVs, printers or older computers. Being inside a network gives an aggressor great advantages that aren't bachelor from outside.

"The bottom line is that in a couple of hours and with approximately $l, your neighbor or a malicious actor can compromise your privacy and much more if yous don't take a strong password," Hoorvitch wrote.

To make sure interlopers aren't sneaking into your domicile Wi-Fi network, create long, strong, unique access passwords. If you're having trouble creating and remembering such passwords, then use 1 of the all-time password managers; some of them are free.

Routinely check your home Wi-Fi network'southward logs to see which devices take accessed your network recently. Follow up with annihilation you don't recognize, and if it turns out to not be i of yours, use your network'southward administrative interface to block such devices.

If you tin can, create a "guest" network segment or second network for visitors to use. The guest network should take a different access password from the primary one. It might exist best to put less secure devices — smart TVs, other smart appliances — on the guest network to minimize the potential harm if one of them were to exist hacked.

Disable remote administrative admission to the network from the internet, and plow off Universal Plug and Play, a protocol that makes it too easy for new devices to find each other on the network.

And most important of all, make sure your Wi-Fi network'south administrative countersign is not the same as your access password and is even stronger. (Again, one of the best countersign managers volition come in handy.)

Your Wi-Fi router could tell everyone where you live — here's what y'all can practice

How this was done

We'll skip over most of the technical details of how Hoorvitch did this, partly because we don't completely understand them ourselves. (Yous can read all about how to exercise it on Hoorvitch'south blog post.)

Merely he used a fairly new way to cleft Wi-Fi passwords. It takes reward of the fact that many of the Wi-Fi access points and routers using the WPA2-PSK, aka WPA2 Personal, security protocol circulate a numerical ID to all passing devices, whether they're logged in or not.

The routers and access points do this so that devices can apace rejoin their networks without having to recalculate encryption values. (Some enterprise networks use a different access standard that isn't vulnerable to this assault.)

That ID, called the PMKID, is formed by running the Wi-Fi network access password, the Wi-Fi network name, the router/admission indicate and customer device MAC addresses (fixed network device IDs) and a couple of other factors through a "hashing" algorithm that creates a long, supposedly irreversible cord of digits.

The problem is that, except for the Wi-Fi admission password, all the factors used to create the PMKID are known quantities. The router broadcasts its own MAC address and its network name. The customer device knows its ain MAC accost. The other factors are part of the formula.

So if the only unknown gene is the access countersign, then it can exist isolated and subjected to "cracking" attacks.

Those attacks don't have to be done on the spot: Because the PMKIDs tin be logged along with MAC addresses and network names, the attacks tin can take identify offline, later on the attacker has returned home.

Hashcat, the free password-cracking tool, can be used to generate PMKIDs from lists of potential Wi-Fi passwords. From there it'southward just a question of seeing which generated PMKIDs match existent PMKIDs in the sample.

Taking apart the passwords

Because many Israelis just utilise their cellphone number as passcodes, this gave him a head start. He said Israeli cell numbers are all 10 digits that invariably begin with "05," leaving only eight digits — 100 million possible numerical combinations — to exist calculated. 1 hundred million is a big number to a homo, but it's nothing to a powerful late-model PC.

Using the cellphone-number method, Hoorvitch was able to effigy out 2,200 — 44% — of the Wi-Fi admission passcodes in his sample set. That'southward kind of insane.

For the remaining 2,800 uncracked passcodes, Hoorvitch attacked them with the passwords in the RockYou listing. That's a freely available text file containing more than than fourteen million unique passwords that in 2009 were stolen (from a company that developed Facebook and MySpace widgets) and then dumped online by hackers.

Twelve years later, the most often used passwords in the RockYou list — "123456," "12345," "123456789," "password," "iloveyou" and then on — are even so among the most frequently used passwords in English-speaking countries.

Using the RockYou list, Hoorvitch was able to cleft an additional one,359 Wi-Fi access passwords, 26% of the total sample size. That left but xxx% of the passwords uncracked.

How vulnerable is your router?

The ironic affair is that home Wi-Fi routers don't need to broadcast PMKIDs. These types of IDs are mainly used in workplaces and other large environments in which devices — laptops, smartphones — roam about and seamlessly connect to and disconnect from multiple Wi-Fi access points that are office of the same Wi-Fi network.

Nonetheless, PMKID distribution is turned on past default in many home Wi-Fi routers, although we weren't able to observe whatsoever indication that it was activated on our own crumbling Netgear router. (One way to check is to see if "802.11r", the specification that defines PMKID, is enabled or mentioned in your home router authoritative interface.)

PMKID would be on for many of the workplace Wi-Fi networks that Hoorvitch sniffed.

"Not all routers back up roaming features and are, therefore, not vulnerable to the PMKID assault," he wrote. "However, our research found that routers manufactured by many of the world'due south largest vendors are vulnerable."

Unfortunately for the states, he didn't provide a listing of those router vendors.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has likewise been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security infinite for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random Boob tube news spots and fifty-fifty chastened a panel discussion at the CEDIA habitation-technology briefing. You tin can follow his rants on Twitter at @snd_wagenseil.