Thursday 28 May 2015

How Easy Is It To Hack A Wireless Network?

How Easy Is It To Hack A Wireless Network

With wireless networks commonplace, are we becoming complacent? David Crookes looks at how safe your network really is

Seconds. Mere seconds. That is the figure many an expert will tell you measures the time it takes for a hacker to infiltrate a home network. It may sound alarmist, it may be designed to make you sit up and listen, but a study five years ago showed that half of home wi-fi networks could be hacked in less than five seconds, and the situation does not appear to have become better since.


With determination, it wouldn't take long for anyone to work out how to get into a network. A report on the website securityaffairs.co showed researcher Dominique Bongard finding a way to attack wireless routers that had a poorly implemented version of Wi-fi Protected Setup (WPS). It took him just one second using offline calculations. To aid would-be hackers, there are websites that promise to help you crack wi-fi passwords in two minutes. There are many others that detail popular wireless hacking tools.

But then we've long known that wireless networks are vulnerable to attack. It may be that your neighbour is savvy enough to piggy back on your wi-fi, slowing down your access and benefitting from a freebie. This is bad enough, but there would be no telling what he or she is using your network for: is he or she downloading illegal items? Is he or she using it to hack into GCHQ?

Sure, we're always wary of people hacking into public wi-fi (in January this year, even a seven-year-old was able to hack into a public wi-fi system in under 11 minutes, and in-flight wi-fi is assumed to be at risk from rogues seeking to control the aircraft system), but home wi-fi is yours; it's personal and it arguably carries a greater personal risk. Stats in America show four out of five internet-connected homes are at risk of attack through a wireless router, and it would not be surprising to see similar figures in the UK.

"Don't be fooled by someone telling you your data is secure. If you are accessing the system wirelessly, it is never secure," says hacker Matthew Beddoes, who was caught stealing carbon credits from the United Nations to sell on, earning him a three-year jail sentence. Invited to talk to businesses in the North West of England last year by the Aintree-based Stack Group, the man who goes by the pseudonym the Black Dragon demonstrated how a £30 Raspberry Pi could be used to bypass security features. "All this code is free and publicly available."

Explaining Wireless Networks


Wireless networks are based on IEEE 802.11 standards as defined by the Institute of Electrical and Electronics Engineers. There are two security protocols: WEP and WPA, the former deemed weak and having been surpassed by the latter, which is now on version two, WPA2. For hackers to gain access to a network, he or she needs to smash through this protocol. With WPA and WPA2 this can only be done through brute force, either by gaining an idea of how the network is being used or using specific software and tools to do the job. Poor encryption and sloppy configuration are the two key mistakes that allow hackers through.

And get through they do, for money is a motivating factor for hackers. Being able to find holes in wireless networks can be lucrative, and coders who provide software that enables cracks to be prised open are often paid handsomely for their efforts. Black hat hackers - those who prey on networks for their own negative ends - only see networks as a challenge, and they are determined enough to win. White hat hackers seek to help defend us from these problems by finding vulnerabilities first, so are therefore always playing a game of cat and mouse.

What makes the problem worse is that we are relying on wireless networks more than ever before, thanks to the Internet of Things becoming a reality in British homes. The wi-fi network is the thread that ties these digital devices together in the home, and yet, according to security companies such as Avast, very little attention has been paid to securing it. Wireless routers are fast becoming a lucrative target for hackers - exposing financial information, passwords, private photos and even browsing history - and that is because wireless traffic is open to eavesdropping.

Even when that traffic is encrypted, hackers are able to crack it open and pluck whatever information they need out of the airwaves. Whether they are taking those passwords or causing problems with your emails, the issues hacking causes can be keenly felt. Another problem is that encryption, while improved, is seldom strong enough to offer perfect protection. The good news, though, is hackers tend to go for the least protected networks. So let's look at how easy we may inadvertently be making it.

Performing A Drive-By


There was a time when some hackers would grab a laptop, drive down a street and pick up on insecure wi-fi signals beaming out of people's homes. There are also occasions when a neighbour will look for available wi-fi and hope to piggyback on it. This is known as snarfing, and it can be more than just a nuisance, as viruses are installed on systems and spam is sent.

The ease with which people can do this is due to a great many networks being like eggs. They have a hard interior, but crack them and you'll find they're soft inside. A hacker will therefore do all they can to get through that protective layer, looking for vulnerabilities and going after those networks that are easier to get into. Someone attempting to penetrate a large network such as a company will seek host names, network addresses ranges, exposed hosts, information about operating systems and any software on the machines that may be exposed.

In a home, an attacker will seek similar vulnerabilities, and with so many devices now hooked into a network, there are a greater number of entry points. A smart TV can be used to gain access, and it may have fewer network restrictions. But the main entry point is an unsecured user. Using software such as Aircrack-ng in combination with a wireless card, hackers are able to discover passwords, having captured the handshake between the computer and the router. Aircrack-ng even offers step-by-step instructions.

It used to be that software was needed to scan for available wi-fi networks, but this is built into computers these days. When you look to connect to a wireless network, you are given a list, and that has made it even easier for hackers to identify possible networks to break into. The hackers tend to work together, posting information online to help them to complete their work. There are password lists available, for instance, which can be used to force their way into a network; the easier the password, the quicker the process will be. And so many people use the simplest of passwords or don't even bother to change the one the router came with.

"Unsecured routers create an easy entry point for hackers to attack millions of American home networks," says Vince Steckler, chief executive officer of Avast. "If a router is not properly secured, cybercriminals can easily gain access." Too many routers are poorly protected by default or common, easily hacked password combinations such as admin/admin or admin/password, or even admin/<no-password>. And for those who change them, the most typical passwords are often too easily guessed.

The problem is that the software used for these cracks is so easily available. WEPCrack is an open-source tool, which lets people break into 802.11 WEP secret keys. AirSnort bills itself as a wireless LAN encryption key recovery tool. It operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. KisMAC for Mac OSX and Kismet for Linux need advanced knowledge, but they will help to crack WEP and WPA keys by brute force, exploiting flaws including weak scheduling and badly generated keys.

There are even online tools. CloudCracker is aimed at penetration testers and network auditors who are looking to check the security of WPA-protected wireless networks, crack password hashes or break document encryption. Thankfully for those who use this particular service there is a charge, so a money trail is left. Access a secured network without authorisation using CloudCracker and a hacker will likely fall foul of the law. Use it to test your own vulnerabilities, though, and it could be money worth spending.

But with all this in mind, you should be protecting your wireless router. In order to access it, you'll need to enter your IP address into a web browser, which you'll be able to typically find on the back of the device. Enter the default password (check your internet service provider for the details. For Sky, for instance, you would enter admin/sky), and then make sure you alter it so something that is far less easy to crack.

While you have the router details open, though, you should also look at the level of encryption you have for the data transmitted from your computer to the router. It is very unlikely that it will be set to the dated encryption format WEP, but make sure that it's WPA2, and if it isn't available, update the firmware for your router so that it supports it. WPA2 security with AES/CCMP encryption gives you a better chance of beating off hackers, but it's not crack proof. Going back to 2010, ElcomSoft, a member of the Russian Cryptology Association, developed a product that combined graphics cards from Nvidia and ATI to accelerate the recovery of WPA2 encryption passwords.

Fast forward to today, and you're able to use the likes of Reaver, which "implements a brute force attack against WPS registrar PINS in order to recover WPA/WPA2 passphrases". It says it has been designed to be a robust and practical attack against WPS, and it has been tested against a wide variety of access points and WPS implementations. What's more, it will recover passphrases within four to ten hours. Patience is required, for sure, but it's possible. The software works by testing the connection between a wi-fi device and a router with Wi-fi Protected Setup turned on. It goes without saying that to protect yourself from such hacks to some degree, you need to turn WPS off.

"Today's router security situation is very reminiscent of PCs in the 1990s, with lax attitudes towards security combined with new vulnerabilities being discovered every day creating an easily exploitable environment," says Steckler. "The main difference is people have much more personal information stored on their devices today than they did back then."

Router To Nowhere


It doesn't help that more than 75% of all routers that are provided to customers by ISPs contain software or firmware easily exploited by hackers. Independent Security Evaluators researchers said they discovered "critical security vulnerabilities" in numerous small office/home office routers and wireless access points. "These vulnerabilities allow a remote attacker to take full control of the router's configuration settings; some allow a local attacker to bypass authentication directly and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network," the report said. It is no surprise given that companies want to provide as cheap a device as possible to customers.

Still, Steckler says one of the biggest risks on any wi-fi network is DNS hijacking. This is when hackers exploit vulnerabilities in a user's unprotected router and play around with the Domain Name Service so it diverts people from bona fide websites to malicious ones. It allows for the harvesting of credentials including logins. Because the user has been going to a specific site and since it looks identical to the proper one, they suspect nothing and they potentially lose everything.

These so called man-in-the-middle attacks are not to be taken lightly, but you can protect yourself from them. Routers use DNS servers that are automatically acquired from an internet provider, so if you fear the settings have been altered you can opt to change them. You can go to the Network and Sharing Center, select Change Adapter Settings, choose the connection you want to alter and then click 'Internet Protocol Version (TCP/IPv4)' or 'Internet Protocol Version (TCP/IPv6)'. You can choose the Google DNS using the settings 8.8.8.8 or 8.8.4.4, or for Ipv6 2001:4860:4860::8888 or 2001:4860:4860::8844.

But even technology cannot save most of us from social engineering hacks. In March at CeBIT, ex-hacker Kevin Mitnick used USB drives, wi-fi access points, PDF files and cloned wireless keycards, and he was able to gain control of targeted machines. In his hacking career, his chosen method was to sift through the usernames and passwords thrown out by companies, and he was able to seize control of networks. Antivirus software is no match for such methods.

There are more ingenious methods and lengths that hackers will go to, though. In August last year. Gene Bransfield in Virginia hacked into the networks of his neighbours by fitting his pet cat, Coco, with a wi-fi sniffing device. He called the animal his WarKitteh and allowed it to exploit the networks of 23 homes, a third of which used WEP. The cost of the device was just £60. It's not much of a leap to suppose that similar technology could be used on board drones by determined hackers.

When you then go on to read reports of vulnerabilities in software that controls wireless networking chipsets made by Realteck Semiconductor, which is said to allow attackers to compromise home routers, you realise that you can be powerless. The chips are inside models made by Netgear, D-Link and Trendnet. Hackers are able to exploit the vulnerability and gain administrative access to a router. They could infect devices on a wi-fi network. The advice has been to keep router's firmware current but that is essential to do. But as one commentator pointed out, even if RealTek came up with a patch, it would not be implemented on all affected devices. Many of them are no longer supported by their manufacturers.

One thing you should avoid, though, is trying to exploit vulnerabilities yourself. Computer hacking is illegal in the UK, and you will face a possible prison sentence. The Communications Act 2003 says a "person who (a) dishonestly obtains an electronic communications service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence". So if someone breaks into a wireless network that they should be paying for or if they break into your wireless network and avoid charges, that could potentially get them into trouble, and there have been cases where perpetrators have been caught and taken to court. This is not the case the world over; in the Netherlands, a court ruled that wi-fi hackers could not be prosecuted for breaching router security, because the majority of hackers who do this are not gaining access to the computer, only the connection. But it is certainly how it works in the UK, so please do be aware of that.

What we've done here is show that there are tools available that allow ordinary people to hack. And by remembering that hackers are not always anti-social types locked away in darkened rooms, you should be better prepared to head them off. As wireless networks become commonplace in our homes, taking small steps to protect your wireless router today will put you in a far stronger position.


Getting Hacked On A Public Wi-fi Network


There are some things to watch out for when accessing the web on your travels.

1. Note the name of the connection
You may think that you're logging into Starbucks' wi-fi, but what's that other similar sounding provider? Should you be choosing StarbucksWiFi or WiFiStarbucks? If in doubt, you should always ask the provider for the exact identifier before you connect. Getting the wrong one means you could be connecting to a rogue hotspot, and that may route your sensitive information to a hacker's server.

2. Turn sharing off
One of the first things to do when you're hooking up to public wi-fi is turn sharing off. In Windows, go to Network and Internet > Network and Sharing Center and select Homegroup and Sharing Options > Change Advanced Sharing Settings. Choose the public profile and ensure network discovery, file and printer sharing and public folder sharing are turned off. On a Mac, go to System Preferences > Sharing and untick everything.

3. Activate the firewall
Firewalls control the incoming and outgoing network traffic, forming an effective barrier. Go to the Control Panel on your PC and turn the firewall on. Using a Mac? Go to System Preferences > Security & Privacy, select Firewall, click the padlock and click Turn On Firewall.

4. Use a virtual private network
VPNs guarantee to encrypt and secure data, so if a public wireless network is hacked, your data cannot be intercepted. If you're restricting your web use to a web browser, CyberGhost has a free proxy for web traffic at www.cyberghostvpn.com/en_us/proxy.

5. Just use your phone
A 3G or 4G connection is more secure than public wi-fi, and data plans are getting better again so make use of it. You can tether laptops and tablets to your phone. Check out your provider's web pages to find out how to do this.


Protecting Your Home Wireless Network


How to keep your network as safe as possible.

1. Encrypt the wireless network
Avoid using WEP. It has vulnerabilities, and it is very easy to hack. There are loads of tutorials online that show people how to do this with an app and a handful of step-by-steps. Instead, change the network settings so you're using WPA/WPA2.

2. Change the router password
So many people do not bother to do this, and yet it is a major vulnerability. Many ISPs reveal the default login and password online, so you can't really get much more open. Make sure you log in and change the password to something that is very difficult to guess - the longer the better.

3. Enable the firewall
A router has a firewall, but it's not always turned on. You need to check it and turn it on so it blocks unsolicited incoming traffic and protects the network from the 'wild' internet. Some routers will also allow the blocking of some outgoing traffic.

4. Enable MAC address filtering
Every wireless networking card has a MAC code. By enabling filtering, that address is registered to your networked devices and only they will be able to connect to the network. It's not foolproof, since MAC addresses can be cloned, but as backup to WPA2 encryption it will make your network more secure.

5. Change the SSID name
The SSID is the name that is given to your network by a provider and the one you look for when you're connecting. Many of them identify the network, so you'll see references to EE or Sky, for instance. By altering the name, you can mask this extra information, so knowledgable hackers have to work harder to figure who provides your internet.

6. Do not allow remote access
There's a chance you're not going to need remote access to your router, so if this is the case then remove the ability. It's usually disabled by default, so leave it that way if it is. Sure, you'll need a LAN cable plugged into your router if you want to make changes, but it will disable the opportunity for wireless hacking.