By Adam Govier, SureCloud principal cybersecurity consultant
SureCloud partnered with the consumer group Which? to demonstrate some of the risks of a modern internet-connected home by identifying and exploiting vulnerabilities within a sample of popular Internet of Things (IoT) devices. We exposed the risks associated specifically with the Virgin Media Super Hub 2 and demonstrated why proper cyber security risk management and understanding is so vital to business and home security.
Identifying Cyber-Security Risks at Home
For the project, Which? created a realistic test environment by filling a house with a range of readily available IoT devices.
The assessment used a Virgin Media Super Hub 2 router to connect the IoT devices to the internet wirelessly.
These devices range from quality-of-life-enhancing products to children’s toys and devices that offer assurance for home security.
SureCloud’s security testing was structured over four days, with the primary goal of demonstrating risks to consumers, either by identifying new vulnerabilities within these products or by utilising and expanding upon known exploitation methods previously published by the broader security community. Of course, further weaknesses within these products and services may well exist, but we could not identify them within the scheduled period.
What did we find?
One of the key findings of the project was a vulnerability in the default PSK passphrases used by the Virgin Media Super Hub 2 devices, meaning they’re open to potential compromise.
Now, we want to expand upon the information publicised regarding the Virgin Media Super Hub 2 devices, specifically the ease with which the default Wi-Fi PSK passphrases could be compromised. We will also provide an overview of how attackers can quickly compromise and gain access to one of these home wireless networks.
SureCloud purposely delayed the publication of this blog following the ‘Which? Hackable Home’ article, to give consumers time to amend their wireless configurations before its release. We now intend to explore the technical aspects of the issue in greater detail.
Existing PSK Research – Hashkiller
The basis of the SureCloud Cybersecurity team’s ability to obtain the plaintext PSK passphrase for the sampled Super Hub 2 router originated from the community effort at the Hashkiller forums. Here, forum members have collaborated to create a list of common ISP-provided (and third-party) default PSK character key spaces. This proved invaluable given the limited time we had available during this project.
Our Sample Environment
For the ‘Hackable Home’ project, the Which? target environment utilised a default-configured Super Hub 2 device as one of the entry points for the ‘local’ aspect of the article research.
Through discussions with colleagues, people within the security industry, and non-technically focused users of these Virgin devices, SureCloud found that most end-users do not change the default PSK passphrases used to connect devices to Wi-Fi. Furthermore, through passive war-driving, it’s evident that very few consumers change the default SSIDs that broadcast the wireless networks over the air.
Note that this blog will only focus on what was discovered during the ‘Hackable Home’ project, and whilst other router default configurations may also be vulnerable to similar weaknesses, we are unable to cover them here.
The Hackable Vulnerability
The main cause of weakness here is related to the simplistic character key-space used during the generation of the plaintext pre-shared key (PSK) passphrases.
WPA and WPA2 require each passphrase to be at least 8 characters long. This is an improvement upon prior wireless protocols such as WEP (Wired Equivalent Privacy), but it is becoming an insufficient requirement as hardware and cracking tooling continue to advance.
In more direct terms, the Super Hub 2 default passphrase’s character key-space utilises only lower-case alpha characters, except for the letters ‘i’ and ‘o’.
This leaves the following as the possible key-space: abcdefghjklmnpqrstuvwxyz
A 24-character key-space for an 8-character passphrase means that 114,861,197,400 possible combinations could be used.
SureCloud utilised the open-source password cracking tool ‘Hashcat’ during the assessment, with multiple NVidia GTX 1080 graphics cards. As an example of what would be possible with just one of these consumer graphics cards, the entire key-space used by the Super Hub 2 devices could be processed in just over three days (roughly 378,000 combinations per second). SureCloud were thus able to compute the passphrase for the sample Super Hub 2 in less than a day using several of these graphics cards. This would scale with multiple GPU setups.
For example, the Hashcat tool can support up to 128 GPUs, and therefore theoretically allows for this full 24-character key-space to be brute-forced in less than 40 minutes.
As a comparison, the latest Virgin Media Super Hub 3 devices utilise a stronger default PSK passphrase comprising 12 characters with the key-space of numeric, upper alpha, and lower alpha characters. This equates to a total of 3.2791563814536033e+21 combinations – a valuable mitigation from Virgin Media. Using the same example for computing these combinations, just one of these graphics cards would take an estimated 275 million years to crack the key-space.
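To make the key-space and cracking-time figures above reproducible, here is a small Python estimator. It is an added example written for this post, not code from SureCloud or Which?: the 378,000 guesses per second rate and the 128-GPU scaling are the figures quoted above, and linear scaling across GPUs is assumed. It computes both the exact-length key-space (24^8 and 62^12) and the total over every length up to the default length, which is what an incrementing mask attack must cover and is the quantity the combination totals above correspond to. It also includes a check for whether a passphrase still has the shape of an unchanged Super Hub 2 default, which is the test a consumer or auditor actually needs.

```python
"""Key-space and brute-force cost estimates for the default PSK policies above.

Added example (not SureCloud's or Which?'s code). Character classes and lengths
mirror the defaults described in the article; 378,000 guesses/s is the single
GTX 1080 figure quoted there, and multi-GPU scaling is assumed to be linear.
"""
import math
import re
import string

# Observed Super Hub 2 default: lower-case letters without 'i' and 'o' (24 symbols).
SH2_CHARSET = "abcdefghjklmnpqrstuvwxyz"
SH2_LENGTH = 8
# Super Hub 3 default as described in the article: mixed-case letters and digits (62 symbols).
SH3_CHARSET = string.ascii_letters + string.digits
SH3_LENGTH = 12

GUESSES_PER_SECOND = 378_000          # one GTX 1080 against WPA/WPA2 (hashcat -m 2500)
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passphrases of exactly `length` symbols."""
    return len(charset) ** length


def keyspace_up_to(charset: str, max_length: int) -> int:
    """Number of passphrases of every length from 1 to `max_length` inclusive,
    i.e. what an incrementing mask attack would have to cover."""
    return sum(len(charset) ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(space: int, rate: float, gpus: int = 1) -> float:
    """Worst case: every candidate is tried. Assumes linear GPU scaling."""
    return space / (rate * gpus)


def bits_of_entropy(charset: str, length: int) -> float:
    """Entropy of a uniformly random passphrase drawn from the policy."""
    return length * math.log2(len(charset))


def matches_sh2_default_pattern(passphrase: str) -> bool:
    """True if a passphrase looks like an unchanged Super Hub 2 default:
    exactly 8 characters drawn from the 24-letter set above."""
    return re.fullmatch(r"[a-hj-np-z]{8}", passphrase) is not None


if __name__ == "__main__":
    sh2_exact = keyspace(SH2_CHARSET, SH2_LENGTH)
    sh2_total = keyspace_up_to(SH2_CHARSET, SH2_LENGTH)
    sh3_exact = keyspace(SH3_CHARSET, SH3_LENGTH)
    sh3_total = keyspace_up_to(SH3_CHARSET, SH3_LENGTH)

    print(f"Super Hub 2: {sh2_exact:,} eight-character candidates "
          f"({sh2_total:,} over lengths 1-8), {bits_of_entropy(SH2_CHARSET, SH2_LENGTH):.1f} bits")
    print(f"  one GPU : {seconds_to_exhaust(sh2_exact, GUESSES_PER_SECOND) / SECONDS_PER_DAY:.2f} days")
    print(f"  128 GPUs: {seconds_to_exhaust(sh2_exact, GUESSES_PER_SECOND, 128) / 60:.0f} minutes")
    print(f"Super Hub 3: {sh3_exact:.4e} twelve-character candidates "
          f"({sh3_total:.4e} over lengths 1-12), {bits_of_entropy(SH3_CHARSET, SH3_LENGTH):.1f} bits")
    print(f"  one GPU : {seconds_to_exhaust(sh3_total, GUESSES_PER_SECOND) / SECONDS_PER_YEAR:.3e} years")

    # Constructed sample passphrases, not real credentials.
    for candidate in ("qwertyuk", "qwertyuio", "Tr0ub4dor&3"):
        print(f"{candidate!r} looks like an unchanged SH2 default: {matches_sh2_default_pattern(candidate)}")
```

The pattern check is deliberately narrow: it flags only the exact shape of the weak default, so a passphrase that was changed to anything else (even a short one) is not reported as the default, and the key-space functions are what to use to judge its actual strength.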
Cracking WPA/WPA2 PSK Passphrases
For the purposes of a general overview, we’ll simplify things. Attacks against wireless networks that use PSK passphrases for client authentication are possible because the client and wireless access point (AP) provide nearly all the necessary information required to compute a small key over-the-air. This key (known as the MIC, or ‘Message Integrity Code’) can then be used as a reference point for computational comparisons alongside the readily available information (such as client and access point MAC addresses, SSID names, etc.) for an attacker to potentially obtain the plaintext passphrase.
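The reason each guess is expensive, and why the SSID matters as much as the passphrase, is visible in the first step of the derivation. The following is an added example, not part of the original article: it derives the Pairwise Master Key (PMK) exactly as IEEE 802.11i specifies, using PBKDF2-HMAC-SHA1 with the SSID as the salt and 4,096 iterations. It stops at the PMK and does not implement the PTK expansion or the MIC comparison. The ‘password’/‘IEEE’ vector is the one published in the standard’s annex; the second Virgin-style SSID is a constructed value.

```python
"""From passphrase to Pairwise Master Key (PMK): the value each guess is checked against.

Added example, not from the original article. The derivation is the one fixed by
IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
The later steps (PTK expansion with the handshake nonces and the MIC check) are
deliberately not implemented here.
"""
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by the standard; the per-guess cost cannot be tuned down
PMK_LENGTH = 32            # bytes


def passphrase_length_ok(passphrase: str) -> bool:
    """WPA/WPA2 ASCII passphrases are 8 to 63 characters long."""
    return 8 <= len(passphrase) <= 63


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK from an ASCII passphrase and the network's SSID.

    The SSID is the PBKDF2 salt, so a table of PMKs precomputed for one SSID is
    useless against a network with a different name. Leaving the default SSID in
    place therefore helps an attacker as much as leaving the default passphrase."""
    if not passphrase_length_ok(passphrase):
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def same_pmk_on_other_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Does one passphrase give the same PMK on two differently named networks?"""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


def cpu_derivations_per_second(ssid: str, sample: int = 50) -> float:
    """Rough single-core rate of the PBKDF2 step alone, to contrast with the
    GPU figure quoted in the article."""
    candidates = [f"sample{n:02d}" for n in range(sample)]   # constructed, 8 chars each
    start = time.perf_counter()
    for candidate in candidates:
        derive_pmk(candidate, ssid)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    # Published test vector from the IEEE 802.11i annex.
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    # The first SSID is the one observed in the article; the second is constructed.
    print("same PMK on 2G and 5G SSIDs:",
          same_pmk_on_other_ssid("abcdefgh", "VM0394859-2G", "VM0394859-5G"))
    print(f"~{cpu_derivations_per_second('VM0394859-2G'):,.0f} PBKDF2 derivations/s on one CPU core")
```

Two points follow directly from the code: the 4,096 iterations are what make a single WPA guess far slower than a raw hash, and only the size of the key-space (not the derivation) is under the owner’s control, which is why the recommendations at the end of this post focus on passphrase length and character set.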
The methodology to obtain the passphrase can be described as follows:
- Capture the client and access point handshake
- Process the handshake to verify that it contains valid data
- Compute the plaintext passphrase through brute-force
Capturing the Handshake
The first step in obtaining the plaintext passphrase is to set up the attacking environment and capture the client-AP handshake.
Several tools are freely available online that can be used for this. For this demonstration, we’re using the Aircrack suite of tools and a Linux-based operating system within a Virtual Machine. Along with these tools, a wireless network card that supports monitor mode would be required.
We’ll first enable monitor mode on our wireless adaptor, which allows us to use the ‘airodump-ng’ tool to scan for broadcasting networks. This is done with the following command:
airmon-ng start wlan0
Once we’ve created the monitor mode interface using the ‘airmon-ng’ tool, we’ll execute the ‘airodump-ng’ tool to detect nearby networks. We will use the default arguments for now, which will hop between the wireless channels quickly, although there are extensive command-line arguments that can be used to filter and enhance the results:
The result highlights that the Virgin Media hub SSID ‘VM0394859-2G’ is nearby, with a reasonable broadcast power-level.
With the BSSID and Wi-Fi channel information in hand, we can now focus the capture on that single network. To do so, we use the channel and bssid argument options with ‘airodump-ng’, together with the argument to write the observed traffic to a file:
airodump-ng --channel 1 --bssid 00:c0:ca:58:46:e6 -w vm0394859-2g mon0
We can see a filtered view, targeting only channel 1 and the specific MAC address for the Virgin Media wireless network.
After a short while, we observed a client connection being performed, and we were able to capture a WPA handshake.
For the purposes of this article, our example is executed within a closed environment. In real-life scenarios, however, penetration testers and attackers may have to perform a de-authentication attack against the host access point and one or more clients to force a re-authentication to occur, and thus a new handshake. Although we did not need to do this for our example, it’s important to note that the ‘aireplay-ng’ tool can be used for such purposes.
Our next step is to extract the relevant data in a format that Hashcat (or another password-cracking tool) can use. The Hashcat team have released a utility named ‘cap2hccapx’ that verifies the captured data, preventing unnecessary computation on an invalid capture. This tool outputs a ‘hccapx’ file, which can only be used with Hashcat; Hashcat, however, provides GPU-based computation, which vastly decreases the maximum time needed to cycle through the full key-space.
Handshake validity was confirmed using the cap2hccapx tool from the Hashcat team.
Following the clean-up of the captured data with the ‘cap2hccapx’ tool, we’ll use Hashcat to crack the passphrase by using a custom character-set mask. This can be accomplished using the inbuilt functionality through the ‘-1’ argument (ranging through ‘-1’ to ‘-4’) and then by specifying the characters that we require within this mask. Our example uses the lower-case character set, excluding ‘i’ and ‘o’.
hashcat64.exe -m 2500 vm0394859-2g.hccapx -1 abcdefghjklmnpqrstuvwxyz -a 3 ?1?1?1?1?1?1?1?1 -w 4
Screenshot of Hashcat in use, demonstrating the expected completion for the full key-space when using just one NVidia GTX 1080.
The result of this is that we could crack the password within this estimated time; as an attacker, we would then be able to gain access to your home Wi-Fi network and could potentially compromise further devices that are also connected.
Hashcat output summary, highlighting the passphrases within plaintext following a successful cracking attack.
What Security Mitigations Are Now in Place?
Virgin Media have already addressed the default configuration weakness with their newer Super Hub 3 devices. However, many customers may still be affected if they own the Super Hub 2 devices and have not yet amended their wireless network settings from the default configuration.
The key mitigation would be to log in to the router web interface and manually set a stronger passphrase.
A recommended passphrase should be at least 12 characters long and comprise upper-case alpha, lower-case alpha and numeric characters in random order. If the result is not something that can be easily remembered or guessed, it is a good baseline for a stronger passphrase.
Please consider this a minimum.
SureCloud would recommend you use the longest supported passphrase, usually around 63 characters, and include non-standard characters. The longer and more complex the passphrase is, the more mathematically improbable it is that it will be ‘cracked’ within a reasonable timeframe. Graphics processing is continuing to accelerate, so as technology improves, the overall time it would take to crack a ‘key’ will likely decrease.
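Here, as an added example rather than anything from the original post, is a Python helper that generates a passphrase meeting the recommendation above (random, at least 12 characters, mixed case plus digits, and by default the full 63 characters with symbols) and checks an existing passphrase against the same policy, reporting what falls short. It uses the standard library’s `secrets` module rather than `random`, because `random` is not suitable for generating secrets; the length and character-class thresholds are the ones stated above, and the sample passphrases are constructed.

```python
"""Generate and check Wi-Fi passphrases against the recommendations above.

Added example, not SureCloud's own tooling. Policy: at least 12 characters with
upper-case, lower-case and numeric characters; WPA/WPA2 caps an ASCII passphrase
at 63 printable characters, and the strongest option is to use all 63 with symbols.
"""
import secrets
import string
from typing import List

MIN_LENGTH = 12          # the article's stated minimum
MAX_LENGTH = 63          # WPA/WPA2 passphrase limit
ALNUM = string.ascii_letters + string.digits
# Some router interfaces reject specific symbols; fall back to ALNUM if the
# web interface refuses a generated value.
WITH_SYMBOLS = ALNUM + string.punctuation


def _printable_ascii(passphrase: str) -> bool:
    """WPA/WPA2 passphrases are limited to printable ASCII (0x20-0x7E)."""
    return all(32 <= ord(c) <= 126 for c in passphrase)


def meets_policy(passphrase: str) -> bool:
    """True if the passphrase satisfies the minimum recommendation above."""
    return not policy_failures(passphrase)


def policy_failures(passphrase: str) -> List[str]:
    """Human-readable reasons a passphrase falls short, in a fixed order."""
    reasons = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(passphrase) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if not any(c.isupper() for c in passphrase):
        reasons.append("no upper-case letter")
    if not any(c.islower() for c in passphrase):
        reasons.append("no lower-case letter")
    if not any(c.isdigit() for c in passphrase):
        reasons.append("no digit")
    if not _printable_ascii(passphrase):
        reasons.append("contains a non-printable or non-ASCII character")
    return reasons


def generate_passphrase(length: int = MAX_LENGTH, alphabet: str = WITH_SYMBOLS) -> str:
    """Cryptographically random passphrase that satisfies the policy.

    Rejection sampling keeps the result uniform over policy-compliant strings
    instead of forcing particular character classes into fixed positions."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    if not (any(c.isupper() for c in alphabet) and any(c.islower() for c in alphabet)
            and any(c.isdigit() for c in alphabet) and _printable_ascii(alphabet)):
        raise ValueError("alphabet must contain upper-case, lower-case and digit characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print("Suggested 63-character passphrase:", generate_passphrase())
    print("Suggested 16-character alphanumeric:", generate_passphrase(16, ALNUM))
    # Constructed samples: a weak default-shaped value, a compliant one, a minimal one.
    for sample in ("qwertyuk", "Correct1Horse", "aB3aB3aB3aB3"):
        print(f"{sample!r}: {policy_failures(sample) or 'meets the recommendation'}")
```

Set the generated value in the router’s web interface and record it in a password manager; because it is random rather than memorable, the manager (or the router’s own QR/WPS-free sharing, where offered) is how other household devices should receive it.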
SureCloud’s Hackable Home Recommendations
To be sure your password is as secure as possible:
- Always change default credentials present in your router’s configuration/administration pages
- Consider disabling Wireless Protected Setup (WPS) functionality
- Review your current PSK passphrase and strengthen it as appropriate
Devising the right cyber security risk management strategy for a device such as the Virgin Media Super Hub 2 doesn’t have to be complex. Follow the SureCloud recommendations above to decrease the likelihood of your network suffering a hack, or get in touch with us using the form below to find out more about the possibilities of penetration testing.