Vector
Vector

Choose your topics

Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Blogs
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
Blogs
See Yourself in Cyber With Janhavi Deshpande

See Yourself in Cyber With Janhavi Deshpande - SureCloud

Cyber Security
Vector (7)
Vector-1
Penetration Testing, Cyber Risk Management

The Hackable Home

The Hackable Home
Written by

Adam Govier

Published on

30 Oct 2018

The Hackable Home

 

SureCloud partnered with the consumer group Which? to demonstrate some of the risks of a modern internet-connected home by identifying and exploiting vulnerabilities within a sample of popular Internet of Things (IoT devices). We exposed the risks associated specifically with the Virgin Media Super Hub 2, and demonstrated why proper cyber security risk management and understanding is so vital to business and home security.

 

Identifying Cyber-Security Risks at Home

For the project, Which? created a realistic test environment by filling a house with a range of readily available IoT devices. 

 

The assessment used a Virgin Media Super Hub 2 router to connect the IoT devices to the internet wirelessly.

 

These devices range from quality-of-life-enhancing products to children’s toys and devices that offer assurance for home security. 

 

SureCloud’s security testing was structured over four days, with the primary goal of demonstrating risks to consumers; by identifying new vulnerabilities within these products or by utilising and expanding upon known exploitation methods previously published by the broader security community. Of course, weaknesses within these products and services were possible, but we could not identify these within the scheduled period.

 

What did we find?

One of the key findings of the project was a vulnerability in the default PSK passphrases used by the Virgin Media Super Hub 2 devices, meaning they’re open to potential compromise. 

 

Now, we want to expand upon the information publicised regarding the Virgin Media Super Hub 2 devices, specifically the ease at which the default Wi-Fi PSK passphrases could be compromised. We will also provide an overview of how attackers can quickly compromise and gain access to one of these home wireless networks.

 

SureCloud has purposely delayed the publication of this blog since the publication of the ‘Which? Hackable Home’ article to give consumers time to mitigate their wireless configurations before the release of this blog. We now intend to explore the technical aspects of the issue in greater detail.

 

Existing PSK Research – Hashkiller

The basis of the SureCloud Cybersecurity team’s ability to obtain the plaintext PSK passphrase for the sampled Super Hub 2 router originated from the community effort at the Hashkiller forums. Here, forum members have collaborated to create a list of common ISP-provided (and third-party) default PSK character key spaces. This proved invaluable given the limited time we had available during this project.

 

Our Sample Environment

For the ‘Hackable Home’ project, the Which? target environment utilised a default-configured Super Hub 2 device as one of the entry points for the ‘local’ aspect of the article research. 

 

Through discussions with colleagues, people within the security industry, and non-technically focused users of these Virgin devices, SureCloud found that most end-users do not change the default PSK passphrases used to connect devices to Wi-Fi. Furthermore, through passive war-driving, it’s evident that very few consumers change the default SSIDs that broadcast the wireless networks over the air.

 

Note that this blog will only focus on what was discovered during the ‘Hackable Home’ project, and whilst other router default configurations may also be vulnerable to similar weaknesses, we are unable to cover them here.

 

The Hackable Vulnerability

The main cause of weakness here is related to the simplistic character key-space used during the generation of the plaintext pre-shared key (PSK) passphrases. 

 

It is a requirement for WPA- and WPA2-based passphrases that the length of each passphrase must be 8 characters at a minimum. This is an improvement upon prior wireless protocols, such as WEP (Wired Equivalent Privacy), but this is becoming an insufficient requirement due to advancements in technology and hardware.

 

In more direct terms, the Super Hub 2 default passphrase’s character key-space utilises only lower-case alpha characters, except for the letters ‘i’ and ‘o’. 

 

This leaves the following as a possible key-space:

abcdefghjklmnpqrstuvwxyz

 

A 24-character key-space for an 8-character passphrase means that 114,861,197,400 possible combinations could be used. 

 

SureCloud utilised the open-source password cracking tool ‘Hashcat’ during the assessment, with multiple NVidia GTX 1080 graphics cards. As an example of what would be possible with just one of these consumer graphics cards, the entire key-space used by the Super Hub 2 devices could be processed in just over three days (roughly 378,000 combinations per second). SureCloud were thus able to compute the passphrase for the sample Super Hub 2 in less than a day using several of these graphics cards. This would scale with multiple GPU setups. 

 

For example, the Hashcat tool can support up to 128 GPUs, and therefore theoretically allows for this full 24-character key-space to be brute-forced in less than 40 minutes.

 

As a comparison, the latest Virgin Media Super Hub 3 devices utilise a stronger default PSK passphrase comprising 12 characters with the key-space of numeric, upper alpha, and lower alpha characters. This equates to a total of 3.2791563814536033e+21 combinations – a valuable mitigation from Virgin Media. Using the same example for computing these combinations, just one of these graphics cards would take an estimated 275 million years to crack the key-space.

 

Cracking WPA/WPA2 PSK Passphrases

For the purposes of a general overview, we’ll simplify things. Attacks against wireless networks that use PSK passphrases for client authentication are possible because the client and wireless access point (AP) provide nearly all the necessary information required to compute a small key over-the-air. This key (known as the MIC, or ‘Message Integrity Code’) can then be used as a reference point for computational comparisons alongside the readily available information (such as client and access point MAC addresses, SSID names, etc.) for an attacker to potentially obtain the plaintext passphrase.

 

The methodology to obtain the passphrase can be described as follows:

  • Capture the client and access point handshake
  • Process the handshake to verify that it contains valid data
  • Compute the plaintext passphrase through brute-force

 

Capturing the Handshake

The first step in obtaining the plaintext passphrase is to set up the attacking environment and capture the client-AP handshake. 

 

Several tools are freely available online that can be used for this. For this demonstration, we’re using the Aircrack suite of tools and a Linux-based operating system within a Virtual Machine. Along with these tools, a wireless network card that supports monitor mode would be required.

 

We’re going to initially enable the monitor mode on our wireless adaptor, which will allow us to use the ‘airodump-ng’ tool to scan for broadcasting networks. This can be performed with the following command:

airmon-ng start wlan0

Once we’ve created the monitor mode interface using the ‘airmon-ng’ tool, we’ll execute the ‘airodump-ng’ tool to detect nearby networks. We will use the default arguments for now, which will hop between the wireless channels quickly, although there are extensive command-line arguments that can be used to filter and enhance the results:

airodump-ng mon0

The result highlights that the Virgin Media hub SSID ‘VM0394859-2G’ is nearby, with a reasonable broadcast power-level.

 

With the BSSID and Wi-Fi channel information. To do so, we will use the channel and bssid argument options with ‘airodump-ng’, whilst also using the argument to write the observed traffic to a file:

airodump-ng --channel 1 –bssid 00:c0:ca:58:46:e6 -w vm0394859-2g mon0

We can see a filtered view, targeting only channel 1 and the specific MAC address for the Virgin Media wireless network.

 

After a short while, we observed a client connection being performed, and we were able to capture a WPA handshake.

 

For the purposes of this article, our example is executed within a closed environment. In real-life scenarios, however, penetration testers and attackers may have to perform a de-authentication attack against the host access point and one or more clients to force a re-authentication to occur, and thus a new handshake. Although we did not need to do this for our example, it’s important to note that the ‘aireplay-ng’ tool can be used for such purposes.

 

Our next step is to extract the relevant data in a format that Hashcat (or other password-cracking tools) can use. The Hashcat team have released a new utility named ‘cap2hccapx’ that verifies the captured data to prevent unnecessary computation for invalidly captured data. Using this tool will output a ‘hccapx’ file, which can only be used with Hashcat, although this tool provides GPU-based computation, which vastly decreases the maximum amount of time to cycle through the full key-space.

 

Handshake validity was confirmed using the cap2hccapx tool from the Hashcat team.

 

Following the clean-up of the captured data with the ‘cap2hccapx’ tool, we’ll use Hashcat to crack the passphrase by using a custom character-set mask. This can be accomplished using the inbuilt functionality through the ‘-1’ argument (ranging through ‘-1’ to ‘-4’) and then by specifying the characters that we require within this mask. Our example uses the lower-case character set, excluding ‘i’ and ‘o’.

hashcat64.exe -m 2500 vm0394859-2g.hccapx -1 abcdefghjklmnpqrstuvwxyz -a 3 ?1?1?1?1?1?1?1?1 -w 4

Screenshot of Hashcat in use, demonstrating the expected completion for the full key-space when using just one NVidia GTX 1080.

 

The result of this is that we could crack the password within this estimated time; as an attacker, we would then be able to gain access to your home Wi-Fi network and could potentially compromise further devices that are also connected.

 

Hashcat output summary, highlighting the passphrases within plaintext following a successful cracking attack.

 

What Security Mitigations Are Now in Place?

Virgin Media have already addressed the default configuration weakness with their newer Super Hub 3 devices. However, many customers may still be affected if they own the Super Hub 2 devices and have not yet amended their wireless network settings from the default configuration.

 

The key mitigation would be to log in to the router web interface and manually set a stronger passphrase. 

 

Passphrase recommendations should include a minimum length of at least 12 characters and comprise upper-case alpha, lower-case alpha, and numeric characters in random order. If this cannot be remembered or easily guessed by the user, it is a good baseline for a stronger passphrase. 

Please consider this a minimum.

 

SureCloud would recommend you use the longest supported passphrase, usually around 63 characters, and include non-standard characters. The longer and more complex the passphrase is, the more mathematically improbable it is that it will be ‘cracked’ within a reasonable timeframe. Graphics processing is continuing to accelerate, so as technology improves, the overall time it would take to crack a ‘key’ will likely decrease.

 

SureCloud’s Hackable Home Recommendations

To be sure your password is as secure as possible:

  1. Always change default credentials present in your router’s configuration/administration pages
  2. Consider disabling Wireless Protected Setup (WPS) functionality
  3. Review their current PSK passphrases and strengthen them as appropriate

 

Devising the right cyber security risk management strategy for a device such as the Virgin Media Super Hub 2 doesn’t have to be complex. Follow the SureCloud recommendations above to decrease the likelihood of your network suffering a hack, or get in touch with us using the form below to find out more about the possibilities of penetration testing.