By Adam Govier, SureCloud principal cybersecurity consultant
SureCloud recently partnered with the consumer group Which? to demonstrate some of the risks of a modern internet-connected home, through the identification and exploitation of vulnerabilities within a sample of popular Internet of Things (IoT devices).
For the project, ‘Which?’ created a realistic test environment by filling a house with a range of readily available IoT devices. The assessment used a Virgin Media Super Hub 2 router to wirelessly connect the IoT devices to the internet.
These devices ranged from ‘quality of life’ enhancing products to children’s toys (such as the CloudPets plush doll that we recently blogged about), to some that claim to offer assurance for home security. SureCloud’s security testing was structured over a 4-day period, with the primary goal of demonstrating risks to consumers; whether through the identification of new vulnerabilities within these products or the utilising and expanding upon known exploitation methods that were previously published by the wider security community. This of course meant the possible existence of weaknesses within these products or services, but we were not able to identify these within the scheduled time-period.
One of the key ﬁndings of the project was a vulnerability in the default PSK passphrases used by the Virgin Media Super Hub 2 devices, meaning they’re open to potential compromise. This blog aims to expand upon the information that was publicised regarding the Virgin Media Super Hub 2 devices, specifically the ease at which the default Wi-Fi PSK passphrases could be compromised. We will also provide an overview of how attackers can quickly compromise and gain access to one of these home wireless networks.
SureCloud has purposely delayed the publication of this blog since the publication of the ‘Which? Hackable Home’ article, to give consumers the time to mitigate their wireless configurations prior to the release of this blog, which intends to explore the technical aspects of the issue in greater detail.
The basis of the SureCloud Cybersecurity team’s ability to obtain the plaintext PSK passphrase for the sampled Super Hub 2 router originated from the community-effort at the Hashkiller forums. Here, forum members have collaborated to create a list of common ISP-provided (and third-party) default PSK character key-spaces. This proved invaluable for the limited time that we had available during this project.
For the purposes of the ‘Hackable Home’ project, the ‘Which?’ target environment utilised a default-configured Super Hub 2 device as one of the entry-points for the ‘local’ aspect of the article research. Through discussions with colleagues, people within the security industry, and non-technically focused users of these Virgin devices, SureCloud found that most end-users do not change the default PSK passphrases that are used to connect devices to Wi-Fi. Furthermore, through the act of passive war-driving, it’s evident that very few consumers change the default SSIDs that broadcast the wireless networks over the air.
It should be noted that this blog will only focus upon what was discovered during the ‘Hackable Home’ project, and whilst other router default configurations may also be vulnerable to similar weaknesses, these will look to be covered in a future blog post.
As for the main cause of this weakness, this primarily related to the simplistic character key-space that was used during the generation of the plaintext pre-shared key (PSK) passphrases. A requirement for WPA and WPA2 based passphrases is that the length of each passphrase must be 8 characters at a minimum. This is of course an improvement upon prior wireless protocols, such as WEP (Wired Equivalent Privacy), but due to advancements in technology and hardware, this is beginning to become an insufficient requirement.
In more direct terms, the Super Hub 2 default passphrase’s character key-space utilises only lower-case alpha characters, except for the letters ‘i’ and ‘o’. This leaves the following as a possible key-space:
A 24-character key-space for an 8-character passphrase means that there are 114,861,197,400 possible combinations that could be used. SureCloud utilised the open-source password cracking tool ‘Hashcat’ during the assessment, with multiple NVidia GTX 1080 graphics cards. As an example of what would be possible with just one of these consumer graphics cards, the entire key-space used by the Super Hub 2 devices could be processed within just over 3 days (roughly calculated using 378,000 combinations per second). SureCloud were thus able to compute the passphrase for the sample Super Hub 2 in less than a day using several of these graphics cards. This would of course scale with multiple GPU setups. For example, the Hashcat tool can support up to 128 GPUs, and therefore theoretically allows for this full 24-character key-space to be brute-forced in less than 40 minutes.
As a comparison, the latest Virgin Media Super Hub 3 devices utilise a stronger default PSK passphrase, comprised of 12 characters with the key-space of numeric, upper alpha, and lower alpha characters. This equates to a total number of 3.2791563814536033e+21 combinations that are available. This is a great mitigation that Virgin Media have implemented, and by using the same example for computing these combinations using just one of these graphics cards would take an estimated 275 million years from start to finish.
Overview of Cracking WPA/WPA2 PSK Passphrases
SureCloud covered the ‘behind-the-scenes’ of how WPA/WPA2 handshakes are performed from a technical aspect, and what that means from the perspective of an attacker in a previous blog. We’d recommend reading this for those that are interested in why these sorts of attacks are possible.
However, for the purposes of a general overview, the attacks against wireless networks that utilise PSK passphrases for client authentication are possible due to both the client and wireless access point (AP) providing nearly all the necessary information required to compute a small key over-the-air. This key (known as the MIC, or ‘Message Integrity Code’) can then be used as a reference point for computational comparisons alongside the readily available information (such as client and access point MAC addresses, SSID names, etc.) for an attacker to potentially obtain the plaintext passphrase.
The methodology to obtain the passphrase can be described as follows:
• Capture the client and access point handshake.
• Process the handshake to verify that it contains valid data.
• Compute the plaintext passphrase through brute-force.
Capturing the Handshake
The first step in the process to obtaining the plaintext passphrase is to set up the attacking environment and to capture the client-AP handshake. There are several tools that are freely available online that can be used for this, but for the purposes of this blog we’re using the ‘aircrack’ suite of tools and a Linux-based operating system within a Virtual Machine for this demonstration. Along with these tools, a wireless network card that supports monitor mode would be required.
For our example, we’re going to initially enable the monitor mode on our wireless adaptor, which will allow us to use the ‘airodump-ng’ tool to scan for broadcasting networks. This can be performed with the following command:
airmon-ng start wlan0
Once we’ve created the monitor mode interface using the ‘airmon-ng’ tool, we’ll then execute the ‘airodump-ng’ tool to detect nearby networks. We will use the default arguments for now, which will hop between the wireless channels quickly, although there are extensive command-line arguments that can be used to filter and enhance the results:
The result of this highlights that the Virgin Media hub SSID ‘VM0394859-2G’ is nearby, with a reasonable broadcast power-level.
With the BSSID and Wi-Fi channel information we can target this network further. To do so, we will use the channel and bssid argument options with ‘airodump-ng’, whilst also using the argument to write the observed traffic to a file:
airodump-ng –channel 1 –bssid 00:c0:ca:58:46:e6 -w vm0394859-2g mon0
We can see a filtered view, targeting only channel 1 and the specific MAC address for the Virgin Media wireless network.
After a short while we observe a client connection being performed, and that we were able to capture a WPA handshake.
This example is of course within a closed environment for the purposes of this article, but in real-life scenarios, both pen-testers and attackers may have to perform a de-authentication attack against the host access point and one or more clients to force a re-authentication to occur, and thus a new handshake. We have not needed to do this for this example, but the ‘aireplay-ng’ tool can be used for such purposes.
Our next step is to extract the relevant data in to a format that Hashcat (or other password-cracking tools) can use. The Hashcat team have released a new utility named ‘cap2hccapx’ that verifies the captured data to prevent the unnecessary computation for invalidly captured data. Using this tool will output a ‘hccapx’ file, which can only be used with Hashcat, although this tool provides GPU-based computation, greatly decreasing the maximum amount of time to cycle through the full key-space.
Handshake validity was confirmed using the cap2hccapx tool from the Hashcat team.
Following the clean-up of the captured data through use of the ‘cap2hccapx’ tool, we’ll then use Hashcat to crack the passphrase by using a custom character-set mask. This can be accomplished using the inbuilt functionality through the ‘-1’ argument (ranging through ‘-1’ to ‘-4’) and then by specifying the characters that we require within this mask. Our example uses the lower-case character set, excluding ‘i’ and ‘o’.
hashcat64.exe -m 2500 vm0394859-2g.hccapx -1 abcdefghjklmnpqrstuvwxyz -a 3 ?1?1?1?1?1?1?1?1 -w 4
Screenshot of Hashcat in use demonstrating the expected completion for the full key-space when using just one NVidia GTX 1080.
The result of this is that we could crack the password within this estimated time, and as an attacker we would then be able to gain access to your home Wi-Fi network and could potentially compromise further devices that are also connected.
Hashcat output summary, highlighting the passphrases within plaintext following a successful cracking attack.
Virgin Media have already addressed this default configuration weakness with their newer Super Hub 3 devices, as stated previously within this blog post. However, many customers may still be affected if they own the Super Hub 2 devices and have not yet amended their wireless network settings from the default configuration.
The key mitigation for this would be to log in to the router web interface and to manually set a stronger passphrase. Passphrase recommendations should include a minimum length of at least 12 characters, and be comprised of upper-case alpha, lower-case alpha, and numeric characters in a random order. Ideally, if this cannot be remembered or easily guessed by the user, then it is a good baseline for a stronger passphrase. Please consider this a minimum, SureCloud would always recommend you use the longest supported passphrase which is usually around 63 characters whilst also building non-standard characters. The longer and more complex the passphrase is, the more mathematically improbable it is that it will be ‘cracked’ within a reasonable timeframe. Also, remember that graphics processing is continuing to accelerate, so as technology improves the overall time it would take to crack a ‘key’ will likely decrease.
Always change default credentials present in your router’s configuration/administration pages, and strongly consider disabling Wireless Protected Setup (WPS) functionality. We’d suggest that users review their current PSK passphrases and strengthen them as appropriate.