Wardrivers Can Crack Wi-Fi Passwords In Alarming Experiment

Recent research has shown that an attacker equipped with a basic, affordable wardriving kit can break into almost three-quarters of residential and small-business Wi-Fi networks. The protocol feature responsible is the same one that lets wireless devices stay connected while roaming between access points; nonetheless, it is also what allows attackers to obtain Wi-Fi password hashes with surprisingly little effort. Ido Hoorvitch discovered that data captured this way can later be cracked offline to reveal Wi-Fi network passwords, in an exercise known as wardriving.

When Hoorvitch conducted the experiment in Tel Aviv, Israel, around 70% of router passwords could be cracked using a Wi-Fi sniffer and open-source hacking tools. He set out to test his observation that his neighbors’ mobile phone numbers turned out to be the same as their Wi-Fi passwords, something he had noticed after asking to use their Wi-Fi while he awaited cable internet installation.

What Is WarDriving and How Does It Work?

Wardriving is a snooping technique that traces back to the film WarGames, in which the actor Matthew Broderick played the lead role. Trying to discover every computer then in operation, Broderick’s character dials every phone number in his area, which takes the whole film to complete. This evolved into a technique called access point mapping, in which attackers discover vulnerable or unprotected Wi-Fi networks and then exploit them to their advantage.

Wardriving is a technique in which attackers move around an area in a vehicle, hunting for wireless networks with vulnerabilities. They use hardware and software to find unprotected Wi-Fi networks. Because wardrivers can crack Wi-Fi passwords, they may gain unauthorized network access by cracking passwords or defeating the router’s security settings. In a technique called access point mapping, the attacker records the locations of vulnerable networks on digital maps and may later share this information with third-party applications and websites to further their objectives. There are variants of wardriving named for the form of transportation the attacker uses: warbiking, warcycling, warrailing, warjogging, and warwalking, to name a few.

Methods Of The Experiment

To conduct the experiment and check if wardrivers can crack Wi-Fi passwords, Hoorvitch collected 5,000 Wi-Fi network hashes by roaming the streets of Tel Aviv. He used readily accessible, commercial Wi-Fi sniffer equipment.

His hash-sniffing setup consisted of a $50 ALFA AWUS036ACH wireless network interface card (NIC) attached to a low-cost Ubuntu computer, together with ZerBea’s hcxdumptool. hcxdumptool, available on GitHub, captures packets from wireless LAN (WLAN) networks. According to the study, the NIC supports monitor mode, which allows packet capture without associating with an access point.

He started cracking after compiling what he considered a representative sample of 5,000 SSIDs and password hashes. Using the GPU cracking tool hashcat, he found that 44% of the networks used a cellphone number as the password; on a laptop computer, this pass was completed in 9 minutes flat.

A dictionary attack using the well-known rockyou.txt password list, downloaded from the internet, cracked an additional 900 of the remaining hashes. After running the remainder through a few further straightforward cracking techniques, his final result was an astonishing 70 percent of the initial hash list cracked.

Insecurities and Loopholes

Specifically, the attack capitalized on a weakness in the RSN IE (Robust Security Network Information Element) that permits recovery of the PMKID. The PMKID is a hash used to enable roaming across different access points; it is computed from the PMK (derived from the SSID and the Wi-Fi password), the MAC address of the access point, and the client’s MAC address.
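To make the derivation above concrete, here is an added example (not code from the article or from the research it describes) that computes the PMK and PMKID exactly as the text lists their inputs. The SSID, passphrase and MAC addresses are constructed sample values; it assumes the SHA-1 based WPA2-PSK AKM, as used by ordinary home routers.

```python
import hashlib
import hmac

# Added example, not code from the article or from the CyberArk research.
# It reproduces the two derivations the text describes: the PMK from
# SSID + passphrase, and the PMKID from PMK + AP MAC + client MAC.


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC), truncated to 128 bits.

    Assumption: the SHA-1 based PSK AKM, which plain WPA2-PSK routers negotiate.
    """
    aa = bytes.fromhex(ap_mac.replace(":", ""))
    spa = bytes.fromhex(client_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def pmkid_for(ssid: str, passphrase: str, ap_mac: str, client_mac: str) -> str:
    """Hex PMKID for one network/client pair."""
    return compute_pmkid(derive_pmk(ssid, passphrase), ap_mac, client_mac).hex()


if __name__ == "__main__":
    # Constructed sample network. The security lesson: every input except the
    # passphrase is public (the SSID is beaconed, both MACs are in the frame),
    # and nothing per-session such as a nonce enters the computation, which is
    # why a single captured PMKID is enough for offline guessing.
    ssid, ap, sta = "HomeNet-Example", "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    a = pmkid_for(ssid, "correct horse battery", ap, sta)
    b = pmkid_for(ssid, "correct horse battery", ap, sta)
    print("deterministic:", a == b)  # True: same inputs always give the same PMKID
    print("bound to client MAC:", a != pmkid_for(ssid, "correct horse battery", ap, "66:77:88:99:aa:bc"))
```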

Beyond the obvious lesson of the story, that most people use insecure passwords, another point is that Hoorvitch used a comparatively new sniffing method that works only against routers that offer roaming functions. When Wi-Fi is used to blanket a city or a school with connectivity by linking several access points (APs), roaming-capable routers sustain seamless connectivity using PMKIDs: unique key identifiers that let a client prove it holds the password-derived key as the user moves from one AP to another.

As a result, turning off roaming, if feasible, is an effective deterrent to this form of wardriving. By contrast, earlier sniffing approaches required the attacker to intercept the four-way handshake that occurs when a client connects to an AP, which ruled out cracking at a large scale.

Wi-Fi Cyberattack Protection

Password cracking on Wi-Fi networks often takes advantage of small mistakes users make while configuring their devices to connect to a network or setting up a router. A few easy steps lower your attack surface and help you avoid the worst of these blunders and some of the most prevalent Wi-Fi attacks.

Turn Off The Auto-connect Feature

One consequence of removing networks from your preferred network list (PNL) is that you will have to enter the password for each network you connect to. That may be inconvenient if you connect to many networks regularly, and it also means cleaning up your PNL after each new network connection.

As a compromise, you can save the passwords of the password-protected Wi-Fi networks you usually connect to while still minimizing the probability that your device joins a fraudulent network carrying the same name as one you regularly use. To do this, make sure the “disable auto-connect” option is selected when connecting to a network for the first time. If your device later sees a network with the same name and security type as the one you saved, it will not connect to it automatically.

Never Use Hidden Networks

Some users believe that hiding their Wi-Fi network’s name is an excellent strategy to keep the network safe from hackers. The unfortunate fact, however, is that by hiding your Wi-Fi network you make all of your smart devices easier to track. Since a hidden network never announces itself before a device tries to connect to it, a device configured to join a hidden network has to assume that the network might be nearby at any time, and it must probe for the network whenever it wants to connect.

As a result, even if your Wi-Fi equipment’s MAC address is randomized or you are making other efforts to remain anonymous, your device will continually broadcast the name of the hidden network, making it simple to track down. This not only makes it easy to deceive your device into connecting to a malicious AP, it also lets anybody pinpoint your whereabouts by monitoring the radio signals your smart gadget is constantly emitting.

Do Not Reuse Wi-Fi Passwords

One of the most severe weaknesses of WPA2 is that a weak password makes it very simple for an attacker to get into the network. If your Wi-Fi password is among the top million most common passwords, a hacker will probably be able to get into your network in a couple of minutes. All they have to do is capture the handshake of a device connecting to the Wi-Fi network, feed it into a tool like Hashcat, and sit back while the program tries every candidate from a massive database of leaked passwords.

One crucial point here is that passwords must be “strong” in two different ways: they must be hard to guess, and they must be distinct from passwords other people use. Using the same or highly similar passwords across several accounts increases the likelihood that your password appears in a compromised-password list, making it one of the default “poor” passwords a hacker will try in an automated brute-force attack.
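The two findings of the experiment (phone numbers as passwords, and hits from leaked lists such as rockyou.txt) translate directly into a pre-flight check for a new WPA2 passphrase. The checker below is an added example, not from the article; the leaked-list entries and the SSID are constructed stand-ins.

```python
import re

# Added example (not from the article): a policy check for a WPA2 passphrase that
# rejects the classes of passwords the Tel Aviv experiment cracked within minutes.
# SAMPLE_LEAKED is a constructed stand-in for a real leaked list like rockyou.txt.
SAMPLE_LEAKED = {"password", "12345678", "iloveyou1", "qwertyuiop"}

# Mostly digits with optional separators, e.g. a mobile number typed as a passphrase.
PHONE_LIKE = re.compile(r"^\+?\d[\d\s\-]{6,}\d$")


def check_passphrase(passphrase: str, ssid: str, leaked=SAMPLE_LEAKED) -> list:
    """Return the reasons a passphrase is weak; an empty list means it passed."""
    problems = []
    # WPA2-PSK passphrases must be 8 to 63 printable ASCII characters.
    if not (8 <= len(passphrase) <= 63 and passphrase.isascii() and passphrase.isprintable()):
        problems.append("length/charset: must be 8-63 printable ASCII characters")
    # 44% of the networks in the study used a phone number: a tiny keyspace.
    if passphrase.isdigit() or PHONE_LIKE.match(passphrase):
        problems.append("phone-number or all-digit passphrase: tiny keyspace, minutes to crack")
    # A further 900 hashes fell to rockyou.txt: leaked entries are tried first.
    if passphrase.lower() in leaked:
        problems.append("appears in a leaked-password list: first thing a dictionary run tries")
    # The SSID is public (it is beaconed), so it must not be part of the secret.
    if ssid.lower() in passphrase.lower():
        problems.append("contains the SSID: predictable from public beacons")
    return problems


if __name__ == "__main__":
    for candidate in ["0521234567", "password", "HomeNet12345", "Tel-Aviv Rooftop 2024 kettle!"]:
        print(repr(candidate), "->", check_passphrase(candidate, "HomeNet") or "ok")
```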

Final Thoughts

The stakes can be high when routers are exploited: Hoorvitch pointed out that getting into a home network lets attackers pivot to any device on that network to steal information or plant malicious code. With more people working from home as a result of the pandemic, this could have significant implications for data privacy in the workplace.

A hacked Wi-Fi network endangers individuals, small-business owners, and large corporations alike, and the threat is significant. The fact that an attacker can get into more than 70% of the Wi-Fi networks in a sizeable metropolis with relative ease highlights the need to pay more attention to personal security.