Wifi is NEVER Secure. Here’s Why!

A few months back, I started learning a thing or two about network security as I thought it might be a useful skill to learn (might be good for employment purposes too). All the tools and instructions are easily available online. I’ve learnt quite a lot, but I must say that I am very spooked by just how vulnerable Wifi communication can be.

In this post, I will show just how insecure Wifi can be, what steps you can take to increase the security of your Wifi networks, and more importantly, run through some scary scenarios of what a malicious hacker might do if you did not do enough to secure your wireless network.

But first, here’s a disclaimer: Please note that I have not done anything illegal. In the examples below, I have set up my own machine and network according to standard practices, and hacked into them. Also, I did not go out of my way to capture data. Whatever information I show below is information that’s already flying around in the air when people use Wifi. This post is for educational purposes; nothing malicious or illegal was done.

Let’s begin!

One of the tools you need to effectively crack into people’s wireless networks is a special kind of wireless adaptor capable of packet injection. What’s that? To put it simply, packet injection involves injecting packets of data into a network in such a way that the packets look like they are coming from an authorised source (e.g. your wifi router). A wifi adaptor capable of packet injection allows someone to intercept and rewrite packets of data, or at least to transmit data while pretending that it came from an authorised device.

However, a wireless adaptor alone is usually not sufficient. If an attacker wishes to break into your wifi network and create trouble, it wouldn’t be safe for the attacker to be sitting just outside your house or office. He must be able to do this from a safe distance without being noticed, which calls for an antenna upgrade.

Here’s what I got:

[Photo: the 10 dBi antenna next to the smaller white 5 dBi antenna]

Look at the size of that antenna. It’s a 10dBi antenna. The white one next to it is a 5dBi antenna.

What’s the difference between a built-in wifi antenna, a 5 dBi antenna and a 10 dBi antenna?

Most built-in antennas have, at best, a range of up to 15m in the home or office. Where I live, in a public housing area, my built-in wifi card can only detect up to 10 wireless networks.

A 5 dBi antenna performs a bit better. It gives me a slightly wider range: I can detect up to 40 networks in the neighbourhood.

A 10 dBi antenna? I was able to detect 180 wireless networks in the neighbourhood!!!

Judging from the number of networks detected, I think that gives me a coverage radius of around 50-100 metres within a built-up area alone!

With an antenna like this, I could actually connect to someone’s network about a hundred metres away from me!!!

A malicious hacker could park his car in the HDB (public housing) car park with such equipment, and enjoy access to the hundreds of wireless networks around him that he could potentially exploit.

If you’re crazy enough, you can go to a shop in Sim Lim Square (Level 3), and buy a 50 dBi antenna. That’s as big as a flag pole. But I’m guessing you might be able to cover up to 1km in a built-up area. I don’t know. Anyway, a 10 dBi antenna is pretty strong already. I actually get very bad headaches just using it for several minutes.

I should say that the wireless adaptor (with packet injection) and antennas can be easily bought from any computer hardware shop. So as long as you are using Wifi, you are already VERY VERY vulnerable to hacks. All you need is some crazy unethical guy with these easily bought tools and the skills to break into your network. Anyone can do it and you may not even know.

How insecure are wireless networks? Well, let me demonstrate. There are programs, like Wireshark, that allow me to monitor all Wifi data that is transmitted around in the air. Even with basic Wifi security such as WEP or WPA turned on, here’s what I can see the moment I begin monitoring:

[Screenshot: Wireshark capture of neighbouring Wifi traffic]

While I can’t see the precise content of what people around me are surfing, I do know that someone in my neighbourhood is surfing YouTube, and someone else is surfing Facebook. I can look at the source/destination address and figure out what people are doing. I also discovered that people in my neighbourhood were doing online shopping.

All I had to do was to stick my antenna out of the window and I could already see what people are doing online.

I didn’t do anything else. Everything that’s being transferred between your computer and your Wifi router is flying all over the air – it’s all public!

Moreover, if we’re all on the same wifi network (even if it’s encrypted), I can see all your surfing activity, including the content of what you’re browsing. Places like airports, libraries, cafes, where people are connected to the same network – these are potential sites for hackers to harvest all your important information! If the hacker has a 10 dBi antenna, he could even hide in a corner, or somewhere far away, and break into people’s computers or harvest all their sensitive personal information – without you even realising it!

Are you spooked by this, so far?

Well, let’s go a little further. So far, I’ve not done any actual hacking. I only stuck my wifi antenna out the window and already there’s so much information readily and publicly available. Most wifi networks today are password protected. But if yours isn’t, please do something about it. I know one or two people who think that they have nothing to lose if they don’t secure their networks.

But it’s worth asking: what could a malicious hacker do to you and your computer if your network wasn’t secured?

Well, in the first place, you would have made the attacker’s job easy.

The hacker can gain access to your network and use programs like Wireshark to harvest all your online surfing activity. Once he has broken into your network, the hacker can steal all your sensitive information, especially login information for your e-mail, Facebook, and other important accounts. He could steal your credit card information. He could learn more about you and steal your identity by pretending to be you on the Internet. He could even harvest enough information to blackmail you, especially if you have done something wrong.

If he is more skilled, he could gain access to all your computers and your smartphones and tablets, and he could even use your computers to coordinate cyber attacks or spread viruses to your friends. He could even use your computer and/or Internet connection to conduct illegal activity. In which case, if the police were to trace the source, it would lead back to you.

That’s what you could possibly stand to lose with an unsecured network. Of course, the reality is that all secured networks are hackable. If someone is determined to get you, it doesn’t matter how much security you put in place to protect your Wifi network. But at the same time, you don’t want to make things too easy for some mischievous person to ruin your life.

But what about the other means of securing your Wifi network? Are they secure?

Well, let’s start first with WEP!

If you subscribed to SingTel Mio several years ago (I’m not sure about the other ISPs), and you’re still using the same Wifi router today, you should take note of this (especially if you didn’t change the settings, because the default settings use WEP).

Simply put, WEP gives you a false sense of security. Your Wifi password can be broken in about a minute or so.

Here I have set up my router and secured it using WEP. Let’s call it the Victim Router.

WEP protection is really simple, so all you need to do is run Backtrack (the popular network security and hacking distribution) and get it to make the Victim Router send you enough data to work backwards to the password. You can easily find instructions to do this online, so I won’t go into details.

[Screenshot: the WEP key recovered in Backtrack]

The point is, WEP offers you a false sense of security. If your home or office network is using WEP, please change it immediately. Once someone has recovered your WEP password, he can infiltrate your wireless network and carry out any of the malicious scenarios I described above.

How about WPA protection? Is that any better?

Well, the short answer is yes, but only if your WPA password is very, very long.

WPA’s protection works very differently, so it isn’t that easy to crack.

For an attacker to do this, he will need to inject a packet (of data) into the victim’s wireless network. This packet appears to come from the Victim Router, but it doesn’t. What it does is disconnect the victim’s computer from the wireless network. The victim’s computer will then attempt to reconnect with the router. While this is happening, the attacker’s computer is recording the reconnection attempt, known as the handshake.

If you find yourself suddenly disconnected from your WPA-protected wireless network for no reason, this might be happening. Someone might have purposely disconnected you for this precise purpose.

Once the attacker has the handshake information, he can go home and slowly try to crack the WPA password. He doesn’t need to be physically present anymore. Once he has cracked the password, he can come back another day.
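The forced disconnection described above is something the network owner can watch for from their own side. The following is an added example (it is not code from this post) that scans a list of 802.11 management-frame records, constructed here as (timestamp, subtype, source MAC, destination MAC) tuples with made-up addresses, and flags any source that sends a burst of deauthentication or disassociation frames to one client. A single such frame is ordinary housekeeping; a burst aimed at one station is what precedes a captured handshake. The sample frames, the window and threshold values, and the `detect_deauth_bursts` function are all this example’s own; a real deployment would feed it frames decoded from a monitor-mode capture.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management-frame metadata, in the shape a
# monitor-mode capture tool would log it: (timestamp in seconds, frame subtype,
# source MAC, destination MAC). Every address here is made up for the example.
SAMPLE_FRAMES = [
    (0.00, "beacon",    "02:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff"),
    (0.10, "beacon",    "02:bb:bb:bb:bb:02", "ff:ff:ff:ff:ff:ff"),
    (0.50, "deauth",    "02:bb:bb:bb:bb:02", "02:cc:cc:cc:cc:03"),  # one frame: normal
    (1.00, "deauth",    "02:aa:aa:aa:aa:01", "02:dd:dd:dd:dd:04"),  # burst starts
    (1.05, "deauth",    "02:aa:aa:aa:aa:01", "02:dd:dd:dd:dd:04"),
    (1.10, "deauth",    "02:aa:aa:aa:aa:01", "02:dd:dd:dd:dd:04"),
    (1.15, "deauth",    "02:aa:aa:aa:aa:01", "02:dd:dd:dd:dd:04"),
    (1.20, "deauth",    "02:aa:aa:aa:aa:01", "02:dd:dd:dd:dd:04"),
    (1.25, "deauth",    "02:aa:aa:aa:aa:01", "02:dd:dd:dd:dd:04"),
    (1.30, "assoc_req", "02:dd:dd:dd:dd:04", "02:aa:aa:aa:aa:01"),  # client reconnects
    (9.00, "deauth",    "02:bb:bb:bb:bb:02", "02:cc:cc:cc:cc:03"),  # isolated again
]

# Both subtypes knock a station off the network, so both are counted.
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def detect_deauth_bursts(frames, window_s=2.0, threshold=5):
    """Flag (source, destination) pairs that send at least `threshold`
    deauthentication/disassociation frames within any `window_s` window.

    Returns a list of (source, destination, count, first_ts, last_ts), one
    entry per flagged pair, recorded at the moment the threshold is crossed.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerts = []
    flagged = set()
    for ts, subtype, src, dst in sorted(frames):  # process in time order
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        key = (src, dst)
        window = recent[key]
        window.append(ts)
        # Drop timestamps that have slid out of the window.
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append((src, dst, len(window), window[0], ts))
    return alerts


if __name__ == "__main__":
    for src, dst, n, t0, t1 in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"possible forced disconnect: {src} -> {dst}, "
              f"{n} frames in {t1 - t0:.2f}s")
```

On the sample data only the six-frame burst from `02:aa:…:01` is reported; the two isolated frames from the other access point stay below the threshold. The threshold should be tuned against a baseline of the network’s normal traffic, and note that routers and clients supporting 802.11w (protected management frames) authenticate these frames, so a forged disconnection is simply ignored by the client.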

How long does it take to carry out a brute-force attack? If your WPA password is short, then it’ll be fast. Otherwise, it’ll take a very long time.

On my MacBook Air, I’ve configured the cracking tool to make use of my dual-core processor, thereby allowing it to test 1000 keys per second.

Most people would limit their WPA passwords to just lowercase letters and numbers. That gives a total of 36 possibilities for each character. Assuming the hacker can test 1000 keys a second:

A 3-character long WPA password would require up to (36^3 / 1000) seconds, i.e. up to 46 seconds.

A 5-character long WPA password would require up to (36^5 / 1000) seconds, i.e. up to 16 hours.

An 8-character long WPA password would require up to (36^8 / 1000) seconds, i.e. up to 89 years.

Not bad, right?

But since WPA allows a-z, A-Z, 0-9, and punctuation, there are about 94 possibilities for each character. If your password consists of a variety of these characters, assuming the hacker can test 1000 keys a second:

An 8-character long WPA password requires up to (94^8 / 1000) seconds, i.e. up to 193,160 years.

Well, provided your password doesn’t start with ‘a’ like the example below (I forced it to begin checking passwords from 8 characters onwards to save time).

[Screenshot: the WPA brute-force run, started from 8-character candidates]

Does that mean that you’re safe as long as you have an 8-character long WPA password consisting of lowercase and uppercase letters, numbers, and punctuation? Well, kinda. But it means the hacker will have to employ other means to crack into your network. Please note that this doesn’t mean that WPA with such a lengthy password is 100% safe. It just means that it’s not going to be easy for the attacker to break through. There are other means that only take minutes, but these would require a more skilled attacker.
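The arithmetic behind the figures above is worth having as a reusable check, so here is an added example (not from this post) that reproduces the post’s worst-case numbers for a given alphabet size, length and guessing rate, and then turns that around into a passphrase checker: it works out which character classes a candidate WPA passphrase uses, the alphabet a brute-force attacker would therefore have to search, and the worst-case time at the post’s 1000 keys per second. The 8-to-63-character length rule is WPA-PSK’s own; the function names, the class table and the `min_years` threshold are this example’s choices.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an attacker has to include in the search alphabet.
# 26 + 10 = 36 matches the post's "lowercase letters and numbers" case, and
# 26 + 26 + 10 + 32 = 94 matches its "letters, numbers and punctuation" case.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "punct": set(string.punctuation),       # 32
    "space": {" "},                         # 1, for multi-word passphrases
}


def worst_case_seconds(alphabet_size, length, guesses_per_second=1000):
    """Seconds needed to try every `length`-character password drawn from an
    alphabet of `alphabet_size` symbols at the given guessing rate."""
    return alphabet_size ** length / guesses_per_second


def alphabet_size(password):
    """Size of the smallest union of character classes covering `password`.

    That is the alphabet an attacker who guesses the classes correctly must
    search; mixing in more classes forces a larger search.
    """
    for c in password:
        if not any(c in chars for chars in CLASSES.values()):
            raise ValueError(f"character {c!r} is outside the supported classes")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def check_wpa_passphrase(password, guesses_per_second=1000, min_years=1000):
    """Estimate how a WPA-PSK passphrase holds up against the brute-force
    search described in the post.

    WPA-PSK passphrases must be 8 to 63 ASCII characters, so anything shorter
    is rejected before any arithmetic. `strong` is an example threshold: the
    worst-case search must exceed `min_years` at the assumed guessing rate.
    """
    report = {"length": len(password), "length_ok": 8 <= len(password) <= 63}
    if not report["length_ok"]:
        report.update({"alphabet": None, "worst_case_years": 0.0, "strong": False})
        return report
    size = alphabet_size(password)
    years = worst_case_seconds(size, len(password), guesses_per_second) / SECONDS_PER_YEAR
    report.update({"alphabet": size, "worst_case_years": years,
                   "strong": years >= min_years})
    return report


if __name__ == "__main__":
    # Constructed sample passphrases, from too short to the post's 94-symbol case.
    for candidate in ["abc", "abc12345", "aB3!aB3!", "correct horse battery staple"]:
        r = check_wpa_passphrase(candidate)
        print(f"{candidate!r}: length_ok={r['length_ok']} alphabet={r['alphabet']} "
              f"worst_case_years={r['worst_case_years']:.1f} strong={r['strong']}")
```

The guessing rate is a parameter rather than a constant because the post’s 1000 keys per second is one laptop’s figure; re-run the check with whatever rate you consider realistic for your attacker, and the same passphrase that looks comfortable at 1000 guesses per second may not at a much higher rate.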

So what is the moral of the story?

(1) Wifi is never secure. NEVER. Do not for a moment imagine that it is – even if you have the most complex security settings, it still isn’t secure. Your data and surfing activity are broadcast in the air. Even with WPA protection, people with the right tools can still see what websites you’re surfing, even if they can’t see exactly what you’re doing online.

(2) If you have to do sensitive things online, do consider adding an additional layer of security, such as using a virtual private network (VPN) to encrypt your wireless activity. Even if a hacker has broken into your wireless network, he will be unable to see what you’re doing online, since everything he captures is encrypted.

(3) If you haven’t already done so, please change your wifi security settings to WPA, and make sure your password is at least 8 characters long, with a mixture of numbers, letters and punctuation. The longer it is, the better. Stop using WEP!

(4) Please be sure to set an admin password on your Wifi router. You don’t want an attacker to discover your connected devices and crack their way into your computers and smartphones, or mess with your Internet connection.

(5) Always remember, if someone is determined to hack into your wireless network, they will be able to do it somehow, eventually. But you should still have some layer of security just to keep mischievous people away.

Hope you’ve found this useful!