Wi-Fi hacking using PMKID interception

What’s the easiest way to hack a WPA2-protected wireless network? Using PMKID interception. Here’s how it works, and what you can do to protect yourself.

How Wi-Fi WPA2 is hacked using PMKID interception

Being concerned about the security of your wireless network is not as paranoid as some may think it is. Many routers have a setting enabled by default that makes your WPA/WPA2-protected Wi-Fi network rather vulnerable. In this post, we’ll discuss one of the most effective methods of hacking wireless networks that exploits this setting, and how to protect against it.

The simplest and most effective attack on WPA/WPA2-PSK: PMKID interception

PMKID interception is the most effective, easy-to-execute, and completely undetectable method of attacking wireless networks protected by the WPA/WPA2 standards. In essence, this attack involves intercepting the encrypted Wi-Fi passwords that wireless routers broadcast constantly — even when no devices are connected to them. Having obtained the encrypted password, the attacker can use the brute-force method to decrypt it — and thereby connect to the Wi-Fi network.

This attack can also be carried out on a large scale using a technique called wardriving. Here, the attacker drives around a city scanning all available wireless networks and intercepting encrypted passwords that are broadcast by routers. Not much equipment is required for this — just a laptop, a long-range Wi-Fi adapter, and a powerful antenna.

The intercepted encrypted passwords can be cracked on the go. But an attacker may prefer to wait until they’re home and enter all the garnered passwords into a password-cracking tool on a high-performance computer (or rent computing power in the cloud). The effectiveness of this attack was recently demonstrated in Hanoi: a Vietnamese hacker scanned around 10,000 wireless networks and managed to decrypt the passwords for half of them.

Equipment required for mass Wi-Fi hacking using PMKID interception

This is all you need to hack 5000 wireless networks using PMKID interception. Source

How is it even possible to hack Wi-Fi using PMKID interception?

So why do wireless routers broadcast their Wi-Fi password all the time, albeit in encrypted form? Well, this is a basic function of the 802.11r standard, which is implemented on most routers and usually enabled by default. This standard enables fast roaming in Wi-Fi networks using multiple access points. To speed up the reconnection of the client device to new access points, they constantly broadcast their identifier — the very same PMKID.

This identifier is a derivative of the Pairwise Master Key (PMK). More precisely, it contains the result of an SHA-1 hash function calculation, whose source data includes the PMK key and some additional data. The PMK key itself, in turn, is the result of an SHA-1 hash function calculation of the Wi-Fi password.

In other words, the PMKID contains the wireless network password, hashed twice. In theory, the hashing process is irreversible, meaning it’s impossible to recover the original data from the resulting hashed value. Presumably, the creators of the 802.11r standard relied on this when devising the PMKID-based fast roaming mechanism.

However, hashed data can be brute-forced. This is made especially straightforward by the fact that people rarely use particularly strong passwords for wireless networks, often relying on fairly predictable combinations of characters instead. The creators of 802.11r obviously didn’t take this into account.

This problem was discovered a few years ago by the team behind one of the most popular password recovery utilities — in other words, a password-cracking tool — Hashcat. Since then, specialized tools have been developed specifically for cracking intercepted PMKIDs.

Hacking a Wi-Fi password from an intercepted PMKID

Successful extraction of the password “hashcat!” from the intercepted PMKID of a wireless network. Source

Thus, in practice, the attacker usually intercepts the PMKID containing the encrypted password, and then uses a dictionary attack — that is, they brute-force the most common passwords, which are collected in a database.

How to protect your wireless network from a PMKID attack

What can you do to prevent a PMKID interception attack on your wireless network? Fortunately, there are several protective measures that aren’t too difficult to implement:

  • Create a password for your wireless network that is as long and complex as possible. If a PMKID attacker intercepts the hashed password from your Wi-Fi, they still need to decrypt it afterward, but the more complex the password — the less likely the attackers are to succeed. Therefore, to protect against this attack, create the longest and most unguessable password possible for your wireless network.
  • Disable PMKID transmission in the router settings. Unfortunately, not all routers allow this, but it’s worth checking if yours has this setting. You can find it by searching for PMKID or 802.11r.
  • Switch to WPA3. If all your devices support this newer Wi-Fi security standard, it’s worth considering switching to it: WPA3 is generally much more secure than WPA2 and, importantly, isn’t susceptible to PMKID interception.
  • Set up a guest network. It can be tedious to have to frequently enter a strong password for the main network on new devices, so set up a guest network with a simpler password. By the way, it’s also a good idea to transfer potentially insecure things like IoT devices to the guest network.
  • Use the “Devices on My Network feature, which is available in our Kaspersky Plus and Kaspersky Premium This feature shows a list of devices on your network and alerts you if a new device connects to it.

For additional protection of transmitted data in case someone still manages to hack your Wi-Fi, use a VPN on all your devices to secure the internet connection — for example, our Kaspersky Secure Connection, which is also included in the Kaspersky Plus and Kaspersky Premium subscriptions.