{"id":50790,"date":"2024-03-15T08:49:58","date_gmt":"2024-03-15T12:49:58","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=50790"},"modified":"2024-03-15T08:49:58","modified_gmt":"2024-03-15T12:49:58","slug":"wi-fi-pmkid-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/wi-fi-pmkid-attack\/50790\/","title":{"rendered":"Wi-Fi hacking using PMKID interception"},"content":{"rendered":"

Being concerned about the security of your wireless network is not as paranoid as some may think it is. Many routers have a setting enabled by default that makes your WPA\/WPA2-protected Wi-Fi network rather vulnerable. In this post, we\u2019ll discuss one of the most effective methods of hacking wireless networks that exploits this setting, and how to protect against it.<\/p>\n

The simplest and most effective attack on WPA\/WPA2-PSK: PMKID interception<\/h2>\n

PMKID interception is the most effective, easy-to-execute, and completely undetectable method of attacking wireless networks protected by the WPA\/WPA2 standards. In essence, this attack involves intercepting the encrypted Wi-Fi passwords that wireless routers broadcast constantly \u2014 even when no devices are connected to them. Having obtained the encrypted password, the attacker can use the brute-force method<\/a> to decrypt it \u2014 and thereby connect to the Wi-Fi network.<\/p>\n

This attack can also be carried out on a large scale using a technique called wardriving<\/a>. Here, the attacker drives around a city scanning all available wireless networks and intercepting encrypted passwords that are broadcast by routers. Not much equipment is required for this \u2014 just a laptop, a long-range Wi-Fi adapter, and a powerful antenna.<\/p>\n

The intercepted encrypted passwords can be cracked on the go. But an attacker may prefer to wait until they\u2019re home and enter all the garnered passwords into a password-cracking tool on a high-performance computer (or rent computing power in the cloud). The effectiveness of this attack was recently demonstrated<\/a> in Hanoi: a Vietnamese hacker scanned around 10,000 wireless networks and managed to decrypt the passwords for half of them.<\/p>\n

\"Equipment<\/a>

This is all you need to hack 5000 wireless networks using PMKID interception. Source<\/a><\/p><\/div>\n

How is it even possible to hack Wi-Fi using PMKID interception?<\/h2>\n

So why do wireless routers broadcast their Wi-Fi password all the time, albeit in encrypted form? Well, this is a basic function of the 802.11r standard<\/a>, which is implemented on most routers and usually enabled by default. This standard enables fast roaming in Wi-Fi networks using multiple access points. To speed up the reconnection of the client device to new access points, they constantly broadcast their identifier \u2014 the very same PMKID.<\/p>\n

This identifier is a derivative of the Pairwise Master Key (PMK). More precisely, it contains the result of an SHA-1 hash function calculation, whose source data includes the PMK key and some additional data. The PMK key itself, in turn, is the result of an SHA-1 hash function calculation of the Wi-Fi password.<\/p>\n

In other words, the PMKID contains the wireless network password, hashed twice. In theory, the hashing process is irreversible, meaning it\u2019s impossible to recover the original data from the resulting hashed value. Presumably, the creators of the 802.11r standard relied on this when devising the PMKID-based fast roaming mechanism.<\/p>\n

However, hashed data can be brute-forced. This is made especially straightforward by the fact that people rarely use particularly strong passwords for wireless networks, often relying on fairly predictable combinations of characters instead. The creators of 802.11r obviously didn\u2019t take this into account.<\/p>\n

This problem was discovered<\/a> a few years ago by the team behind one of the most popular password recovery utilities \u2014 in other words, a password-cracking tool \u2014 Hashcat. Since then, specialized tools have been developed specifically for cracking intercepted PMKIDs.<\/p>\n

\"Hacking<\/a>

Successful extraction of the password \u201chashcat!\u201d from the intercepted PMKID of a wireless network. Source<\/a><\/p><\/div>\n

Thus, in practice, the attacker usually intercepts the PMKID containing the encrypted password, and then uses a dictionary attack<\/a> \u2014 that is, they brute-force the most common passwords, which are collected in a database.<\/p>\n

How to protect your wireless network from a PMKID attack<\/h2>\n

What can you do to prevent a PMKID interception attack on your wireless network? Fortunately, there are several protective measures that aren\u2019t too difficult to implement:<\/p>\n