The new remote work reality is good news for cybercriminals seeking to capitalise on security shortcomings – including workers using personal WiFi networks to access corporate resources remotely and without the help of company IT. Many will inadvertently leave their WiFi exposed to threat actors, and this poses a serious threat to your data.
It is shockingly easy for a hacker to break into a WiFi network that lacks adequate protection or uses a simple password. All it takes is a £15 wireless network adapter and free, open-source software, such as Airgeddon, to audit wireless networks.
The anatomy of hacking WiFi
While it has many legitimate uses, Airgeddon can be used to demonstrate a number of simple but highly effective attacks against WiFi networks. To gain access to a WiFi network with a weak password, a hacker can use Airgeddon to kick the user off, briefly, to obtain a WiFi ‘handshake’, which is a hashed version of the password. The WiFi hacker can then use this handshake to carry out a brute-force attack in an attempt to uncover the password – making networks with bad passwords easy prey. Even strong WiFi passwords are not immune to social engineering.
To trick the WiFi owner into revealing a password directly, a hacker can use Airgeddon to lure them to a phishing page. This is achieved by, again, kicking the user out of their WiFi network, but for a longer period to simulate an outage. When the user realises that they are no longer able to connect to their normal WiFi, they will see an alternative network that has the same name as their own and requires no password to connect. However, this is a trap: it is a fake network set up by the hacker to mimic a router experiencing issues.
When the user attempts to connect to the new open network, they will see a fake login page asking for their WiFi password to reboot the router after an update. The hacker can capture the password hash ahead of time and check each phished password against it, so the phishing site will only accept the actual password. This is different from most other phishing sites, which will accept anything that the user inputs.
The hacker now has unrestricted access to the user’s home WiFi network, enabling them to carry out a whole range of actions. They can redirect the user to other phishing sites to gather more data or access connected home devices, such as smart speakers and cameras.
Encrypt, but don’t hide
To fight back, remote employees can take a few simple measures to lock down their WiFi networks and help protect themselves – and their companies – from cybercriminals. First, they should lock down a router’s convenience features that make remote access easier. These can often be disabled without impacting how the WiFi is used, and it will help prevent outsiders from breaking into the home network. This includes WPS which, if enabled, makes a WiFi network susceptible to PIN brute force or WPS-Pixie attacks.
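A defensive check for two conditions described above, the open look-alike network with the same name as your own and an access point with WPS still enabled, as an added example that is not part of the original article. The scan records, field names and the KNOWN profile are constructed assumptions; real input would come from whatever scan listing your operating system provides.

```python
# Constructed scan records (sample data, not a real capture).
SCAN = [
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2-PSK", "wps": True},
    {"ssid": "HomeNet", "bssid": "de:ad:be:ef:00:02", "security": "OPEN", "wps": False},
    {"ssid": "HomeNet", "bssid": "AA:BB:CC:00:00:09", "security": "WPA2-PSK", "wps": False},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:03", "security": "OPEN", "wps": False},
    {"ssid": "Neighbour", "bssid": "aa:bb:cc:00:00:04", "security": "WPA2-PSK", "wps": False},
]

# Assumed profile of the networks you own: expected security and real AP addresses.
KNOWN = {"HomeNet": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2-PSK"}}


def audit_scan(scan, known):
    """Return (finding, ssid, bssid) tuples for networks using one of our names."""
    findings = []
    for ap in scan:
        profile = known.get(ap["ssid"])
        if profile is None:
            continue  # someone else's network, nothing to compare against
        bssid = ap["bssid"].lower()
        is_ours = bssid in profile["bssids"]
        if ap["security"] != profile["security"]:
            # Same name, weaker or no encryption: the look-alike described in the article.
            findings.append(("security-mismatch", ap["ssid"], bssid))
        elif not is_ours:
            # Same name and security from an unlisted radio: extender or impostor, verify.
            findings.append(("unknown-bssid", ap["ssid"], bssid))
        if is_ours and ap["wps"]:
            # Our own router still advertises WPS; disable it in the admin page.
            findings.append(("wps-enabled", ap["ssid"], bssid))
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SCAN, KNOWN):
        print(*finding)
```

An address match alone does not prove an access point is genuine, so treat a clean result as the absence of the obvious signs rather than a guarantee.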
A VPN is well worth considering to protect local WiFi traffic. Under the current WPA2 standard, attackers can record all data that crosses a WiFi network and decrypt it later if they have learned the password. VPNs make this harder by encrypting DNS requests and other revealing information that could be used for phishing.
Some users might think that creating a hidden network will protect their WiFi from hackers, but this will actually make devices like smartphones easier to track. A hidden WiFi network doesn’t broadcast before a device connects to it: a configured device needs to constantly call out to the WiFi network in order to connect. This makes it easy for cybercriminals to trick the configured device into joining a rogue access point or track it from place to place.
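To find which saved networks make a Linux device call out by name, the following added example (not part of the original article) audits a wpa_supplicant.conf for `scan_ssid=1` entries, which mark hidden networks, and for saved open networks (`key_mgmt=NONE`). The sample file contents and finding labels are constructed, and the parser assumes no `}` inside quoted values.

```python
import re

# Constructed wpa_supplicant.conf contents (sample, not a real device's file).
SAMPLE_CONF = '''
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="HomeNet"
    psk="constructed-sample-passphrase"
}
network={
    ssid="HiddenOffice"
    scan_ssid=1
    psk="another-constructed-passphrase"
}
network={
    ssid="FreeAirportWiFi"
    key_mgmt=NONE
}
'''


def parse_networks(conf_text):
    """Return one dict of key -> value for each network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, flags=re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_saved_networks(conf_text):
    """Flag saved profiles that leak an SSID in probes or join without a password."""
    findings = []
    for net in parse_networks(conf_text):
        ssid = net.get("ssid", "<unnamed>")
        if net.get("scan_ssid") == "1":
            findings.append((ssid, "hidden-probe"))   # device probes for this name
        if net.get("key_mgmt", "").upper() == "NONE":
            findings.append((ssid, "open-autojoin"))  # any AP with this name is accepted
    return findings
```

Removing flagged profiles that are no longer needed, and unhiding networks you control, stops the device from announcing those names wherever it goes.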
Control passwords to protect from WiFi hackers
When a WiFi password is weak or has been used elsewhere, threat actors can easily break through the hash using brute-force techniques. All they need to do is put the hash into a tool such as Hashcat that will compare it to a huge cache of stolen passwords to guess the right one. It’s worth reminding remote workers to stop recycling passwords as it makes them very vulnerable.
Remote employees should also get to know what their router admin page looks like, as it’s unlikely that the hacker will create an exact copy. If it doesn’t look right, don’t use it. Finally, the router admin page will only ask for the administrator password. Any site that asks for the WiFi password is likely to be phishing for information. Internet connections are often taken for granted, so organisations should implement awareness campaigns to ensure their workforce is aware of WiFi security best practices.
While it’s simple for hackers to break into a WiFi network, it’s just as simple for owners to protect it. IT and security teams can help educate remote workers on their own WiFi and IT security. If not, employees – and their companies – could find themselves sharing their home WiFi connections, and even their data, with hackers using nothing more than £15 worth of supplies and a little know-how.
Kody Kinzie is a field security researcher at Varonis, a cybersecurity company that specialises in data security and insider threat protection.