Here’s a rather odd New Year’s resolution for you. If you have Sky Broadband, change your WiFi password. If you have another ISP, read on. This is likely to apply to you too!
Why? Because the default passwords, while they look random, are pretty weak compared to the tools attackers have available in 2017, as I found out by hacking my own Sky WiFi.
Mumble Mumble, WPA2, Secure, no flaws… right?
Well yes, modern WiFi protection (WPA2) is very good. There are no known flaws to speak of, which leaves attackers one option: age-old password guessing, or ‘brute force cracking’.
So what’s the problem?
All the Sky WiFi routers I’ve seen so far (friends’ houses, mine, etc.) have passwords of the following format:
- 8 Upper Case A-Z characters.
‘Be safe online, choose good passwords’ is drummed into us everywhere now (I even saw some posters on the London Underground!), so most of you will see the problem: 8 characters of uppercase A-Z requires a hell of a lot fewer guesses at the password than if we threw in some numbers, some lower case characters, or some special characters (* ~ @ etc).
We could also make the password longer, or a mixture of all of the above.
How bad is it?
OK, looking at it technically, any combination of 8 A-Z characters gives you 208827064576 possible combinations.
26 ^ 8 = 208827064576
Sounds like a lot of guesses, but for a modern graphics card, 80,000 to 300,000 guesses a second is pretty trivial depending on the card.
208827064576 / 80000 = 2610339 seconds.
2610339 / 60 (minutes) / 60 (hours) = 725 Hours
So one entry-level graphics card at 80,000 guesses a second would take 725 hours (30 days) to guess every possible password the router could have by default.
That’s not very long, considering your neighbours likely possess the computing power needed to be on your network in less than a month.
To the Cloud!
Someone with a graphics card can do the above, but more concerning, anyone with a bit of knowledge can actually guess much quicker for a fraction of the price!
Introducing Amazon Web Services (AWS), offering computing and number crunching power in the cloud, hired by the second/hour/day; a solution for millions of businesses and startups that don’t want to buy and manage their own server farms. AWS likely powers apps you use every day, Netflix being one example.
But these resources can also be used to speed up our guessing process. Here we have an AWS instance (computer in the cloud) offering 16 graphics cards in one, for the low low price of £11.70 an hour.
16 times the power!
So now the guessing process just got 16 times quicker, without having to buy any graphics cards or have any computers running at home at all.
Here we can see the AWS instance running a brute force password guessing attack against my router, using all 16 graphics cards at once.
Knowing the password will be 8 upper case A-Z characters makes automating this attack much easier. This tool can just be left running.
We can see that each of the 16 graphics cards is producing over 80,000 guesses a second, giving us a total of 1,394,000 guesses/second.
208827064576 / 1394000 = 149805 Seconds
149805 / 60 (minutes) / 60 (hours) = 41.7 Hours
So now we know for certain that we will have found the password within 41.7 hours. It could take less (remember that 100% is every possible guess; chances are the actual password won’t be the last one we try, so we could get lucky and find the password after 10%, 40% etc).
You see I’m 4% through, with 1 hour and 20 mins elapsed and 1 day and 15 hours to go. That’s slightly less than our calculator estimate above.
24 + 15 + 1hr20 = 40 Hours 20 Mins.
Say 41 hours in total (including setup of the Amazon AWS machine). That’s £480 and less than two days to guarantee I have access to your network.
Now this may sound like a lot of money, but consider malicious intent, be it corporate espionage, ransomware, spying, or further hacking the computers on the network (e-mail, Facebook, online banking etc). £480 is actually affordable to most.
Not Just Sky
I feel it necessary to say I’m not having a go at Sky specifically here. They just happen to be my ISP and I noticed the default passwords were A-Z only.
There are many, many other broadband providers that ship WiFi routers with the same style of A-Z only 8 character passwords. Check yours and if necessary, log into the router and change your password to something more secure, see below for details.
What’s the solution?
So here’s the thing about password guessing: knowing the format of the password ahead of time (8 characters, all A-Z uppercase for example) makes knowing the number of guesses simple, as you saw with our easy calculations above.
Changing that length, or changing the ‘known format’, makes an attacker’s life much harder.
Let’s say, for example, the attacker knew the password was A-Z uppercase, and between 6 and 8 characters long. Suddenly, they would have to try guesses for
- A-Z combinations with 6 characters (308915776 guesses)
- A-Z combinations with 7 characters (8031810176 guesses)
- A-Z combinations with 8 characters (our original 208827064576 guesses).
That’s an extra 8340725952 guesses on top of our original number in order to guarantee we crack the password.
8340725952 / 1394000 (guesses a second) = 1.67 hours
Costing the attacker an extra £19.53
Now obviously, I’m not suggesting making your WiFi password shorter. I’m just saying that not knowing the exact format and composition of a WiFi password can make the process harder, longer and less effective.
Let’s look at what we should do, and the implications to an attacker…
A single extra character, still A-Z uppercase:
5429503678976 possible combinations = 45 Days on our AWS setup = £12,000
Two extra characters, still A-Z uppercase:
141167095653376 possible combinations = 1172 Days (3.2 years!) on our AWS setup = £329,098
8 characters, combination of A-Z upper and a-z lowercase:
54507958502660 possible combinations = 452.5 days on our AWS setup = £127,062
8 characters, combination of A-Z upper, a-z lower and numbers 0-9:
221919451578090 possible combinations = 1842.5 days on our AWS setup = £517,387.5
So there you have it: more characters is good, and different ‘character sets’ (numbers, lowercase etc) is good.
I’d recommend not going for <Dictionary Word>123 or <Dictionary Word><Dictionary Word>, as other ‘dictionary attacks’ not covered in this post will try combinations of words to crack the password instead.
Personally, I prefer the options above, random with more characters and character sets, or if you do want to use words to make it really long, add a good number of random letters and numbers at the start, middle or end.
Either way, you’re going to be in a much better position than if an attacker sees a ‘SKYABCD’ style WiFi network and knows he has a guaranteed way in.
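The arithmetic used throughout this post, as an added example (not part of the original post): a small calculator that takes a candidate password, works out the keyspace an attacker who knows its format would face, and prices the worst case at the post's measured 1,394,000 guesses/second and £11.70 an hour. The function names and sample passwords are constructed for illustration; running it also shows that the post's mixed-case and alphanumeric totals correspond to all lengths from 1 to 8 combined.

```python
import string

# Figures from the post: measured rate of the 16-GPU instance and its hourly price.
GUESSES_PER_SECOND = 1_394_000
GBP_PER_HOUR = 11.70

CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)


def keyspace(alphabet, min_len, max_len):
    """Candidates an attacker must try to cover every length in the range."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def alphabet_size(password):
    """Combined size of the character classes the password draws from.
    Characters outside the four ASCII classes above are not counted."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def exhaust(candidates, rate=GUESSES_PER_SECOND, price=GBP_PER_HOUR):
    """Worst-case (hours, GBP) to try every candidate at the given rate."""
    hours = candidates / rate / 3600
    return hours, hours * price


def assess(password):
    """Worst case for an attacker who knows the exact length and classes used."""
    n = keyspace(alphabet_size(password), len(password), len(password))
    hours, gbp = exhaust(n)
    return {"candidates": n, "hours": hours, "days": hours / 24, "gbp": gbp}


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("ABCDEFGH", "ABCDEFGHIJ", "aB3dE6gH", "aB3dE6gH!k2P"):
        r = assess(pw)
        print(f"{pw:14} {r['candidates']:>26,} {r['days']:>14,.1f} days  £{r['gbp']:,.0f}")
    # The post's mixed-case and alphanumeric totals are lengths 1-8 combined.
    print(keyspace(52, 1, 8), keyspace(62, 1, 8))
```

The estimate covers exhaustive search only; a password built from dictionary words falls to the dictionary attacks mentioned above long before these figures apply.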
Comments or corrections to Twitter @mattdashj