PMKID Dumping: WiFi Password Attacks are Easier Than Previously Thought
It’s a little easier to attack some wireless networks than previously thought. That’s because Jens Steube, the developer of the popular password cracking tool hashcat, has found a new way to make the process easier, under the right conditions.
— hashcat (@hashcat) August 4, 2018
Previously, the primary method for cracking passwords for wireless networks using WPA2 encryption, was for an attacker to capture a four-way handshake between a wireless device and the router. The attacker then used other tools to attempt to crack the password that corresponds to the four-way handshake. However, there can be complexities with this traditional method. If no one is currently connected to or in the act of authenticating to the wireless network, the attacker may have to wait for quite a while to capture the four-way handshake. In some cases, an attacker would then have to use a deauthentication attack to force connected clients to reauthenticate. The deauthentication attack involves impersonating the connected devices and telling the router they are no longer connected. The attacker can then sniff the necessary four-way handshake as the devices automatically reauthenticate. These are not the only challenges a threat actor faces, using a conventional attack. Sometimes, the connected device is physically too far away from the attacker, making it difficult to sniff its authentication traffic to the router. Sometimes, a user connecting to the wireless network will mistype the password, making life further difficult for the attacker. Even worse, for an attacker, is if their deauthentication attack is detected by alert onsite network defenders, and they are taken away in handcuffs.
It turns out, all this handshake capture business is unnecessary though on some wireless networks. Steube’s new attack simply involves talking to the router and sending an association request packet. Certain routers will then reply with a PMKID (Pairwise Master Key Identifier). The attacker can then use tools to attempt to crack this PMKID, just like they would a four-way handshake. There is no more reliance on interaction with currently connected devices.
This definitely increases an attacker’s advantage, on certain networks. The attacker can now get what they need quicker, and stealthier. But researchers have noted it doesn’t change the speed of the actual password cracking process. The attacker will still need to use conventional cracking tools, which basically try a huge list of passwords against the captured data until the correct one is found. This means an appropriate defense can be a very lengthy, complex WPA2 password that would take decades to crack. Or, you could just upgrade to the new WPA3 encryption standard, if that’s feasible for you.
I've heard some people saying that this new WPA collection/cracking mechanism (PMKID) is faster to crack.
It's not. It's just a (sometimes) easier way to collect material to crack. pic.twitter.com/o2YYwoZAWS
— XORcat ☕️ (@XORcat) August 9, 2018
Members of the information security community are still performing research and testing to determine which routers and router configurations this new exploitation methodology can be used against. The attack has been confirmed to work on WPA/WPA2-PSK encrypted wireless networks with roaming functions enabled. Roaming is primarily a function of large corporate wireless networks, meaning that business networks may be at more risk than home users. However, some researchers have reported that they have been able to use this attack against consumer grade equipment, as well. In the end, it will likely come down to each device’s firmware and configuration that dictate whether this attack can be used against it. That’s why your best defense is going to be a strong password. No matter whether an attacker uses a traditional method to crack your network’s password, or the new PMKID method, it will be unfeasible if the password is lengthy and complex. If an attacker does compromise a network your device is on (perhaps a network you do not control), it’s important that you still maintain a high level of privacy and defend yourself from man-in-the-middle attacks, in which an attacker manipulates or sniffs your traffic. Among other defenses, using a VPN service can help protect you from man-in-the-middle attacks.
It’s really hard to call the new PMKID attack a vulnerability. Think of it more as a new exploit, or attack method. That’s why it was refreshing to see that Steube did not release his findings with the usual fanfare and hyped-up logo which are so common in the information security field today. His work helps highlight the impact of using a weak password, but the sky is not falling. Security is about layers. If you have properly secured your device and are using a VPN service, an attacker who breaks into the wireless network you’re on may become frustrated and move on. The goal is to give attackers a dead end.