WiFi hacking for the everyday spy


Ever used an RC car outfitted with a Raspberry Pi to penetrate a wireless network and set up a wireless repeater? I did several years ago when I lived in a rural area that wasn’t serviced by any wireless internet provider.

All that most of us had were personal mobile hotspots, and mine was struggling. This made persistent connectivity almost impossible.

The target property was too far for my laptop or phone to reach, so I strapped a Raspberry Pi to my RC car and went war driving across the way to the property next door. The Pi was armed with two WiFi adapters. This allowed me to maintain a persistent connection to my hotspot so I could issue commands to the Pi while using the other to carry out the wireless attack.


Within minutes, I cracked the WPA2 password using a good old-fashioned dictionary attack using Wifite. With this password, I was able to install a wireless repeater attached to a portable battery, which broadcasted the target WiFi signal to my pirate base station at home.


WiFi attacks and the art of interception

Now, imagine if the same attack were carried out late at night in the residential area of a defense contractor or someone of great importance whose network holds valuable secrets.

This isn’t fiction, and more importantly, the attack is easy. Take note of how imperative it is to understand how incredibly insecure wireless security can be, making it an easier attack point than most remote attacks carried out across the web.

In my 20s, I carried out an underground wireless attack against a shopping center which I used as a trial or test run for something bigger. Firstly, I didn’t steal money. I wasn’t interested in the money. I just wanted to see if I could do it.

Firstly, I was fascinated by underground storm drain systems and had been exploring them since I was a child, thanks to my love for Teenage Mutant Ninja Turtles. The goal was to create the perfect crime. With this experience, I would be ready to launch an underground wireless attack against a local police department, and they’d never see it coming. The flag was to gain access to the National Criminal Information Center (NCIC).

Because of the dense concrete that entombed me, I had virtually no signal strength at launch time. So, I had to purchase a USB cable, attach my WiFi adapter to it, and find a spot within the catch basin where I could pick up a signal.


While perfectly concealed, I was able to carry out my attack against the retail shops, cracking the WEP password with ease using Aircrack-NG, launching a Man-In-The-Middle (MiTM) attack using Ettercap, and capturing sensitive information.

Most retail stores also broadcast public open authenticated WiFi hotspots, which presents a unique opportunity for hackers to launch data interception or redirection through MiTM attacks.

In the end, this experience prepared me for bigger goals. Although, I did not carry out the police department attack as planned. It was enough that I knew how to carry out the attack.


Russian spies, WiFi hacking in recent news

What people should know about WiFi hacking or WiFi security auditing (whichever term vibes with your moral compass) is that it's surprisingly easy because most of the tools run autonomously and require very little user input. Most people also have WPS enabled on their wireless routers. That's not a convenience feature; that is a vulnerability.

Meaning that, regardless of the complexity of your password, I will inevitably get in.

You’ve heard the recent news about the state-sponsored Russian hacking group APT28, reported by the cybersecurity firm Volexity. In a nutshell, the threat actor broke into a US network across the internet from the safety of Russia and found a device on the network that was connected to the router via Ethernet but also had WiFi capability.

Truly, the hard part was already behind them. Next, they daisy-chained the attack by breaking into a neighboring network within WiFi range.

This allowed them to hop from the initially compromised device onto a new network within the immediate vicinity. Upon finding an unprotected computer running Remote Desktop Protocol (RDP), they were able to get onto a desktop and exfiltrate sensitive data.


The rest is history.

Russian spies caught attempting wireless attack

If the above story was an evolution from an attempted wireless attack carried out in 2018 by operatives from Russia's GRU military intelligence, then Russian spies are truly finding new ways to avoid detection.

However, in this case, they were apprehended in the Netherlands during an attempt to breach the WiFi network of the Organization for the Prohibition of Chemical Weapons.

The agency was actively investigating a chemical attack in Syria and the nerve agent poisoning of a former Russian agent. The spies had concealed an antenna in the trunk of their vehicle to carry out the hack, but their operation was disrupted before it could succeed.


Modified drones and WiFi attacks

I own a drone. I also own a WiFi Pineapple by Hak5, a rooted Nexus 5 Android phone fitted with the Kali Nethunter Operating System, and, of course, a Raspberry Pi. Each of these is light enough to be carried by a drone. Drones can give an attacker greater mobility when trying to avoid detection in location-sensitive operations against an unsuspecting target.

In 2022, a cybersecurity researcher, Greg Linares, reported an instance in which a pair of modified commercial drones was used to stealthily carry out a WiFi attack from the rooftop of a financial firm. The attack was discovered after the firm noticed unusual activity on its Atlassian Confluence page on its internal network.

The attacker had spoofed the MAC address of an authorized user on the network, which created an irregularity during a security audit: the same user appeared to be logged in both from miles away at home and locally. Since MAC addresses are unique identifiers assigned to network interfaces, this duplication raised an immediate red flag.
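The audit finding above (one MAC address active at two places at the same time) is straightforward to check for automatically. This is an added example, not code from the firm or the researcher described; the log format, field names and sample lines are constructed.

```python
"""Flag a client MAC address that authenticates from two different sites
within a short window, the duplication that exposed the rooftop drones.
Added example for this article; log format and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: timestamp, client MAC, username, site (AP or VPN gateway).
SAMPLE_LOG = """\
2022-01-10T09:00:12 aa:bb:cc:dd:ee:01 jsmith vpn-home-remote
2022-01-10T09:03:40 aa:bb:cc:dd:ee:01 jsmith ap-hq-roof-3f
2022-01-10T09:05:02 aa:bb:cc:dd:ee:02 adoe ap-hq-lobby
2022-01-10T11:30:00 aa:bb:cc:dd:ee:02 adoe ap-hq-lobby
2022-01-10T12:10:09 aa:bb:cc:dd:ee:03 rlee vpn-home-remote
2022-01-10T16:45:51 aa:bb:cc:dd:ee:03 rlee ap-hq-roof-3f
"""

def parse_log(text):
    """Parse whitespace-separated auth events into (ts, mac, user, site)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, user, site = line.split()
        events.append((datetime.fromisoformat(ts), mac.lower(), user, site))
    return events

def find_split_sessions(events, window=timedelta(minutes=30)):
    """Return (mac, user, site_a, site_b, gap) for every MAC seen at two
    different sites within `window` of each other. A commuter who goes
    home and later connects at the office is not flagged (gap > window)."""
    by_mac = defaultdict(list)
    for ts, mac, user, site in events:
        by_mac[mac].append((ts, user, site))
    findings = []
    for mac, seen in by_mac.items():
        seen.sort()  # chronological per MAC
        for (t1, u1, s1), (t2, _u2, s2) in zip(seen, seen[1:]):
            if s1 != s2 and t2 - t1 <= window:
                findings.append((mac, u1, s1, s2, t2 - t1))
    return findings

if __name__ == "__main__":
    for finding in find_split_sessions(parse_log(SAMPLE_LOG)):
        print("ALERT same MAC at two sites:", finding)
```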


One of the drones was carrying a WiFi Pineapple, which I have described in a previous article as a ‘pocket-sized superweapon’ that streamlines wireless security auditing. The other drone was equipped with a Raspberry Pi, a 4G modem, a GPD mini laptop, several batteries, and an additional wireless device.

The operator landed it close to the building’s HVAC system but damaged it in the landing, although it was still functional. It was determined that the unknown operator had used one of the drones days before to penetrate the wireless network and capture the employee credentials.

If modified drones become an attack trend for wireless penetration missions, a lot of people are going to find themselves as easy targets. Wireless hacking has always been my preferred method of intrusion. Thus, let me be the first to say from experience that it’s easier than it sounds.

An interesting note about the majority of commercial drones today is that they operate on common sub-GHz band frequencies, such as 2.4 GHz and 5.8 GHz. Additionally, frequencies like 1.2 GHz, 1.3 GHz, and others are also utilized in the drone industry for communication between drones and their controllers.

The commercial camera drones you can buy in stores and on Amazon use WiFi frequencies, operating on 2.4 and 5 GHz, which allows users to stream video footage back to their phone or remote controller.

Although not the focus of this article, radio frequency jamming works by identifying the communication frequency between devices, such as a drone and its controller, and then generating continuous signals at that frequency to create interference, effectively disrupting their communication by overwhelming the signal with noise and lowering the signal-to-noise ratio.

If drone-based WiFi attacks become commonplace, drone jamming technology will certainly become the next big thing.

Disable WPS. Choose a password for your wireless router that consists of eight or more upper- and lowercase letters, numbers, and special characters. Most importantly, keep a keen eye on any changes to your network.

Aside from practicing good security hygiene, I like using Glasswire to actively monitor my network. This allows me to monitor any changes to the network, including devices, web traffic, firewalls, and event logs. If suspicious applications are consuming my bandwidth or an untrusted app is sending data to a malicious third-party site, I will detect it. Needless to say, this includes any suspicious activity happening on my wireless network.

Stay safe, my friends.
