Recently a neighbor told me she was getting cease-and-desist warnings about downloading copyrighted material. She was confident that she had never downloaded anything of the kind.
I checked her computer, and it did not contain any malware. She had not given anyone else her Wi-Fi access code, and she had changed the default Wi-Fi access point admin password. But when I turned on auditing on her Wi-Fi router, we could see that someone else in her neighborhood was using her Wi-Fi network to illegally download copyrighted material using Tor.
I reset the Wi-Fi router to its defaults, downloaded the latest firmware, established a new SSID, and created even longer Wi-Fi and admin passwords. The illegal downloading stopped -- or so we thought. Within a few weeks, my friend received more warning emails from her Internet provider, this time threatening to turn off her Internet without prior notice and recommending that she obtain legal counsel.
I went back on her router and it showed that the same computer (identified by MAC address) had gained access to her Wi-Fi router and was again downloading illegal material. Although there are many ways to hack Wi-Fi routers, I was convinced that it had to do with WPS (Wi-Fi Protected Setup) hacking.
The WPS saga
Nearly every new feature intended to make computer security easier is bound to open up new vulnerabilities. Such is the case with WPS.
A Wi-Fi router typically requires either a digital certificate or a long and complex series of characters to protect Wi-Fi channels against unauthorized access. WPS is a feature that allows anyone to push a button or enable a software mechanism that will automatically connect your computing device to your Wi-Fi router without onerous security prerequisites.
WPS comes in a few flavors. The most common method is where someone pushes the WPS button on the Wi-Fi router, and for a limited time anyone in the range of the Wi-Fi network can enable WPS on their device and connect. Alternatively, you can use a USB-storage device to transfer information between the device and the router.
But there's a third method that most people don't use: Located on the outside of most Wi-Fi routers is a sticker containing a PIN. Users can enable WPS and enter the PIN to authenticate to the Wi-Fi router. The thinking is that unauthorized hackers lack physical access to the Wi-Fi router and can't see the sticker.
An easy brute-force hack
A few years ago, however, hackers discovered that WPS is vulnerable to brute-force password guessing. All (unfixed) versions of WPS come with a (randomly selected) 8-byte PIN, which, if guessed, essentially lets the guesser connect as an authorized device. Think about the inherent weakness of 8-byte protection: Today, the bare minimum number of acceptable bits of symmetric cryptographic protection is 128 bits (16 bytes).
But it's much worse. The 8-byte PIN is really only seven bytes long; the last byte is a checksum byte for the first seven characters. Moreover, the first seven characters are broken down into two sections: one four bytes long, and the other only three bytes. This means WPS offers at most four bytes of protection! (And you thought LAN Manager hashes were weak.)
Attackers literally have to make only a few thousand guesses (which usually takes four to eight hours). Most WPS-enabled routers do not have guess-attempt lockout protection. Many newer Wi-Fi routers come with some sort of protection, like guess-attempt lockouts for a preset period of time, but often this isn't enabled by default. Worse yet, on some routers, even if you disable WPS, the vulnerability stays active. It's insane!
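The arithmetic behind "only a few thousand guesses" and the value of a lockout is easy to check. The following is an added example, not code from the original article: it implements the published WPS PIN checksum (the PIN is eight decimal digits in the WPS specification; the article calls them bytes), counts the worst-case number of guesses with and without the split verification flaw described above, and estimates how long exhausting the PIN space takes once a router locks WPS out for a few minutes after a handful of failures. The per-attempt timing and lockout parameters are assumptions chosen for illustration; it talks to no router.

```python
# Added example (not from the original article): why a WPS PIN is so cheap to
# guess, and what a guess-attempt lockout buys the defender.
#
# A WPS PIN is eight decimal digits: seven information digits plus one
# checksum digit. A registrar with the split-verification flaw confirms the
# first four digits and the last four digits independently, so the attacker's
# work is 10**4 + 10**3 guesses rather than 10**7 (and the checksum digit
# never has to be guessed at all).


def wps_checksum(first_seven: str) -> int:
    """Return the eighth (checksum) digit for the first seven PIN digits.

    This is the published WPS PIN checksum: digits in odd positions
    (1st, 3rd, 5th, 7th) are weighted 3, the others 1, and the checksum
    digit brings the weighted total up to a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = 0
    for index, ch in enumerate(first_seven):
        weight = 3 if index % 2 == 0 else 1
        total += weight * int(ch)
    return (10 - total % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN's last digit matches the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum(pin[:7])


def guesses_needed(split_verification: bool = True) -> int:
    """Worst-case number of PIN attempts needed to exhaust the space.

    split_verification=True models the flaw the article describes: the
    4-digit first half and the 3-digit second half are confirmed separately.
    split_verification=False models a registrar that only reports success or
    failure for the whole PIN, so all seven information digits are guessed
    together.
    """
    if split_verification:
        return 10**4 + 10**3
    return 10**7


def worst_case_hours(seconds_per_attempt: float,
                     attempts_before_lockout: int = 0,
                     lockout_seconds: float = 0.0,
                     split_verification: bool = True) -> float:
    """Estimate the worst-case time (in hours) to exhaust the PIN space.

    attempts_before_lockout == 0 models a router with no lockout at all.
    Otherwise, every attempts_before_lockout failures cost an extra
    lockout_seconds of waiting. Both timing values are assumptions.
    """
    attempts = guesses_needed(split_verification)
    total_seconds = attempts * seconds_per_attempt
    if attempts_before_lockout > 0:
        lockouts = attempts // attempts_before_lockout
        total_seconds += lockouts * lockout_seconds
    return total_seconds / 3600


if __name__ == "__main__":
    # "12345670" is the worked PIN example from the WPS specification.
    print("12345670 valid:", is_valid_pin("12345670"))   # True
    print("12345671 valid:", is_valid_pin("12345671"))   # False (bad checksum)
    print("guesses with split verification:", guesses_needed())        # 11000
    print("guesses without split verification:", guesses_needed(False))  # 10000000
    # Assumed 2 seconds per attempt: roughly six hours with no lockout, which
    # sits inside the "four to eight hours" the article quotes.
    print("no lockout, hours:", round(worst_case_hours(2.0), 1))
    # Assumed lockout of 5 minutes after every 3 failures: the same attack
    # now takes on the order of weeks instead of an evening.
    print("3 tries then 5-minute lockout, hours:",
          round(worst_case_hours(2.0, attempts_before_lockout=3,
                                 lockout_seconds=300), 1))
```

The point of the last two numbers is the one the article makes about lockouts: the PIN space itself cannot be enlarged, so a router that pauses WPS for even a few minutes after a few failed attempts turns an afternoon's worth of guessing into something that takes weeks of uninterrupted radio presence, which is why disabling WPS outright is the cleaner fix.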
WPS-guessing attack tools are readily available. Reaver was one of the first and most popularly used. With these tools pointed toward a typical Wi-Fi router, the router coughs up its protection in less than a day, which in today's password-guessing world is ridiculously quick. In 2014, another method, dubbed Pixie Dust, attacked WPS and claimed to be able to break it in less than 30 minutes (though I haven't verified this method).
WPS-cracking was a big deal back in December 2011, when it was first announced, and was used a lot in 2012, when all the Linux hacking distros added the necessary programs to their Wi-Fi hacking toolsets. Since then, the attack has languished in media circles even though it remained possible on most Wi-Fi routers. You'll still occasionally read stories where gangs of hackers used the method to compromise a bunch of Wi-Fi routers in the service of some larger evil.
Hacking the neighbors
I had disabled my WPS feature a few years ago on my own home router, and I don't do a lot of Wi-Fi penetration testing, so I had mostly forgotten about this attack vector. But with this recent event, I decided to test most of my neighborhood. Living on an island, I know most of my neighbors. They all have Wi-Fi routers. I contacted each of them, explained the situation, and asked if I could hack their Wi-Fi routers. They all gave me permission. Within the day, I was able to break into all but one.
Being the friendly computer security guy that I am, I updated everyone's router firmware code (none were even remotely up to date), changed any default passwords I found, and either disabled their WPS feature or made sure that the guessing-lockout feature was enabled. The lockout feature essentially locks out WPS connections for a preset period of time and then automatically re-enables it. The feature locks out WPS for only a few minutes, but it's enough to stymie WPS PIN guessing.
Initially, I wasn't 100 percent sure my friend's Wi-Fi router was being compromised by the WPS PIN guessing method, but after we disabled the WPS feature, the neighborhood hacker wasn't able to get back in. I'm guessing they were pretty frustrated. After all, I had locked up the whole neighborhood at the same time.
My advice to you? Update your Wi-Fi firmware to the latest version possible. Use a long and complex Wi-Fi network passphrase and admin password -- and disable WPS. That way you'll be less likely to be accused of downloading something illegally or doing something maliciously if it wasn't you.