Are public wireless networks (Wi-Fi) dangerous to our privacy? Techies know the answer. What they may not know is that one hacker from Israel demonstrated how easily an entire city's free Wi-Fi network could be taken over.
One day, on the way home from work, Amihai Neiderman, head of the research team at the Israeli company Equus Technologies, found a wireless hotspot he had never seen before. It was unusual because it appeared in an area with no buildings.
It turned out that the hotspot was called "FREE_TLV" and was part of the city's free wireless network, set up by the Tel Aviv local government.
Neiderman wondered: How safe is it?
Over the next few weeks, he tried to breach the network in his spare time. First, he connected to the network via one of the access points spread across the city and checked the Internet Protocol (IP) address. This is usually a public address assigned to the router through which everyone using the Wi-Fi reaches the Internet.
Then he disconnected and started scanning that IP address for open ports, and discovered that the web-based login interface was on port 443 (HTTPS).
When he opened it in his browser, only the device manufacturer's name appeared (Peplink), without any other information about the device type or model. An analysis of the web interface did not reveal vulnerabilities such as SQL injection that could have given him access.
The researcher realized that a more in-depth analysis of the device's actual firmware was needed.
Identifying the device in order to find the exact firmware was not an easy task: Peplink manufactures and sells many kinds of devices for various network services. He eventually settled on downloading the version 5 firmware for the Peplink Balance 380, a high-end load-balancing router.
The firmware used basic XOR encryption to make it harder for third parties to reverse engineer its file system, but bypassing this was relatively easy. Neiderman then loaded the unpacked components into an emulator and was thus able to examine the CGI (Common Gateway Interface) scripts behind the router's web interface.
As you might expect, it did not take long after that for the researcher to discover a buffer overflow vulnerability in the CGI script that handles the log-out procedure. The flaw could be exploited by sending an overly long session cookie to the script, giving an attacker full control of the device.
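As an added illustration that is not taken from the article or from Peplink's firmware, the following C function shows how a CGI log-out handler can pull the session cookie out of the HTTP_COOKIE environment variable with an explicit length check, so an over-long cookie is rejected rather than overrunning a fixed buffer. The cookie name "session", the 64-byte buffer and the return codes are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SESSION_MAX 64  /* hypothetical fixed size of the session-id buffer */

/* Copy the value of the "session" cookie from a Cookie header string into
 * out (capacity outlen). Returns the value length on success, -1 if no
 * such cookie is present, -2 if the value would not fit in out.
 * The unsafe pattern this replaces is strcpy()/sprintf() of the cookie
 * value into a fixed-size buffer, which is the defect class described
 * in the article. */
int extract_session_cookie(const char *cookie_header, char *out, size_t outlen)
{
    const char *p = cookie_header;
    if (!p || outlen == 0) return -1;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;        /* skip separators */
        const char *eq = strchr(p, '=');           /* name=value */
        if (!eq) return -1;
        const char *end = strchr(eq, ';');         /* end of this cookie */
        size_t vlen = end ? (size_t)(end - eq - 1) : strlen(eq + 1);
        if ((size_t)(eq - p) == 7 && strncmp(p, "session", 7) == 0) {
            if (vlen >= outlen) return -2;         /* reject, don't overflow */
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!end) return -1;
        p = end + 1;
    }
    return -1;
}

/* Stand-alone CGI-style entry point: reads the real HTTP_COOKIE variable
 * (or a constructed sample when run outside a web server). */
int main(void)
{
    const char *hdr = getenv("HTTP_COOKIE");
    if (!hdr) hdr = "lang=en; session=abc123";     /* constructed sample */
    char sid[SESSION_MAX];
    int n = extract_session_cookie(hdr, sid, sizeof sid);
    printf("Content-Type: text/plain\r\n\r\n");
    if (n < 0)
        printf("log-out ignored: %s\n", n == -2 ? "cookie too long" : "no session");
    else
        printf("logged out session %s\n", sid);
    return 0;
}
```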
Neiderman presented his findings on Thursday at the DefCamp security conference in Bucharest. He declined to say whether he had actually broken into the Peplink Balance routers used for Tel Aviv's free Wi-Fi network, citing legal concerns.
However, when he reported the flaw to Peplink, the company confirmed the vulnerability and updated the firmware.
Vulnerabilities in routers are not unusual, but this case stands out because it shows that a skilled attacker could target thousands or tens of thousands of users connected to large public Wi-Fi networks.