Are public wireless networks (Wi-Fi) a danger to our privacy? Those who work with technology know the answer. What they may not know is that an Israeli hacker has demonstrated how easily the free Wi-Fi network of an entire city could be taken over.
One day, on his way home from work, Amihai Neiderman, head of the research team at the Israeli company Equus Technologies, spotted a wireless hotspot he had never seen before. It was unusual because it appeared in an area that had no buildings.
It turned out that the hotspot was called "FREE_TLV" and was part of the city's free wireless network, set up by the Tel Aviv local government.
Neiderman wondered: How safe is it?
Over the next few weeks, he attempted to hack the network in his spare time. First he connected to the network through one of the access points around the city to check what its IP (Internet Protocol) address was. This is usually a public address assigned to the router through which Wi-Fi users reach the internet.
He then disconnected and scanned that IP address for open ports, and discovered that a web-based login interface was listening on port 443 (HTTPS).
When he opened it in his browser, he got only the name of the device manufacturer (Peplink), with no other information about the type of device or its model. An analysis of the web interface did not reveal vulnerabilities, such as SQL injection, that could have given him access.
The researcher realized that a more in-depth analysis was needed, which meant identifying the actual firmware running on the device.
Identifying the device in order to find the exact firmware was not an easy task: Peplink manufactures and sells many kinds of devices for various network services. Eventually he settled on downloading the version 5 firmware for the Peplink Balance 380, a high-end load-balancing router.
The firmware used basic XOR encryption to make it harder for third parties to reverse-engineer the firmware file system, but bypassing it was relatively easy. Neiderman then loaded the unpacked components into an emulator and was able to examine the CGI (Common Gateway Interface) scripts that make up the router's web interface.
It did not take long before the researcher discovered a buffer overflow vulnerability in the CGI script that handles the log-out process. The flaw could be exploited by sending a long session cookie to the script, giving an attacker full control of the device.
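To make this class of bug concrete, here is an added example, not Peplink's code and not from the talk, of how a CGI logout handler can read a session cookie with an explicit length check so that an oversized cookie is rejected rather than written past a fixed buffer. The names SESSION_MAX, get_cookie and handle_logout, and the 64-byte limit, are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed upper bound for a session token; a real handler uses the
 * fixed size of its own token format. */
#define SESSION_MAX 64

enum cookie_rc { COOKIE_OK = 0, COOKIE_MISSING = -1, COOKIE_TOO_LONG = -2 };

/* Copy the value of cookie `name` out of a raw Cookie header (what a CGI
 * script reads from HTTP_COOKIE) into `out` (`outsz` bytes). The length
 * is checked before any byte is copied, so an oversized cookie is
 * rejected instead of running past the end of `out`; omitting this check
 * (e.g. strcpy into a fixed buffer) is the classic overflow pattern. */
int get_cookie(const char *header, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = header;

    while (p && *p) {
        while (*p == ' ' || *p == ';')
            p++;                                  /* skip separators */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outsz)
                return COOKIE_TOO_LONG;           /* refuse, never truncate silently */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return COOKIE_OK;
        }
        p = strchr(p, ';');                       /* advance to the next pair */
    }
    return COOKIE_MISSING;
}

/* Logout handler: only a length-bounded session id reaches the session
 * store. Returns the parser's result code so callers can log rejects. */
int handle_logout(const char *cookie_header)
{
    char session[SESSION_MAX];
    int rc = get_cookie(cookie_header, "session", session, sizeof session);
    if (rc == COOKIE_OK)
        printf("invalidating session %s\n", session);
    else
        fprintf(stderr, "logout rejected: cookie rc=%d\n", rc);
    return rc;
}
```

A rejected logout is worth logging: repeated oversized cookies against one endpoint are a useful detection signal for this kind of probing.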
Neiderman presented his findings on Thursday at the DefCamp security conference in Bucharest. Understandably, he declined to say whether he had actually broken into the Peplink Balance routers used for Tel Aviv's free Wi-Fi network, citing legal concerns.
When he reported the flaw to Peplink, the company confirmed the vulnerability and released updated firmware.
Vulnerabilities in routers are not unusual, but this case stands out because it shows that a skilled attacker could reach the thousands or tens of thousands of users connected to a large public Wi-Fi network.