Are public wireless networks (Wi-Fi) a danger to our privacy? Those who work with technology know the answer. What they may not know is that an Israeli hacker has demonstrated how easily the free Wi-Fi network of an entire city could be taken over.
One day, on his way home from work, Amihai Neiderman, head of the research team at the Israeli company Equus Technologies, noticed a wireless hotspot he had never seen before. It was unusual because it appeared in an area with no buildings.
It turned out that the hotspot was called “FREE_TLV” and was part of the city's free wireless network, set up by the local administration of Tel Aviv.
Neiderman wondered: How safe is it?
Over the next few weeks, he tried to breach the network in his spare time. First, he connected to the network through one of the access points spread across the city in order to check the Internet Protocol (IP) address. This is usually a public address assigned to the router through which everyone using the Wi-Fi reaches the Internet.
He then disconnected and scanned that IP address for open ports. In this way he discovered that a web-based login interface was listening on port 443 (HTTPS).
When he opened it in his browser, only the device manufacturer's name (Peplink) was shown, with no other information about the device type or model. An analysis of the web interface revealed no weak points, such as a SQL injection flaw, that could have granted him access.
The researcher realized that a more in-depth analysis was needed, and that for this he had to find out which firmware the device was actually running.
Identifying the device in order to find the exact firmware was not an easy task, since Peplink manufactures and sells many kinds of devices for various network services. He nevertheless decided to download the version 5 firmware for the Peplink Balance 380, a high-end load-balancing router.
The firmware used basic XOR encryption to make it harder for third parties to reverse engineer the firmware file system, but bypassing it was relatively easy. Neiderman then loaded the unpacked components into an emulator and was thus able to access the CGI (Common Gateway Interface) scripts behind the router's web interface.
It did not take long before the researcher discovered a buffer overflow vulnerability in the CGI script that handles the log-out process. The flaw could be triggered by sending the script a very long session cookie, and exploiting it granted full control of the device.
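To make the class of bug concrete, here is an illustrative C fragment of the kind of CGI cookie handling involved, written for this page as an added example; it is not Peplink's code, the function names are hypothetical, and it assumes only what the article states: a fixed-size session buffer and a cookie value copied into it without a length check, shown next to a bounded version.

```c
/* Assumes the cookie string arrives as "session=<value>; other=..." (HTTP_COOKIE). */
#include <stdio.h>
#include <string.h>

#define SESSION_MAX 32   /* fixed buffer size the script reserves for a session id */

/* Vulnerable pattern: copies the cookie value into a fixed stack buffer with no
 * length check. A cookie value longer than SESSION_MAX overflows the buffer. */
int logout_unsafe(const char *cookie_header)
{
    char session[SESSION_MAX];
    const char *v = strstr(cookie_header, "session=");
    if (v == NULL)
        return -1;
    v += strlen("session=");
    strcpy(session, v);                 /* unbounded copy: the bug class described */
    session[strcspn(session, ";")] = '\0';
    return 0;                           /* session would be invalidated here */
}

/* Hardened version: measure the value first, reject anything that does not fit,
 * and copy with an explicit bound. Returns 0 on success, -1 if the cookie is
 * missing, -2 if the value is too long for the caller's buffer. */
int logout_safe(const char *cookie_header, char *out, size_t out_len)
{
    const char *v = strstr(cookie_header, "session=");
    if (v == NULL)
        return -1;
    v += strlen("session=");
    size_t n = strcspn(v, ";");         /* value length up to the next attribute */
    if (n >= out_len)
        return -2;                      /* reject rather than silently truncate */
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char sid[SESSION_MAX];
    /* constructed sample cookies: one normal, one oversized (150 'A's) */
    const char *ok = "lang=en; session=abc123def456; theme=dark";
    char bad[200] = "session=";         /* remaining bytes are zero-initialised */
    memset(bad + 8, 'A', 150);
    printf("normal: %d (%s)\n", logout_safe(ok, sid, sizeof sid), sid);
    printf("oversized: %d\n", logout_safe(bad, sid, sizeof sid));
    return 0;
}
```

The unsafe variant is kept only for contrast; a bounds check of this kind is exactly what turns a remotely triggerable overflow into a rejected request.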
Neiderman presented his findings on Thursday at the DefCamp security conference in Bucharest. He of course declined to say whether he had actually broken into the Peplink Balance routers used by Tel Aviv's free Wi-Fi network, because of the legal issues involved.
When he reported the flaw to Peplink, the company confirmed the vulnerability and released an updated firmware.
Vulnerabilities in routers are not unusual. But this case stands out because it shows that a skilled hacker could attack thousands or tens of thousands of users connected to large public Wi-Fi networks.