Israeli hacker Amihai Neiderman needed three days to hack into Tel Aviv’s free public Wi-Fi. He only worked during the evenings, after he came home from his full-time job as a security researcher. The 26-year-old said the difficulty level was “a solid 5” on a scale from 1 to 10.
The hack, performed in 2014 and recently explained in detail during the DefCampconference in Bucharest, Romania, shows how vulnerable public networks can be and why we should encrypt our web traffic while accessing them.
Neiderman likes scanning Wi-Fi networks as a hobby, to see if they are secure. “You can find a lot of interesting pieces of data floating around the network, from all kind of applications, [and] they can reveal a lot of personal data,” he said.
If a hacker takes over a city’s public Wi-Fi, they can get their hands on usernames, passwords, pictures and sensitive information. “Companies should invest more in code auditing and security design before they release a product,” Neiderman said.
He hacked his city out of curiosity. One day, he was driving home from work and he noticed the “FREE_TLV” displayed on his smartphone. He had no idea what it was, but got intrigued. It turned out to be Tel Aviv’s free municipal Wi-Fi network.
The hacker connected to it and checked what his IP was, using http://whatismyip.com. This way, you usually find the address of the router that links you to the internet. To hack Tel Aviv, he needed to take control over this device.
Neiderman got home and found out that the router had one port open. He tried it. This step allowed him to determine the manufacturer of the router. It turned out to be Peplink, a company he had never heard of. It made the mistake of having the administration interfaces online.
The admin interface
At this point, he still didn’t know what device he was connecting to. He compared different products displayed on the company’s website and looked for additional clues in the messages sent to him by the unidentified device. He finally found out it was a high-end load balancing router.
All he needed was a vulnerability to exploit. But breaking the firmware of the router seemed time consuming, as files were encrypted, so the hacker took a different approach. He found a less protected version of the firmware, used for a different device, and found a vulnerability there. To his luck, the same glitch was present in the version installed on the very devices that made up “FREE_TLV”.
He tested the hack at home, emulating the city’s network, and it worked. A real-life test would had been illegal.
The hacker notified Peplink. He was amazed by how fast they replied to his email, and how dedicated they were to patching the flaw.
“[We] worked directly with Amihai so that we could release a fix as quickly as possible,” Eric Wong, evangelist at Peplink, said. The patch was soon available.
Their commitment to security made the hacker trust them. At home, Neiderman’s using a Peplink router, the one the company gave him as a thank you for notifying them.