Browser password hack puts millions of home Wi-Fi networks at risk
If you’re a regular Komando.com reader, you’re most likely familiar with the numerous Wi-Fi router hacking techniques that have emerged these past few months.
Who can forget the scary KRACK Wi-Fi flaw or the dangerous VPNFilter malware that made the rounds and gave everyone serious security scares? (These flaws are still out there and exploitable, by the way.)
Unfortunately, Wi-Fi security threats don’t stop with the big ones. Software security researchers keep finding so many smaller flaws, however difficult to exploit, in routers, browsers, and Wi-Fi security that it’s sometimes hard to keep up.
Take this newest Wi-Fi hacking threat, for example. The researchers behind it claim that it can put millions of home Wi-Fi networks at risk. But is this true? Read on and find out.
Chrome and Opera autosaved passwords are at risk
Researchers from software security company SureCloud recently published a report about a security flaw in Chromium-based browsers, like Chrome and Opera. The issue appears to revolve around a browser’s password autosaving features and the way home routers use unsecured HTTP connections on their administration pages.
SureCloud researcher Elliott Thompson warned that a combination of these flaws can be used to gain access to home networks without cracking (or brute-forcing) a single WPA2 handshake, putting millions of home Wi-Fi networks at risk.
“The browser behaviour relates to saved credentials,” Thompson wrote. “When credentials are saved within a browser, they are tied to a URL and automatically inserted into the same fields when they are seen again. The accepted home router weakness is simply the use of unencrypted HTTP connections to the management interfaces.”
But is it a real and present threat? It sounds like there are many factors to consider before this specific attack can be performed. Let’s take a closer look.
“Karma” is a must
For this attack to work, a successful “Karma” attack is mandatory.
Karma is an old form of attack where a hacker exploits a gadget’s ability to connect to open Wi-Fi networks automatically.
By renaming a malicious Wi-Fi access point to impersonate yours, a hacker then waits until your gadget connects to the fake router under his/her control, hoping that you won’t notice the difference. Once connected, the hacker can then have full control of your traffic and perform all sorts of “man-in-the-middle” attacks.
Keep in mind that Karma is an old and specific vulnerability itself and most software makers have already patched their products way back in 2012 to protect against these specific types of attacks.
What else? This also means that the attacker has to be physically within range of your home router.
Is that your real router page?
Next, after a successful Karma attack (which is already quite tricky to pull off), the attacker will then wait for the target to open their router’s non-HTTPS administrator webpage with its username and password already saved in Chrome or Opera.
At this point, the attacker will then serve a fake router portal page and grab your auto-saved administrator credentials from there. Think of it as a garden-variety phishing attack.
But these admin credentials are still unusable if the hackers are not connected to your home network anyway, right?
Yep. It’s not clear how the attackers were able to connect to the original home network at this point but Thompson wrote that they released the target back to its own network with their fake page “sitting on the router admin interface’s origin with the admin credentials loaded into JavaScript.”
They then used another man-in-the-middle technique, built on the browser’s “XMLHttpRequest” JavaScript API, to log in to the real router admin page, and they grabbed the WPA2 password directly from the web interface.
Unlikely to happen?
Hmm, all these prerequisites seem so exacting, don’t you think?
So, aside from a targeted Karma attack (which requires physical proximity to a Wi-Fi network), the attacker will have to guess your router model, mimic its administrator webpage, then hope that you actually log in to it while you’re connected to the fake network using a Chrome or Opera browser.
Not only that, the attackers will still need to successfully join the target home network by having the target linger on the fake admin page, then wait until the “XMLHttpRequest” call goes through.
That way, they could simply log in to the real router admin page, then lift the WPA2 password in plain text.
The question is, why even bother? Why go through all this trouble if the gadget is already compromised with a Karma attack and open to many other, more serious man-in-the-middle vulnerabilities in the first place?
Granted, this is just a proof-of-concept demonstration: it is unlikely to have practical uses in the real world, but it proves the attack is possible.
How to protect yourself
SureCloud wrote that it shared its findings with Google’s Chromium project on March 2 of this year.
Google responded that Chrome is “working as designed” and that it would not be updated despite this alleged security flaw. However, Google released a statement on Wednesday saying that it “will study this closely and see if there are improvements to make.”
For now, if you’re concerned about this attack, SureCloud recommends these precautionary steps:
- Only log in to your router using a separate browser or incognito session
- Clear your browser’s saved passwords and don’t save credentials for unsecured HTTP pages
- Delete saved open networks and don’t allow automatic reconnection
- As it is nearly impossible to tell if this attack has already happened against your network, change your pre-shared keys and router admin credentials ASAP. Again, use a separate/private browser for the configuration and choose a strong key.
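To act on the second recommendation, you first need to know which saved logins are tied to unencrypted HTTP addresses. The following is an added example, not code from SureCloud or from this article: it scans a password export in the name,url,username,password layout that Chrome's export feature writes and lists the entries bound to plain HTTP, with router-style local addresses first. The sample rows and the list of local name suffixes are constructed for illustration.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the name,url,username,password column layout of a
# Chrome password export; every value here is made up.
SAMPLE_EXPORT = """name,url,username,password
192.168.1.1,http://192.168.1.1/login.cgi,admin,not-a-real-secret
router.lan,http://router.lan/,admin,not-a-real-secret
example.com,https://example.com/signin,alice,not-a-real-secret
10.0.0.138,https://10.0.0.138/,admin,not-a-real-secret
forum.example.org,http://forum.example.org/login,alice,not-a-real-secret
"""

# Heuristic (an assumption of this example): name suffixes typical of home LANs.
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")


def is_local_host(host):
    """True for private-range IPs and for names that only resolve on a LAN."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith(LOCAL_SUFFIXES)


def audit_saved_logins(csv_text):
    """Return saved logins bound to plaintext-HTTP origins, local devices first.

    Passwords are read past but never copied into the findings.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parts = urlsplit(row.get("url") or "")
        if parts.scheme.lower() != "http" or not parts.hostname:
            continue  # HTTPS (or non-web) entries are outside this check
        kind = "local-device" if is_local_host(parts.hostname) else "public-site"
        findings.append({"origin": f"http://{parts.netloc}",
                         "username": row.get("username") or "",
                         "kind": kind})
    # Router-style admin pages are the case the article describes; list them first.
    findings.sort(key=lambda f: f["kind"] != "local-device")
    return findings


if __name__ == "__main__":
    for f in audit_saved_logins(SAMPLE_EXPORT):
        print(f"{f['kind']:12} {f['origin']:28} user={f['username']}")
```

To check a real export, pass the file's text to audit_saved_logins(), then delete the export, since it holds every saved password in plain text.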