Slashdot Mirror


Hacker Explains How He Hacked Into Tel Aviv's Public Wi-Fi Network In Three Days (vice.com)

An anonymous reader quotes a report from Motherboard: Israeli hacker Amihai Neiderman needed three days to hack into Tel Aviv's free public Wi-Fi. He only worked during the evenings, after he came home from his full-time job as a security researcher. The 26-year-old said the difficulty level was "a solid 5" on a scale from 1 to 10. The hack, performed in 2014 and recently explained in detail during the DefCamp conference in Bucharest, Romania, shows how vulnerable public networks can be and why we should encrypt our web traffic while accessing them. He hacked his city out of curiosity. One day, he was driving home from work and he noticed the "FREE_TLV" displayed on his smartphone. He had no idea what it was, but got intrigued. It turned out to be Tel Aviv's free municipal Wi-Fi network. The hacker connected to it and checked what his IP was, using http://whatismyip.com. This way, you usually find the address of the router that links you to the internet. To hack Tel Aviv, he needed to take control over this device. Neiderman got home and found out that the router had one port open. He tried it. This step allowed him to determine the manufacturer of the router. It turned out to be Peplink, a company he had never heard of. It made the mistake of having the administration interfaces online. At this point, he still didn't know what device he was connecting to. He compared different products displayed on the company's website and looked for additional clues in the messages sent to him by the unidentified device. He finally found out it was a high-end load balancing router. All he needed was a vulnerability to exploit. But breaking the firmware of the router seemed time consuming, as files were encrypted, so the hacker took a different approach. He found a less protected version of the firmware, used for a different device, and found a vulnerability there. To his luck, the same glitch was present in the version installed on the very devices that made up "FREE_TLV." 
He tested the hack at home, emulating the city's network, and it worked. A real-life test would have been illegal.

45 comments

  1. Aand what so special? by fubarrr · · Score: 2

    Did he do hacking on Saturday?

    1. Re:Aand what so special? by Anonymous Coward · · Score: 0

If it is a free network, what is there to hack?

    2. Re:Aand what so special? by Big+Hairy+Ian · · Score: 1

      It took me three days to have sex with Keira Knightley! Well actually it was an inflatable doll but I call her Keira

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  2. Besides the obvious infomercial by ruir · · Score: 4, Insightful

    Where is an article, not written for 5-year-olds, on how the vulnerability was found?

    1. Re:Besides the obvious infomercial by TWX · · Score: 1

      Let's be fair. The summary is more like a ten-year-old's book report, where aforesaid ten-year-old doesn't consider that the audience has no previous knowledge of what he's going to talk about, so important details are omitted.

      --
      Do not look into laser with remaining eye.
    2. Re:Besides the obvious infomercial by Donwulff · · Score: 1

      The summary is pretty much just a cut & paste of the whole article from Vice, just as the summary of the summary says.
      And yes, the article skips the only interesting part, which is how he found and tested the exploit, when the article says he acquired one of the company's routers only after the supposed hack.
      It also leaves it entirely in the air how accessing a "public"/"free" (as it's identified, and which allowed him to freely access the Internet) WiFi counts as a hack, and what the actual threat was there.
      Open access to their internal network, I assume, but that would have been an assumption on his part as well if he never tried it -- despite the Vice headline proclaiming he took it over.

    3. Re:Besides the obvious infomercial by Digicrat · · Score: 1

      The article is admittedly useless in giving details of the hack, or what he managed to do.

      Assuming though that the exploit gave him full access to the router's configuration (which the article seems to imply), that would make it trivial to add a sniffer to intercept unencrypted traffic, alter DNS settings to point to a compromised database, or otherwise instigate man-in-the-middle attacks of unencrypted traffic. The article specifically says that we should encrypt all of our traffic over public Wifi, which (combined with not ignoring bad certificate errors) is the only way to avoid/detect such MITM attacks.

    4. Re:Besides the obvious infomercial by Donwulff · · Score: 1

      It's specifically said the router's firmware was encrypted so he couldn't read it, much less install sniffers or backdoors. About the only thing it's reasonable to expect him to be able to do is disable some firewalls between internal and the public Internet. And even that is assuming their internal network was directly connected to "free, public WiFi" and city officials had password lists and locations of the nukes on unsecured shares on their desktops... which is kinda a large leap of faith. Especially since the article says they worked with him solving the problem, so they must've been all like "Oh, you found an exploit to get into our secret unprotected network? Oh no, please don't use it or leave any backdoors, or we'll be in big trouble, we'll just let you secure them."

      With regards to unencrypted communication over public WiFi, all he'd have had to do was put up a high-powered WiFi router with the same SSID. Certificates won't even be much help if the attacker is in charge of the network and can re-direct traffic via a proxy "faking" the site or just forcing TLS off. No hacking of routers required. Though if this was their public Internet gateway, likely all that'd give him would be a glimpse of the city servants' Facebook chatter and pr0n searches.

    5. Re:Besides the obvious infomercial by jrumney · · Score: 1

      It's specifically said the router's firmware was encrypted so he couldn't read it, much less install sniffers or backdoors.

      And yet he managed to emulate it on his home network to avoid breaking the law by hacking an actual router belonging to the city...

      Some other things don't add up: "The hacker connected to it and checked what his IP was, using http://whatismyip.com. This way, you usually find the address of the router that links you to the internet." ... an actual hacker has many faster and more reliable methods of finding the router's IP at their disposal, that don't involve asking remote websites what your IP address is and guessing based on assumptions of how the network owner might have allocated their addresses.

    6. Re:Besides the obvious infomercial by Anonymous Coward · · Score: 0

      If you want the IP on the outside of the NAT you will need to ask some external party to tell it to you, since the NAT rewrites this information to make the system work.

    7. Re:Besides the obvious infomercial by Anonymous Coward · · Score: 0

      I seriously doubt many hackers have that type of software installed on their smartphone. Those types of apps are usually used by people that don't know what they're doing (just check the comment section of any one of them). The "summary" says he noticed the wifi network on his smartphone and didn't know what it was. If he had ever seen it from home, he'd probably have had the same curiosity...and would then have those tools. However, you should probably assume he couldn't connect to the network from home...else he'd not have had much curiosity as to what it was when he was on his way home from work.

  3. Reads Like A 2600 Article by Anonymous Coward · · Score: 1

    The summary reads like an article in 2600 magazine. You know, the magazine that occasionally has easy construction articles with resistors called out as 'yellow purple red resistor' instead of just saying 4.7k.

    1. Re:Reads Like A 2600 Article by Anonymous Coward · · Score: 1

      4.7k ought to be enough for anybody.

    2. Re:Reads Like A 2600 Article by Hognoxious · · Score: 1

      A shite article on vice.com? Shocked I am, shocked!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    3. Re:Reads Like A 2600 Article by Anonymous Coward · · Score: 0

      To be fair, the description "yellow purple red resistor" would actually be much more useful to me. I would have to look up the color code if you just told me 4.7k.

    4. Re:Reads Like A 2600 Article by Anonymous Coward · · Score: 0

      Hand in your card on the way out.

    5. Re:Reads Like A 2600 Article by rtb61 · · Score: 1

      So, free government wifi. There is definitely a story in that: what would an extremely suppressive government like Israel do with free wifi accessible throughout major cities? Now I bet there is a more interesting story in there that is yet to be reported. I wonder how many other autocratic governments will start offering low-bandwidth free wifi in metropolitan areas. I wonder how many smart phones have been hacked in those regions. All of them?

      --
      Chaos - everything, everywhere, everywhen
  4. Some rather important information missing... by TWX · · Score: 3, Insightful

    ...from the summary...

    It jumps straight from checking out the SSID that he found on his phone and seeing his IP address to somehow having a device in his hand that he could manipulate?

    --
    Do not look into laser with remaining eye.
    1. Re:Some rather important information missing... by Anonymous Coward · · Score: 0

      Maybe from eBay. Israel also has large electronics surplus markets so he may have obtained a device from there.

    2. Re:Some rather important information missing... by Anonymous Coward · · Score: 1

      The article is not better in terms of detail content.

    3. Re:Some rather important information missing... by udachny · · Score: 1

      He might have created a GUI interface using Visual Basic to track the IP address...

  5. http by Anonymous Coward · · Score: 0

    Isn't it past time we blocked port 80? Come on, people.

  6. So he DIDN'T hack it, then by wonkey_monkey · · Score: 5, Insightful

    "He tested the hack at home, emulating the city's network, and it worked. A real-life test would have been illegal."

    Oh, right. So he hacked the city's network the same way I robbed a bank with a gun, only it wasn't a bank, it was my friend with some monopoly money, and it wasn't a gun, it was a banana. But we both acted like it was real, so it totally would have worked.

    --
    systemd is Roko's Basilisk.
    1. Re:So he DIDN'T hack it, then by Anonymous Coward · · Score: 0

      Obviously he did hack it. He just *says* he hacked it at home.

      Obviously on Slashdot the details of the vulnerability would've been far more interesting than "finding the IP and port scanning the device" - a.k.a. shit we all learned when we were 10 years old.

    2. Re: So he DIDN'T hack it, then by Anonymous Coward · · Score: 0

      it makes assuptions for the real thing. it might be correct or not when he did it.

    3. Re: So he DIDN'T hack it, then by Anonymous Coward · · Score: 0

      probably

    4. Re: So he DIDN'T hack it, then by Anonymous Coward · · Score: 0

      assuptions. . .

    5. Re:So he DIDN'T hack it, then by Macfox · · Score: 1

      Give this man a mod point!

      --
      Area51 - We are watching...
    6. Re:So he DIDN'T hack it, then by wildstoo · · Score: 1

      On the other hand, I'm surprised they haven't thrown him in jail yet for "having knowingly simulated computer access without authorization or exceeding authorized access".

      You know, just to be safe.

    7. Re:So he DIDN'T hack it, then by Anonymous Coward · · Score: 0

      I saw a presentation he gave in Tel Aviv,
      it was pretty clear from what he said that he didn't test it at home, but rather hacked the actual router.
      He couldn't say directly that he broke the law, so he heavily implied that's what happened.

  7. Kind of like saying you did Angelina Jolie by Anonymous Coward · · Score: 0

    But then when you get home and look at the video, you find out "she" ain't a woman no more.

    1. Re:Kind of like saying you did Angelina Jolie by Anonymous Coward · · Score: 0

      It seemed like a good idea at the time

      Captcha: moments

  8. HACK THE PLANET* by Anonymous Coward · · Score: 1

    *for very small values of "hack" and "planet"

  9. yes, a resistor color code joke. you're welcome by Thud457 · · Score: 2

    awwww all I have is a gold red purple yellow, now I can't hack

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  10. worst story ever by Anonymous Coward · · Score: 2, Funny

    it's like the time I robbed a pirate ship, but then I woke up and it was all a dream.

  11. captive portal by Anonymous Coward · · Score: 0

    Didn't even bypass a captive portal? So lame.

  12. the story is boring because no test was done. by gl4ss · · Score: 1

    the summary is okay.

    the story is boring because he doesn't know if the municipal network was running the same firmware he hacked.

    If taken to the extreme, it would be the same as me claiming to have hacked the US Navy network because I hacked Windows XP. Furthermore, it's pretty dated, so it would be more like me claiming that I hacked the Finnish Defence Forces network because I looked up an exploit for the Windows NT 4.0 TCP/IP stack online. Well, not too much like that, but the idea is the same, and that is why it makes the actual story boring: he doesn't know if the network was vulnerable, and it was a long time ago, so all he should get is "cool story bro", not media attention.

    --
    world was created 5 seconds before this post as it is.
    1. Re:the story is boring because no test was done. by Anonymous Coward · · Score: 0

      The story, as written by the author of that summary, may sound boring...however DefCamp thought otherwise. I'll take their opinions, about security, with more than a grain of salt.

      Listening to you, instead of them, would (probably) be akin to listening to someone that knows nothing about the Arts, or Sciences, tell me how Leonardo da Vinci was a no-talent schmuck... who put out boring work.

  13. He hacked INTO a free open public wifi? by Anonymous Coward · · Score: 0

    This is an achievement, how?

  14. WRONG this is shit article by Anonymous Coward · · Score: 0

    A) The IP you're assigned by a router is not the router's IP.....
    ya know, like 24.x.x.x vs 192.168.1.1

    B) Cause the article effectively states he um er hacked himself HAHAHHAHAHA

    C) My whatsmyip.org IP is NOT my internal router IP... and if I have remote off, YOU can't see it....

    D) If later another PC/device was assigned that IP and it had an open port, the dummy just hacked that device UGH

    E) WHAT KINDA MORON SITE IS THIS... of course, to break into an open port that doesn't use said protocol properly you need a remote exploit....

    So what port was it, 23, 80? lol ugh retard.....

    Whole article is bullshit.

  15. A security issue due to poor administration by Anonymous Coward · · Score: 0

    You never have your device management interface exposed to the wifi radio. Ever. The management interface should be configured on the wired management network, which usually is a VLAN on the wired end. The VLAN should be encrypted as well.

    The public Wifi end should never be enabled to allow management traffic. EVER!

    I am willing to bet they farmed out the work because engineers in Israel are not stupid. The security issue here was exploited because whoever configured and managed the Wifi network was stupid.
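    The separation this comment argues for, as an added example that is not from the thread, from Peplink or from the city's network: an nftables input policy for a Linux-based router that keeps the management plane off the Wi-Fi side. Interface names, the VLAN tag and the management ports are assumptions (wlan0 serves the public SSID, eth0.10 is the wired management VLAN, management is SSH and HTTPS).

```nftables
# Added example, not the original page's or Peplink's configuration.
# Assumed interfaces: wlan0 = public Wi-Fi, eth0.10 = wired management VLAN (tag 10).
# Assumed management services: SSH (22) and the HTTPS admin UI (443).

# --- Weak setting: the input chain accepts everything, so the admin UI answers
# --- on the Wi-Fi radio and on the WAN address alike (what the summary describes).
# table inet filter {
#   chain input {
#     type filter hook input priority 0; policy accept;
#   }
# }

# --- Corrected: default drop; management is reachable only from the wired management VLAN.
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept

    # Wi-Fi clients may talk to the router itself only for DHCP and DNS.
    iifname "wlan0" udp dport { 67, 53 } accept
    iifname "wlan0" tcp dport 53 accept

    # Management only from the wired management VLAN and its assumed subnet.
    iifname "eth0.10" ip saddr 10.10.0.0/24 tcp dport { 22, 443 } accept

    # Management attempts from wlan0, the WAN or anywhere else are logged and dropped,
    # which also gives operations a detection signal for probes like the one in the story.
    tcp dport { 22, 80, 443 } log prefix "mgmt-plane-drop " drop
  }
}
```

    Forwarding between the Wi-Fi segment and the management VLAN still needs its own forward-chain policy; this fragment only covers traffic addressed to the router itself.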

  16. A bit of insight by Anonymous Coward · · Score: 0

    Hey! I'm Amihai (the guy who did it...). There seems to be some confusion about what I did... Well, I found an open wifi and scanned its external IP address when I got home. I found that the device that was answering my port scanning was the load balancer of the network (it's a whole different story on how I found what it was).

    I worked for a few hours to extract the file system from the firmware update and found a logical vulnerability that helped me to identify the exact version of the firmware on the load balancer in my city's network.
    After that I found a different vulnerability (a memory corruption in one of the CGI files) that I exploited. I checked it on a test model on a VM and..... Well .... That's basically all I can say about that :)

    You can see a video of the talk: https://www.youtube.com/watch?v=OQ0NhdD5v_Y&index=4&list=PLNiWLB_wsOg4YPY6v76waeuTyWVAgo0Bx&spfreload=10

  17. FT Hyperbole by Anonymous Coward · · Score: 0

    The headline of TFA says "A Hacker Took Over Tel Aviv's Public Wi-Fi Network to Prove That He Could" and Slashdot complains I don't read TFA.