Hacker Explains How He Hacked Into Tel Aviv's Public Wi-Fi Network In Three Days

An anonymous reader quotes a report from Motherboard: Israeli hacker Amihai Neiderman needed three days to hack into Tel Aviv's free public Wi-Fi. He only worked during the evenings, after he came home from his full-time job as a security researcher. The 26-year-old said the difficulty level was "a solid 5" on a scale from 1 to 10. The hack, performed in 2014 and recently explained in detail during the DefCamp conference in Bucharest, Romania, shows how vulnerable public networks can be and why we should encrypt our web traffic while accessing them. He hacked his city out of curiosity. One day, he was driving home from work and he noticed the "FREE_TLV" displayed on his smartphone. He had no idea what it was, but got intrigued. It turned out to be Tel Aviv's free municipal Wi-Fi network. The hacker connected to it and checked what his IP was, using http://whatismyip.com. This way, you usually find the address of the router that links you to the internet. To hack Tel Aviv, he needed to take control over this device. Neiderman got home and found out that the router had one port open. He tried it. This step allowed him to determine the manufacturer of the router. It turned out to be Peplink, a company he had never heard of. It made the mistake of having the administration interfaces online. At this point, he still didn't know what device he was connecting to. He compared different products displayed on the company's website and looked for additional clues in the messages sent to him by the unidentified device. He finally found out it was a high-end load balancing router. All he needed was a vulnerability to exploit. But breaking the firmware of the router seemed time consuming, as files were encrypted, so the hacker took a different approach. He found a less protected version of the firmware, used for a different device, and found a vulnerability there. To his luck, the same glitch was present in the version installed on the very devices that made up "FREE_TLV." He tested the hack at home, emulating the city's network, and it worked. A real-life test would had been illegal.

Aand what so special?

[fubarrr]

Did he do hacking on Saturday?

Re:Aand what so special?

[Big+Hairy+Ian]

It took me three days to have sex with Keira Knightley! Well actually it was an inflatable doll but I call her Keira

Besides the obvious informmercial

[ruir]

Where is an article not written for 5 years old how was the vulnerability found?

Re:Besides the obvious informmercial

[TWX]

Let's be fair. The summary is more like a ten year old's bookreport where aforesaid ten year old doesn't consider that the audience has no previous knowledge of what he's going to talk about so important details are omitted.

Re:Besides the obvious informmercial

[Donwulff]

The summary is pretty much just a cut & paste of the whole article from Vice, just as the summary of the summary says.
And yes the article skips the only interesting part, which is how he found and tested the exploit when the article says he acquired one of the company's routers only after the supposed hack.
It also leaves it entirely in air how accessing a "public"/"free" (as it's identified, and which allowed him to freely access the Internet) WiFi counts as a hack, and what was the actual threat there.
Open access to their internal network I assume, but that would have been assumption on his part as well if he never tried it -- despite the Vice headline proclaiming he took it over.

Re:Besides the obvious informmercial

[Digicrat]

The article is admittedly useless in giving details of the hack, or what he managed to do.

Assuming though that the exploit gave him full access to the router's configuration (which the article seems to imply), that would make it trivial to add a sniffer to intercept unencrypted traffic, alter DNS settings to point to a compromised database, or otherwise instigate man-in-the-middle attacks of unencrypted traffic. The article specifically says that we should encrypt all of our traffic over public Wifi, which (combined with not ignoring bad certificate errors) is the only way to avoid/detect such MITM attacks.

Re:Besides the obvious informmercial

[Donwulff]

It's specifically said the router's firmware was encrypted so he couldn't read it, much less install sniffers or backdoors. About only thing it's reasonable to expect him to be able to do is disable some firewalls between internal and the public Internet. And even that is assuming their internal network was directly connected to "free, public WiFi" and city officials had password lists and locations of the nukes on unsecured shares on their desktops... which is, kinda large leap of faith. Especially since the article says they worked with him solving the problem, so they must've been all like "Oh you found an exploit to get into our secret unprotected network? Oh no, please don't use it or leave any backdoors, or we'll be in big trouble, we'll just let you secure them."

With regards to unencrypted communication over public WiFi, all he'd had to do was put a high-powered WiFi router with same SSID up. Certificates won't even be much help if the attacker is in charge of the network and can re-direct traffic via a proxy "faking" the site or just forcing TLS off. No hacking of routers required. Though if this was their public Internet gateway, likely all that'd give him would be a glimpse of the city servants Facebook chatter and pr0n searches.

Re:Besides the obvious informmercial

[jrumney]

It's specifically said the router's firmware was encrypted so he couldn't read it, much less install sniffers or backdoors.

And yet he managed to emulate it on his home network to avoid breaking the law by hacking an actual router belonging to the city...

Some other things don't add up: The hacker connected to it and checked what his IP was, using http://whatismyip.com./ This way, you usually find the address of the router that links you to the internet. ... an actual hacker has many faster and more reliable methods of finding the router's IP at their disposable, that don't involve asking remote websites what your IP address is and guessing based on assumptions of how the network owner might have allocated their addresses.

Reads Like A 2600 Article

The summary reads like an article in 2600 magazine. You know, the magazine that occasionally has easy construction articles with resistors called out as 'yellow purple red resistor' instead of just saying 4.7k.

Re:Reads Like A 2600 Article

4.7k ought to be enough to anybody

Re:Reads Like A 2600 Article

[Hognoxious]

A shite article on vice.com? Shocked I am, shocked!

Re:Reads Like A 2600 Article

[rtb61]

So free government wifi, there is definitely a story in that, so what would an extremely suppressive government like Israel do with free wifi accessible throughout major cities, now I bet there is a more interesting story in there, that is yet to be reported. I wonder how many other autocratic governments will start offer low bandwidth free wifi in metropolitan areas. I wonder how many smart phones have been hacked in those regions, all of them?

Some rather important information missing...

[TWX]

...from the summary...

It jumps straight from checking out the SSID that he found on his phone and seeing his IP address to somehow having a device in his hand that he could manipulate?

Re:Some rather important information missing...

The article is not better in terms of detail content.

Re:Some rather important information missing...

[udachny]

He might have created a GUI interface using Visual Basic to track the IP address...

So he DIDN'T hack it, then

[wonkey_monkey]

He tested the hack at home, emulating the city's network, and it worked. A real-life test would had been illegal.

Oh, right. So he hacked the city's network the same way I robbed a bank with a gun, only it wasn't a bank, it was my friend with some monopoly money, and it wasn't a gun, it was a banana. But we both acted like it was real, so it totally would have worked.

Re:So he DIDN'T hack it, then

[Macfox]

Give this man a mod point!

Re:So he DIDN'T hack it, then

[wildstoo]

On the other hand, I'm surprised they haven't thrown him in jail yet for "having knowingly simulated computer access without authorization or exceeding authorized access".

You know, just to be safe.

HACK THE PLANET*

*for very small values of "hack" and "planet"

yes, a resistor color code joke. you're welcome

[Thud457]

awwww all I have is a gold red purple yellow, now I can't hack

worst story ever

it's like the time I robbed a pirate ship, but then I woke up and it was all a dream.

the story is boring because no test was done.

[gl4ss]

the summary is okay.

the story is boring because he doesn't know if the municipal network was running the same firmware he hacked.

if taken to extreme, it would be the same as me claiming to have hacked the US Navy network because I hacked windows XP. furthermore it's pretty dated so it would be more like me claiming that I hacked Finnish Defence Forces network because I looked up an exploit for Windows NT 4.0 tcp/ip stack online. well, not too much like that but the idea is the same why it makes the actual story boring - he doesn't know if the network was vulnerable and it's a long time ago so all he should get is "cool story bro", not media attention.