Android Hack: Cracking WiFi passwords with your phone

The WiFi adapter in your laptop has a special mode – monitor mode – that can be used to listen in on WiFi traffic and, with a little patience, can be used to crack a WEP password. Surprisingly, this monitor mode can’t be found on any Android device due in part to the limitations of the hardware. A group of three researchers, [Ruby], [Yuval], and [Omri], decided to spend their vacation adding monitor mode to their Android smartphones, allowing for a much more portable version of WiFi pwnage tools.

The phones used by the researchers – the Nexus One and Galaxy S II – used Broadcom chipsets that didn’t support monitor mode. To get around this limitation and allow the OS to see full 802.11 frames the team needed to reverse engineer the firmware of this Broadcom radio chip.

The team has released a firmware update for the bcm4329 and bcm4330 chipsets found in the Nexus One and Galaxy S II. The update may work for other phones with the same chipset, but don’t take our word on that.

There’s still a lot of work [Ruby], [Yuval], and [Omri] need to do. They’d like to add packet injection to their firmware hack, and of course create an APK to get this into the wild more easily.

If you have experience with kernel development and would like to help out, send the team an email. The source can be found at google code  if you’d like to play around with it.


  1. CoolMod says:

    The first link is incorrect. Please fix it!

  2. Corrosion says:

    I was like XD

    Then they said no packet injection and I was like

    -_- uh…. Yeah I’m not going to use this.
    I’ll keep an eye out for the update though

  3. hospadar says:

    Awesome! I’ve been waiting for this forever. So much easier that waiting for my friends to try and remember where they keep that slip of paper with their dumb password on it.

  4. Erik Johnson says:

    I’m glad to see this isn’t just an aircrack port like that shitty iOS version where you need to capture on a laptop then use the iOS to analyse (totally lame).

  5. Zs says:

    Can I use it? I have bcm432x. Is it a kind of bcm4329?

    [48028.238084] =========== WLAN going back to live ========
    [48028.238701] bcm432x_sdcc_wlan_slot_status: 93 1
    [48029.126377] wlan0: Broadcom Dongle Host Driver mac=5c:xx:xx:xx:xx:xx
    [48040.612794] wlan0: no IPv6 routers present

  6. KG4MXV says:

    Good luck cracking my password I use all 64 characters and change it every 2 weeks. And that is not my only defense.
    In my neighborhood THere are so many wifi networks it is not funny. With just the pitiful antenna in my laptop I can pick up 15 nets and 90% of them are on cannel 11 . I use the 5ghz and have no problems. I am thinking of making a 1W 2.462ghz beacon to clear the congestion.

    • barellinger says:

      If you’re so security-conscious, why are you using WEP instead of WPA (serious question, my understanding is that WEP is deprecated due to vulnerabilities that can be easily accessed on simple (e.g., cellphone) hardware).

    • S says:

      Maybe if you’re going to brag about violating FCC law and in general being a jerk (if you’re in the 5Ghz A/N band, why do you care who’s using 802.11b?), you shouldn’t do so with your ham license as your sig,

      –EDITED– do not post other people’s personal information. even if they are being jerks. –

    • unaB says:

      Good luck, Im behind 64 characters!

    • Dojo66 says:

      1W CW or noise jammer on wifi channel has very limited jamming range. Think 20m.

      The ‘problem’ is that wifi detects if the channel is free by using energy detect (which you trigger with your jammer, but the threshold is quite high), wifi mostly relies on false carrier detect. A preamble is transmit before every wifi frame containing information about the following transmission (speed, modulation method, etc, it is always transmit at 1mbit/s btw).
      When the card can receive such a frame, it assumes the channel busy for the duration specified in a frame.

      Thus a jammer spamming these pre-headers (google PLCP header) would have a jamming range equal to its reception range, while still being invisible to 802.11 sniffers.

      This is a by far more dangerous attack against Wifi as for example a 1W jammer connected to a proper antenna would jam in a circle of more than 500m. Completely blocking the communication (as the cards voluntarily stop communicating since they think the channel is busy!) while being undetectable to trained ‘cisco enterprise wifi specialists’ and such. Detection with a spectrum analyser is obviously possible, but at least the signals looks like a legit wifi signal so it isn’t as obvious as broadcasting noise.

      Another more stealthy approach is to estimate the transfer function from you to the access point (which you can do, since it periodically broadcasts beacons and data). Simply interpolate the phase and amplitude of the pilot tones using fft interpolation. Since the access point and jammer don’t move the transfer function changes only a little due to the environment changing (which LMS will track without problems). Using a tracking filter such as LMS is optional, it will improve the transfer function estimate while the jammer is operating, making it work better against distant stations.

      Now whenever your jammer hears a packet from a client, it calculates the transfer function client->jammer in the same way as with the access point. Again a tracking filter may be used for better performance in bad SNR situations.
      The next step is calculating the inverse of the pilot tones sent by the client and transforming them with the inverse of the jammer->ap transfer fuction and the client->jammer TF. This will result in the AP receiving the OFDM frame with the pilot tones being zero, making demodulation impossible. You only transmit a very short time during the transmission of the client, just enough to corrupt the packet and you do so in an optimal way. This approach easily gets 15-20dB (especially against single antenna routers and clients) of processing gain. Rhis is because the pilot tones are used for equalising the channel, if the signal on these few frequencies is damaged, the other frequencies cannot be used. You do not even have to make the pilot tones zero, it is enough to make the demodulator channel estimation fail, you can remotely observe the amount of packets dropped and adjust your signal.

      You need a very fast digital spectrum analyser to see the extremely short jamming bursts (in a band already crowded with burst type signals), since your transmit signal only uses the theoretical least amount of power necessary to jam the current transmission (you will transmit less for a distant client, since you have actually estimated the channel between client and AP)

      You best leave beacons alone as not doing so will make the list of received networks empty and then the jamming is obvious. Also they are broadcast traffic so your jamming will be less optimal since the final signal will be a compromise made by combining a jamming signal for every AP->client TF.

      I think this type of jamming in a commercial environment would take a very long time to be found and taken care of.

      BTW: When looking at a channel estimation of a wifi channel and the access point is moved (or someone moves nearby), the changes are quite large. You could stop jamming for a random time after the access point has been ‘tampered’ with to make it just seem like bad reception that was fixed by moving the router a little bit.

    • TacticalNinja says:

      Then we’ll just have to crack that password every two weeks.

    • Bill Stewart says:

      If 90% of them are on Channel 11, that’s easy to work around :-) Go find a quieter channel. If your equipment will all do Channel 13 or 14 it’s usually pretty quiet over there. Otherwise, stick to the US channels, and use a signal strength monitor to find whether 1 or 6 has less total energy on it (which is different from “number of networks”, because distances also matter. I’ve had good luck with Android apps for signal strength.)

      Also, what’s your threat model for the security key? Other people have pointed out that WEP is useless if crackers actually want to get in and you should use WPA2, but do you care more about preventing unwanted guest users, or about eavesdropping on your connections? They’re independent problems – I’m fine having “guest” as the password for authentication, and if one of my neighbors wants to leech off my internet connection occasionally, that’s not a problem.

    • Drew says:

      You might want to change your username, dude. Using your callsign as your username means your full name and address are literally a google search away.

      By the way, how’s the weather down there in Dixie?

    • mcjagger says:

      What exactly is 90% of 15? How are there 13.5 networks on channel 11 in your neighborhood? U counting at&t DSL service as half a network or something? JW

  7. Morbidpete says:

    ONG burned so hard!!!!!!

  8. rasz says:

    Why not just connect wifi USB dongle to the phone? they all have usb hosts now.

  9. JohnLF says:

    Great! The one thing I could do with my Nokia N900 3 years ago that I haven’t been able to replicate on the GSII. Looking forward to its completion…

    • jaap says:

      I just bought a N900, it’s amazingly open. Nokia has a web-page explaining how to enable root access, the aircrack-ng ARM Debian package is in the default app-manager. (and for everything else, the gnu C complier runs fine on the phone itself)

  10. Notn4 says:

    For anyone wondering which other phones use those chips, the Galaxy Nexus uses the bcm4330 :) has a few GREAT teardowns of different phones where they usually investigate every chip on the board

  11. KG4MXV says:

    I am secure enough that I don’t have to hide.
    And anyone that has tried to test me has failed.

  12. lothardan says:

    n900 guys n900!!

    • TacticalNinja says:

      but that’s old caveman tech we have androids now :( sure it works (but I just can’t stand using the resistive touchscreen)

    • Isaac says:

      Yep. And it does it far better. Walsh/reaver/WPA bruteforce. Then you’ve got tools like ssl strip and YAMAS. N900 is still miles ahead of droid :P

      • Andre G says:

        Yes, Maemo is a tiny bit more advanced than Android for network penetration-testing. For about another month.

        By simply installing Complete Linux Installer (an Android app from the Play Store), one can grab Backtrack on any rooted device that supports a loop filesystem in the kernel (most ROMs do, including AOKP). Thus, wash, Reaver Pro, reaver-wps, aircrack-gui-m4, sslstrip, and many other tools are instantly available.

        Note that is also possible to run wash on a pcap file, so in theory even iOS supports detection of active WPS on reachable APs.

        Because Android is Linux, I find it silly to argue about this, but I do like the N900 and Maemo, especially the Cleven project. Perhaps a similar app can be ported to Android?

  13. Bill Stewart says:

    Doesn’t every modern phone have USB drive capability built into it by now? :-) (Well, anybody who’s following the micro-USB power cord standard, anyway.)

  14. Maave says:

    Sweet, more drivers. The G1 and G1 can do monitor and packet injection with the WL1251 chipset (same as the N900) but the Nexus One and the SII are much faster. I hope more stuff like this happens.

  15. alp says:

    Is that going to require custom ROMs to be installed or is it going to work fine with official firmware, too?

  16. visionxorb says:

    what about phones using qualcomm atheros chipsets since those usually have monitor mode in there pcie/usb chipsets.

  17. lugi34 says:

    thx men

  18. jox says:

    how do you install that cm build? what commands are used? (sorry for asking but i’m a noob), how well does it work? and is an apk out?

  19. PCpower says:

    Hi, this is my first time here and I love the thread, and even more love the site. I wanted to ask a purely noob question, so please don’t call me a moron, lol.
    I just wanted to know if the Samsung galaxy s2 must be rooted in order to bypass security on a WEP router signal.
    Not doing anything illegal, just sick of crappy 4g connection out here on the acreage and my parents won’t let me use their wifi.
    They think I’ll use up their data on a phone! So you see what I have to deal with?
    The only reason I don’t want to root my phone is because I have no experience and I don’t want to crash the OS or anything like that.

    Any ideas?

  20. janjan says:

    Real ?

  21. john says:

    Samsung galaxy tab 2 7.0 p3100 can use?

  22. THOMAS says:

    my phone wifi is connect but want to see my wifi password how its possible

  23. Joe says:

    Is not supported by the Galaxy S3 is it? cant make it work, getting error….

  24. praba says:

    can made the aditional device using through usb or data cable?

  25. nick12344356 says:

    You can easily hack into computers with this new and advanced app for android, just watch the video to find out how to get it.

  26. michael lark says:

    Hello everyone stop searching for wifi hacker because i have got it. I had bought a wifi hacker from famous hacking team with $100 secretly and now i am easily hacking wifi near my house in less than 2 min. The cost of this software is very high. But,you don’t need to be worry,i am providing you absolutely free. Just download it from below link and start hacking your neighbour wifi very easily.


  27. Fred says:

    Only a nearby-network of your Mobile it is able to crack

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 96,423 other followers