Android Hack: Cracking WiFi passwords with your phone

The WiFi adapter in your laptop has a special mode – monitor mode – that can be used to listen in on WiFi traffic and, with a little patience, can be used to crack a WEP password. Surprisingly, this monitor mode can’t be found on any Android device due in part to the limitations of the hardware. A group of three researchers, [Ruby], [Yuval], and [Omri], decided to spend their vacation adding monitor mode to their Android smartphones, allowing for a much more portable version of WiFi pwnage tools.

The phones used by the researchers – the Nexus One and Galaxy S II – used Broadcom chipsets that didn’t support monitor mode. To get around this limitation and allow the OS to see full 802.11 frames the team needed to reverse engineer the firmware of this Broadcom radio chip.

The team has released a firmware update for the bcm4329 and bcm4330 chipsets found in the Nexus One and Galaxy S II. The update may work for other phones with the same chipset, but don’t take our word on that.

There’s still a lot of work [Ruby], [Yuval], and [Omri] need to do. They’d like to add packet injection to their firmware hack, and of course create an APK to get this into the wild more easily.

If you have experience with kernel development and would like to help out, send the team an email. The source can be found at google code  if you’d like to play around with it.

56 thoughts on “Android Hack: Cracking WiFi passwords with your phone

  1. Can I use it? I have bcm432x. Is it a kind of bcm4329?

    [48028.238084] =========== WLAN going back to live ========
    [48028.238701] bcm432x_sdcc_wlan_slot_status: 93 1
    [48029.126377] wlan0: Broadcom Dongle Host Driver mac=5c:xx:xx:xx:xx:xx
    [48040.612794] wlan0: no IPv6 routers present

  2. Good luck cracking my password I use all 64 characters and change it every 2 weeks. And that is not my only defense.
    In my neighborhood THere are so many wifi networks it is not funny. With just the pitiful antenna in my laptop I can pick up 15 nets and 90% of them are on cannel 11 . I use the 5ghz and have no problems. I am thinking of making a 1W 2.462ghz beacon to clear the congestion.

    1. If you’re so security-conscious, why are you using WEP instead of WPA (serious question, my understanding is that WEP is deprecated due to vulnerabilities that can be easily accessed on simple (e.g., cellphone) hardware).

    2. Maybe if you’re going to brag about violating FCC law and in general being a jerk (if you’re in the 5Ghz A/N band, why do you care who’s using 802.11b?), you shouldn’t do so with your ham license as your sig,

      –EDITED– do not post other people’s personal information. even if they are being jerks. –

    3. 1W CW or noise jammer on wifi channel has very limited jamming range. Think 20m.

      The ‘problem’ is that wifi detects if the channel is free by using energy detect (which you trigger with your jammer, but the threshold is quite high), wifi mostly relies on false carrier detect. A preamble is transmit before every wifi frame containing information about the following transmission (speed, modulation method, etc, it is always transmit at 1mbit/s btw).
      When the card can receive such a frame, it assumes the channel busy for the duration specified in a frame.

      Thus a jammer spamming these pre-headers (google PLCP header) would have a jamming range equal to its reception range, while still being invisible to 802.11 sniffers.

      This is a by far more dangerous attack against Wifi as for example a 1W jammer connected to a proper antenna would jam in a circle of more than 500m. Completely blocking the communication (as the cards voluntarily stop communicating since they think the channel is busy!) while being undetectable to trained ‘cisco enterprise wifi specialists’ and such. Detection with a spectrum analyser is obviously possible, but at least the signals looks like a legit wifi signal so it isn’t as obvious as broadcasting noise.

      Another more stealthy approach is to estimate the transfer function from you to the access point (which you can do, since it periodically broadcasts beacons and data). Simply interpolate the phase and amplitude of the pilot tones using fft interpolation. Since the access point and jammer don’t move the transfer function changes only a little due to the environment changing (which LMS will track without problems). Using a tracking filter such as LMS is optional, it will improve the transfer function estimate while the jammer is operating, making it work better against distant stations.

      Now whenever your jammer hears a packet from a client, it calculates the transfer function client->jammer in the same way as with the access point. Again a tracking filter may be used for better performance in bad SNR situations.
      The next step is calculating the inverse of the pilot tones sent by the client and transforming them with the inverse of the jammer->ap transfer fuction and the client->jammer TF. This will result in the AP receiving the OFDM frame with the pilot tones being zero, making demodulation impossible. You only transmit a very short time during the transmission of the client, just enough to corrupt the packet and you do so in an optimal way. This approach easily gets 15-20dB (especially against single antenna routers and clients) of processing gain. Rhis is because the pilot tones are used for equalising the channel, if the signal on these few frequencies is damaged, the other frequencies cannot be used. You do not even have to make the pilot tones zero, it is enough to make the demodulator channel estimation fail, you can remotely observe the amount of packets dropped and adjust your signal.

      You need a very fast digital spectrum analyser to see the extremely short jamming bursts (in a band already crowded with burst type signals), since your transmit signal only uses the theoretical least amount of power necessary to jam the current transmission (you will transmit less for a distant client, since you have actually estimated the channel between client and AP)

      You best leave beacons alone as not doing so will make the list of received networks empty and then the jamming is obvious. Also they are broadcast traffic so your jamming will be less optimal since the final signal will be a compromise made by combining a jamming signal for every AP->client TF.

      I think this type of jamming in a commercial environment would take a very long time to be found and taken care of.

      BTW: When looking at a channel estimation of a wifi channel and the access point is moved (or someone moves nearby), the changes are quite large. You could stop jamming for a random time after the access point has been ‘tampered’ with to make it just seem like bad reception that was fixed by moving the router a little bit.

    4. If 90% of them are on Channel 11, that’s easy to work around :-) Go find a quieter channel. If your equipment will all do Channel 13 or 14 it’s usually pretty quiet over there. Otherwise, stick to the US channels, and use a signal strength monitor to find whether 1 or 6 has less total energy on it (which is different from “number of networks”, because distances also matter. I’ve had good luck with Android apps for signal strength.)

      Also, what’s your threat model for the security key? Other people have pointed out that WEP is useless if crackers actually want to get in and you should use WPA2, but do you care more about preventing unwanted guest users, or about eavesdropping on your connections? They’re independent problems – I’m fine having “guest” as the password for authentication, and if one of my neighbors wants to leech off my internet connection occasionally, that’s not a problem.

    5. You might want to change your username, dude. Using your callsign as your username means your full name and address are literally a google search away.

      By the way, how’s the weather down there in Dixie?

    1. I just bought a N900, it’s amazingly open. Nokia has a web-page explaining how to enable root access, the aircrack-ng ARM Debian package is in the default app-manager. (and for everything else, the gnu C complier runs fine on the phone itself)

      1. Yes, Maemo is a tiny bit more advanced than Android for network penetration-testing. For about another month.

        By simply installing Complete Linux Installer (an Android app from the Play Store), one can grab Backtrack on any rooted device that supports a loop filesystem in the kernel (most ROMs do, including AOKP). Thus, wash, Reaver Pro, reaver-wps, aircrack-gui-m4, sslstrip, and many other tools are instantly available.

        Note that is also possible to run wash on a pcap file, so in theory even iOS supports detection of active WPS on reachable APs.

        Because Android is Linux, I find it silly to argue about this, but I do like the N900 and Maemo, especially the Cleven project. Perhaps a similar app can be ported to Android?

  3. Sweet, more drivers. The G1 and G1 can do monitor and packet injection with the WL1251 chipset (same as the N900) but the Nexus One and the SII are much faster. I hope more stuff like this happens.

  4. Hi, this is my first time here and I love the thread, and even more love the site. I wanted to ask a purely noob question, so please don’t call me a moron, lol.
    I just wanted to know if the Samsung galaxy s2 must be rooted in order to bypass security on a WEP router signal.
    Not doing anything illegal, just sick of crappy 4g connection out here on the acreage and my parents won’t let me use their wifi.
    They think I’ll use up their data on a phone! So you see what I have to deal with?
    The only reason I don’t want to root my phone is because I have no experience and I don’t want to crash the OS or anything like that.

    Any ideas?

  5. Hello everyone stop searching for wifi hacker because i have got it. I had bought a wifi hacker from famous hacking team with $100 secretly and now i am easily hacking wifi near my house in less than 2 min. The cost of this software is very high. But,you don’t need to be worry,i am providing you absolutely free. Just download it from below link and start hacking your neighbour wifi very easily.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s