By Lucian Constantin
Nov. 11, 2016
In a perfect example of how public wireless networks can be dangerous for privacy and security, an Israeli hacker showed that he could have taken over the free Wi-Fi network of an entire city.
On his way home from work one day, Amihai Neiderman, the head of research at Israeli cybersecurity firm Equus Technologies, spotted a wireless hotspot that he hadn't seen before. What made it unusual was that it was in an area with no buildings.
It turned out that the hotspot he saw, advertised as "FREE_TLV," was part of the citywide free Wi-Fi network set up by the local administration of Tel Aviv, Israel. This made Neiderman wonder: How secure is it?
For the next few weeks, finding a way to compromise this network became a side project to do in his free time. First he connected to the network through one of the access points spread around the city and checked what his new IP (Internet Protocol) address was. This is usually the public address assigned to the router through which all Wi-Fi clients access the internet.
He then disconnected and scanned that IP address from the internet for open ports. He found that the device was serving a web-based login interface over port 443 (HTTPS).
This interface displayed the manufacturer's name -- Peplink -- but not other information about the device type or model. An analysis of the web interface didn't reveal any basic vulnerabilities either, such as SQL injection, default or weak log-in credentials or authentication bypass flaws.
He realized that a more thorough analysis of the device's actual firmware was required. Identifying the device and finding the exact firmware to download from the manufacturer's website was not easy, because Peplink creates and sells many types of networking devices for various industries. However, he eventually pinned it down to firmware version 5 for Peplink's Balance 380 high-end load balancing router.
The firmware used basic XOR-based encryption to make it harder for third-parties to reverse-engineer the firmware's file system, but this was relatively easy to bypass. Once everything was unpacked and loaded into an emulator, Neiderman was able to access the CGI (Common Gateway Interface) scripts that made up the router's web interface.
It didn't take long until the researcher found a buffer overflow vulnerability in the CGI script that handled the log-out process. The flaw could be exploited by sending a very long session cookie to the script and successful exploitation resulted in arbitrary code execution and full control over the device.
Neiderman presented his findings and reverse-engineering efforts Thursday at the DefCamp security conference in Bucharest, Romania. He declined to say whether he actually tested his exploit on the live Peplink Balance routers used to operate Tel Aviv's free Wi-Fi network, because that could land him in legal trouble.