2022-02-16

A recent experiment by MyBroadband, which ran Pwnagotchi software on a Raspberry Pi Zero, revealed that numerous businesses have vulnerable Wi-Fi networks.

Pwnagotchi is a software project that uses reinforcement learning to train the platform to get better at its life goal: collecting more Wi-Fi Protected Access (WPA) handshakes.

A WPA handshake happens between a device and a router when the device connects to a Wi-Fi network protected with the WPA security standards.

These handshakes are easily sniffed by a device monitoring the network and can be used to perform attacks to recover the Wi-Fi passcode.

It is important to note that these handshakes are not very useful on their own, and recovering a Wi-Fi passcode requires a lot of processing power and time.

The Pwnagotchi captures the crackable data passively when a nearby device connects to a network while it is listening, and uses two different strategies to try to capture more of it:

Deauthentication attacks: The Pwnagotchi kicks a client off the network, forcing it to reconnect and produce a handshake that can be captured.

PMKID attack: The Pwnagotchi associates with the Wi-Fi network, and some vulnerable routers reply with a PMKID, which can be cracked using a method similar to the one used for handshakes.

These attacks are generally not noticeable to the victims. The worst typical symptom is a random connection drop for a few seconds as your device must reconnect to the network.
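On the air, the deauthentication attack described above shows up as a burst of 802.11 deauthentication management frames carrying the network's BSSID. The following Python is an added example, not code from the article or from the Pwnagotchi project: it parses the standard 24-byte management-frame header, keeps only deauth frames (type 0, subtype 12) and flags a BSSID that sends more than a threshold of them inside a sliding window. The MAC addresses, timestamps, window and threshold are constructed for the demo; real input would come from a monitor-mode capture.

```python
import struct
from collections import defaultdict, deque

DEAUTH = (0, 12)   # 802.11 frame type 0 (management), subtype 12 (deauthentication)
WINDOW = 10.0      # sliding window in seconds (assumed tuning value)
THRESHOLD = 5      # more than this many deauths per BSSID in a window is flagged


def parse_mgmt_frame(raw: bytes) -> dict:
    """Parse the 24-byte 802.11 header; add the reason code for deauth frames."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", raw[:24])
    frame = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
             "dst": a1.hex(":"), "src": a2.hex(":"), "bssid": a3.hex(":")}
    if (frame["type"], frame["subtype"]) == DEAUTH and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]
    return frame


def build_frame(fc: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Constructed sample frame for the demo (fc is the little-endian Frame Control word)."""
    return struct.pack("<HH6s6s6sH", fc, 0, dst, src, bssid, 0) + body


def detect_deauth_floods(capture):
    """capture: iterable of (timestamp, raw_frame). Returns {bssid: time_first_flagged}."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if (f["type"], f["subtype"]) != DEAUTH:
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > WINDOW:      # drop deauths older than the window
            q.popleft()
        if len(q) > THRESHOLD and f["bssid"] not in alerts:
            alerts[f["bssid"]] = ts
    return alerts


# Constructed capture: a beacon, one benign deauth from AP2, then a burst of
# broadcast deauths carrying AP1's BSSID (what a deauth attack looks like on air).
AP1, AP2 = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
CLIENT, BCAST = bytes.fromhex("02112233aa55"), b"\xff" * 6
SAMPLE_CAPTURE = [
    (0.0, build_frame(0x0080, BCAST, AP1, AP1)),                         # beacon: ignored
    (1.0, build_frame(0x00C0, CLIENT, AP2, AP2, struct.pack("<H", 3))),  # single deauth
] + [(100.0 + i * 0.2, build_frame(0x00C0, BCAST, AP1, AP1, struct.pack("<H", 7)))
     for i in range(8)]

if __name__ == "__main__":
    print(detect_deauth_floods(SAMPLE_CAPTURE))   # {'02:aa:bb:cc:dd:01': 101.0}
```

The benign single deauth from AP2 never reaches the threshold, so only AP1's burst is reported, at the timestamp of the sixth frame.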

Although the captured data is stored on the Pwnagotchi, the device is not meant to be used as a hacking tool but rather as a tool for learning about network security.

A Pwnagotchi is very easy to set up.

The software is written to a Micro SD card, and some starting parameters are set in the “config.toml” file.

This card is inserted into a Raspberry Pi Zero W, and it is left to boot and perform the rest of the setup itself.

The device can run without any human intervention, but it is recommended to either add a screen or connect it to a smartphone to see the status and the fun expressive face.

We used a smartphone with a Bluetooth connection and left it in an office block for a few hours. There were many Wi-Fi networks in this location, with many devices connected and switching between networks.

Depending on where in the world you find yourself, it may not be legal to collect this data from other parties.

MyBroadband gained consent before running these tests to ensure we do not get into trouble.

The experiment started slowly, capturing only a few data points. It then accelerated as it had time to optimise its running parameters for the surrounding Wi-Fi networks.

After a few on and off cycles, totalling around 2 hours for testing, it had captured 24 usable data points.

When we left it on for an hour after this, it captured another 14, keeping our Pwnagotchi very happy.

While most Wi-Fi networks are vulnerable to this attack, you can keep your Wi-Fi secure using a long and complicated password.

These complex passwords are challenging to crack, limiting the value of the WPA handshake data.

Another option is to upgrade to WPA2-Enterprise or WPA3 protection, which would stop this kind of attack.