iot device transmits plaintext wifi password & essid
#1
So I found out that my "smart" lights actually transmit the set Wi-Fi password & ESSID
when said access point is out of range (off).
Looking at the hcxpcapngtool outputs, I immediately spotted the old access point details.


How common is that? Do you guys stumble on this a lot?
I believe these lights have Espressif 8266 Wi-Fi chips. Are they all vulnerable?

Did hcxdumptool do something impressive? And how do I find out?
I'm quite new to this; does it make sense to have a look in the capture file and check if it's there in plaintext?
(That would be with Wireshark, I think?)

Sorry for all the questions; Google seems especially unhelpful when it is about Wi-Fi security.
When I type in anything in combination with IoT devices, I only get the standard run-of-the-mill news articles.
#2
Well, you could do some research yourself by trying to change your password and ESSID, try hiding your SSID/ESSID and see what happens when you sniff again.

What kind of "smart" lights are we talking about?
#3
Detecting a weak point is precisely the purpose for which the tools (hcxdumptool, the hcxlabtool series and hcxtools) were developed.
Regardless of whether the target is an ACCESS POINT or a CLIENT (and regardless of whether they are connected to each other or not), hcxdumptool (hcxlabtool series) retrieves all available information from it, and hcxpcapngtool converts this information to a format accepted by hashcat or JtR.
More information is here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Information about the PMKID attack vector is here:
https://hashcat.net/forum/thread-7717.html

A nice example is here:
https://github.com/evilsocket/pwnagotchi...-598597214

In addition to that RKG (https://github.com/routerkeygen) and hcxpsktool calculate some more (default) weak passwords which are based directly on the target.
Both tools are based on deep analysis of wpa-sec (https://wpa-sec.stanev.org) submissions.

The entire development history (start from the point when Atom persuaded me to go open source, like hashcat) is here:
https://hashcat.net/forum/thread-6661.html

BTW:
I fully agree, tshark and Wireshark should be the first choice to analyze dumped, unfiltered(!) traffic.
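As an added, stand-alone illustration of the self-check discussed in this thread (not code from the posts or from the hcxtools project): a minimal pcapng walker that reports every captured frame in which your own ESSID or passphrase appears verbatim. The sample capture, the ESSID `HomeNet` and the passphrase are constructed here for demonstration; hcxdumptool writes pcapng, so the same walker can be pointed at a real dump.

```python
import struct
import sys

# Constructed sample credentials; replace with the ones configured on the device under test.
ESSID = b"HomeNet"
PASSPHRASE = b"correct horse battery"

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types

def _block(btype, body):
    # pcapng block layout: type, total length, body padded to 4 bytes, total length again
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _epb(payload):
    # Enhanced Packet Block: interface id, ts high, ts low, captured len, original len, data
    return _block(EPB, struct.pack("<IIIII", 0, 0, 0, len(payload), len(payload)) + payload)

def build_sample_pcapng():
    """Constructed three-frame capture: SSID in a beacon-like frame, an unrelated data
    frame, and one frame carrying SSID and passphrase in the clear (the thing to look for)."""
    shb_body = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)
    idb_body = struct.pack("<HHI", 105, 0, 65535)  # link type 105 = IEEE 802.11
    frames = [
        b"\x80\x00" + b"\0" * 22 + b"\x00\x07" + ESSID,                  # simplified beacon header + SSID IE
        b"\x08\x42" + b"\0" * 22 + b"encrypted-looking-bytes",            # data frame, nothing sensitive
        b"\x08\x02" + b"\0" * 22 + b"cfg:" + ESSID + b":" + PASSPHRASE,   # plaintext credential leak
    ]
    return _block(SHB, shb_body) + _block(IDB, idb_body) + b"".join(_epb(f) for f in frames)

def iter_packets(data):
    """Yield the captured bytes of every Enhanced Packet Block; other block types are skipped."""
    off = 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or off + total > len(data):
            raise ValueError("corrupt block length at offset %d" % off)
        if btype == EPB:
            cap_len = struct.unpack_from("<I", data, off + 20)[0]
            yield data[off + 28:off + 28 + cap_len]
        off += total

def find_plaintext(data, secrets):
    """Return (packet index, secret name, byte offset) for each verbatim occurrence.
    An ESSID hit on its own is expected (beacons and probe requests carry it in the clear);
    a passphrase hit is the finding."""
    hits = []
    for idx, pkt in enumerate(iter_packets(data)):
        for name, value in secrets.items():
            if value in pkt:
                hits.append((idx, name, pkt.find(value)))
    return hits

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcapng()
    for hit in find_plaintext(raw, {"essid": ESSID, "psk": PASSPHRASE}):
        print("packet %d: %s found at offset %d" % hit)
```

Run it with a pcapng path as the argument to scan a real capture; without arguments it scans the constructed sample.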