WiFi Still Remains a Good Attack Vector

Published: 2016-10-11. Last Updated: 2016-10-12 06:56:12 UTC
by Xavier Mertens (Version: 1)

WiFi networks are everywhere! When we plan to visit a place or book a hotel for our holidays, we always check first whether free WiFi is available (be honest, you do!). Once we have connected our beloved devices to an external wireless network, they will keep trying to connect to it forever, or until you clean up the list of known networks. As a small test, I checked a friend's computer and found 87 saved wireless networks:

You can see that the default behaviour is to remember all the networks. Your devices may not only connect to dangerous networks but also disclose interesting information about you. A long time ago, I wrote a script to collect the SSIDs broadcast by wireless devices present in the neighbourhood[1]. The amount of detail you can learn about people close to you is just crazy: where they work, where they went on holiday, whether they go to the hospital, etc.

October is security awareness month, and it's a good time to remind you why unknown wireless networks remain dangerous. Last week, I gave a demo during a corporate event about the cyber security landscape and was authorized to deploy a rogue wireless access point for security awareness purposes. The setup was simple:

  • A Pineapple[2]
  • One laptop running Dofler[3]

Dofler is a "dashboard of fail" or "wall of sheep" used mainly at security conferences (I use it at BruCON) to raise attendees' security awareness. Its main feature is to extract, on the fly, the pictures present in the web traffic generated by users:

As you can imagine, many people fell into the trap and their smartphones connected to my rogue AP. An interesting finding: a smart watch connected to the honeypot even though the paired smartphone had wireless disabled! The demo was not too invasive: no SSL MitM was performed and I only collected some pictures live from the network flows. No impact for the users, except maybe for the one who was caught playing Minecraft during the presentations.

However, things may go wrong, and more evil actions may be performed against the victims. Yesterday, we received a message from one of our readers, Siddhu Yetheendra[4], who implemented the same kind of attack as the one demonstrated by Mubix[5] a few weeks ago. Using USB-sized computer devices, he found a way to steal users' credentials from a locked Windows computer. The principle remains the same, but via a rogue wireless access point: the Responder[6] tool poisons the network and collects credential hashes (NTLM responses). While many computers are vulnerable to this attack, there are fortunately some limitations. The victim computer:

  • must be a corporate device joined to a Windows domain
  • must be running Windows 7+
  • must have the option 'Connect automatically' enabled

Note that the vulnerability has been fixed by Microsoft (MS16-112[7]).
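A client-side detection check a defender can run from a laptop that has just joined a wireless network, as an added example that is not part of the diary and not code from the Responder project: it sends an LLMNR query for a name that cannot exist on any legitimate network and treats any answer as evidence that something on the local segment is answering for arbitrary names, which is the poisoning behaviour described above. The canary name format, the 2-second timeout and the function name are assumptions of this example; the LLMNR multicast address 224.0.0.252 and UDP port 5355 are the protocol's standard values.

```powershell
# Added example, not from the diary or the Responder project: a "canary" LLMNR query.
# A healthy segment never answers a query for a name that does not exist; a poisoner does.
function Test-LlmnrPoisoner {
    param(
        # Assumption: a random label that no real host will ever carry.
        [string]$Name = ('canary-' + [guid]::NewGuid().ToString('N').Substring(0, 8)),
        [int]$TimeoutMs = 2000
    )

    # Build a minimal LLMNR query (same wire format as a DNS query):
    # transaction id, flags 0x0000, QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0.
    $id = Get-Random -Maximum 65535
    $packet = New-Object System.Collections.Generic.List[byte]
    $packet.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $packet.Add([byte]$lb.Length)
        $packet.AddRange($lb)
    }
    $packet.AddRange([byte[]]@(0, 0, 1, 0, 1))   # end of name, QTYPE A, QCLASS IN

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $group = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse('224.0.0.252')), 5355
    $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any), 0
    try {
        [void]$udp.Send($packet.ToArray(), $packet.Count, $group)
        # Receive() throws on timeout; a timeout is the healthy outcome here.
        $reply = $udp.Receive([ref]$from)
        [pscustomobject]@{
            Responder   = $from.Address.ToString()
            QueriedName = $Name
            ReplyBytes  = $reply.Length
        }
    }
    catch {
        $null   # no answer for a nonexistent name: nothing is poisoning LLMNR right now
    }
    finally {
        $udp.Close()
    }
}

$hit = Test-LlmnrPoisoner
if ($hit) {
    Write-Warning ("LLMNR answer for nonexistent name '{0}' from {1}: possible poisoner" -f $hit.QueriedName, $hit.Responder)
} else {
    Write-Host 'No LLMNR poisoner detected on this segment.'
}
```

Run it a few times rather than once, since a poisoner only answers queries it sees; a single answer from any address for a random name is already a strong signal, because no legitimate host owns that name. Disabling LLMNR and NetBIOS name resolution on corporate clients removes the query that the poisoner feeds on in the first place, which is the durable fix alongside the MS16-112 patch the diary mentions.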

Basically, only "open" networks will work, because computers will always try to transparently reconnect to "known" networks. Corporate wireless networks are not affected. But the risk comes, as always, from the end user. How do you prevent them from connecting to the local Starbucks network while drinking their morning coffee?

To mitigate this attack, the classic advice is: patch your systems (MS16-112 was released in September), do not use the "connect automatically" feature, and do not use wireless networks in public areas. Stay safe!
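The check a defender would want to run against the advice above, as an added example that is not part of the diary: a PowerShell script that lists the Wi-Fi profiles saved on a Windows machine (the list that ran to 87 entries on the friend's computer mentioned earlier), reports the combination the attack needs, an open network with "Connect automatically" enabled, and optionally switches those profiles to manual connection. It relies only on the built-in netsh wlan commands and assumes English-language netsh output; the script name Audit-WlanProfiles.ps1 and the -Fix switch are assumptions of this example.

```powershell
# Added example, not part of the diary: audit saved Wi-Fi profiles for the risky
# combination the diary describes (an open network that Windows will rejoin on its own).
# Uses only the built-in "netsh wlan" commands; assumes English netsh output.
# Usage:  .\Audit-WlanProfiles.ps1          # report only
#         .\Audit-WlanProfiles.ps1 -Fix     # also set those profiles to "Connect manually"
[CmdletBinding()]
param(
    [switch]$Fix
)

function Get-WlanProfileNames {
    # "netsh wlan show profiles" prints one line per saved network, e.g.
    #     All User Profile     : CoffeeShop-Free
    $names = @()
    foreach ($line in (netsh wlan show profiles)) {
        if ($line -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') {
            $names += $Matches[2]
        }
    }
    return $names
}

function Get-WlanProfileInfo {
    param([string]$Name)
    # "netsh wlan show profile name=<X>" contains, among other lines:
    #     Connection mode        : Connect automatically   (or "Connect manually")
    #     Authentication         : Open                    (or WPA2-Personal, ...)
    $mode = 'unknown'
    $auth = 'unknown'
    foreach ($line in (netsh wlan show profile name="$Name")) {
        if ($line -match '^\s*Connection mode\s*:\s*(.+?)\s*$') { $mode = $Matches[1] }
        elseif ($line -match '^\s*Authentication\s*:\s*(.+?)\s*$') { $auth = $Matches[1] }
    }
    [pscustomobject]@{
        Name           = $Name
        ConnectionMode = $mode
        Authentication = $auth
        # The attack needs both: no authentication and an unattended reconnect.
        Risky          = ($auth -eq 'Open' -and $mode -match 'automatically')
    }
}

$profiles = @(Get-WlanProfileNames | ForEach-Object { Get-WlanProfileInfo -Name $_ })
Write-Host ("{0} saved wireless profile(s)" -f $profiles.Count)

$risky = @($profiles | Where-Object { $_.Risky })
if ($risky.Count -eq 0) {
    Write-Host 'No open networks are set to connect automatically.'
    return
}

Write-Warning 'Open networks that this machine will rejoin automatically:'
$risky | Select-Object Name, ConnectionMode, Authentication | Format-Table -AutoSize

if ($Fix) {
    foreach ($p in $risky) {
        # Keep the profile but stop Windows from reconnecting to it unattended.
        netsh wlan set profileparameter name="$($p.Name)" connectionmode=manual | Out-Null
        # To forget the network altogether instead:
        #   netsh wlan delete profile name="$($p.Name)"
        Write-Host ("Set '{0}' to connect manually" -f $p.Name)
    }
}
```

Changing "All User" profiles needs an elevated prompt; "Current User" profiles can be fixed as the logged-on user. In a domain, the same setting can be pushed centrally through the wireless network policy under Computer Configuration, which is the scalable version of the "do not use connect automatically" advice.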

[1] https://blog.rootshell.be/2012/01/12/show-me-your-ssids-ill-tell-who-you-are/
[2] https://www.wifipineapple.com/
[3] https://github.com/SteveMcGrath/DoFler
[4] https://zone13.io/post/Snagging-credentials-over-WiFi-Part1/
[5] https://room362.com/post/2016/snagging-creds-from-locked-machines/
[6] https://github.com/SpiderLabs/Responder
[7] https://technet.microsoft.com/en-us/library/security/ms16-112.aspx?f=255&MSPPError=-2147217396

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

Comments

"...do not use wireless networks in public areas. Stay safe!"

Given that real life is some balance between security and function, is this really practical or just security-speak? Rule #1, don't make rules folks can't follow. Maybe a better rule is to make sure the wifi network you are connecting to is in context - don't connect to "Hilton Wifi" in a Starbucks and make sure you use HTTPS (be observant of warnings) to connect if you are logging in or viewing anything even remotely sensitive.

I am a huge fan of airodump, and yes you can tell a lot about what is going on around you with it, and trust this, I have heard of a lot of this access point spoofing, at places like Walmart, Home Depot, etc. etc., all the big box retailers that have the same AP name. I myself ALWAYS, I mean ALWAYS DELETE DELETE DELETE every network connection that isn't to my own personal AP.

I observe that rule: I never connect my laptop to public Wifi.

"I observe that rule: I never connect my laptop to public Wifi."

I think all individuals involved in security practice better IT hygiene than the general population. Obviously different for every business, but I'm interested in the policies you are able to put in place and the overall costs of the various solutions necessary to enforce them.

[quote=comment#38019]"...do not use wireless networks in public areas. Stay safe!"

Given that real life is some balance between security and function, is this really practical or just security-speak? Rule #1, don't make rules folks can't follow. Maybe a better rule is to make sure the wifi network you are connecting to is in context - don't connect to "Hilton Wifi" in a Starbucks and make sure you use HTTPS (be observant of warnings) to connect if you are logging in or viewing anything even remotely sensitive.[/quote]

True, but also more and more people can avoid wireless and keep using their 3G/4G connectivity. Prices are decreasing and monthly quotas are growing. Personally, I don't lose my time searching for wireless networks, I just use a connection via my mobile phone.

Avoiding public wifi networks sometimes is not avoidable; for me, when I'm inside a Walmart or Lowe's, or any other giant store, and I want to use their store's app, a lot of times my device won't be able to see any 3G/4G or it is incredibly slow. Still, outside of that, yes, I never ever connect to public wifi, but I am about to take a trip and will be in a hotel, and this is making me contemplate using their wifi.

Why isn't a VPN a reasonable compensating control?
I realize most VPNs are really a MitM since they effectively only work between the laptop/smartphone and the VPN provider. But they do encrypt the traffic that the wifi hotspot sniffer could see. Am I being overly naive?

The current situation is much like RFC 7435 states: "Opportunistic Security: Some Protection Most of the Time".

The world would be a safer place if the WiFi standard would impose that access points authenticate themselves using a digital certificate (provided that the asymmetric key pair is unique and generated using a cryptographically secure random number generator).

A self-signed certificate would at least imply that you have TOFU (Trust On First Use), while a label on the device showing the certificate's (or public key's) fingerprint would make things more secure; this would be fine for home users.

Owners of public WiFi access points could replace the self-signed certificate by a commercial one, confirming their identity.

[quote=comment#38019]"...do not use wireless networks in public areas. Stay safe!"

Given that real life is some balance between security and function, is this really practical or just security-speak? Rule #1, don't make rules folks can't follow. Maybe a better rule is to make sure the wifi network you are connecting to is in context - don't connect to "Hilton Wifi" in a Starbucks and make sure you use HTTPS (be observant of warnings) to connect if you are logging in or viewing anything even remotely sensitive.[/quote]

I respectfully disagree with this reply and agree with the advice of not connecting to public WiFi. Given that you can use pretty much any smartphone as a personal hotspot, I highly recommend doing so as opposed to using the public WiFi that is set up and run by the local coffee house that is really only interested in getting advertising money from the ads that are displayed.

[quote=comment#38033]Why isn't a VPN a reasonable compensating control?
I realize most VPNs are really a MitM since they effectively only work between the laptop/smartphone and the VPN provider. But they do encrypt the traffic that the wifi hotspot sniffer could see. Am I being overly naive?[/quote]

Yes it's true all VPNs encrypt the traffic but your laptop/smart phone is still connected to a possible hostile network. Don't just think internet traffic/browsing, think what could someone do to my laptop/smart phone while I am connected.

If you are going to use public WiFi (and yes, I have done this from time to time) at least make sure you are not doing really sensitive stuff and absolutely make sure your laptop has its firewall on and configured to block any and all inbound connections.
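One way to verify the firewall advice in the comment above, as an added example that is not from the commenter or the diary: a PowerShell script that checks that the Windows "Public" firewall profile is enabled and blocks unsolicited inbound connections, and that every active Wi-Fi connection is actually categorised as Public so that this profile applies to it. It uses the built-in NetSecurity and NetConnection cmdlets (Windows 8 / Server 2012 and later); the -Enforce switch and the interface-alias pattern used to pick out wireless adapters are assumptions of this example.

```powershell
# Added example, not from the diary or the comments: check that Wi-Fi connections on a
# Windows laptop get the "Public" firewall posture the comment above recommends.
# Requires Windows 8 / Server 2012 or later; run from an elevated prompt to use -Enforce.
[CmdletBinding()]
param(
    [switch]$Enforce
)

function Test-PublicFirewallPosture {
    # The Public profile is the rule set applied to networks categorised as Public.
    $fw = Get-NetFirewallProfile -Name Public
    $enabled = ($fw.Enabled -eq 'True')
    $blocks  = ([string]$fw.DefaultInboundAction -eq 'Block')
    [pscustomobject]@{
        Enabled              = $enabled
        DefaultInboundAction = [string]$fw.DefaultInboundAction
        Ok                   = ($enabled -and $blocks)
    }
}

function Get-MiscategorisedWifi {
    # A Wi-Fi connection marked Private (or DomainAuthenticated) gets the looser
    # profile, so the Public rules would not protect it on a hotspot.
    # Assumption: the alias pattern; adjust it to how your adapters are named.
    Get-NetConnectionProfile |
        Where-Object {
            ($_.InterfaceAlias -like 'Wi-Fi*' -or $_.InterfaceAlias -like 'Wireless*') -and
            $_.NetworkCategory -ne 'Public'
        }
}

$posture = Test-PublicFirewallPosture
Write-Host 'Public firewall profile:'
$posture | Format-List

$wrong = @(Get-MiscategorisedWifi)
if ($wrong.Count -gt 0) {
    Write-Warning 'Active Wi-Fi connections not categorised as Public:'
    $wrong | Select-Object Name, InterfaceAlias, NetworkCategory | Format-Table -AutoSize
}

if ($Enforce) {
    if (-not $posture.Ok) {
        # Turn the profile on and default to dropping anything unsolicited.
        Set-NetFirewallProfile -Name Public -Enabled True -DefaultInboundAction Block
    }
    foreach ($c in $wrong) {
        # DomainAuthenticated is decided by the domain join; only re-categorise Private ones.
        if ($c.NetworkCategory -eq 'Private') {
            Set-NetConnectionProfile -InterfaceIndex $c.InterfaceIndex -NetworkCategory Public
        }
    }
}
```

The category check matters as much as the profile check: Windows asks once whether a new network is "home/work" or "public", and a user who clicked the wrong answer at a hotel gets the Private rule set, with file and printer sharing exposed, on every later visit to that SSID.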
