Wireless connectivity is something that we may take for granted nowadays, with most of us owning at least one portable device which requires internet connectivity.
We use laptops, mobile phones and tablets in our personal lives, as well as our professional ones. But there are some dangers that are associated with having such convenience.
Wireless connectivity can be an easy target for hackers depending on its configuration and can ultimately lead to eavesdropping on your communications, harvesting your credentials, or in some situations, a total compromise of your device.
In this post I will be detailing a scenario in which an attacker could act against an unsuspecting individual whilst using a public hotspot, either in a personal or corporate context. This could happen to you in your personal life, or within your company using your company’s assets. This is the first in a series of posts focusing on the different types of wireless attacks.
Setting the scene
Imagine the scenario: you come across your favourite coffee shop and decide to take a break. You sit there sipping your preferred coffee whilst catching up on some work using your corporate laptop. You’re connected to the internet, reading your email and browsing various websites. You didn’t need to connect to the establishment’s Wi-Fi as you’ve connected before and your device has remembered the details, or so you think.
This time is different; this time you’re directly connected to a hacker’s device.
Hackers can utilise software, or even purpose-built devices (see the Hak5 Wi-Fi Pineapple), to create a rogue access point, which is what has been used in this scenario.
When your device has connected to Wi-Fi hotspots in the past, by default it has saved those details in order to connect to the same network again when it’s nearby, solely for your convenience.
Think of your device calling out: “Hey home Wi-Fi, are you there?”. When you’re at home your home Wi-Fi responds with: “Hey laptop I’m here, let’s connect!”
What an attacker does with their device is create an access point using the configuration of whichever Wi-Fi hotspot they want to target; in this case, your favourite coffee shop. The attacker creates a rogue access point using the same Wi-Fi name (for example “coffee shop free Wi-Fi”) and the same device details, such as MAC address and channel. They then use a technique whereby they disconnect you from the legitimate hotspot and onto theirs. This is called a deauthentication attack.
So, when your device now shouts out: “Hey coffee shop, are you there?”, the rogue access point responds with: “Hey laptop, I’m here! Let’s connect! (Evil Grin)”.
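The two signals described above (a known SSID suddenly advertised by a second BSSID or by the known BSSID on a different channel, and a burst of deauthentication frames) are exactly what a wireless intrusion detection sensor looks for. The following is an added example, not code from the original post: it runs those checks over constructed sniffer records; the SSID, BSSIDs, channels and thresholds are hypothetical.

```python
# Added example (not the original post's code): flag evil-twin APs and
# deauthentication bursts in constructed sniffer records.
from collections import defaultdict

# Constructed baseline for the legitimate hotspot (hypothetical BSSID/channel).
KNOWN_APS = {"CoffeeShop Free Wi-Fi": {"bssid": "aa:bb:cc:dd:ee:01", "channel": 6}}

# Constructed sniffer output: (frame_type, ssid, bssid, channel, time_seconds).
OBSERVATIONS = [
    ("beacon", "CoffeeShop Free Wi-Fi", "aa:bb:cc:dd:ee:01", 6, 0.0),   # genuine AP
    ("beacon", "CoffeeShop Free Wi-Fi", "aa:bb:cc:dd:ee:01", 11, 0.1),  # cloned MAC, other channel
    ("beacon", "CoffeeShop Free Wi-Fi", "aa:bb:cc:dd:ee:99", 6, 0.2),   # same SSID, second BSSID
    ("beacon", "NeighbourNet", "12:34:56:78:9a:bc", 1, 0.3),            # unrelated network
] + [("deauth", None, "aa:bb:cc:dd:ee:01", 6, 1.0 + i * 0.01) for i in range(40)]

def find_evil_twins(observations, known=KNOWN_APS):
    """Flag known SSIDs advertised by an unexpected BSSID or on an unexpected channel."""
    seen = defaultdict(set)                      # ssid -> {(bssid, channel)}
    for ftype, ssid, bssid, chan, _ in observations:
        if ftype == "beacon" and ssid:
            seen[ssid].add((bssid, chan))
    alerts = []
    for ssid, pairs in seen.items():
        legit = known.get(ssid)
        if legit is None:
            continue                             # no baseline for this SSID
        for bssid, chan in pairs:
            if bssid != legit["bssid"]:
                alerts.append(f"{ssid}: extra BSSID {bssid} on ch {chan}")
            elif chan != legit["channel"]:
                alerts.append(f"{ssid}: known BSSID {bssid} on unexpected ch {chan}")
    return sorted(alerts)

def find_deauth_bursts(observations, window=1.0, threshold=20):
    """Return {bssid: peak count} for senders exceeding `threshold` deauth frames in any `window` s."""
    times = defaultdict(list)
    for ftype, _, bssid, _, ts in observations:
        if ftype == "deauth":
            times[bssid].append(ts)
    flagged = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start = 0                                # sliding window over sorted timestamps
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), end - start + 1)
    return flagged
```

Calling find_evil_twins(OBSERVATIONS) reports both the second BSSID and the cloned MAC on channel 11, and find_deauth_bursts(OBSERVATIONS) reports the 40-frame deauth burst from the cloned address; a legitimate AP sends only a handful of deauth frames over the same period.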
Understanding man-in-the-middle (MiTM) attacks
You’re now connected directly to the attacker’s device, where several attacks can happen. The first thing to be aware of is where the attacker is situated. Because your traffic passes through the rogue device, and from there through the attacker’s system to the internet, the attacker is now the man-in-the-middle (MiTM).
“The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication” – OWASP
The attacker can now capture any data which you send over that connection. For instance, should you send any unencrypted data, such as usernames and passwords, it would be easy for the attacker to harvest them.
Beware of rogue landing pages and captive portals
The second attack which may happen is that the attacker sets up a fake Wi-Fi landing page or captive portal. [Image: an example of a landing page used at a McDonald’s in the US]
Most landing pages require various pieces of information, such as the following:
- Email address
- Social media account details
- Access codes
The attacker can create any page that matches the scenario in which the rogue access point is being used; again, in this case, a coffee shop. The attacker creates a malicious landing page/captive portal with the branding of the coffee shop and asks you to log in using your various credentials, so you opt for your Google account as it’s easiest for you.
You hit connect and, voilà, you’re now surfing the internet, none the wiser that the credentials you just entered into the portal have been sent to the attacker.
What can I do about this?
There are several things you can do to mitigate such an attack. Firstly, configure your devices so that they do not automatically connect to known Wi-Fi hotspots. Secondly, use a trusted VPN provider to tunnel your data over an encrypted connection.
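The first mitigation, switching off automatic connection for every saved hotspot, is easy to forget once a few networks have been remembered. As an added example (not the original post's code), the script below does it for a Linux laptop managed by NetworkManager; it assumes the nmcli tool is present, and without --apply it only parses a constructed listing and prints the commands it would run.

```python
# Added example (not the original post's code): turn off auto-connect for every
# saved Wi-Fi profile. Assumes a Linux host with NetworkManager's nmcli.
import subprocess
import sys

# Constructed sample of `nmcli -t -f NAME,TYPE connection show`; terse mode
# escapes ':' inside names as '\:'.
SAMPLE_LIST = """CoffeeShop Free Wi-Fi:802-11-wireless
Wired connection 1:802-3-ethernet
Home\\:5GHz:802-11-wireless
"""

def wifi_profiles(terse_output):
    """Return the names of the Wi-Fi connections in nmcli's terse listing."""
    names = []
    for line in terse_output.splitlines():
        if ":" not in line:
            continue
        name, ctype = line.rsplit(":", 1)     # the TYPE field never contains ':'
        if ctype == "802-11-wireless":
            names.append(name.replace("\\:", ":"))
    return names

def autoconnect_off_commands(names):
    """Build the nmcli invocations that stop each profile from joining automatically."""
    # Windows equivalent, per profile: netsh wlan set profileparameter name="<profile>" connectionmode=manual
    return [["nmcli", "connection", "modify", n, "connection.autoconnect", "no"]
            for n in names]

def harden(apply=False):
    """List Wi-Fi profiles, print the commands, and run them only when apply=True."""
    if apply:
        listing = subprocess.run(["nmcli", "-t", "-f", "NAME,TYPE", "connection", "show"],
                                 capture_output=True, text=True, check=True).stdout
    else:
        listing = SAMPLE_LIST                 # dry run on the constructed sample
    cmds = autoconnect_off_commands(wifi_profiles(listing))
    for cmd in cmds:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)   # arguments passed as a list, no shell quoting issues
    return cmds

if __name__ == "__main__":
    harden(apply="--apply" in sys.argv)
```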
Bridewell’s penetration testers are experts in the field of wireless security, researching new wireless attacks and simulating them in our own attack labs. We can run a series of scenarios that range from trying to compromise your wireless access points, through to simple configuration reviews. This is certainly worth considering, especially in smaller, less mature businesses where Wi-Fi is often connected directly into the network where key systems and data may reside.
If you would like advice on how to protect your employees and corporate assets from such attacks whilst using publicly available Wi-Fi, get in touch with our team of experts at: https://www.bridewellconsulting.com/penetration-testing
Written by James Smith – Principal Security Consultant and Head of Penetration Testing Services