WLAN Security - Beware of (Unknown) Wi-Fi Hotspots

  • Security
  • Published Jan 3, 2012 Updated Jan 2, 2012

In its issue 1/2012 German c’t magazine published an article about security in Wi-Fi networks. The authors describe how very easy it is to gain access to other people’s accounts and passwords in a world where travelers happily connect to any wireless network they can get hold of. This is a short summary of the original article, intended to highlight the dangers.

The attacks described here are made possible by the following:

  • For reasons of ease of use, public Wi-Fi networks often do not use encryption, e.g. WPA2. Data is literally flowing through the air completely unprotected.
  • Even in encrypted networks communication between individual computers is often not disabled, making ARP spoofing attacks possible.
  • The WLAN standards do not include any functionality to authenticate an access point. Wireless networks are identified by name only which makes it trivial to set up a fake “Telekom” network, for example.

Attack #1: Information Sniffing

NetworkMiner uses the capture driver WinPcap (known from Wireshark) to extract data from a (wireless) network. It fully automatically stores all images, other files, cookies, usernames and passwords:

NetworkMiner

Setting up this attack is more than trivial: download and install WinPcap and NetworkMiner. Join any public wireless network. Run NetworkMiner and wait.

Attack #2: Account Hijacking

DroidSheep works similarly to Firesheep but runs inconspicuously on a smartphone. It captures session cookies from most sites and injects them in the attacker’s browser, making identity theft a matter of a single tap on a touchscreen.

Setting up this attack is easy: root your Android phone, install DroidSheep, join any public wireless network and run DroidSheep. As soon as another user on the network accesses a website requiring authentication, you are “in”. You can use that site with the other guy’s account, read messages, post status updates or steal the account by changing e-mail address and password.

Attack #3: Honeypot

An even easier way for capturing other people’s data than connecting to the Wi-Fi they use is to make them connect to you. To set this up, enable the mobile hotspot functionality of your Android phone and choose a name used by a popular hotspot provider. In Germany that could be “Telekom”. Then install a network packet capturing tool like “Shark for Root” which is tcpdump with a simple UI. That is all.

Other smartphones which have connected to the network called “Telekom” in the past will connect to your access point automatically. All internet traffic of those devices will be routed through your phone. Unencrypted data can easily be extracted from the captured traffic afterwards.

Remedy

Unfortunately, there is no real remedy as long as the WLAN standards lack significant security features like access point authentication. Here is what you can do today:

  • Use UMTS (3G) instead of Wi-Fi.
  • Only use known secure Wi-Fi networks, e.g. at home and at work.
  • If you operate a Wi-Fi network, prohibit communication between endpoints.
  • Create a guest Wi-Fi network which is separated from the internal production network.
  • Use SSL/TLS encryption wherever possible. Unfortunately, many websites switch to unencrypted HTTP after the login making account hijacking by cookie theft trivial. Even worse, with smartphone apps there is practically no way to determine whether they communicate securely or not.

c’t explicitly does not recommend to use a VPN with a smartphone because the combination simply is not safe: after a temporary connectivity loss the internet connection via WLAN or 3G is restored automatically, but the VPN connection is not.

Account HijackingDroidSheepHotspotNetworkNetworkMinerSecuritySniffingWi-FiWLAN

Comments

Related Posts

How Forcing Password Changes Actually Weakens Security

How Forcing Password Changes Actually Weakens Security
When was the last time you got that not too friendly message stating that your password has expired and asking you to change it? Probably only a few weeks ago, and just as sure as day follows night, it is going to appear again only too soon. At least that is the typical user’s point of view. Security conscious administrators see this differently: they seem to think that passwords become weaker over time, like human beings growing old, and therefore force a rejuvenation process every couple of weeks. But is that really necessary? I do not think so.
Security

Latest Posts

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration
After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.
Website