By Ryan Orsi, Director Product Management, WatchGuard Technologies
We all know the use of Wi-Fi is pervasive because people crave a constant digital connection. So much so that they’ll spend the day jumping from free public hotspot to free public hotspot. As a matter of fact, Wi-Fi now accounts for 60 percent of all connections to the Internet, according to Cisco’s 2016 VNI report. The same report estimates there will be more than 540 million worldwide public Wi-Fi hotspots by 2021.
What people don’t often think about is that public Wi-Fi comes with a dark side: it’s ripe for exploitation by hackers. That’s right, hackers are hiding in the shadows waiting to spoof SSIDs and launch man-in-the-middle attacks in order to gain access to devices and steal sensitive information.
When we think about hacking, we tend to remember headline-grabbing incidents, for example Yahoo losing another billion user account identities, the Ashley Madison hack, or Russia tampering with the U.S. Presidential Election. These attacks are generally considered layer 7 attacks, which are easier to see in the application layer. But, Wi-Fi hacking occurs much lower in the stack, down at layer 2, or the data link layer.
Since they’re buried, they usually go unnoticed. (If you recall the OSI model is as follows: layer 1–physical, layer 2–data link, layer 3–network, layer 4–transport, layer 5–session, layer 6–presentation and layer 7–application.) But what’s the anatomy of these layer 2 hacks?
The most commonly used Wi-Fi attack is a man-in-the-middle (MiTM) attack. A hacker spoofs a Service Set Identifier (SSID), and a landing page if one exists, and tricks a user into connecting to it, for example at a coffee shop. Though the victim may think they’re logging into a secure page, they’re actually handing email and password information directly to the MiTM that’s perfectly mimicking the “Coffee Shop” splash page.
This is also known as an evil portal and is just one of the ways a MiTM can extract sensitive information from a victim. All Wi-Fi hacks stem from someone (or something) becoming the MiTM.
Another type of Wi-Fi attack is called a Karma attack. Dating back to 2005, the Karma attack runs code on an attacker’s access point (AP) and listens for beacon requests for connections like “Airline Wi-Fi” or “Coffee Shop.” It then begins broadcasting that SSID into the air, hoping a user’s device will associate with it.
Most devices automatically save past open SSIDs, so the next time the user is in range of the “Free Wi-Fi Coffee Shop” SSID, the device auto-connects without asking for permission. When Wi-Fi is left activated on a device, it sends out beacon frames into the environment looking to see if any saved SSIDs are in range.
A Karma attack reads these beacon frames and imitates the SSID a smart device is looking for, tricking it into connecting without requiring the user to press a button. Once that device is connected, attackers can monitor the traffic to and from the device, looking for sensitive information like passwords and credit card information, or direct the user to sites that load malware or even ransomware on the device.
(Pro tip: if you ever find that your phone is connecting to an SSID from some past connection, for example you’re in San Francisco but it’s connecting to one from a recent trip to Hong Kong, shut off your Wi-Fi: you could be in the presence of a hacker.)
Wi-Fi hacking with MiTM and Karma attacks historically has required serious domain knowledge and command-line skills. But today, a YouTube search for “Wi-Fi hack” generates more than 2.8 million hits, with “how-to” sitting atop the results. These tutorials can teach anyone with a spare weekend how to hack over Wi-Fi.
If searching YouTube wasn’t easy enough, there are also tools like Hak5’s Wi-Fi Pineapple that are readily available for purchase starting at $99 USD. They include an intuitive GUI, how-to videos, and a third-party module marketplace for powerful hacking tools. The Wi-Fi Pineapple does the job that hardcore Wi-Fi hackers used to do manually, and it makes MiTM’ing very simple. An attacker could have one in their backpack performing a Karma attack, listening for SSID beacon requests, adding those SSIDs to a list to broadcast through the AP radios and voilà! Victims start to connect.
Recently at the RSA conference, I broadcasted fake SSIDs for public Wi-Fi (for research purposes only) to see how many attendees would carelessly connect. We had more than 2,400 connections. Had we been hackers, we could have wreaked significant havoc on the users. Instead, we directed them to a splash page with security best practices. (Read the entire blog post about this research here.)
If a hacker really wants to get fancy, he/she could even break the connection between a legitimate AP broadcasting “Coffee Shop” and a client by spoofing the BSSID (the MAC address) of the AP and then using the Pineapple to flood the client with IEEE 802.11 deauthentication frames. This will tell the client that the AP no longer wants to play. The victim’s device then rescans for “Coffee Shop,” this time finding the Wi-Fi Pineapple ready and willing to accept the connection for a fake “Coffee Shop.”
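The Karma behaviour and the deauthentication flood described above are exactly what a wireless IDS sensor looks for from the defender’s side. The following is an added example, not code from this post or from WatchGuard: a small detector over constructed frame records that flags one radio answering probe requests (the client-side frames the post calls beacon requests) for many unrelated SSIDs, a known SSID advertised from an unauthorised BSSID (evil twin), and a burst of deauthentication frames. The frame records, MAC addresses, SSIDs and the KNOWN_APS survey table are placeholders; a real sensor would feed in parsed 802.11 management frames.

```python
from collections import defaultdict
# Constructed sample frames in the shape a wireless IDS sensor might log them:
# (timestamp seconds, frame type, transmitter MAC, SSID). All values are placeholders.
FRAMES = [
    (0.00, "beacon",     "aa:bb:cc:00:00:01", "Coffee Shop"),             # legitimate AP
    (0.05, "probe_resp", "aa:bb:cc:00:00:01", "Coffee Shop"),             # answers only its own SSID
    (0.10, "probe_resp", "de:ad:be:ef:00:01", "Airline Wi-Fi"),           # one radio answering
    (0.20, "probe_resp", "de:ad:be:ef:00:01", "Coffee Shop"),             # every SSID that
    (0.30, "probe_resp", "de:ad:be:ef:00:01", "Free Wi-Fi Coffee Shop"),  # clients ask for:
    (0.40, "probe_resp", "de:ad:be:ef:00:01", "Hotel Guest"),             # the Karma signature
]
# Burst of deauthentication frames whose sender field is the legitimate AP's BSSID.
FRAMES += [(1.0 + i * 0.04, "deauth", "aa:bb:cc:00:00:01", None) for i in range(12)]

# Authorised BSSIDs per SSID, as a site survey would record them (placeholder).
KNOWN_APS = {"Coffee Shop": {"aa:bb:cc:00:00:01"}}

def find_karma(frames, min_ssids=3):
    """Transmitters that answered probe requests for several unrelated SSIDs."""
    ssids = defaultdict(set)
    for _, ftype, tx, ssid in frames:
        if ftype == "probe_resp" and ssid:
            ssids[tx].add(ssid)
    return {tx: sorted(s) for tx, s in ssids.items() if len(s) >= min_ssids}

def find_evil_twins(frames, known):
    """A known SSID advertised from a BSSID that is not on the authorised list."""
    hits = set()
    for _, ftype, tx, ssid in frames:
        if ftype in ("beacon", "probe_resp") and ssid in known and tx not in known[ssid]:
            hits.add((ssid, tx))
    return sorted(hits)

def find_deauth_floods(frames, window=1.0, threshold=10):
    """Senders with >= threshold deauth frames in any sliding window of `window` seconds."""
    times = defaultdict(list)
    for ts, ftype, tx, _ in frames:
        if ftype == "deauth":
            times[tx].append(ts)
    flagged = {}
    for tx, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[tx] = max(flagged.get(tx, 0), end - start + 1)
    return flagged
```

Because the deauth sender field is whatever the attacker wrote into it, a flood hit names the BSSID being impersonated rather than the attacker’s radio; a legitimate AP rarely deauthenticates at that rate, so the count itself is the signal.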
As you can see, Wi-Fi hacking doesn’t have to be all that complicated, and easy-to-use graphical hacking tools are accessible to anyone willing to learn. Unfortunately, people are not even safe when browsing encrypted HTTPS websites. After MiTM’ing a victim, it’s very possible to intercept credentials for bank websites, email, shopping and more.
New, easy-to-use tools have resurrected an old tactic from 2014 called SSL Stripping. It tricks web browsers into bypassing HSTS (HTTP Strict Transport Security) policy and sends information to the MiTM over plain text.
The reality is that credential interception happens every day across Wi-Fi networks around the world. It offers one of the highest rewards versus risk payouts for cybercriminals, and these “little” hacks could have huge implications on the threat landscape. Consider this: if a senior executive has his or her Gmail password intercepted while sipping a cappuccino and accessing email on public “café” Wi-Fi, it’s not likely he or she knows they’ve been hacked. But, this information could be used to gain access for a larger hack or breach. That’s why Wi-Fi hacking is so scary.
If these attacks are so prevalent, why isn’t the industry doing more to prevent them? First, the victims often don’t know they’ve been hacked. The public puts blind trust in these public networks, which is surprising considering users can be handed off from their carrier’s network to a public network without knowing it.
Second, it’s really hard to trace these types of attacks due to the MiTM and the fact that it’s over a public network. And third, AP vendors haven’t traditionally had a good solution for the problem, so they’re not working to raise awareness.
If using public Wi-Fi exposes the public to a variety of security risks, and the MiTM attack is the root of most Wi-Fi evil, what’s the solution? VPNs (Virtual Private Networks) can make connecting safer, but not everyone knows how to use a VPN and it relies on the end-user taking action.
Passwords on SSIDs can also help, but the four-way WPA2 handshake is easily decrypted in minutes by GPU accelerators or other resources on the dark web.
What’s the answer?
In part two of this series titled “Defending Your Airspace,” I’ll explain how organizations can use the latest technology to provide secure public Wi-Fi and take the end-user out of the “security equation.” In the meantime, be diligent when at the local mall or coffee shop.
About The Author
Ryan Orsi is Director of Product Management at WatchGuard, a global leader in network security, providing products and services to more than 75,000 customers worldwide. Ryan leads the Secure Wi-Fi solutions for WatchGuard. He has experience bringing disruptive wireless products to the WLAN, IoT, medical, and consumer wearable markets. As VP Business Development in the RF industry, he led sales and business development teams worldwide to success in direct and channel environments. He holds MBA and Electrical Engineering Degrees and is a named inventor on 19 patents and applications.
Ryan can be reached online at @RyanOrsi and at our company website www.watchguard.com/wifi