
Yea, this ^. This attack approach is interesting but any company that's serious about security needs to realize that anything opened up on wifi is a big hole - this used to be more amusingly exploited by war-driving, just driving around a neighborhood looking for someone with an open network that spills out into the street so you could download the latest episode of friends.

I don't work in this sort of security and it seems terrifying, the social engineering side is especially crazy.




This seems to be more self-aggrandizement than something new. Like several have said, you can buy an off-the-shelf cell phone and do this with some code. This attack is only on wifi, and most companies don't place confidential or enterprise systems on wifi. Yes there are exceptions, but just pulling up to the side of a building would probably give you the same access to their wifi.

If you really want to be scared about wifi, using airbase I can spoof your probes into thinking you're at home/work/school and your device will just automatically connect to me.

Let's say you go to Starbucks and I've got my honeypot running, you will automatically connect to my laptop and I'll just spoof your probes into thinking I'm your network. While connected to my smartphone or even Starbucks wifi I can see everything you do in clear text, spoof ssl, and then with driftnet see all the images you look at, and use ettercap to steal your sessions if need be.

And the best part, if I show up and Starbucks is already full of people I'd like to play with, I can just deauthenticate them all for a moment, and when I turn off the kill switch they all connect to me. None the wiser.

Wifi security is a misnomer.

Here is an example I made in 2008.

https://www.youtube.com/watch?v=Wx5vGfxBanI
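
A defender-side view of the two behaviours described in the comment above (one access point answering probes for many network names, and a burst of deauthentication frames), as an added example that is not part of the original comment. The frame records, MAC addresses, SSIDs and thresholds are constructed assumptions, and the checks are heuristics rather than proof of an attack.

```python
from collections import defaultdict

# Constructed sample capture: (time_s, frame_type, bssid, ssid, dest_mac).
FRAMES = [
    (0.0, "probe_resp", "02:00:00:aa:aa:01", "CoffeeShop", "02:00:00:00:00:10"),
    (0.4, "probe_resp", "02:00:00:ee:ee:99", "HomeNet-Alice", "02:00:00:00:00:10"),
    (0.5, "probe_resp", "02:00:00:ee:ee:99", "Corp-WLAN", "02:00:00:00:00:11"),
    (0.9, "probe_resp", "02:00:00:ee:ee:99", "School-Guest", "02:00:00:00:00:12"),
    (30.0, "deauth", "02:00:00:bb:bb:02", None, "02:00:00:00:00:13"),
] + [
    # Six deauth frames in 0.25 s carrying the coffee shop AP's BSSID.
    (2.0 + i * 0.05, "deauth", "02:00:00:aa:aa:01", None, f"02:00:00:00:00:{10 + i}")
    for i in range(6)
]


def multi_ssid_bssids(frames, min_ssids=3):
    """Return {bssid: [ssids]} for BSSIDs answering probes for many SSIDs.

    A normal AP answers for the network name(s) it is configured with; one
    BSSID claiming several unrelated names is worth an alert.
    """
    seen = defaultdict(set)
    for _t, ftype, bssid, ssid, _dst in frames:
        if ftype == "probe_resp" and ssid:
            seen[bssid].add(ssid)
    return {b: sorted(s) for b, s in seen.items() if len(s) >= min_ssids}


def deauth_bursts(frames, window_s=1.0, min_count=5):
    """Return BSSIDs named as sender of >= min_count deauths within window_s."""
    times = defaultdict(list)
    for t, ftype, bssid, _ssid, _dst in frames:
        if ftype == "deauth":
            times[bssid].append(t)
    flagged = []
    for bssid, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            # Slide the window start forward until it spans <= window_s.
            while ts[end] - ts[start] > window_s:
                start += 1
            if end - start + 1 >= min_count:
                flagged.append(bssid)
                break
    return sorted(flagged)
```

A deauth burst followed shortly by a new BSSID answering for many SSIDs is a stronger signal than either check alone.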


Not to mention that with open unencrypted WiFi any attacker can do things like this anyway.

Not a good idea considering the security and privacy of open WiFi.

In a spot where I lived where there were 20+ networks visible, there was one very strong open network (they were obviously using a substantial antenna or two) that was around for more than two years. It was quite popular - you could routinely see a dozen or so clients connected in the evening. Connecting to that network would often yield an OS fingerprint scan + occasional attempts to exploit vulnerable services. Traffic going over router also very obviously was having its AdSense traffic replaced. God only knows what else they were doing. Since it's on their network, it's very likely a lot of that wouldn't even be illegal.

I certainly wouldn't go around encouraging people to connect to random wifi networks. It's a different world out there than it was 5 or 10 years ago.


The problem is that someone setting up a public wifi (in a restaurant for example) will be vulnerable to sniffing attacks (if they don't know what they're doing).

Isn't this a well known and old attack? There are even devices that can automate this, I think Pineapple WiFi. I'm surprised that a security researcher has not already heard of it.

This attack doesn't expose the Wi-Fi network key, so I assume it doesn't let you join the network, just sniff the traffic of the targeted user (and also, in some cases, forge/inject packets).

If it uses WiFi, it might just provide a foothold for an intruder to your protected network.

Here is one moral use.

Don't do any mitm or forwarding, but just sit with the CEO or CIO with one in his office for a few minutes, and show him how his iPhone is suddenly connected to his home network.

Then you can explain all the implications of this. Including that this is a readily available device for low cost. And that this particular attack has been known and documented since 2004.

It would seem unlikely that manufacturers of devices relying on WiFi are unaware of this. Run a bar across their cages to get this fixed.


Doesn't sound like a great security strategy. What happens the day some neighbor makes their Wi-Fi public?

Except the attack doesn't get you access to their wireless network. It allows you to redirect someone from their wireless network to your own (spoofed) wireless network and then you can snoop the traffic.

I would call behavioural heuristics of WiFi ‘attacks’ dubious at best. Knowing the specific software the attacker is using has minimal/no value in actually fixing the issue either.

Even worse, from what I've observed, such networks are often not secure even against a trivial ARP spoof attack, so anyone connecting to the coffee shop Wi-Fi could mount this attack.

As far as I understood, this attack vector has nothing to do with using public wifi.

They're known to connect to unprotected WiFi automatically, there's almost no escape.

It’s not only about privacy, it’s also about the ability for shady public wifi endpoints to inject ads or malware.

That's a smart security model. No idea how they got in (maybe session stealing in a public WiFi?) But just doing the same problematic thing again.

Excuse my ignorance, but why is that a problem? Presumably, whoever is snooping on said broadcasts doesn't know how to find "my_awesome_wifi", do they? Would the attack be "harvest SSIDs from Starbucks and then drive around the neighborhood until you find the house it belongs to"?