TRY HARDER: A Blog About Discovery
Author: Brennan Turner @BLTSEC
[Security Awareness Training] “Free” WiFi
Scenario: An attacker has placed a rogue access point in a heavily populated area on campus where many students, faculty, and staff congregate every day. The attacker has created a WiFi network named “BasicACU” in order to entice unsuspecting users. The network is not password protected, but it does prompt the user to enter their ACU account credentials in a captive portal window. Once the user enters a set of credentials, the captive portal displays a “success” message and the user is then able to browse the internet. The attacker cloned the http://www.acu.edu homepage and included words and images that would assure the user that the portal should be trusted. The harvested credentials are written to a text file that is uploaded to the attacker’s server hosted on the internet for later use.
Disclaimer: This is a test environment, and some of the methods below shouldn’t be used in a production environment without proper authorization and documentation. Use these techniques responsibly and ethically, and always test every flag, switch, command, and exploit in your own test environment prior to running it in a customer’s environment. In this scenario, the malicious network was created off-campus, and the iPhone shown in the video below was the only MAC address whitelisted and allowed to connect to the network.
Engage: Now watch as an unsuspecting user connects to the open wireless access point and submits their credentials. Once the user enters credentials they have access to the internet and are never prompted with the captive portal again. This is a very effective social engineering attack because the behavior it asks for is exactly what users are used to when connecting to open wireless networks in other environments such as restaurants, coffee shops, and airports.
Exploit: This type of attack exploits human nature and behavior: as consumers we like “free” and tend to compromise our standards and expectations as long as we receive something in return. When a user is prompted with the captive portal to submit their credentials in order to have free internet access, the user understands that something may be required in order to receive this “free” gift. Entering credentials to proceed usually doesn’t carry the same weight as having to provide payment for a service. This is why the attack is so effective, especially coupled with the location of the fake access point. The screenshot below shows the attacker’s server as he views the text file that contains credentials submitted through the malicious captive portal. Another reason this attack is effective is that once the access point is configured and running, no further attacker intervention is needed for the attack to succeed. The attacker can simply check back at a later time and view the results.
Escalate: One can probably imagine what other types of malicious campaigns an attacker could orchestrate once a user is connected to an “evil” network. Attacks even more covert than this one become possible, such as sniffing network traffic, profiling internet browsing history, redirecting DNS traffic, and uploading malware to a user’s system. Wireless network names can even be spoofed and broadcast based on networks a device has connected to in the past; this essentially creates an “Evil Twin” network that clients would be enticed to connect to given their familiarity with the name. I will be covering many of these topics in future Security Awareness Training (SAT) blog posts and will link to them from this post.
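The defender’s side of the “Evil Twin” problem is spotting the extra radio. The script below is an added example, not code from this post: it compares a wireless scan against an inventory of the access points the organisation actually operates and flags (a) an unknown BSSID broadcasting a managed SSID, (b) a known BSSID advertising the wrong security mode, and (c) an unmanaged SSID that borrows the organisation’s name the way “BasicACU” does. The inventory, the brand token “acu”, the SSIDs “ACU-Secure” and “ACU-Guest”, and the CSV scan lines are all constructed for the example; a real run would feed it an export from a wireless scanner or WIDS converted to the same `bssid,ssid,channel,security` layout.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory for a hypothetical campus network (not a real ACU list).
# Maps each managed SSID to the BSSIDs allowed to broadcast it and the security
# mode it must use.
AUTHORIZED = {
    "ACU-Secure": {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
                   "security": "WPA2-ENTERPRISE"},
    "ACU-Guest": {"bssids": {"00:11:22:aa:bb:03"}, "security": "OPEN"},
}

# Organisation name fragments; any unmanaged SSID containing one is a lookalike.
BRAND_TOKENS = ("acu",)

# Constructed scan output in the shape bssid,ssid,channel,security.
SCAN_CSV = """bssid,ssid,channel,security
00:11:22:aa:bb:01,ACU-Secure,36,WPA2-Enterprise
00:11:22:aa:bb:03,ACU-Guest,6,OPEN
de:ad:be:ef:00:01,BasicACU,6,OPEN
de:ad:be:ef:00:02,ACU-Secure,11,OPEN
aa:bb:cc:dd:ee:ff,CoffeeShop,1,WPA2-PSK
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    reason: str


def _normalize(ssid: str) -> str:
    """Lowercase and strip punctuation so 'Basic-ACU' and 'basic acu' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def classify(row: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious beacon, or None for an expected one."""
    bssid = row["bssid"].strip().lower()
    ssid = row["ssid"].strip()
    security = row["security"].strip().upper()

    if ssid in AUTHORIZED:
        expected = AUTHORIZED[ssid]
        # Someone else broadcasting a managed SSID is the "Evil Twin" case.
        if bssid not in expected["bssids"]:
            return Finding(bssid, ssid, "evil twin: unknown BSSID broadcasting managed SSID")
        # A known radio with the wrong security mode points to misconfiguration
        # or spoofed beacons carrying a cloned BSSID.
        if security != expected["security"]:
            return Finding(bssid, ssid,
                           f"security mismatch: expected {expected['security']}, saw {security}")
        return None

    # Unmanaged SSID that borrows the organisation's name (e.g. "BasicACU").
    if any(token in _normalize(ssid) for token in BRAND_TOKENS):
        reason = "lookalike SSID using organisation name"
        if security == "OPEN":
            reason += ", open network"
        return Finding(bssid, ssid, reason)
    return None


def find_rogues(scan_csv: str) -> list:
    """Run classify() over every scan row and collect the findings in order."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        finding = classify(row)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_rogues(SCAN_CSV):
        print(f"{f.bssid}  {f.ssid!r:14} {f.reason}")
```

On the constructed scan this reports two findings: the open “BasicACU” lookalike and an unknown radio broadcasting “ACU-Secure” without encryption. The brand-token match is deliberately loose (any SSID containing “acu” after normalisation) because an attacker picks the name, so a strict list of expected SSIDs would never match the rogue one; tune the tokens to the names your users actually recognise.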
Mitigations: The most obvious way to completely mitigate the risk associated with this type of attack is to never connect to an open wireless access point. This is hard to do in some cases and isn’t always practical. An important point is that it doesn’t matter which network you’re connected to (cellular, business, VPN, etc.); someone owns your network traffic, and any of those entities can view it, so you are never “completely” safe from spying eyes. However, here are a few good tips that will usually apply in all situations:
- Only submit credentials over trusted channels that implement HTTPS (SSL/TLS)
- Use your company’s VPN to tunnel your traffic through their network
- Report or inquire about questionable access points or behavior
- Turn off network and bluetooth sharing on your device
- Turn off WiFi when you’re not using it
- Keep your device updated and patched
- Enable your host firewall
- Use two-factor authentication for everything
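The first tip, submitting credentials only over trusted HTTPS channels, has a catch worth making concrete: a rogue portal can present a perfectly valid certificate for its own domain, so the padlock alone says nothing about whether the page belongs to your organisation. What matters is the scheme and the real hostname. The check below is an added example, not code from this post or from ACU; it takes the URL of a page asking for credentials and accepts it only when it is HTTPS, is not a bare IP, carries no deceptive `user@` prefix, and sits inside a trusted domain at a label boundary (so `acu.edu.example.net` and `notacu.edu` are rejected). The trusted domain `acu.edu` and the sample URLs are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed list of domains the organisation actually uses for sign-in.
# The page hostname must equal one of these or be a subdomain of one.
TRUSTED_DOMAINS = ("acu.edu",)


def _is_subdomain_of(host: str, domain: str) -> bool:
    """True for 'login.acu.edu' vs 'acu.edu'; False for 'notacu.edu' or 'acu.edu.example.net'."""
    return host == domain or host.endswith("." + domain)


def check_login_url(url: str, trusted_domains=TRUSTED_DOMAINS):
    """Return (ok, reason). ok is True only when it is reasonable to type credentials here."""
    parts = urlparse(url)

    # Plain HTTP, or any other scheme, fails before the hostname is even looked at.
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"

    host = (parts.hostname or "").rstrip(".")  # urlparse lowercases the host; drop a trailing dot
    if not host:
        return False, "no hostname"

    # Captive portals frequently live on a bare IP; a real sign-in page never does.
    try:
        ipaddress.ip_address(host)
        return False, "hostname is an IP address"
    except ValueError:
        pass

    # A URL like https://www.acu.edu@captive.example/ shows the trusted name first
    # but connects to captive.example; urlparse exposes the prefix as username.
    if parts.username is not None:
        return False, "URL carries a userinfo prefix (possible spoofing)"

    for domain in trusted_domains:
        if _is_subdomain_of(host, domain):
            return True, f"{host} is within {domain}"
    return False, f"{host} is not a trusted sign-in domain"


if __name__ == "__main__":
    # Constructed sample URLs, one per condition the check covers.
    for sample in (
        "https://login.acu.edu/portal",
        "http://login.acu.edu/portal",
        "https://www.acu.edu.example.net/login",
        "https://www.acu.edu@captive.example/login",
        "https://notacu.edu",
        "https://10.0.0.1/login",
    ):
        ok, reason = check_login_url(sample)
        print(f"{'OK  ' if ok else 'STOP'} {sample}: {reason}")
```

The same rule is what a help desk can teach users to apply by eye: read the address bar from the right, find the organisation’s domain immediately before the first slash, and treat anything else as a reason to stop, no matter how closely the page copies the real homepage.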
One final recommendation is to purchase a VPN if your company doesn’t provide one. There typically isn’t a legitimate VPN service or company that is free, and I recommend staying away from any that you find. Many of those “free” services will monitor your traffic and possibly sell the data collected. For privacy reasons I will not name the one I use, but I will direct you to a site that ranks VPN services by various criteria. If you have any questions I’ll be happy to help out in any way I can.