A rogue access point at RSA Conference? Here’s what happened

Ever since businesses began to offer Wi-Fi access to customers, experts have warned that open hotspots are not secure. Open Wi-Fi hotspots don’t ask a user for a password, so most of the data travelling between users’ devices and the access point(s) is not encrypted. Essentially, anyone connected to an open Wi-Fi hotspot could have their data intercepted by a lurking evil-doer connected to the same hotspot.


These are all things that we all know, right? And at RSA Conference, where the world’s best and brightest security experts gather to learn from each other, no one would just automatically connect to something that seems familiar, or would they?

This is what the WatchGuard team decided to test. We used a common method bad actors use to steal data: a rogue AP. There are a few kinds of rogue APs, but in this case we had an AP broadcasting a few common network names. We wanted to test our theory that users commonly choose to save the Wi-Fi network names they connect to and “automatically connect” the next time they are within range of the hotspot. Being the good guys, we set up our rogue AP so that it could do no harm to anyone, and we did not capture any personal information.

Rogue access point usage results

We managed to lure 2,456 show floor attendees’ Wi-Fi devices into connecting to our rogue AP, most likely without any human interaction. The client devices included a mix of smartphones, laptops, tablets, and smart watches, each broadcasting its make and model to our rogue AP. If we were the bad guys, we could have taken a number of actions: infiltrate these devices using known exploits, phish for login credentials or credit card data using bogus splash pages, or snoop for other sensitive data with man-in-the-middle attacks. However, being the good guys, all we did was offer them secure internet access through our UTM appliance.

Although we cannot disclose the Wi-Fi network names (SSIDs) we used, it is not hard to imagine which SSIDs we have all connected to at our local coffee shops and in public areas. Also interesting, and a bit surprising for a security-focused audience, is that the number one destination for these 2,456 devices was peer-to-peer file sharing.

Wi-Fi to the danger zone

The data at risk is vast and includes keystrokes, usernames, passwords, and credit card numbers; in short, anything entered on the connected device. Many websites have adopted HTTPS, which encrypts the traffic to and from the website, but even this traffic is not impervious to the prying eyes of someone equipped with Wi-Fi hacking tools. In fact, YouTube now offers more than 300,000 self-help videos teaching anyone with a smartphone and/or laptop how to hack a Wi-Fi network.

In this case, we really were good guys offering this open network and just letting people have free internet access. However, what could we have done if we had bad intentions? Once folks joined our open network, nothing would hold us back from using tools like:

  • Dsniff to capture and record any credential or piece of information from their unencrypted communications. This is the kind of tool that is used at events like DEF CON to show their “Wall of Sheep.”
  • SSLStrip to man-in-the-middle the SSL (aka HTTPS) traffic of any out-of-date client, and then sniff even their encrypted credentials.
  • Or automated tools like Karmetasploit, which not only make setting up these open rogue APs easy but also leverage Metasploit’s “Autopwn” functionality to automatically hack any vulnerable computer or device that connects, offering backdoor access to that machine. At that point the bad actor can literally do anything on the device that the victim user would be able to do.

Our experiment proved that setting up a rogue AP is easy, and tricking Wi-Fi devices into connecting to it is even easier. So, what can end users or businesses do to help protect against this obvious Wi-Fi security threat?

End user tips

1. Think twice about choosing “save Wi-Fi network” and “automatically reconnect” when joining Wi-Fi networks, especially open ones. Unless the network is at your home, office, or another secure and trusted location, we recommend not choosing these options; many clients have settings that make the device “ask” you before joining a wireless network.

2. When using an open Wi-Fi hotspot, check to see if the website is using encryption with HTTPS by looking near the address bar of your browser for either “HTTPS” or a padlock icon. Never input login credentials, credit card information, or other sensitive data on unencrypted sites.

3. For any other non-web network connections, be sure you use some form of encryption, such as a VPN connection. Be aware that many network protocols, like FTP, pass traffic in the clear. Without additional encryption, some neighbor could grab your passwords and files out of the air.

4. If you join open networks with traditional devices (laptops), make sure they have endpoint protection. On open networks, your neighbors can directly scan your devices. You’ll want a local firewall and at least some basic threat or malware protection to keep bad neighbors from directly hacking your device.
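Tip 1 is the one our experiment exercised: an open network that a device has saved with auto-connect enabled is exactly what a rogue AP broadcasting a familiar name takes advantage of. The audit below is an added example, not WatchGuard code or part of the original post. It parses saved Wi-Fi profiles in NetworkManager’s keyfile format (the `.nmconnection` files Linux desktops keep under `/etc/NetworkManager/system-connections/`) and reports the SSIDs that are both open and set to auto-join. The three profiles embedded in it are constructed samples; `parse_profile` and `risky_profiles` are names chosen here.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not real
# profiles from any device). A real audit would read the directory listed
# in the lead-in instead of this dict.
SAMPLE_PROFILES = {
    "HomeNet.nmconnection": """
[connection]
id=HomeNet
type=wifi
autoconnect=true

[wifi]
ssid=HomeNet
mode=infrastructure

[wifi-security]
key-mgmt=wpa-psk
psk=example-passphrase
""",
    "CoffeeShop_Free.nmconnection": """
[connection]
id=CoffeeShop_Free
type=wifi

[wifi]
ssid=CoffeeShop_Free
mode=infrastructure
""",
    "Airport_WiFi.nmconnection": """
[connection]
id=Airport_WiFi
type=wifi
autoconnect=false

[wifi]
ssid=Airport_WiFi
mode=infrastructure
""",
}


def parse_profile(text):
    """Return {ssid, autoconnect, open} for a Wi-Fi keyfile, or None if the
    profile is not a Wi-Fi connection."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    # NetworkManager treats a missing autoconnect key as "true", so the
    # CoffeeShop_Free profile above auto-joins even though it never says so.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    # No [wifi-security] section means the network has no encryption at all.
    is_open = not cp.has_section("wifi-security")
    return {
        "ssid": cp.get("wifi", "ssid", fallback=cp.get("connection", "id")),
        "autoconnect": autoconnect,
        "open": is_open,
    }


def risky_profiles(profiles):
    """SSIDs that are open AND auto-join: the combination a rogue AP
    broadcasting that name can exploit without any user interaction."""
    flagged = []
    for _name, text in profiles.items():
        info = parse_profile(text)
        if info and info["open"] and info["autoconnect"]:
            flagged.append(info["ssid"])
    return sorted(flagged)


if __name__ == "__main__":
    for ssid in risky_profiles(SAMPLE_PROFILES):
        print(f"open network saved with auto-connect: {ssid}")
```

On the constructed samples only `CoffeeShop_Free` is reported: `HomeNet` auto-joins but is WPA-protected, and `Airport_WiFi` is open but has `autoconnect=false`, which is the setting tip 1 recommends. The fix for a flagged profile is to set `autoconnect=false` (or delete the profile) so the device asks before joining.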

Tips for businesses offering Wi-Fi hotspots

1. If you host a guest network, it’s in your best interest to protect those customers and, more importantly, to keep foul play outside of your jurisdiction. Invest in solutions that offer intrusion prevention, malware detection, and application identification on your wireless network. These solutions keep bad stuff from coming in or out, and can allow you to block the most dangerous or seedy parts of the Internet. Choose Wi-Fi network infrastructure that supports rogue AP detection and alerting.

2. Work with a service provider and Wi-Fi equipment vendor that can advise you on security topics such as auditing, compliance (PCI if processing point of sale transactions), and reporting.

3. Use network segmentation to isolate the public hotspot traffic from the internal business network in order to keep your company data safe.
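Rogue AP detection, as recommended in tip 1 above, boils down to comparing what the radios around you are beaconing against what you know you deployed. The script below is an added example, not WatchGuard’s product logic or code from the original post. It runs over a constructed list of scan observations (the kind of SSID/BSSID/channel/security records a wireless sensor or site-survey tool produces) and raises three findings that match the experiment described in this post: a known SSID beaconed from a BSSID you did not deploy (an “evil twin”), a known SSID offered with weaker security than you configured, and an unknown radio advertising several familiar names at once. The allowlist, expected-security table, MAC addresses and the function name `detect_rogues` are all assumptions made up for this example.

```python
from collections import defaultdict

# Constructed allowlist of the organization's own access points:
# SSID -> set of BSSIDs (radio MACs) authorized to beacon it.
AUTHORIZED = {
    "Corp-Guest": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "Corp-Staff": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed record of how each of our SSIDs is supposed to be secured.
EXPECTED_SECURITY = {
    "Corp-Guest": "open",
    "Corp-Staff": "wpa2-eap",
}

# Constructed scan observations: (ssid, bssid, channel, security, signal_dbm).
SCAN = [
    ("Corp-Guest", "00:11:22:33:44:01", 6, "open", -45),
    ("Corp-Staff", "00:11:22:33:44:02", 36, "wpa2-eap", -50),
    # One unknown radio beaconing our names plus a generic public one:
    ("Corp-Guest", "de:ad:be:ef:00:01", 11, "open", -38),
    ("Corp-Staff", "de:ad:be:ef:00:01", 11, "open", -38),
    ("Free Airport WiFi", "de:ad:be:ef:00:01", 11, "open", -38),
    # An unrelated neighbor that should not be flagged:
    ("NeighborNet", "aa:bb:cc:dd:ee:ff", 1, "wpa2-psk", -80),
]


def detect_rogues(scan, authorized, expected_security, max_ssids_per_bssid=2):
    """Return (finding_type, ssid_or_ssids, bssid) tuples for suspicious beacons."""
    findings = []
    ssids_by_bssid = defaultdict(set)
    authorized_bssids = set().union(*authorized.values())

    for ssid, bssid, _channel, security, _signal in scan:
        ssids_by_bssid[bssid].add(ssid)
        # Our SSID coming from a radio we never deployed: classic evil twin.
        if ssid in authorized and bssid not in authorized[ssid]:
            findings.append(("evil_twin", ssid, bssid))
        # Our SSID offered with different (here: weaker) security than
        # configured, which is how a rogue lures clients without the key.
        if ssid in expected_security and security != expected_security[ssid]:
            findings.append(("security_downgrade", ssid, bssid))

    # A radio we don't own that beacons many names at once is the pattern
    # this post describes (one AP broadcasting a few common network names).
    for bssid, ssids in ssids_by_bssid.items():
        if bssid not in authorized_bssids and len(ssids) > max_ssids_per_bssid:
            findings.append(("multi_ssid_beacon", ",".join(sorted(ssids)), bssid))
    return findings


if __name__ == "__main__":
    for kind, ssid, bssid in detect_rogues(SCAN, AUTHORIZED, EXPECTED_SECURITY):
        print(f"ALERT {kind}: ssid={ssid} bssid={bssid}")
```

The `max_ssids_per_bssid` threshold exists because legitimate enterprise APs routinely beacon more than one SSID (guest and staff, as in the allowlist here), so the multi-SSID check is applied only to radios outside the allowlist. In a real deployment the scan records would come from the WLAN controller or a dedicated sensor, and the alerts would go to whatever monitoring the business already runs; the point of the example is the comparison logic, which is the same whichever product provides the data.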