Results of the rogue Access Point experiment at RSA Conference 2017
The security of open Wi-Fi hotspots has been a subject of great concern for years. But, would you believe that we were overwhelmingly successful using Wi-Fi attacks dating back twelve years on the RSA Conference show floor in San Francisco? Either we are really good at getting lucky with old tools, or there is a serious Wi-Fi security pandemic out there.
To be clear, our Wi-Fi attacks were totally benign to the audience. Last year, at RSA Conference 2016, we performed a similar experiment: broadcasting eight globally common SSID names from our rogue access point (AP) on the show floor and calculating the number of Wi-Fi clients that automatically connected to them. 2,456 clients were tricked into connecting to our rogue AP in 2016.
Experiment setup
At RSA Conference 2017, we modified our experiment to include the same eight SSIDs broadcasting on our rogue AP and added a new tool: the Pineapple Tetra by Hak5. We also utilized WatchGuard’s AP320 configured as a dedicated Wireless Intrusion Prevention System (WIPS) sensor and Wi-Fi Cloud platform to collect analytics about the foot traffic around our booth.
The Tetra was configured as our instrument for a Karma attack, a technique that dates to 2005. Karma listens for the 802.11 probe requests that nearby phones, laptops and wearables send into the air: a client that remembers a network transmits a probe request, often naming that SSID, to find out whether the network is in range, which is how your devices re-connect automatically to previously joined SSIDs. A full Karma attack answers those probes by broadcasting whatever SSIDs the clients are asking for, tricking them into connecting so that the attacker becomes a man-in-the-middle (MiTM). In our setup we did not broadcast any SSID the Tetra sniffed from the air, and we did not allow any client device to associate to the Tetra.
The results
Anecdotally, we tricked 2,043 more clients into connecting to our rogue AP than last year. Our WIPS sensor showed that 8,206 unique Wi-Fi clients dwelled around our booth for at least a minute or two. The Tetra captured probe requests from those visitors, yielding 8,653 unique SSIDs. Lastly, using the same eight common SSIDs as last year, we tricked 4,499 Wi-Fi clients into connecting to our rogue AP, which harmlessly served them speedy Internet while their owners enjoyed live demos.
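The passive half of the Karma setup described above, and the unique-client / unique-SSID tally reported here, as an added example (this is not Hak5's Pineapple code or WatchGuard's, and the frames are constructed inline to stand in for a monitor-mode capture; a real capture would also carry a radiotap header and FCS, which this parser does not handle):

```python
import struct
from collections import defaultdict

# 802.11 frame-control constants used below
FC_TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_BEACON = 8
IE_SSID = 0
IE_SUPPORTED_RATES = 1
MGMT_HEADER_LEN = 24  # FC(2) + duration(2) + addr1(6) + addr2(6) + addr3(6) + seq ctrl(2)

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_mgmt_frame(subtype: int, src: bytes, ies: bytes, seq: int = 0) -> bytes:
    """Build a bare 802.11 management frame (no radiotap header, no FCS). Constructed for this demo."""
    fc = bytes([(subtype << 4) | (FC_TYPE_MGMT << 2), 0x00])
    broadcast = b"\xff" * 6
    header = fc + b"\x00\x00" + broadcast + src + broadcast + struct.pack("<H", seq << 4)
    return header + ies

def ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value

def build_probe_request(client_mac: bytes, ssid: str) -> bytes:
    """A directed probe (ssid != "") names a remembered network; an empty SSID IE is a wildcard probe."""
    body = ie(IE_SSID, ssid.encode()) + ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
    return build_mgmt_frame(SUBTYPE_PROBE_REQ, client_mac, body)

def parse_ies(body: bytes):
    """Walk the tag/length/value list; stop cleanly on a truncated element."""
    out, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            break
        out.append((tag, value))
        i += 2 + length
    return out

def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid) for a probe request, or None for any other frame."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != FC_TYPE_MGMT or (fc0 >> 4) & 0xF != SUBTYPE_PROBE_REQ:
        return None
    src = frame[10:16]                      # addr2 is the transmitter, i.e. the client
    ssids = [v for t, v in parse_ies(frame[MGMT_HEADER_LEN:]) if t == IE_SSID]
    ssid = ssids[0].decode("utf-8", "replace") if ssids else ""
    return mac_str(src), ssid

def karma_listen(frames):
    """Passive half of Karma: record which SSIDs each client asks for, answering nothing.
    Wildcard probes still register the client but add no SSID."""
    remembered = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        client, ssid = parsed
        bucket = remembered[client]
        if ssid:
            bucket.add(ssid)
    return remembered

def summarize(remembered):
    """(unique clients, unique SSIDs): the two figures reported for the Tetra."""
    all_ssids = set().union(*remembered.values()) if remembered else set()
    return len(remembered), len(all_ssids)

def sample_capture():
    """Constructed frames standing in for a monitor-mode capture."""
    a, b, c, ap = (bytes.fromhex(h) for h in ("0a1122334401", "0a1122334402", "0a1122334403", "001122334455"))
    return [
        build_probe_request(a, "attwifi"),
        build_probe_request(a, "xfinitywifi"),
        build_probe_request(b, "Starbucks WiFi"),
        build_probe_request(b, ""),                                       # wildcard probe
        build_probe_request(c, ""),                                       # client that only probes wildcard
        build_mgmt_frame(SUBTYPE_BEACON, ap, ie(IE_SSID, b"CafeNet")),   # AP beacon (body simplified), not a client probe
    ]

if __name__ == "__main__":
    seen = karma_listen(sample_capture())
    for client, ssids in seen.items():
        print(client, sorted(ssids))
    print("unique clients, unique SSIDs:", summarize(seen))
```

The design point is in `karma_listen`: everything the attack needs (client MAC plus the list of networks it trusts) is handed over in the clear by the client, before any association happens, which is why the listening side of Karma is invisible and why the only real mitigation is a client that stops sending directed probes.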
Although the higher number of client connections this year could be attributed to higher attendance at RSAC, it does make me wonder whether this correlates with Cisco's VNI report, which forecasts roughly 7x the number of public Wi-Fi hotspots (64M in 2015 to 432M in 2020) and finds that Wi-Fi is by far the dominant communication link for people accessing the Internet, ahead of cellular and wired connections.
Public Wi-Fi safety
The major security risk with public Wi-Fi is that the 802.11 standard makes it incredibly easy for an attacker to insert themselves as a MiTM and inspect or inject packets in a victim's data stream. Wi-Fi attacks operate at layer two, below the view of most Wi-Fi platforms, which makes them very hard to detect.
Once an attacker inserts themselves as a MiTM, an ocean of higher layer attacks opens up to them:
- Bettercap with sslstrip and an HSTS bypass, which downgrade HTTPS pages to HTTP so that credentials, credit card numbers and the like cross the air in plaintext.
- Toxic proxies, which abuse Web Proxy Auto-Discovery (WPAD) via DHCP and DNS to exfiltrate sensitive URLs and browser session information.
Our simple rogue AP and Karma attack experiment at RSAC shows just how successful the low-layer MiTM attack can be in a typical public space.
Scope of the Wi-Fi security problem
As predicted by the Ericsson Mobility Report in June 2016, the fastest-growing and largest installed base of IoT devices is Wi-Fi enabled devices. These devices are not known for security best practices and are forecast to grow from an installed base of 4.2 billion in 2015 to 14.2 billion in 2021. Project Isizwe, in South Africa, highlights how fast Wi-Fi is spreading, with massive open public hotspot networks covering entire municipalities, cities, and eventually nations.
Solving Wi-Fi security for my mom
As I say in all my public Wi-Fi presentations, if my mom can’t do it, it’s not a global solution. There is a large, very vulnerable demographic that needs the Wi-Fi security problems to be handled for them in a seamless, automatic way. A true Wi-Fi security solution needs to:
1. Automatically prevent the low-level attacks mentioned above, so that no one can become the MiTM and the higher-level attacks are never usable. The solution shouldn't rely on the user's technical ability or require them to download any software, and it must pass the "my mom can do it" test.
2. Seamlessly apply security protection to any Wi-Fi client within range.
WIPS, I thought we were friends, why are you preventing me?
Just like the light and the dark side of the Force, ever since the first rogue AP was created there has been the ability to detect it with a Wireless Intrusion Detection System (WIDS). WIDS is code running inside certain business-class APs that scans the air and the Ethernet network to find rogue APs. When such an AP has the setting turned on to automatically stop rogue APs from accepting client connections, the "D" turns into a "P": a Wireless Intrusion Prevention System (WIPS).
On the surface, WIPS meets all of the criteria for a true Wi-Fi security solution. However, WIPS must have a false-positive rate of near zero, or it will automatically block legitimate access points that were misclassified as rogue. Some WIPS are effectively unusable because no one wants to get slapped with a huge FCC (or foreign equivalent) fine. For example, here is an FCC fine of $718,000 for misclassification.
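The classification step that decides whether WIPS is allowed to contain a BSSID, as an added example (not WatchGuard's WIPS logic or any vendor's): it combines what the sensor hears over the air with what the switches see on the wire, and only contains APs that are either impersonating our SSIDs or apparently plugged into our LAN, never a neighbour's AP. The inventory, the beacons and the MAC-adjacency heuristic for "on our wire" are assumptions constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """One SSID advertisement heard over the air."""
    bssid: str
    ssid: str
    channel: int

def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def mac_adjacent(bssid: str, wired_mac: str, window: int = 8) -> bool:
    """Heuristic (an assumption for this demo, not a standard): many APs derive their BSSIDs
    from the radio's base MAC, which sits numerically close to the MAC the switch sees on the
    wired port. A close match suggests the AP is plugged into our LAN."""
    return abs(mac_int(bssid) - mac_int(wired_mac)) <= window

def classify(beacons, authorized, managed_ssids, wired_macs):
    """Classify every BSSID heard as authorized, misconfigured, evil-twin, rogue-on-lan, honeypot or external.
    authorized   : {bssid: ssid} inventory of our own APs
    managed_ssids: SSIDs we own (impersonating them is an evil twin)
    wired_macs   : MAC addresses learned from our switches' forwarding tables"""
    authorized = {k.lower(): v for k, v in authorized.items()}
    wired_macs = {w.lower() for w in wired_macs}
    advertised = defaultdict(set)
    for b in beacons:
        advertised[b.bssid.lower()].add(b.ssid)
    verdict = {}
    for bssid, ssids in advertised.items():
        if bssid in authorized:
            verdict[bssid] = "authorized" if ssids == {authorized[bssid]} else "misconfigured"
        elif ssids & managed_ssids:
            verdict[bssid] = "evil-twin"          # someone else beaconing our SSID
        elif any(mac_adjacent(bssid, w) for w in wired_macs):
            verdict[bssid] = "rogue-on-lan"       # unknown AP that appears to be on our wire
        elif len(ssids) >= 3:
            verdict[bssid] = "honeypot"           # one radio answering for many networks, Karma-style
        else:
            verdict[bssid] = "external"           # a neighbour's AP: not ours, not on our LAN
    return verdict

# Only classes that are provably attacking us or attached to our LAN get auto-contained.
# "external" is never contained (jamming a neighbour is what draws regulator fines), and
# "honeypot" is alert-only unless it also trips the evil-twin rule.
CONTAIN = {"evil-twin", "rogue-on-lan"}

def containment_list(verdict):
    return sorted(b for b, v in verdict.items() if v in CONTAIN)

# Constructed sample inventory and capture
AUTHORIZED = {"00:11:22:33:44:01": "CorpWiFi", "00:11:22:33:44:02": "CorpGuest"}
MANAGED_SSIDS = {"CorpWiFi", "CorpGuest"}
WIRED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:dd:ee:00"}

def sample_beacons():
    return [
        Beacon("00:11:22:33:44:01", "CorpWiFi", 6),        # our own AP
        Beacon("de:ad:be:ef:00:01", "CorpGuest", 11),      # stranger beaconing our guest SSID
        Beacon("aa:bb:cc:dd:ee:03", "HomeAP", 1),          # consumer AP, BSSID adjacent to a wired MAC
        Beacon("66:77:88:99:aa:bb", "NeighborCafe", 6),    # the cafe next door
        Beacon("02:ca:fe:00:00:01", "attwifi", 1),         # one radio, many public SSIDs
        Beacon("02:ca:fe:00:00:01", "xfinitywifi", 1),
        Beacon("02:ca:fe:00:00:01", "Starbucks WiFi", 1),
    ]

if __name__ == "__main__":
    v = classify(sample_beacons(), AUTHORIZED, MANAGED_SSIDS, WIRED_MACS)
    for bssid, cls in sorted(v.items()):
        print(f"{bssid}  {cls}")
    print("contain:", containment_list(v))
```

The false-positive discipline lives in `CONTAIN` and in the order of the rules: the wired-side check is what separates a real rogue on the LAN from the cafe next door, and anything the sensor cannot tie to our SSIDs or our wire is reported, not jammed. When asking a vendor about their false-positive rate, this is the question to ask: what evidence does the system require before it moves a BSSID into the contain set?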
Tips for companies that offer a Wi-Fi hotspot
1. Don’t invite your guests and customers to become Wi-Fi hack victims. Implement a Wireless Intrusion Prevention System (WIPS) with automatic prevention turned on, but be sure to ask your vendor or IT service pro whether the WIPS solution has a near-zero false-positive rate. Trust me, any Wi-Fi attacker will know within seconds that your airspace is protected and will move on to less protected hotspots in search of victims.
2. Always use network segmentation to separate guest (hotspot) networks from private networks.
3. Implement content inspection at the gateway. Unified Threat Management (UTM) appliances can detect and prevent security risks such as malware and botnet command and control communication.
4. Hire a managed security services provider (MSSP) to evaluate your business’s needs, implement security solutions and oversee daily threat management.