Lure10: Exploiting Wi-Fi Sense to MITM wireless Windows devices
Karma has long been a staple man-in-the-middle attack used in authorised wireless security assessments and unsanctioned ones, but as many modern operating systems now provide effective countermeasures, other approaches for tricking wireless clients into automatically associating with a rogue access point are wanted.
Enter Lure10 – a new attack that, by taking advantage of Wi-Fi Sense, tricks wireless devices running Windows into doing exactly that.
What is Wi-Fi Sense?
Wi-Fi Sense, enabled by default on Windows 10 and Windows Phone 8.1, is a feature that automatically connects users to crowdsourced open wireless networks it knows about.
Based on information previously collected by devices that connected to one or another of these open networks, Microsoft evaluates whether they provide a good-quality connection and, if they do, adds it to the list of hotspots that will be suggested by Wi-Fi Sense.
The Lure10 technique
The success of the attack, which was presented by security engineer George Chatzisofroniou at this year’s Hack in the Box conference in Amsterdam, relies on:
- The victim’s device being fooled into believing it is within the geographical area of a Wi-Fi Sense-tagged open wireless network
- The attacker successfully disrupting the victim device’s existing Wi-Fi connection (by spoofing DEAUTH frames), and
- The attacker successfully mimicking the Wi-Fi Sense network in question (broadcasting a network with the same ESSID – extended service set identifier – is enough to do that).
That last prerequisite can be achieved by finding a Wi-Fi Sense network that exists in an area relatively close to the victim (e.g. in their home city), and collecting its ESSID (e.g. “AIRPORT_FREE”).
At the same time, through, the attacker also needs to collect the BSSIDs (the MAC addresses of the access points) of the other wireless networks in the same area, as this information is used by Windows Location Service to determine the location of a device.
By broadcasting beacon frames with these BSSIDs, the attacker fools WLS into thinking the device is in the area of the impersonated network (first prerequisite of the attack).
Once the attacker goes through the two steps, the fact that the rogue access point is sending out beacon frames with the ESSID of the Wi-Fi Sense network it mimics is enough for the victim device to connect to it automatically – IF the victim device has no shared WLANs in its Preferred Networks List and Available Networks List.
But even that last condition can be achieved (see Chatzisofroniou’s presentation slides for more details).
How to protect yourself?
The Lure10 attack technique has been added to the latest version of the open source Wifiphisher rogue Access Point tool, of which Chatzisofroniou is the lead developer.
The engineer says that Microsoft has been informed about this issue and has acknowledged its impact, but has not taken steps to mitigate it, as they consider it an “accepted risk.”
Users can protect themselves against this attack by simply disabling Wi-Fi Sense on their device.
UPDATE (May 2, 2017): Apparently , Microsoft has decided to turn off the ability to automatically connect to open hotspots by default in early April, with the release of Windows 10 Creators Update (which also comes with clearer privacy options). The move was a direct result of Chatzisofroniou’s research.