Public WiFi risks
This is the second collaboration with Justin Casey on cyber and information security risks for security operatives. The first one was about phishing attacks and was very well received. This month we are discussing the risks associated with public WiFi for security operatives, a critical risk area for them to understand. How many of you connect to a public WiFi system at work and access emails or banking details, or have done so in the local restaurant on your lunch break? Each time you do this you expose yourself, your family and friends and potentially your employer to risk. Just like the last article, Justin has done most of the work on this one. I'll pop in from time to time with these orange boxes and my own stories or opinions.
I bet that if I asked you to name 5 places around your town or city where there are public AEDs (defibrillators), the majority would struggle to answer. However, if I asked you to name 5 places around your town or city where there are public WiFi hotspots, you would have no difficulty listing off locations.
Everywhere we go we are surrounded by WiFi signals, whether public or private. It has got to the stage where we actually expect free WiFi in any pub, restaurant, hotel, bus, train or coffee shop, and if there is none we are disappointed. It is no longer an optional luxury; it is now commonly considered a mandatory "complimentary" extension of any business or service offered to the public.
Often we take very little notice when connecting to these "open" networks, and even when we do, once our end goal is achieved we are happy. But just how safe are these public access hotspots? Quite frankly, they are not safe at all. There are a number of methods and styles of attack used by those with more sinister motives to compromise your information or the device itself.
Tony- It is not just criminals who use these methods. Security consultants and penetration testers will also often utilise these to test or audit security measures for companies.
First, let's take a look at what we call the 'Evil Twin'. This is when an attacker replicates a network to fool you and your device into thinking it is connecting to, and sharing data with, a known 'friendly' network. Often this is done by mimicking the name of the WiFi network with a small, subtle difference so that at a glance everything seems fine to the untrained eye. An attacker does not even need a different name: an open network is identified only by its SSID, so a second access point broadcasting exactly the same name simply looks like a stronger copy of the real one and your device will roam to it. If you walked into a coffee shop and wanted to go online, you would scan for available networks and see 2 options:
- ‘Coffee-Shop Wifi’ and this has 5 full bars of signal.
- ‘Coffee Shop-Wifi’ and this only has 2 bars of signal.
Both are open with no passwords, so which one are you going to pick?
Exactly! We are naturally drawn to the one with the strongest signal.
Have you ever been on Dublin Bus? If so, how many times: 5, 20, 50? Did you connect to its WiFi?
As lots of Dublin buses come into close proximity to each other at traffic lights and so on, Dublin Bus WiFi uses two different SSIDs so that if you are connected to one, your device won't jump onto the other when another bus is nearby. Although this is handy, it also means that I could make a fake evil twin of one of the SSIDs, and simply because I am sitting close to you, the signal of my evil twin will be stronger and your device will be encouraged to connect to mine instead. Just like in the image below: would you know which one is the real Dublin Bus WiFi?
One of my favourite pieces of kit on this topic is a piece of hardware called the WiFi Pineapple, made by the team over at Hak5. The WiFi Pineapple is, in effect, a professional full-time evil twin access point. All of our devices that connect to the internet are constantly shouting out looking for known access points whenever WiFi is active on the device.
Take your phone, for example. You come home from work and walk in the door; do you need to type your WiFi password into your phone every time you come home? No. This is because your device sends out what is known as a probe request for any WiFi network you have connected to in the past and told your device to join automatically. It is always silently calling out the names of the access points it knows. The WiFi Pineapple listens to what your device is looking for and then answers, pretending to be every one of those access points. Your device now thinks that 'home WiFi' or 'office WiFi' is in the area and connects automatically, without hesitation or asking any questions, and sends all its data through the WiFi Pineapple. Two caveats are worth knowing. First, this automatic join only works for networks you saved without a password (hotel, café and airport hotspots are the usual victims): for a password-protected network your phone expects the same security type, and the attacker does not have your key. Second, newer phones are more careful about what they shout, typically only probing by name for hidden networks, so the attack is most reliable against older devices and against saved open hotspots.
Imagine your device is a delivery driver sent to drop a 'packet' to Mr. Internet in some building. Your device does not know what Mr. Internet looks like, so it just walks in and starts shouting for 'Mr. Internet'. The WiFi Pineapple is in the building, hears a device with a packet shouting, and lies to it: "Yes, I am Mr. Internet, I will take that packet, thank you." The WiFi Pineapple then opens the packet and reads it before closing it again and dropping it off with the real Mr. Internet.
This is what is called a 'Man in the Middle' attack, and let's be honest, no one likes a middle man.
There have been concerns about the power of such hardware and the true scale at which these methods could be used; for example, it has been rumoured, though never confirmed, that a polling station in America was the victim of this style of attack in an attempt to manipulate the outcome of a vote.
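To make the "shouting" concrete, here is an added example (not code from the original article and nothing to do with Hak5's own software) that builds a few constructed 802.11 probe request frames, parses them the way a Pineapple-style access point would, and works out which network names it would have to impersonate for each client. The MAC addresses and network names are made up for the example.

```python
# Added example: what a Pineapple-style access point learns from probe requests.
# All frames below are constructed in code; nothing is captured from the air.

def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Build a minimal 802.11 probe request (management frame, subtype 4).

    An empty SSID is a broadcast probe ("is anyone there?"); a non-empty one is a
    directed probe for a network the client already knows about.
    """
    frame_control = b"\x40\x00"                        # type 0 (management), subtype 4 (probe request)
    duration = b"\x00\x00"
    addr1 = bytes.fromhex("ff" * 6)                    # receiver: broadcast
    addr2 = bytes.fromhex(src_mac.replace(":", ""))    # transmitter: the client
    addr3 = bytes.fromhex("ff" * 6)                    # BSSID: broadcast (any AP may answer)
    seq_ctrl = b"\x00\x00"
    ssid_bytes = ssid.encode()
    tag_ssid = bytes([0, len(ssid_bytes)]) + ssid_bytes        # tag 0 = SSID
    tag_rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # tag 1 = supported rates
    return frame_control + duration + addr1 + addr2 + addr3 + seq_ctrl + tag_ssid + tag_rates


def parse_probe_request(frame: bytes):
    """Return (client MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    frame_type = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if frame_type != 0 or subtype != 4:
        return None
    client = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 sits at offset 10
    body = frame[24:]                                      # tagged parameters follow the header
    offset = 0
    ssid = ""
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if tag == 0:
            ssid = value.decode(errors="replace")
            break
        offset += 2 + length
    return client, ssid


def karma_targets(frames):
    """Map each client MAC to the set of network names it is asking for.

    This is the information a Pineapple-style AP works from: for every name in the set
    it can start beaconing a fake open network and wait for the client to join.
    """
    wanted = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        client, ssid = parsed
        if ssid:                                 # broadcast probes name nothing to impersonate
            wanted.setdefault(client, set()).add(ssid)
    return wanted


# Constructed sample: one chatty older phone and one device sending only broadcast probes.
SAMPLE_FRAMES = [
    build_probe_request("aa:bb:cc:00:00:01", "Home WiFi"),
    build_probe_request("aa:bb:cc:00:00:01", "Office WiFi"),
    build_probe_request("aa:bb:cc:00:00:01", "Coffee-Shop Wifi"),
    build_probe_request("aa:bb:cc:00:00:02", ""),
    b"\x80\x00" + bytes(22),                      # a beacon frame, ignored by the parser
]

if __name__ == "__main__":
    for client, names in karma_targets(SAMPLE_FRAMES).items():
        print(client, "is looking for:", sorted(names))
```

The device ending in `:02` never names a network, so there is nothing to impersonate for it; the one ending in `:01` has handed over three names, and any of the saved ones that was an open hotspot can be cloned on the spot.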
MITM (Man In The Middle)
Okay, so now you have connected to my evil twin. You still get to access the internet, and to be honest it will probably be quicker, because not everyone in the vicinity is using it. So it still works, it's quicker and it's FREE! What's the problem?
You need to realise that I am now what we call the 'man in the middle': before your device reaches the internet, it must route all its traffic through me. This means I can potentially see what websites you are visiting, what images you are looking at, and the usernames, passwords and login credentials you enter into those websites. The one thing that limits me is HTTPS: for a site or app that encrypts properly with TLS I can still see which server you connect to, but not what you send it. Anything sent over plain HTTP, and anything sent to a site whose certificate warning you click through, is mine to read.
There are a number of ways an attacker could carry out this style of attack in order to hoover up all your data.
When data is sent and received from your device it travels in individual 'packets'. Imagine that every time you ask the internet for some information you write it down on a piece of paper, put it in an envelope and throw that envelope into the air towards the internet, but someone intercepts the envelope and reads it before sending it on.
This is essentially the man in the middle. The data packets are invisible to the human eye, but in reality they are transmitting through the air from all the phones, laptops, tablets, printers, smart TVs and everything else that may be connected to the router. Attackers can use what is called a 'packet sniffer' to capture these packets right out of the air and analyse them for sensitive information. On an open hotspot with no password every frame is sent in the clear, so anyone within radio range with a WiFi card in monitor mode can capture them without even joining the network. A password-protected (WPA2) hotspot encrypts each device's traffic with its own key, but anyone who knows the shared password and captures your device joining the network can decrypt your traffic too, and in a café the password is usually written on the wall.
Although there are many tools for sniffing and MITM, one of the most powerful and popular packet sniffers is a piece of software called Wireshark.
Wireshark is used all over the world by network administrators, although it is also the go-to tool for most attackers looking to capture your packets.
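As an added example (not from the original article, and not Wireshark code) of what a sniffer actually gets to read, the block below takes two constructed TCP payloads, a login form submitted over plain HTTP and the opening TLS ClientHello of an HTTPS connection, and reports what each one leaks. The hostnames and credentials are made up; the TLS parsing is real and follows the record layout of the protocol.

```python
import struct
from urllib.parse import parse_qsl

# Added example: what a packet sniffer can read from two kinds of login traffic.
# Both payloads are constructed here; they are not real captures.

# A login form submitted over plain HTTP (constructed; the credentials are made up).
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"user=jsmith&password=Summer2019%21"
)


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello carrying a server_name (SNI) extension."""
    name = hostname.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list   # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version TLS 1.2
        + bytes(32)            # random (zeroed for the example)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Walk a ClientHello and return the server_name, the one thing TLS leaks to a sniffer."""
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    if p + 2 > len(record):
        return None
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:                 # server_name: list length, then name_type + length + name
            q = p + 2
            name_type = record[q]
            name_len = struct.unpack("!H", record[q + 1:q + 3])[0]
            if name_type == 0:
                return record[q + 3:q + 3 + name_len].decode()
        p += ext_len
    return None


def sniff_payload(payload: bytes) -> dict:
    """Classify one TCP payload the way a sniffer would and report what it can read."""
    if payload.startswith((b"POST ", b"GET ", b"PUT ")):
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        host = ""
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode()
        return {"protocol": "http", "host": host,
                "request": lines[0].decode(), "fields": dict(parse_qsl(body.decode()))}
    if len(payload) > 5 and payload[0] == 0x16 and payload[5] == 0x01:
        return {"protocol": "tls", "host": extract_sni(payload), "request": None, "fields": {}}
    return {"protocol": "unknown", "host": None, "request": None, "fields": {}}


if __name__ == "__main__":
    print(sniff_payload(HTTP_LOGIN))
    print(sniff_payload(build_client_hello("www.facebook.com")))
```

For the HTTP login the sniffer recovers the username and password outright; for the HTTPS connection it recovers only the hostname in the SNI field, which is why the padlock matters so much on a network you do not control.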
Tony – I have used this method successfully sitting in cafés next to large security company headquarters to get access to company emails, passwords and staff details. I've also used it while at a security conference in a hotel lobby. It's amazing what people do on phones and laptops at these conferences, most of which I could intercept and read.
CASE STUDY: 001 – GRU – OPCW
The implications of a man in the middle attack can be very severe, and as a result this method has been used not just by hobby hackers but also by nation state spies and intelligence agencies throughout the world. One such example is when Russian spies set up a MITM attack in order to obtain sensitive information. The GRU is the main intelligence branch of the Russian military. In 2018 the Dutch intelligence service revealed that it had disrupted a covert operation in which a team of GRU officers had travelled to The Hague to carry out a close-access WiFi attack in an attempt to get onto the target's network. The investigation showed that the GRU officers had loaded a rental car with WiFi Pineapple type equipment and a high-gain antenna and parked it in the car park of a hotel next to the target's offices, so as to achieve a MITM attack on the target network and its devices.
The Russian operatives were tasked with infiltrating the office of the OPCW, the Organisation for the Prohibition of Chemical Weapons. Thankfully the Dutch intelligence service identified the team and the source of the attack, which led to the seizure of the vehicle and hardware and the officers being escorted out of the country, although evidence on their laptop showed that the same equipment had been used in other countries prior to this.
Spoofing – DNS & ARP
To understand ARP spoofing we first need a basic run-down on how network gateways/routers work. Every device, such as a phone or laptop, has what is known as an IP (Internet Protocol) address and a MAC (Media Access Control) address.
Example of an IP address: 192.168.1.10 (a typical address on a home or café network). This is the number used to identify the machine when sending and receiving traffic; it is handed out by the router when the device joins, so it changes from network to network. (The address 127.0.0.1 you may have seen is the 'localhost' address, which a machine uses only to talk to itself and which is never used on the network.)
Example of MAC Address : AA:AA:AA:AA:AA:AA (Not real just to show the format)
The MAC address is allocated by the manufacturer and is the identifier of the network hardware, essentially its 'fingerprint'. It is a fingerprint only in a loose sense: a MAC address can be changed in software in seconds, and modern phones randomise theirs, so it cannot be relied on to identify a device or an attacker.
Let's use your home WiFi gateway/router as an example. Say you have your phone, laptop, PC and games console all connected to the router. All of these devices relay their traffic through the gateway before it reaches the internet, and each has its own IP address, say 192.168.1.10 for your phone and 192.168.1.1 for the gateway. Inside the network, though, packets are delivered by MAC address, not IP address, so when your phone wants to reach the gateway it shouts out to everyone: "Who has 192.168.1.1? Tell 192.168.1.10." The gateway replies: "192.168.1.1 is at AA:AA:AA:AA:AA:AA." Your phone remembers that answer in its ARP table and from then on sends all of its internet-bound traffic to that MAC address. The gateway does the same thing in reverse when it has results to deliver back to your phone. This question-and-answer is the Address Resolution Protocol (ARP), and its weakness is that nobody checks the answers: a device will happily accept an ARP reply it never asked for.
In ARP spoofing, an attacker connected to the same network sends forged ARP replies: one to your phone claiming that 192.168.1.1 is at the attacker's MAC address, and one to the gateway claiming that 192.168.1.10 is at the attacker's MAC address. Both now deliver their traffic to the attacker, who can read or change it before forwarding it on to the real recipient, so neither your device nor the gateway notices anything wrong. Unlike the evil twin, this works on the genuine network; the attacker just needs to have joined the same WiFi as you.
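As an added example (not from the original article, and not a tool you would run on a real network) the block below builds a forged ARP reply byte for byte, feeds it to a simulated host whose ARP cache trusts any reply the way most operating systems do, and shows where the victim's internet traffic ends up before and after. It also shows the two things a defender has: an arpwatch-style alert when a known address changes MAC, and a static entry for the gateway that the cache refuses to overwrite. All addresses are made up.

```python
import struct

# Added example: forged ARP replies against a naive ARP cache. Addresses are made up;
# nothing is sent on a real network.

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an ARP reply that says '<sender_ip> is at <sender_mac>'."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"   # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, hlen 6, plen 4, opcode 2 = reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame: bytes):
    """Decode an ARP packet from an Ethernet frame, or return None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"opcode": opcode,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class Host:
    """A LAN host with an ARP cache that, like most operating systems, believes any reply."""

    def __init__(self, ip, mac, gateway_ip, static_gateway_mac=None):
        self.ip, self.mac, self.gateway_ip = ip, mac, gateway_ip
        self.arp_cache = {}
        self.alerts = []                 # what an arpwatch-style monitor would report
        self.static = set()
        if static_gateway_mac:           # the mitigation: a static entry the cache never overwrites
            self.arp_cache[gateway_ip] = static_gateway_mac
            self.static.add(gateway_ip)

    def receive(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["opcode"] != 2:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.arp_cache.get(ip)
        if known and known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac}")
        if ip not in self.static:
            self.arp_cache[ip] = mac     # solicited or not, the reply is believed

    def next_hop_mac(self, dst_ip: str):
        """MAC this host puts on a frame for dst_ip (anything off the LAN goes via the gateway)."""
        hop = dst_ip if dst_ip.startswith("192.168.1.") else self.gateway_ip
        return self.arp_cache.get(hop)


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:aa"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "bb:bb:bb:bb:bb:bb"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"
INTERNET_IP = "203.0.113.5"              # documentation address standing in for a web server


def run_attack(static_gateway_mac=None):
    """Return where the victim sends internet traffic before and after the forged reply."""
    victim = Host(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, static_gateway_mac)
    # Genuine reply from the real gateway, as received when the victim first joined.
    victim.receive(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    before = victim.next_hop_mac(INTERNET_IP)
    # Forged reply: the attacker claims the gateway's IP address is at its own MAC.
    victim.receive(build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    after = victim.next_hop_mac(INTERNET_IP)
    return before, after, victim.alerts


if __name__ == "__main__":
    print("naive cache:", run_attack())
    print("static gateway entry:", run_attack(static_gateway_mac=GATEWAY_MAC))
```

With a naive cache the victim's traffic silently switches to the attacker's MAC after one unsolicited reply; with a static gateway entry the same reply is ignored, though it is still logged, which is exactly the signal a network monitor on a corporate WiFi should be watching for.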
DNS Spoofing – DNS: Domain Name System
Every webpage is stored on a web server, and that server is reached by its IP address, not by its name. When you type 'www.facebook.com' into your browser, your device first asks a DNS resolver (usually the one the WiFi network hands out when you join) to translate the domain name into an IP address, and only then connects to that IP address to fetch the page. DNS is the internet's phone book: you give it a name, and it gives you back a number.
In DNS spoofing an attacker feeds false information into this lookup, either by answering your DNS queries directly (easy once they are the man in the middle, since on public WiFi the resolver is usually just whatever the hotspot hands out) or by poisoning the resolver's cache. The attacker sets up a replica of a webpage, in this example Facebook.com, at an IP address they control, and replaces the real IP address in the answer with their own. When you go to Facebook.com you are sent to the fake site instead, so when you try to log in the attacker obtains your credentials (username and password), or can inject malicious scripts to deliver malware, ransomware, spyware and so on. This is the attack HTTPS is designed to defeat: the fake server cannot present a valid certificate for facebook.com, so the browser shows a warning instead of the padlock, which is why you should never click through one.
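As an added example (not from the original article) the block below builds a real DNS query and a forged answer for it, then runs the checks a resolver makes before trusting a reply. The point it demonstrates is the difference between an off-path attacker, who has to guess the 16-bit transaction ID and is rejected, and a man in the middle on the café WiFi, who reads the ID straight off the air and is accepted every time. Names and IP addresses are made up (the addresses are from the reserved documentation ranges).

```python
import struct

# Added example: a forged DNS answer and the checks a resolver makes before trusting one.
# Names, addresses and transaction IDs are made up; nothing is sent on the network.

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Read a DNS name at offset, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                        # pointer to an earlier copy of the name
            pointer = ((length & 0x3F) << 8) | msg[offset]
            tail, _ = decode_name(msg, pointer)
            labels.append(tail)
            offset += 1
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # standard query, recursion desired
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def build_response(txid: int, name: str, ip: str, ttl: int = 60) -> bytes:
    """An A-record answer for name. An attacker builds this exactly as a real server would."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # response, recursion available
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata   # name = pointer to 12
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    txid, _flags, _qd, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    offset += 4                                          # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "qname": qname, "answers": answers}


def accept_answer(query: bytes, response: bytes):
    """Return the A records if the response matches the outstanding query, else None.

    A resolver matches the transaction ID and the question (and, on a real socket, the
    source port) before believing an answer; that blocks blind guessing from off the path.
    """
    sent_txid = struct.unpack("!H", query[:2])[0]
    sent_name, _ = decode_name(query, 12)
    got = parse_response(response)
    if got["txid"] != sent_txid or got["qname"].lower() != sent_name.lower():
        return None
    return got["answers"]


REAL_IP, FAKE_IP = "203.0.113.10", "198.51.100.66"     # documentation addresses, stand-ins only


def scenario() -> dict:
    """Compare an off-path guess with an on-path (man in the middle) forgery."""
    query = build_query(0x1F2E, "www.facebook.com")
    off_path = build_response(0x0001, "www.facebook.com", FAKE_IP)   # attacker never saw the ID
    on_path = build_response(0x1F2E, "www.facebook.com", FAKE_IP)    # attacker read it off the WiFi
    genuine = build_response(0x1F2E, "www.facebook.com", REAL_IP)
    return {
        "blind_guess": accept_answer(query, off_path),
        "mitm_forgery": accept_answer(query, on_path),
        "genuine": accept_answer(query, genuine),
    }


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label}: {result}")
```

The resolver's own checks are enough against a stranger on the internet but do nothing against someone already sitting on the path, since the forged answer is indistinguishable from the genuine one; the only check that still holds up at that point is the certificate check the browser does afterwards, which is why the padlock, and not the DNS answer, is what you can trust on public WiFi.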
Tony - These last two look pretty sophisticated, but there are dozens of YouTube tutorials out there showing how to do it. Just because it looks technical doesn't mean that a person with criminal intent can't very quickly learn how to do it.
6 Steps to staying safe
1. Always use a VPN (Virtual Private Network)
Tony – It's the year 2019. If you are on the internet and not using a VPN as standard, then I have no sympathy for you if you get scammed. It's a basic. My personal favourite free one is Hotspot Shield. Have one on your laptop, tablet and phone. Some phones come with one already built in, so make sure you have it turned on.
What is a VPN? A VPN creates an encrypted tunnel from your device to a server run by the VPN provider and sends all of your traffic through it. Someone sniffing the café WiFi, or sitting in the middle of it, then sees only encrypted traffic to the VPN server, not the websites you visit or the data you send. The trade-off is that the VPN provider now sits in the middle instead, so choose one you would trust with your traffic.
2. HTTPS Everywhere
Tony - As a very basic measure, make sure that before you put any information into a website it has the little padlock symbol next to it in the address bar.
What is HTTPS? HTTPS is HTTP with TLS encryption: the browser checks that the server holds a valid certificate for the domain name you typed, then encrypts everything it sends. A man in the middle can still see which site you are talking to, but cannot read or alter the contents, and cannot impersonate the site without triggering a certificate warning. The padlock only tells you that the connection to that site is encrypted, not that the site is honest; a phishing site can have a padlock too, so check the name next to it.
HTTPS Everywhere is a browser extension that rewrites your requests to use HTTPS on any site that supports it, so you are not silently dropped back to plain HTTP by a link or a man in the middle. It cannot encrypt traffic to a site that offers no HTTPS at all. Newer browsers build the same behaviour in as an 'HTTPS-only' mode, so turn that on where it is available.
3. Enable your Firewall
What is a firewall? A firewall filters the connections allowed into and out of your device. On a public network the important part is the inbound side: with the firewall on, the other devices sharing the hotspot (including the attacker's) cannot connect to file sharing, remote desktop or other services on your laptop. On Windows this is what marking a new network as 'Public' rather than 'Private' does; on a Mac turn the firewall on in the Security & Privacy settings and enable stealth mode.
4. 2FA – Two Factor Authentication
Tony - Again, this is real basic. Make sure you have it enabled on all of your email accounts, apps and anything with sensitive information on it. Very simple to set up in all apps. Basically, any time someone tries to sign into your account from a new device you will receive a text or email with a code to verify that it's you. Simple but effective.
What is 2FA? Two-factor authentication means a password alone is not enough to log in; you must also prove you hold a second factor, such as a code from an authenticator app, a text message, or a hardware security key. If an attacker captures your password on public WiFi, they still cannot log in without that second factor. Authenticator apps and hardware keys are preferable to text messages, which can be intercepted or redirected by SIM swapping, but any second factor is far better than none.
5. Use anti-virus
Anti-virus is not foolproof, but it is a supportive layer to your security.
6. Don't allow automatic connections to untrusted WiFi. Go through the list of saved networks on your phone and laptop and 'forget' every public hotspot you no longer need; every saved open network is an open invitation to an evil twin. Turn off 'auto-join' or 'connect automatically' for the rest, and turn WiFi off altogether when you are out and not using it.
This week was a bit heavy on technical information, but it is important information nonetheless. This stuff will become essential for any security operative in the next few years. It is only a matter of time before criminals begin to target customers in retail stores, nightclubs and concerts with this type of attack. Security staff need to know what it looks like before they can even begin to prevent it. Start learning it now, before you need to.