Thursday, 20 January 2005

Wireless hax0ring [Lurks]

Cranfield University came up with, or exposed, however you want to look at it, a new concept for a wireless network attack. It's so simple and so profound that I wondered why I didn't think of it before, much less the legions of black-hat scumbags out there.
The simple idea is this: one just sets up a computer to be a wireless access point with an appropriate SSID which makes it seem kosher. The wireless access point could masquerade as one of the well-known commercial hotspot providers, or it could be something which otherwise makes people think they're onto a good one, having discovered a free hotspot with full Internet access.
To all intents and purposes, it looks like you get an Internet connection. You do, I mean. You can read your mail, you can browse sites. There's nothing to arouse suspicion. The thing is, if you visit something like PayPal, eBay, online banking or the like, then the black hat's proxy stops forwarding you over the real Internet connection and redirects you to a fake.
So the carefree wireless Internet user happily chucks in their eBay, PayPal or online bank passwords and wallop, those are captured and some form of generic error which arouses no suspicion is displayed. Then the black hat goes across to one of the services and fleeces your account dry, of course.
It's not a hard concept to understand but it makes you think. I like to think I'm no fool, but I've certainly connected to free wireless access points and read my email. I've never had occasion to log into my online banking and, with the benefit of hindsight, I'm saying I probably wouldn't, but really... might I have done that?
Shit yes, I might have, as well as the legions of people out there who are far less security conscious and just got wireless as a shiny cool thing on the new notebook they bought at PC World.
The message here is clear. Even if you think you're on some legitimate wireless network, really you'd be a fool to do anything sensitive. You don't know if the network is a clever fake, or maybe the whole thing is being sniffed anyway (easy, given that these free wireless access points are unencrypted).
You can't really trust wireless Internet unless you're just doing some general browsing. Even checking your email might seem innocuous, but you could be handing someone the means to check your email whenever they like.


  1. Due to the high risk of having plaintext authentication and browsing being snooped over an unencrypted public access point, it is always best practice to establish an encrypted tunnel to a remote gateway you trust. When I'm using an airport, hotel or other public access point I establish an SSH tunnel to my home network. I use my own DNS servers and do all my browsing out over my own gateway. An easier way to do this is to simply run PPTP to the network where your email is etc. Unfortunately, since mid December 2004 when the asleap project added brute forcing of weak PPTP passwords to its feature set, PPTP is no longer something I'd gamble on.

  2. So much for this "news". These guys wrote software to demonstrate this proof of concept 2 years ago and even wrote a defence kit to check for changes in the ESSID and MAC address of the access point.
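Comment 2 mentions a defence kit that watches for changes in the access point's ESSID and MAC address. The Python below is an added example written for this page, not the kit's code and not anything from the original post: it learns, from a capture taken at a known-good site, which BSSIDs (access point MAC addresses) each SSID is normally advertised by and whether it was encrypted, then flags a later capture in which a known SSID shows up from an unknown BSSID, from more than one BSSID at once, or as an open network when it used to be encrypted. The `Beacon` type, the function names and the beacon records are all constructed for the example; a real tool would fill the records from a wireless sniffer's output.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, reduced to the fields the checks need (constructed type)."""
    t: int            # seconds into the capture
    ssid: str
    bssid: str        # access point MAC address
    encrypted: bool   # False means an open (unencrypted) network


@dataclass
class Profile:
    """What a trusted capture taught us about one SSID."""
    bssids: Set[str] = field(default_factory=set)
    encrypted: bool = True


def learn_baseline(trusted: List[Beacon]) -> Dict[str, Profile]:
    """Record, per SSID, the BSSIDs seen and whether every beacon was encrypted."""
    baseline: Dict[str, Profile] = defaultdict(Profile)
    for b in trusted:
        p = baseline[b.ssid]
        p.bssids.add(b.bssid)
        p.encrypted = p.encrypted and b.encrypted
    return dict(baseline)


def detect(baseline: Dict[str, Profile], observed: List[Beacon]) -> List[str]:
    """Return one alert string per suspicious condition found in the observed beacons.

    Conditions flagged:
      1. a baselined SSID advertised by a BSSID not in the baseline;
      2. a baselined SSID advertised by more than one BSSID in this capture;
      3. a baselined SSID that was always encrypted now beaconing as open.
    Each distinct (condition, ssid[, bssid]) is reported once so repeats stay quiet.
    """
    alerts: List[str] = []
    reported: Set[Tuple] = set()
    live_bssids: Dict[str, Set[str]] = defaultdict(set)

    def alert(key: Tuple, msg: str) -> None:
        if key not in reported:
            reported.add(key)
            alerts.append(msg)

    for b in observed:
        profile = baseline.get(b.ssid)
        if profile is None:
            continue  # never seen this SSID at the trusted site; nothing to compare against
        live_bssids[b.ssid].add(b.bssid)

        if b.bssid not in profile.bssids:
            alert(("new-bssid", b.ssid, b.bssid),
                  f"t={b.t}: SSID {b.ssid!r} advertised by unknown BSSID {b.bssid}")
        if len(live_bssids[b.ssid]) > 1:
            alert(("multi-bssid", b.ssid),
                  f"t={b.t}: SSID {b.ssid!r} advertised by more than one BSSID in this capture")
        if profile.encrypted and not b.encrypted:
            alert(("went-open", b.ssid, b.bssid),
                  f"t={b.t}: SSID {b.ssid!r} from {b.bssid} is now unencrypted")
    return alerts


# Constructed sample data: a capture from a known-good visit, then a later one.
TRUSTED_CAPTURE = [
    Beacon(0, "CoffeeShopWiFi", "00:11:22:33:44:55", True),
    Beacon(5, "CoffeeShopWiFi", "00:11:22:33:44:55", True),
    Beacon(5, "HomeNet", "aa:bb:cc:dd:ee:01", True),
]

LATER_CAPTURE = [
    Beacon(100, "CoffeeShopWiFi", "00:11:22:33:44:55", True),    # the genuine access point
    Beacon(101, "CoffeeShopWiFi", "de:ad:be:ef:00:01", False),   # same SSID, new MAC, open
    Beacon(102, "FreeAirportWiFi", "de:ad:be:ef:00:02", False),  # unknown SSID, ignored
    Beacon(103, "CoffeeShopWiFi", "de:ad:be:ef:00:01", False),   # repeat, not re-reported
]


def demo() -> List[str]:
    """Run the later capture against a baseline learned from the trusted one."""
    return detect(learn_baseline(TRUSTED_CAPTURE), LATER_CAPTURE)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the sample data the second beacon at t=101 trips all three checks and the repeat at t=103 adds nothing. The check only catches what the comment describes, a changed MAC address or a changed security setting; it says nothing about an access point that matches the baseline on both, so it complements rather than replaces the advice in comment 1 and in the post itself to treat the link as untrusted.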

  3. It doesn't really matter if it's news or not, I didn't know it and I'm sure other people didn't. I tend to use wireless hotspots a lot when I'm out on the road. I could set up a tunnel to my home box I suppose but I think it's safer and easier just to consider the wireless connection inherently insecure and not use it for sensitive stuff.