Forfusion Logo

Cyber-Security: Do You Have an Evil Twin? Part 3

Part 3

An Engineer’s perspective:

In the first of our series on wireless security we touched on the dangers posed by “free” public Wi-Fi. We then elaborated on one of the easiest Wi-Fi attacks to perform – the Evil Twin. This is essentially a Man-In-The-Middle (MITM) attack in which a rogue access point lures your device to connect by broadcasting a higher RSSI than the AP that is being imitated. The attacker then seamlessly forwards your session to the destination after it traverses the rogue AP. While connected the attacker has unrestricted access to everything that is sent and received in the clear and even encrypted traffic when using the correct toolset.

In this blog we are going to go into a few attacks that are possible if you fall prey to a wireless MITM. Being wireless, these attacks are much easier to perform than traditional wired MITM attacks as they do not require physical access to the network and can be brought up in minutes.

Traditionally, a popular choice of attack is Phishing in which the attacker can harvest personal data from unsuspecting users to either sell or use for personal gain. In traditional phishing, the attacker tries to pry personal information from you by masquerading as a trusted company or site. Such methods usually implement some form of social engineering such as an email requesting account verifications of user name and password or even a phone call to directly ask for details. Such scams are so widespread now that most people are aware enough to prevent the majority of them.

Wireless phishing on the other hand is growing increasingly popular especially with the widespread usage of mobile smart devices and the ever growing reliance on mobile data.

So back to the scenario, you are connected to what you believe is a legitimate public hotspot which is in reality a rogue access point set up using the same SSID as your intended trusted one. The attacker can now set up simple attacks such as DNS poisoning and ARP spoofing using freely available tools such as Cain to point your traffic to wherever they choose, i.e. set their own device as the default gateway so all traffic routes through the Evil Twin and alter the DNS cache of the devices so that requested sites reroute to the attacker’s malicious server which is hosting similar sites.

A popular Wi-Fi phishing technique is for an attacker to display a page welcoming you to the free Wi-Fi and asking for details such as selecting a password and to provide an email address to allow you unrestricted access. How many people use the same email and password combination for multiple sites? All the attacker has to do is record the sites you visit and then try the supplied password.

Redirection of legitimate sites by DNS poisoning is also popular. As you elected to visit these sites why would you question the validity of the site that appears?

These sites pose no other purpose than to gather information on the user and to introduce malicious content onto the target machine for future exploitation. Unfortunately, visiting these sites and giving away a few personal details are just the beginning of what can possibly come.

Once the foundation blocks of redirection are in place other attacks are relatively simple to implement, some examples are:

Evilgrade is a fantastic tool for exploiting devices once under a MITM attack. The purpose of this tool is to “upgrade” software applications on the victim’s machine by manipulating the automatic upgrade functionality of installed applications. The user opens the application, is prompted to upgrade, clicks on the link provided and thanks to the earlier DNS poisoning the user is redirected out to the attackers malicious website complete with exploited software ready to be unwittingly installed. From here the attacker can spawn command shells to the victim’s device and have full access to all personal data on the device. This tool has an ever increasing repository of upgrades and covers multiple popular vendor applications.

Of course SSL/TLS would solve this problem by stopping the attack vector itself? Tools are already in place which can transparently intercept such sessions and effectively split them in two. SSLsplit terminates user to server SSL/TLS at the MITM device and then initiates a new SSL/TLS connection to the original destination address. All data is available in clear to the attacker while it appears to be encrypted at both ends of the transmission.

These types of MITM attacks can only exploit the user while they are connected to the fake hotspot. Once the user disconnects, the attack ends. Unfortunately there are other attacks which have been developed to continue the exploit long after the initial attack has ended. Persistent cache poisoning is such a method which has the goal of replacing a piece of JavaScript within the victim’s browser cache with a malicious one.

For example, the user connects to a site which in turn then redirects the user to another server which hosts the requested JavaScript file, possibly via the JavaScript library which is embedded in many sites. The attacker then attaches his malicious code to the end of the file as it passes through him and then forwards it back to the user. This file now resides in the browser cache for as long as it stays “fresh” and each time the target visits the page, the cached version is always loaded and content is executed.

Such an attack can only remain viable while the cache timeout is still valid as once this expires a request is sent to refresh the cached page, though the attacker can alter the lifetime parameters in the header to ensure the script resides in the cache for many months.

The best protection from such an attack would be to completely disable the cache, unfortunately this renders all the benefits of caching obsolete. Other methods would be regular clearing of the browsers cache to remove malicious entries. User education is always a necessity to increase awareness of common and new techniques. When browsing using HTTPS, check the validity of the certificate that the site is supplying. Ensuring you use different passwords for different sites is another best practice to limit the damage if one of your passwords is compromised.

This concludes our series on Wi-Fi security although we are currently working on a new series of collaboration blogs which will be hitting our site in the next few weeks.

Categorised Under: Government Secure Services

1st Sep 2014