We all share this feeling when connecting to "FreeWiFi_secure" in a public area: "Is it safe to use?" I must reply to Jeff's WhatsApp message and to Marta's email, and that's it!
Can I do it using "FreeWiFi_secure"? Hmm... it doesn't sound right...
OK, just WhatsApp and Facebook, and no signing in to my email or corporate CRM. Or maybe I can use our VPN; this is why we have it, right?
Two minutes later, we are working on our CRM, buying online, sending photos and, for dessert, using our bank account B-Bank101 to make wire transfers.
Two weeks later, we will not remember it happened. Our phone or laptop may be slower. We may find "I never saw these" Chrome shortcuts or, worse and very frequently, we may get a nasty email ordering us to pay a ransom with our B-Bank101 account within 24 hours, or.....
How do they know my name and my email, and how did they hear of my B-Bank101 account?
There are many ways to attack a Phone, Laptop, Tablet; however, the highest exposure is when we leave our protected cozy offices and home networks, traveling and connecting to foreign Public Wifi networks.
Foreign Public Wifi networks are the Attacker's paradise. For example, let's take JFK airport. While sitting in a coffee shop, an attacker can reach thousands of WiFi stations every hour. Physically reaching VIP personnel is not possible (they are inside VIP rooms), but entering their phones, laptops, tablets via the air? - very easy!
So, how do they do it?
How do the Attackers get to our precious devices so easily and undetected?
What can we do about it?
Some of the attacks are 'Inside' the WiFi network, and others are 'Outside'.
In an Inside attack, the Attacker addresses or connects to the WiFi network like every other station. He gains access or sniffs the traffic. In an Outside attack, the Attacker lures the passengers to his own WiFi network, which looks exactly like the public WiFi network.
Examples of Inside Attacks:
The Attacker listens to the data transferred between clients and the access point. It's straightforward with open networks; therefore, it is essential to encrypt your networks.
The Attacker cracks the encryption on the network. Using a smartphone or laptop and a professional Wifi adapter, the Attacker can “sniff” all network traffic. The Attacker can use different tools such as WifiPhisher, Aircrack-ng (and its Android interface, “Hijacker v1.3 – A Complete Wi-Fi Hacking Tool Kit for Android”), Reaver, WPS cracker, and many other tools. Professional Attackers build their own tools or trade them on the Dark Web.
Man in the Middle Attack:
The Attacker sends a Deauthentication or Disassociation 802.11 frame to the victim. Why would this even happen?
Wifi networks use Radio Frequency (RF) channels. These channels may suffer from low reception or a high noise level, and therefore, from time to time, the Router or AP requests the Station to switch channels. It happens very fast and without any notification to the user.
Since Wifi allows any station to send frames to other stations, the Attacker station can order the victim’s station to switch the channel. The Router is not aware of that and therefore will stay with the same channel, but the Attacker station will “wait” for the victim’s station on the new channel, pretending to be the router.
Now a new connection is established between the Victim's station and the Attacker station.
Here the Attacker has many options:
Splash Screen Spoofing:
If the original router sends a “splash screen”, the Attacker can send a similar screen (actually an HTML page) with invisible Ransomware or Malware as its payload. This Malware will keep acting long after the victim has left the location. The Malware will also follow the user when the user signs in to his B-Bank101 account; everything is now open to the Malware, which communicates with the Attacker's machine and delivers everything to it.
Alternatively, the Attacker may become a “proxy” for the victim’s station, so that he intercepts all of the victim’s traffic, decrypts it with the cracked password, and copies or modifies it.
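The forced disconnect that opens the Man in the Middle attack above leaves a trace a monitoring sensor can pick up: an unusual run of Deauthentication or Disassociation frames aimed at one station. The following is an added example, not code from the original article; the frame records, MAC addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes (frame type 0)
BEACON, DISASSOC, DEAUTH = 8, 10, 12

def find_deauth_bursts(frames, window=5.0, threshold=5):
    """Return {target MAC: peak count} for stations that received at least
    `threshold` deauth/disassoc frames within any `window` seconds."""
    recent = defaultdict(deque)   # target MAC -> timestamps inside the window
    peaks = {}
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in (DISASSOC, DEAUTH):
            continue
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            peaks[dst] = max(peaks.get(dst, 0), len(q))
    return peaks

# Constructed capture: (seconds, subtype, claimed source, destination).
# The source address is unauthenticated, so it is not used for the decision.
AP, VICTIM, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
SAMPLE_FRAMES = (
    [(0.5 * i, BEACON, AP, "ff:ff:ff:ff:ff:ff") for i in range(30)]
    + [(1.0, DEAUTH, AP, OTHER)]                                # single, normal
    + [(10.0 + 0.1 * i, DEAUTH, AP, VICTIM) for i in range(8)]  # burst
    + [(10.85, DISASSOC, AP, VICTIM)]
)

if __name__ == "__main__":
    for mac, count in find_deauth_bursts(SAMPLE_FRAMES).items():
        print(f"possible deauth attack on {mac}: {count} frames in 5 s")
```

On networks that enable 802.11w Protected Management Frames, stations reject forged deauthentication and disassociation frames, so a detector like this serves mainly as an alarm.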
These are the most frequent Wifi Attacks, known as Rogue Access Points, Evil Twin, Fake Access Point, etc. The Attacker can easily set up a Rogue AP, often using the same name as the Wifi network (SSID): "FreeWiFi_secure".
Alternatively, the Attacker can use a luring name such as ‘Free Airport WiFi’ etc. When the victim’s station connects to such an AP, the AP may divert the request to a splash screen (see the example above for the Inside attack), using a captive HTML page and a built-in DNS server that redirects any call to this captive page.
The Attacker may still allow the victim’s station to connect to the internet, so that the victim is not aware that something is wrong. Of course, sensitive information entered online, such as email addresses and passwords, credit card numbers, or banking credentials, can be stolen.
How does he act?
The Attacker can use a laptop or an open-source Wifi Router (a long list may be found at OpenWrt: https://openwrt.org/ ) and load it with many publicly available attack tools.
This Evil Twin can have a powerful signal, which may attract more connections than the original Router, so that it becomes a man in the middle for all traffic.
Rogue AP and Evil Twin are among the most common wireless network attacks, and they are surprisingly effective.
About 20% of Wifi users will be connecting to a Rogue Access point while they travel.
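From the network operator's side, an Evil Twin shows up in a scan as the known SSID announced by an access point that is not in the inventory, often with a stronger signal or a different security mode. The following is an added example, not code from the original article; the inventory, the scan records and the assumption that "FreeWiFi_secure" uses WPA2 are constructed.

```python
# Constructed operator inventory: the BSSIDs and security mode of the real APs.
KNOWN = {"FreeWiFi_secure": {"bssids": {"02:00:00:00:10:01", "02:00:00:00:10:02"},
                             "security": "WPA2"}}

def find_suspect_aps(scan, known=KNOWN):
    """Return [(bssid, reasons)] for beacons that reuse a known SSID but do
    not match the operator's inventory."""
    best_known = {}   # SSID -> strongest signal seen from an inventoried AP
    for ap in scan:
        prof = known.get(ap["ssid"])
        if prof and ap["bssid"] in prof["bssids"]:
            best_known[ap["ssid"]] = max(best_known.get(ap["ssid"], -200),
                                         ap["signal_dbm"])
    suspects = []
    for ap in scan:
        prof = known.get(ap["ssid"])
        if prof is None:
            continue                      # not one of our SSIDs
        reasons = []
        if ap["bssid"] not in prof["bssids"]:
            reasons.append("unknown BSSID")
            if ap["signal_dbm"] > best_known.get(ap["ssid"], -200):
                reasons.append("stronger than every legitimate AP")
        # A BSSID can be cloned, so the security mode is checked for every beacon.
        if ap["security"] != prof["security"]:
            reasons.append("security mismatch")
        if reasons:
            suspects.append((ap["bssid"], reasons))
    return suspects

# Constructed scan results (signal in dBm; closer to 0 is stronger).
SAMPLE_SCAN = [
    {"ssid": "FreeWiFi_secure", "bssid": "02:00:00:00:10:01", "security": "WPA2", "signal_dbm": -62},
    {"ssid": "FreeWiFi_secure", "bssid": "02:00:00:00:10:02", "security": "WPA2", "signal_dbm": -70},
    {"ssid": "FreeWiFi_secure", "bssid": "02:00:00:00:66:66", "security": "OPEN", "signal_dbm": -41},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:00:20:01", "security": "WPA2", "signal_dbm": -55},
]

if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(SAMPLE_SCAN):
        print(f"suspect AP {bssid}: {', '.join(reasons)}")
```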
So, what can we do about it?
This will be discussed in Part 2!
Don't Wifi without WifiWall!