No.5 ▣ August 2, 2019
Bad WiFi configuration calls for the attacker
What’s more annoying than having a great WiFi connection, but slow internet speeds? - Security flaws!
When we, or our service provider, deploy WiFi in offices, airports, hotels, coffee shops, etc., we optimize for performance. The planning phase spends most of its attention on assuring a high-speed connection everywhere. Using many Access Points keeps our devices roaming transparently, maximizing performance and reducing switching time to a near-zero figure.
On the other hand, far fewer resources and less planning are often spent on security. The designers may not review all the security risks embedded in the resulting design: for example, how easy it is for an attacker to launch a Rogue Access Point or Evil Twin that smoothly becomes part of the public network, or how easy it is for the attacker to steal personal information when users connect to the "Free" WiFi network.
An example of such a flaw:
Last month, I was traveling to London. Upon arrival, while in the terminal, I did what thousands of people do in the airport every hour: I connected to the Heathrow Free WiFi network.
Using WifiWall at Heathrow Airport shows: “open” WiFi network
I immediately noticed that it is an "open" WiFi network, meaning there is no communication encryption. When selecting the Heathrow Free WiFi, I got a connection form to complete. Almost every public WiFi network will require you to fill in such a form before providing an internet connection. It is known as a "Splash Screen."
So, upon connection, my phone was diverted to the Heathrow WiFi Splash Screen. The screen requires me to fill in a form with personal information. Specifically, the Heathrow WiFi requires my first name, last name, birthday (I can fake that), email and phone number. If I specify a wrong email address or wrong phone number, I will not get an access code to connect to the internet, so at least that data must be real.
What is the problem?
All that is needed is a simple "sniffing" application to collect the personal data of everyone on this WiFi network. Most of the users of this WiFi network will complete all the required data. This constitutes a severe private data leak.
There are even more devastating design flaws that we encounter in Public WiFi networks:
1. The RSN Diversity (also known as "Crypto Drop" attack):
WiFi network encryption must be the same across all Access Points. This means that all Access Points should advertise an equal "RSN" value. However, WiFi networks change over time. An Access Point may stop working, and a technician may replace it with a new Access Point with a different RSN. Or, when adding WiFi coverage to a new area, the new installation may have a different RSN. We may think that this never happens and that all Access Points of a specific WiFi network share the same encryption level. In reality, however, we may find a "Free Paris WIFI" that needs no password to connect right next to one that requires a password. This misconfiguration makes the life of a WiFi attacker very easy: the Attacker adds his Rogue Access Point with a different RSN (or none), and no one can see the difference between the Rogue AP and the legitimate APs that already differ in their RSN readings.
2. Multiple WiFi networks (multiple SSID) within the same range:
When attackers find many SSIDs belonging to the same WiFi network owner, it is straightforward for them to add a Rogue Access Point. For example, imagine a WiFi network called "Costa Free WiFi" and, at the same location, "Costa Management WiFi" and "Costa Suppliers" SSIDs. The motivation for the Costa company is to "isolate" the different WiFi networks. However, the Attacker may add a Rogue Access Point called "Costa Finance." This SSID will confuse and lure some company employees into connecting. Some of the most popular Access Point vendors, such as Meraki, support many SSIDs on the same Access Point.
3. Use of "open" WiFi combined with Splash Screen:
I already talked about the Heathrow Airport example and how easy it is to steal travelers' personal information. This time, I will explain that Splash Screens in general create considerable risk. The Attacker can easily set up a Rogue Access Point hosting the same HTML page as the Splash Screen (they are all HTML pages). When connecting to the Rogue Access Point, the user will see no difference from the original Access Point's Splash Screen. However, the Attacker may include malware, spyware, a Trojan horse, or any other malicious content in that same Splash Screen. The user cannot "see" the malicious content that is transferred to the device. From that point, the malware travels with the user and is active even when the VPN is loaded. The Attacker gets full control over the user's content and device. This attack is so bad that I recommend not using a Splash Screen at all in any WiFi network.
4. Same SSID name for 2.4GHz and 5.0GHz networks:
Everyone assigns the same SSID name to their 2.4GHz and 5.0GHz networks. This makes the user's life easier. The differences between the 2.4GHz and 5.0GHz networks are wider bandwidth in the 5.0GHz network but about 2-3 times the range with the 2.4GHz network. The Attacker wants to be as far as he can from the victim. However, the victim will mostly be connected to the 5.0GHz network. Therefore, the Attacker will get close to the victim, connect to the 5.0GHz network, and send an 802.11 control frame instructing the victim's device to switch to the 2.4GHz network. Now the Attacker can be far away and carry out the attack using the long range of the 2.4GHz network. The user will get no indication that this is happening. If we keep different SSIDs for each band, the Attacker cannot use this method. The "cost" is forcing users to select the 2.4GHz network themselves when they are far from the Access Point.
5. Losing track of all Access Points in the network:
Many public WiFi owners invest in improving the connectivity of their WiFi network. This, by itself, is very positive. It also means that from time to time they may add new Access Points to improve coverage. If they do not manage a white list of all their Access Points (including all details such as the BSSID, the MAC address of the Access Point), they may run into problems. Having a white list is vital: if a new SSID/BSSID combination shows up in their network, it must be a Rogue Access Point.
Without a special tool to detect Rogue Access Points, the owner of a public WiFi network must maintain and manage the AP white list.
6. Limit the number of supported channels across Access Points:
Some public WiFi owners define multiple, different channels for every Access Point. In such a rich channel configuration, it may be common for an Access Point to instruct user devices to switch channels. The Attacker also uses channel-switching frames to divert a user's device to his Rogue Access Point. Such an attack is harder to detect in a WiFi network that is saturated with channel switching.
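As an added example (not WifiWall's code and not part of the original post), a small Python audit that applies three of the checks above to a scan: mixed RSN settings under one SSID (item 1), look-alike SSIDs that reuse a listed network's brand word (item 2), and unlisted BSSIDs advertising a listed SSID (item 5). The whitelist and scan results are constructed, and the RSN field is assumed to be a label such as "WPA2-PSK" or "OPEN" as a scanner would report it.

```python
"""Audit a WiFi scan against an access-point whitelist.

Flags three inventory problems: an SSID served with mixed RSN settings
("crypto drop" risk), an unlisted BSSID that advertises a whitelisted
SSID (possible rogue AP or evil twin), and a look-alike SSID that reuses
a listed network's brand word.
"""
from collections import defaultdict

# Constructed whitelist: every (SSID, BSSID) pair the owner deployed.
WHITELIST = {
    ("Costa Free WiFi", "aa:bb:cc:00:00:01"),
    ("Costa Free WiFi", "aa:bb:cc:00:00:02"),
    ("Costa Management WiFi", "aa:bb:cc:00:00:10"),
}

# Constructed scan results as a monitoring station would report them.
SCAN = [
    {"ssid": "Costa Free WiFi", "bssid": "aa:bb:cc:00:00:01", "rsn": "WPA2-PSK", "channel": 6},
    {"ssid": "Costa Free WiFi", "bssid": "aa:bb:cc:00:00:02", "rsn": "WPA2-PSK", "channel": 11},
    # Replacement AP that a technician left open: RSN diversity.
    {"ssid": "Costa Free WiFi", "bssid": "aa:bb:cc:00:00:03", "rsn": "OPEN", "channel": 1},
    {"ssid": "Costa Management WiFi", "bssid": "aa:bb:cc:00:00:10", "rsn": "WPA2-PSK", "channel": 36},
    # Unlisted SSID that borrows the owner's brand word.
    {"ssid": "Costa Finance", "bssid": "de:ad:be:ef:00:01", "rsn": "OPEN", "channel": 6},
    {"ssid": "Neighbour Cafe", "bssid": "11:22:33:44:55:66", "rsn": "WPA2-PSK", "channel": 1},
]


def brand_word(ssid: str) -> str:
    """First word of an SSID, used as a crude ownership marker."""
    words = ssid.split()
    return words[0].casefold() if words else ""


def audit_scan(scan, whitelist):
    """Return a list of (kind, ssid, bssid, detail) findings."""
    findings = []
    listed_ssids = {ssid for ssid, _ in whitelist}
    listed_pairs = {(ssid, bssid.lower()) for ssid, bssid in whitelist}
    brands = {brand_word(s) for s in listed_ssids}

    # 1. An unknown BSSID serving one of our SSIDs (item 5).
    for ap in scan:
        pair = (ap["ssid"], ap["bssid"].lower())
        if ap["ssid"] in listed_ssids and pair not in listed_pairs:
            findings.append(("unlisted-bssid", ap["ssid"], ap["bssid"],
                             "BSSID not in whitelist for this SSID"))

    # 2. Mixed RSN values under the same SSID (item 1).
    rsn_by_ssid = defaultdict(set)
    for ap in scan:
        rsn_by_ssid[ap["ssid"]].add(ap["rsn"])
    for ssid, rsns in rsn_by_ssid.items():
        if len(rsns) > 1:
            findings.append(("rsn-diversity", ssid, "*",
                             "mixed security settings: " + ", ".join(sorted(rsns))))

    # 3. An unlisted SSID reusing a listed brand word (item 2).
    for ap in scan:
        if ap["ssid"] not in listed_ssids and brand_word(ap["ssid"]) in brands:
            findings.append(("lookalike-ssid", ap["ssid"], ap["bssid"],
                             "reuses brand word of a listed network"))
    return findings


if __name__ == "__main__":
    for kind, ssid, bssid, detail in audit_scan(SCAN, WHITELIST):
        print(f"{kind:16} {ssid!r:26} {bssid:18} {detail}")
```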
When we design a WiFi network, we must allocate the necessary resources and attention to security. From my experience, the simpler the design and the fewer components we add to it, the safer it usually is.
Munich Airport “open” WiFi network
No.4 ▣ July 29, 2019
WiFi Attack, What to do next?
One of the biggest challenges is knowing that you are under WiFi attack. WiFi has become the medium of choice for foreign government attackers, criminals, business intelligence gatherers and all other types of hackers. It is relatively easy to do, and there are many tools one can buy or download at no cost. WiFi also allows them to reach VIPs in strategic locations (airports, prestigious hotels, elite conferences, etc.) and penetrate their devices, leaving no trace behind.
The first thing WifiWall does for our customers is let them know that their device is under WiFi attack. Behind the scenes, it also disconnects the attacked device from the WiFi network; this happens too fast to be noticed and prevents cyber damage.
As a result, we are getting inquiries such as:
I am getting this WiFi attack report, what does it mean?
Or even more important:
I am getting this attack alert, what should I do now?
To best answer these questions, we need to understand the dynamics of a WiFi attack. The main goal of the attacker is to gracefully disconnect the victim's device from its current WiFi connection. The attacker then transparently and smoothly switches the device to an alternate connection that he created. This switch gives the attacker control over, and visibility into, the victim's data.
The attacker may need a window of a few seconds to inject malware or spyware into the victim's device. It may be done by redisplaying the splash screen, the hotel or airport first screen we usually face when connecting to such public WiFi. When the user sees the familiar splash screen again, the embedded malware is injected into his device.
The first step of such an attack may be sending a DeAUTH 802.11 frame to the victim's device.
The attacker takes advantage of the fact that the control and management frames of WiFi, called 802.11 frames, are neither encrypted nor controlled (even when a VPN is active). Also, the protocol allows such frames to be sent from any station to any station. The DeAUTH frame causes the victim's device to disconnect from its current WiFi connection. In practice, the device will automatically try (this is the default on all our devices) to reconnect to the same WiFi network or another "approved" WiFi network.
This is precisely where the attacker is waiting. The attacker prepares a fake Access Point (called an Evil Twin) that "looks" exactly like the original Access Point, so the victim's device now establishes a connection with the attacker's Access Point. Now the victim's device is in the attacker's hands. All of this happens in a few seconds, and the user will not notice the difference.
Another attack technique requests that the victim's device switch communication channel (this usually happens when the noise level is high on the current channel), and again, the attacker's Evil Twin will be waiting on the new channel to intercept and control the victim's device communication and data.
The last example is the Rogue Access Point attack. The attacker publishes an independent Access Point that appears to be part of the public WiFi and will attract people to connect, believing that they are connecting to a legitimate Access Point.
For example, at SFO airport the Rogue AP SSID name will be “SFO free WiFi”, “Starbucks WiFi” at Starbucks, etc.
Back to the WiFi attack alert.
WifiWall detects and alerts on the attacker's first DeAUTH frame. WifiWall distinguishes between a legitimate DeAUTH frame sent by the original Access Point to the station (the result of a session termination request initiated by the device) and an unassociated attacker device that is initiating a WiFi attack. Alternatively, WifiWall may detect an illegal channel switch request sent by the attacker.
In both cases, WifiWall will end the session between the user's device and the attacker's Evil Twin.
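An added example of the distinction just described, written for this page and not taken from WifiWall: it labels deauthentication, disassociation and channel-switch frames by comparing their addresses with the station's known association. It assumes frames come from a monitor-mode capture with the radiotap header already stripped, and all addresses, frames and the association table below are constructed samples.

```python
"""Classify 802.11 deauth / disassoc / channel-switch frames against a
station's known association. Each frame starts at the 802.11 MAC header
(radiotap already removed). The association table maps a station MAC to
the BSSID it is associated with, as learned from association responses.
"""
import struct

DEAUTH, DISASSOC, ACTION = 0x0C, 0x0A, 0x0D   # management frame subtypes
CAT_SPECTRUM_MGMT, CSA_ACTION = 0, 4          # channel switch announcement
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Construct a management frame (no FCS): FC, duration, 3 addresses, seq ctrl, body."""
    fc = bytes([subtype << 4, 0])                       # type 0 = management
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid, body), or None for non-management frames."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    return frame[0] >> 4, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), frame[24:]


def classify(frame: bytes, assoc: dict) -> str:
    """Label one frame: legit-deauth, attack-deauth, benign-csa, attack-csa or ignore.

    This relies on source addresses alone, so a forged source MAC is not
    caught here; a deployed detector adds sequence-number and signal checks.
    """
    parsed = parse_mgmt(frame)
    if parsed is None:
        return "ignore"
    subtype, dst, src, bssid, body = parsed
    if subtype in (DEAUTH, DISASSOC):
        # Station ending its own session with the AP it is associated with.
        if src in assoc and dst == assoc[src] == bssid:
            return "legit-deauth"
        # The serving AP terminating that same session.
        if dst in assoc and src == assoc[dst] == bssid:
            return "legit-deauth"
        # Anyone else deauthenticating an associated station, or everyone at once.
        if dst in assoc or dst == BROADCAST:
            return "attack-deauth"
        return "ignore"
    if subtype == ACTION and body[:2] == bytes([CAT_SPECTRUM_MGMT, CSA_ACTION]):
        # A channel switch announcement is only valid from the serving AP.
        if dst in assoc and src == assoc[dst]:
            return "benign-csa"
        return "attack-csa"
    return "ignore"


# Constructed addresses: the real AP, the victim station and a third party.
AP = bytes.fromhex("aabbcc000001")
STA = bytes.fromhex("112233445566")
OTHER = bytes.fromhex("deadbeef0001")
ASSOC = {mac(STA): mac(AP)}
CSA_BODY = bytes([CAT_SPECTRUM_MGMT, CSA_ACTION, 37, 3, 1, 1, 1])  # CSA element: mode, ch 1, count
REASON_7 = struct.pack("<H", 7)   # "class 3 frame from non-associated STA"

SAMPLE_FRAMES = [
    build_mgmt(DEAUTH, AP, STA, AP, struct.pack("<H", 3)),     # station leaves on its own
    build_mgmt(DEAUTH, STA, AP, AP, struct.pack("<H", 2)),     # AP ends the session
    build_mgmt(DEAUTH, STA, OTHER, AP, REASON_7),              # third party deauths the victim
    build_mgmt(DISASSOC, bytes([0xFF] * 6), OTHER, AP, REASON_7),  # broadcast disassociation
    build_mgmt(ACTION, STA, OTHER, AP, CSA_BODY),              # channel switch not from the AP
    build_mgmt(ACTION, STA, AP, AP, CSA_BODY),                 # the AP's own channel switch
    bytes([0x08, 0x00]) + b"\x00" * 22,                        # a data frame: not our concern
]


def classify_samples() -> list:
    return [classify(f, ASSOC) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for label in classify_samples():
        print(label)
```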
Is this enough?
We strongly recommend that our customers avoid any WiFi communication with this network for the next 30 minutes.
Usually, the attacker launches multiple attack techniques.
He uses a library of attacks, so the probability of an immediate follow-up attack is very high, and this WiFi network is considered dangerous for the near future.
WifiWall continuously scans the vicinity and identifies every active WiFi network. It carries out an in-depth investigation of every WiFi network, identifying Rogue Access Points and Evil Twins. Any attempt to connect to such a malicious Access Point generates an alert and a disconnection from it.
Here again, we recommend that our customers "forget" every SSID reported as malicious and immediately disconnect from it.
We also recommend informing the management of the public WiFi network of such an event, including all the details as shown in the mobile app "WifiWall connect."
Usually, a service provider manages the airport, rail station, hotel and restaurant WiFi networks. The service provider has the technical means to carry out an investigation and shut down the attack.
By reporting the event with the details provided by WifiWall, we are helping the service provider, the host of the WiFi network and the other users of this network.
If your WifiWall alerts you to a WiFi attack:
Wifiwall initiates a WiFi disconnection command for prevention.
Avoid using this WiFi network for the next 30 minutes.
Forget this WiFi network to avoid auto reconnection.
Disconnect all your other devices (not attacked...yet) from the hazardous network.
Report the attack to the owner of the business the WiFi network belongs to with the details (keep in mind these details contain your device’s MAC address).
When you log in to the network again after a safety period of time, do not log in without WifiWall.
No.3 ▣ July 19, 2019
Recent Massive WiFi Attack Explained
On November 19, 2018, Marriott management confirmed a significant hack into their reservation database. Personal data, including credit cards, passports, dates of birth, etc., of 500 million people was stolen. The hotel management said it first became aware of a security breach in early September, but further investigation revealed unauthorized access to the guest reservation database dating back to 2014.
The reality is that while hotels seem less attractive than financial institutions, they are hacked almost as often because of the high value of the data they store combined with weak security technology and procedures. Most of the hotel industry leaders have reported breaches, including Hilton Worldwide Holdings, InterContinental Hotels Group, and Hyatt Hotels.
In a different, unrelated event, on June 26, 2019, a Bloomberg report written by Patrick Clark described the exploits of a team of “white hat” hackers employed to perform a penetration test (Pen-Test) of a hotel Property Management System (PMS). The hotel management uses the PMS to charge credit cards, issue room keys, access the loyalty program, etc.
The Pen-Test team searched for the easiest and most effective 'door' into the PMS. The first door was plugging a laptop into the internet cable of the room's smart TV. This first attempt did not gain them PMS access, so they kept searching network ports, including in the ceiling panel. The wired network attempts did not open the expected door (the wired security was better than the team expected).
Next, they turned on their phone, creating a WiFi network named after the hotel WiFi network (same SSID, a straightforward Rogue AP). Within 60 seconds, six guest devices joined the network. Of course, a professional Rogue Access Point kit, such as the 'pineapple', could do the job perfectly and attract most of the hotel guests to connect. This is already bad; however, they were after the hotel's PMS. All attempts so far, including investigating the IP range of this hotel, could not open the door to the PMS.
The next target was the WiFi network. All they needed was a device that is authorized to connect to the PMS with authorized user information. They scanned the WiFi network, identifying “Jamie’s iPad” as their victim. A series of disassociation and de-authentication frames from multiple sources kicked it off the network. Then they spoofed the MAC address of the victim device and hijacked its communication. That's it, and they were in.
The nature of WiFi attacks keeps them undetected. WiFi traffic is not logged and is therefore difficult to detect. Moreover, while the wired network has a rich set of security tools and everything is recorded, there are not many tools to detect and report WiFi attacks in real time, nor for later investigation.
Referring to the massive Marriott attack, we do not know exactly how it happened; however, we know that the attackers spent about five years inside the hotel network, leaving no signs.
Bloomberg Businessweek: The Hotel Hackers Are Hiding in the Remote Control Curtains
The Guardian: Warning: free hotel WiFi is a hacker’s dream
No.2 ▣ May 19, 2019
Is this the end of the WiFi security saga?
Over the years, the IEEE 802.11 group introduced many WiFi network security improvements, starting in 1997 with the WEP protocol and continuing with the big step forward of WPA and later WPA2.
Every generation of WiFi security algorithm promised a new era of WiFi security; however, soon after, WiFi attackers demonstrated further attacks, proving that the fundamentals of WiFi network security had not changed.
A year and a half ago, after the KRACK attack demonstration (breaking WPA2 in less than a minute), the IEEE 802.11 group introduced the new WPA3 protocol, including many improvements over the latter. Will WPA3 end the saga and declare WiFi networks safe?
Wide adoption of a new WiFi security protocol takes many years. Whenever new Access Point and station hardware and software is released, it mandates that everything (computers, phones, WiFi cameras, IoT devices, etc.) be replaced (due to hardware changes and profound software changes).
We are twenty years after the release of the WEP protocol, and sixteen years after the release of WPA, and yet about 6% of the worldwide WiFi networks are still based on WEP or WPA security. Think about the effort required to replace every Access Point in every airport, restaurant, hotel, office, home, etc.
The WPA3 protocol was introduced in 2018. We now start to see a few vendors' products available to purchase. A good friend and top wireless security specialist who runs "red team" 'capture the flag' games recently introduced a new competition: break a WPA3 WiFi network. The mission of the white hat attackers was to obtain a data resource located on a specific machine within a WPA3-based WiFi network. Except for one mention (https://hackercombat.com/serious-vulnerabilities-detected-in-the-wpa3-protocol/), we do not know of any WPA3 vulnerability, yet almost all the attackers caught the flag quickly.
How did they do it?
Very simple: every WPA3 network supports the WPA2 protocol. This is mandatory for backward compatibility, allowing newly introduced devices to connect to existing WPA2 WiFi networks. We expect that WPA3 WiFi networks will become the most popular networks only within 8 - 10 years. Users of new WiFi devices must be able to communicate with WPA2 networks or otherwise be offline.
All the attackers forced the WPA3 equipment to downgrade to WPA2 (by requesting WPA2 support), and from there, penetration was a question of seconds.
Is the WiFi security issue like OS vulnerabilities? Can we fix the weaknesses?
Modern operating system security is relatively stable. It is true that attackers still find vulnerabilities, and in significant numbers; however, the fundamentals of OS security are stable. There will always be weaknesses and vulnerabilities, at least as long as humans develop the software.
This is not the case with WiFi security. WiFi security suffers from design and structural problems that create major weaknesses on top of the “normal” human errors that create vulnerabilities. The fundamentals and basics of WiFi security are wrongly implemented. Since WiFi networks broadcast openly in the air, they are much more vulnerable than any wired network.
The WiFi Access Point manages the communication with stations and other APs using 802.11 frames. The most critical frames are the management and control frames. The bodies of these frames are never encrypted. Even when using a WiFi encryption protocol and a VPN server, they are still not encrypted (only the encapsulated data in the data frames is encrypted). As a result, any Attacker can use widely available equipment (a sniffer) to see that content.
Moreover, the communication between the AP and the station does not include any identity verification, allowing the Attacker to control and manage a station that is assigned to any other AP. We call it a Rogue AP or Evil Twin AP.
Combining these two factors makes any WiFi entity an easy target.
These architectural flaws come on top of the “standard” vulnerabilities found in other systems.
How can we fix it?
A dramatic change in the protocol is required. A few years ago, a protocol that encrypts WiFi management frames was introduced: MFP - Management Frame Protection. It was published and released, but is still seldom found in practice.
WPA3 is a big step in the right direction, but as mentioned earlier, the transition will be over many years.
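An added example, written for this page rather than taken from any product, that reads the RSN element an Access Point advertises in its beacons and tells three cases apart: SAE-only WPA3, WPA3 transition mode that still offers the WPA2 PSK AKM (the downgrade path described above), and plain WPA2. It also reports the MFPC/MFPR capability bits, which say whether Management Frame Protection is offered or required. The element bytes are constructed with the helper in the block.

```python
"""Parse an 802.11 RSN information element and report the AKM mix.

A WPA3 network that also advertises the WPA2 PSK AKM is in transition
mode: a client that negotiates PSK associates with WPA2 security. The
same element carries the MFPC / MFPR bits (RSN capabilities bits 7 and 6)
that tell whether management frame protection is offered or required.
"""
import struct

RSN_ELEMENT_ID = 48
OUI_IEEE = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE", 9: "FT-SAE"}
CIPHER_NAMES = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128"}


def _suite(buf: bytes, off: int, names: dict) -> str:
    oui, typ = buf[off:off + 3], buf[off + 3]
    if oui != OUI_IEEE:
        return f"vendor-{oui.hex()}-{typ}"
    return names.get(typ, f"type-{typ}")


def parse_rsn(ie: bytes) -> dict:
    """ie is the whole element: id byte, length byte, then the RSN body."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    version, = struct.unpack_from("<H", body, 0)
    group = _suite(body, 2, CIPHER_NAMES)
    off = 6
    n_pair, = struct.unpack_from("<H", body, off)
    off += 2
    pairwise = [_suite(body, off + 4 * i, CIPHER_NAMES) for i in range(n_pair)]
    off += 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akms = [_suite(body, off + 4 * i, AKM_NAMES) for i in range(n_akm)]
    off += 4 * n_akm
    # RSN capabilities are optional; treat a missing field as all-zero.
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    return {"version": version, "group": group, "pairwise": pairwise,
            "akms": akms, "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}


def assess(info: dict) -> str:
    """One-line verdict on the security mode an AP is offering."""
    akms = set(info["akms"])
    if "SAE" in akms and "PSK" in akms:
        return "WPA3 transition mode: WPA2-PSK still accepted, downgrade possible"
    if "SAE" in akms:
        return "WPA3-SAE only" + ("" if info["mfpr"] else " (but MFP not required)")
    if "PSK" in akms:
        return "WPA2-PSK" + (" with MFP" if info["mfpc"] else ", management frames unprotected")
    return "other: " + ", ".join(sorted(akms))


def build_rsn(akm_types, caps: int, pairwise=(4,), group=4) -> bytes:
    """Construct an RSN element (version 1) for testing; default ciphers are CCMP."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akm_types)) + b"".join(OUI_IEEE + bytes([a]) for a in akm_types)
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


# Constructed elements: transition mode, SAE-only with MFP required, plain WPA2.
TRANSITION_IE = build_rsn([2, 8], caps=0x0080)   # MFPC set, MFPR clear
SAE_ONLY_IE = build_rsn([8], caps=0x00C0)        # MFPC and MFPR set
WPA2_IE = build_rsn([2], caps=0x0000)

if __name__ == "__main__":
    for name, ie in [("transition", TRANSITION_IE), ("sae-only", SAE_ONLY_IE), ("wpa2", WPA2_IE)]:
        info = parse_rsn(ie)
        flags = ("MFPC" if info["mfpc"] else "-") + " " + ("MFPR" if info["mfpr"] else "-")
        print(f"{name:10} AKMs={info['akms']} {flags}: {assess(info)}")
```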
Therefore, I believe that the only remedy that can cure the problem today, and continue to bring substantial value once WPA3 is widely deployed, is a third entity that oversees the flow of WiFi management frames.
There is a lot of similarity between the current WiFi situation and the early days of the WWW and TCP/IP. Then, every server connected to the WWW could access any other connected server. The concept of the Firewall was born.
This is why we called our WiFi security product WifiWall.
It is an independent entity that monitors all WiFi traffic, searching for attacks based on the architectural flaws in WiFi networks and adding restrictions and governance. It also searches for vulnerabilities and exploits.
WifiWall looks for 802.11 frames that should not be transmitted, representing WiFi attacks such as man-in-the-middle, connection hijacking, Rogue AP and Rogue Station, etc.
It polices WiFi networks, similar to a Firewall's job over TCP/IP.
Why is the Firewall not doing the work of WifiWall?
Firewalls do TCP/IP communication control. Based on a defined policy, the Firewall allows or denies TCP/IP communication between IP addresses and ports.
WifiWall polices 802.11 communication. 802.11 communication is layer 2 and 3, while TCP/IP communication is layer 4.
The equivalent of IP addresses at layer four is MAC addresses. The Firewall does not see 802.11 frames, only TCP/IP packets, and therefore cannot control 802.11 communication.
No.1 ▣ May 19, 2019
The next Cyber Attacks after APT
Recently we see an increasing number of Single Step Advanced Attacks. In a Single Step Advanced Attack, the advanced attacker starts with all the necessary intelligence and privileges needed to access the target and achieves his goal while avoiding unnecessary or lateral movement. For example, having identified the target and using previously obtained superuser privileges, the Attacker logs into the critical server, dumps the necessary data and sends it out via one of the company's VPN servers. As a result, the attack duration is short, the damage is significant, and there are no traces left behind.
The attack looks like a legitimate action of IT personnel. A post-attack investigation of the IT team finds they were not involved, and digital forensics do not find evidence of the attacker's acts. The zillion event records we expect to see in the logging systems are missing. Even more, there is no evidence that someone deleted the event records; it looks like the event records were never created.
Usually, an ultra-damaging cyber attack is carried out as an APT (Advanced Persistent Threat) over a long period. The Attacker penetrates a machine inside the corporate network and performs orientation and investigation steps to identify the landing place, the privilege level of the current user, and where he can move next. In many following steps, sometimes hundreds and even thousands, the Attacker pushes his malicious agent from station to station, harvesting higher privileges and finally achieving access to the specific server or asset he is targeting. This process can take a few months and even a few years. Many of the most damaging and famous attacks are APT attacks.
As more APT detection and prevention systems have been developed and deployed (including the fantastic Illusive Networks solution, which I was part of bringing to market), advanced cyber attackers realize that lateral movement inside the victim's network exposes their acts. The longer they move inside the site and the more stations and servers they "touch", the higher the detection probability.
Therefore they searched for a network "zone" that is entirely in the dark: a zone where no event logs exist and yet the Attacker can harvest superuser privileges quickly and safely. They realized that high-profile IT personnel and corporate executives with superuser permissions travel and use their mobile stations (laptop and phone) from conferences, airports, hotels, etc.
These ultra-busy executives need to retain connectivity when traveling and mostly need a high-speed connection to do their tasks. A 3G/4G connection is not good enough for a video conference or for downloading multi-gigabyte presentations via a VPN connection.
Conference and airport WiFi networks are the most dangerous networks. They host Rogue Access Points and Evil Twin Access Points that look exactly like the official WiFi network. There are many publicly available Rogue AP kits that automatically duplicate the WiFi landing page and divert all URLs to a spoofed landing page: "Welcome to JFK WiFi". The only difference between the original splash screen and the spoofed one is the malware or Trojan horse embedded in the spoofed splash screen. This step happens well before the VPN client is loaded, making it immune to VPN solutions.
Connecting to these WiFi networks leaves no audit trail and therefore causes the post-attack investigation to fail.
Attackers load these AP traps in public WiFi and wait. On average they harvest thousands of users' credentials, many with high privileges. They know which corporate network each one connects to and at any later time can log in and attack.
Recently, a major USA corporation suffered a Single Step Advanced Attack. Initially, it looked like a senior IT team member logged into the most important server of the company, dumped a highly confidential database and uploaded it, encapsulated in encrypted data packets, via one of the company VPN servers to an external server. When the attack was found (a few months later), an investigation was launched. The immediate suspect was an IT team member, but a human investigation cleared him. The digital forensics found nothing but a legitimate server login record, a connection to the company VPN and a regular flow of encrypted data outbound, and that was it.
An additional human investigation found that an IT member was called before catching a flight to help diagnose a problem on the company servers. This superuser could not help before the flight, and after landing he was rushing to his car in a public parking lot. Additional calls convinced him that the problem could not wait for him to return to the office, so he opened his laptop and connected to the parking lot's free WiFi. He was caught by a Rogue AP that hijacked the connection and, before routing him to the internet, captured his user name and password. These were the superuser credentials used later for the Single Step Advanced Attack.
WiFi attacks are becoming an easy way to obtain all the information necessary to carry out a Single Step Advanced Attack. They replace lateral movement inside the victim's network, save time, and dramatically reduce the attacker's exposure. They shorten the attack time and make it almost impossible to detect.
WiFi networks are becoming the Attacker's preferred penetration option.