Getting Phished: Why SSID Spoofing (Still) Matters
January 29, 2007
Protect yourself from rogues and honeypots on any wireless network home, office, or hotspots.
Phony access points (APs) that use spoofed service set identifiers (SSIDs) to lure wireless users are nothing new. Also called evil twin or honeypot rogue APs, these look-alikes have grown common in venues frequented by business executives, including airports and hotels. The next time you connect to any WLAN, ask yourself: are you really certain the AP is legitimate? If not, you could be setting yourself up for a variety of nasty phishing attacks, with personal, professional and financial consequences.
Spoofing Has Never Been Easier
It's always been simple to configure an AP with someone else's hotspot, corporate or residential SSID. SSIDs are trivial to sniff from an active WLAN and cannot be completely hidden, even if omitted from beacons. Because most wireless clients connect to SSIDs, not APs, nearby users are just as likely to choose a phony or illegitimate AP as they are a legitimate one. Jacking up transmit power and sending deauthenticates can improve the odds of successful misdirection.
Once connected, a phony AP can use its man-in-the-middle vantage point to launch a plethora of attacks. For example, the AP can intercept Web requests and supply bogus responses carrying corrupted images or malware
Unfortunately, easy-to-use platforms are readily available to create a phony AP that phishes for identities and snarfs returned values:
- For Windows, a 4-in-1 USB adapter like the ZyXEL G-220 turns any laptop into a software-based host AP, using ICS and another 802.11 or 3G card to relay traffic to the Internet. DNS and HTTP servers installed on the laptop can redirect users to fake Web pages, designed to trick them into revealing sensitive values.
- For Linux, there is KARMA, a toolset that combines a host AP and fully-automated SSID spoofing with built-in DNS, HTTP and POP servers for "Bring Your Own" exploits. KARMA takes advantage of wireless client automatic network selection, spoofing any or all of the SSIDs being probed by nearby clients.
- For a turnkey appliance, the Airsnarf: Rogue Squadron firmware converts a Linksys WRT54G router into a phony hotspot, complete with login portal, redirection to phishing pages, and Internet backhaul over WDS. Add a WEP cracker, Web page spoofer and common snarfing tools, and you have Evil Bastarda proof of concept demonstrated at Shmoocon 2006.
There's a big difference between knowing that phony APs exist and actually protecting yourself from them. First, let's dispel some popular myths:
- Phony APs only affect hotspot users. Wrong. Any SSID can be spoofed; with tools like Hotspotter and KARMA, it is not even necessary to target a single pre-configured SSID. Wireless users at home or work should also be concerned about verifying AP identity.
- Using WEP or WPA-PSK stops phony APs. No. If the AP can observe at least some legitimate traffic, either of these static values can be cracked using tools like Aircrack or coWPAtty applied to the phony AP's security settings.
- SSL, SSH or VPN protects anyone connected to a phony AP. Not necessarily. A phony AP can use conventional man-in-the-middle tools (e.g., ike_crack, THC-pptp-bruter, sslsniff, sshsniff) to attack all of these protocols. Clients that fail to verify an SSL server's certificate, SSH server's key or VPN gateway's identity can still end up disclosing usernames, passwords or tunneled data.
Steps That Can Help
It is hard for an end user to visually differentiate between a legitimate AP and one using a spoofed SSID (and perhaps MAC address). But a wireless intrusion prevention system (WIPS) has a broader, full-time view of activity throughout your office. It can spot an AP that wasn't there an hour ago, APs operating with spoofed SSIDs, unusual deauthenticate messages, excessive client roaming between APs, and other signs of possible attack. Companies can deploy WIPS to spot all kinds of rogue APs (including those with spoofed SSIDs), automatically deauthenticating connections made to them by employees.
Outside of the office, SSID spoofing detection is harder. Users are surrounded by an ever-changing world of unknown APs. But depending upon the operating system, you can run a WIPS program on your laptop itself. These host-resident programs watch for forbidden or hotspot SSIDs, APs or client behaviors. Some generate alerts to warn users; others can stop connections that violate configured rules. Examples include the Shmoo Group Hot Spot Defense Kit (HSDK), AirTight Network's SpectraGuard SAFE, AirMagnet StreetWISE, Network Chemistry's RFprotect Endpoint, and AirDefense Personal.
Proactive steps can also be used to avoid connecting to phony APs in the first place. First, wireless client policies should be configured to connect only to known SSIDs in Infrastructure Mode. This cannot evade phony APs, but it makes a huge dent in accidental or risky connections to unknown SSIDs. For Windows XP clients, client probing can be reduced using the nonbroadcast network option (see Microsoft Knowledge Base article KB917021). To avoid errors when users configure their own security parameters, and to prevent users from even seeing forbidden SSIDs, configure IT-managed wireless policies.
ActiveDirectory wireless policies in Windows Vista.
Next, connect only to WLANs that employ 802.1X authentication with an EAP-type that lets the client verify the authentication server's identity (e.g., EAP-TLS, EAP-TTLS, PEAP).
When configuring 802.1X connections, it is critical to have the client automatically check both server and issuer certificates before sending username and password (or any other type of client credential). When implemented correctly, this makes it difficult for a phony AP to pose as a legitimate AP, because phony APs do not match the legitimate server's digital certificate, and cannot issue their own valid certificate from your certificate authority.
Protected EAP Properties window
802.1X is most often employed by corporate WLANs, but can also be used at some hotspots (e.g., iBAHN, T-Mobile.) It can be helpful to use hotspot connection manager programs that automatically check the server's identity during login. But be careful not to accidentally fall back to the hotspot's open, unauthenticated WLAN.
To use 802.1X with a home WLAN, you'll need an AP that supports WPA-Enterprise or WPA2-Enterprise (most new APs do) and a simple RADIUS authentication server like WinRadius, FreeRadius or SecureMyWiFi. Some home routers even have a RADIUS server built in.
Finally, it is still an excellent idea to utilize higher-layer security measures like SSL, SSH or VPN to protect traffic sent across the Internet or any other public network. Just don't rely on them as a substitute for preventing connections to phony APs.
No matter what type of network you use, strong server authentication should be enforced before the client supplies the user's identity. This concept is the key to avoid being phished.