By Lisa Phifer
August 20, 2007
Just when you thought it was safe to check webmail over Wi-Fi, the boys at BlackHat demonstrate why it’s not.
Unless you’ve been hiding in a cave for years, you know that everything sent over Wi-Fi is vulnerable to eavesdropping. A handful of hotspots now encrypt user data—usually with WPA—but the vast majority still expect customers to protect themselves. Sadly, many users continue to ignore even this simple threat. Those who know better often defend their data by using VPNs or SSL-protected websites.
Unfortunately, hotspot users who visit websites like Gmail, HotMail, and Yahoo! Mail may be more exposed than they thought.
Live from Las Vegas
During a recent presentation at BlackHat, Errata Security raised a few eyebrows by showing a pair of point-and-click “SideJacking” tools dubbed Ferret and Hamster. The approach taken by Hamster—web session cookie cloning—is not particularly new.
However, by exploiting live BlackHat user traffic to gain access to attendees’ GMail accounts, presenter Robert Graham made the threat posed by SideJacking perfectly clear: The next time you use an open Wi-Fi hotspot to access a vulnerable website, you may not be alone.
SideJacking is the process of sniffing web cookies, then replaying them to clone another user’s web session. Using a cloned web session, the jacker can exploit the victim’s previously established site access to change passwords, post mail messages, download files, or take any other action offered by that website.
Unlike some better-known HTTP attacks, SideJacking isn’t about stealing logins or disruptively taking over the victim’s session. It’s about transparently sharing authorized site access with a legitimate user, after that user has already logged in.
According to Errata, “The victim continues to use his/her session, blissfully unaware that we are also in his/her account (although signs such as additional e-mails in the ‘sent’ folders might give a clue).” Worse, for websites that use authentication cookies to persistently maintain login state, the jacker may continue to enjoy that access indefinitely.
Describing a theoretical attack is one thing. Seeing it in action is quite another. To illustrate the real-world risk and raise public awareness, Errata developed a pair of compact, easy-to-use, Windows SideJacking tools.
By combining Ferret and Hamster with freeware WinPcap, a Wi-Fi adapter, and an ordinary web browser, anyone can try his hand at SideJacking. Start by running ferret to sniff web cookies sent by other nearby Wi-Fi users, writing them to hamster.txt. Then run hamster, a tiny (77K) HTTP proxy that clones cookies drawn from hamster.txt. Configure your favorite web browser to use that copy of Hamster as its HTTP proxy. Then browse http://hamster, select an IP address from the list of potential victims, and click on any listed URL to SideJack that web session.
For good measure, Errata included practical how-to hints and step-by-step illustrations in the Hamster documentation. For example, to capture live traffic sent by other Wi-Fi users, one needs a Wi-Fi adapter that supports RFMON mode. But the bottom line is that launching a SideJack attack is undeniably easy. Anyone can do it. This is precisely why hotspot visitors to potentially vulnerable websites like GMail, HotMail, Yahoo! Mail, MySpace, and Facebook should sit up and take notice.
The lesson to be learned from this BlackHat demo is that hotspot users really cannot afford to be lax about encrypting data sent over Wi-Fi.
Users who already protect their data with Wi-Fi encryption (e.g., WPA, WPA2) or some type of corporate or personal VPN (e.g., HotSpotVPN, AnchorFree HotSpot Shield, JiWire HotSpot Helper) need not worry about being SideJacked. These measures are still your best bet to stay safe in public Wi-Fi hotspots.
However, users who rely upon visited websites to protect data sent over Wi-Fi must become more vigilant. When establishing an account on any website, take note of whether and how that site uses SSL encryption (usually denoted by https in the URL and a tiny padlock icon). If the website only applies SSL to the login exchange, but fails to protect data sent after login, then the site may well be vulnerable to SideJacking.
On some websites, options exist to use SSL encryption throughout the session—doing so can deter both ordinary eavesdropping and SideJacking and is strongly recommended. However, to prevent offline SideJacking at a later time, also delete cookies immediately after using vulnerable websites—for example, by explicitly logging out of those sites or clearing cookies from the browser. Post-BlackHat BugTraq reports suggest that many websites may be vulnerable to SideJacking when cookies generated during encrypted SSL sessions are cloned and sent at a later time over unencrypted HTTP sessions.
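The weakness described above, a cookie issued during an SSL session that the browser will also send over plain HTTP, is visible in the Set-Cookie headers a site returns. The following is an added example (not Errata's code or Hamster's) of a small audit that parses Set-Cookie headers and flags cookies lacking the Secure and HttpOnly attributes or that persist beyond the browser session; the session-name heuristics and the sample headers are constructed for illustration.

```python
# Audit Set-Cookie headers for cookies that a browser would replay over http://.
# A cookie without the Secure attribute is sent in the clear on any http:// link
# to the same host, which is exactly what lets a sniffed cookie be cloned.

# Heuristic (assumption): cookie names containing these fragments carry login state.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login", "token")

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Expires=Wed, 21 Aug 2017 07:28:00 GMT",
    "auth_token=zz9; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def audit_cookie(header, over_https=True):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over http://")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    if looks_like_session and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent session cookie: replayable after the browser closes")
    if not over_https:
        findings.append("set over plain HTTP: already exposed on the wire")
    return name, findings

def audit_headers(headers, over_https=True):
    """Map each cookie name to its findings; an empty list means no issue found."""
    report = {}
    for header in headers:
        name, findings = audit_cookie(header, over_https)
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Logging out, as the article advises, only helps if the site actually invalidates the server-side session; the audit above can only tell you what the cookie attributes permit, not what the server does on logout.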
Thanks to the buzz generated by this BlackHat demo, hotspot users have been warned. But given the number of users still surfing websites in the clear, the biggest potential target of this demo may be those website operators who fail to use SSL persistently and are less than strict about authentication cookie reuse. Raising threat awareness is merely the first step—we can only hope that this warning does not fall on deaf ears.