Basically, two software developers, Eric Butler and Ian "craSH" Gallagher, have created and released a Firefox plugin at Toorcon 12 this year with which one can easily capture session cookies and hijack the accounts of other users present on an open Wi-Fi network.
Though session hijacking is not a new attack and has been talked about, discussed and demonstrated in various security forums since 2007 (session hijacking was first revealed by Robert Graham at Black Hat US in 2007), the key contribution is that the attack has been made extremely easy for its executors. I will use another post to talk about the Firesheep tool and how the attack is carried out. In this post, I would like to keep the security issues of open Wi-Fi networks as the prime focus and discuss the merits and demerits of the solution presented by researchers of IBM's X-Force group.
There are three major security issues with open Wi-Fi networks:
1. Passive Data Sniffing
A lot of web services use the HTTP protocol, which does not encrypt data exchanged between client and server. This means that if such sites are accessed on an open Wi-Fi network, any malicious user within radio range of the wireless client device or AP can passively sniff and capture the data flowing to or from the client. This data can contain the user's private credentials or the website's cookies, which can be further misused to steal the user's valuable private information. A few websites use the HTTPS protocol to provide their services. Such websites are not vulnerable to passive sniffing. But establishing the connection to HTTPS-enabled websites is the crux. Sometimes users ignore the certificate warning for the certificate sent by the web server, and hence their chances of getting hacked, even though they always use HTTPS-enabled services, are extremely high.
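The cookie attributes decide whether a session survives passive sniffing: a cookie set without the Secure attribute is sent again on the next plain http:// request to the same site, which is all a sniffer on an open network has to wait for. The following audit script is an added example, not code from the original post or from Firesheep; the HTTP response it parses is a constructed sample, and the function names are my own.

```python
"""Audit the Set-Cookie headers of a captured HTTP response for the
attributes that decide whether a session cookie can be replayed after
passive sniffing. Added example; the response below is constructed."""

# Constructed sample response: one cookie is fully protected, two are not.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Set-Cookie: auth=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookies(raw_response):
    """Return a list of (name, attributes) for every Set-Cookie header.
    Attribute names are lower-cased; value-less attributes map to True."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in header_block.split("\r\n")[1:]:   # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {}
        for part in parts[1:]:
            key, eq, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if eq else True
        cookies.append((name, attrs))
    return cookies


def audit_cookies(raw_response):
    """Flag cookies a browser would also send over plain http://.
    Missing Secure means the cookie travels in the clear on the next
    unencrypted request, which is what a passive sniffer waits for.
    HttpOnly limits script access but does nothing against sniffing."""
    findings = []
    for name, attrs in parse_set_cookies(raw_response):
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: sent over cleartext HTTP")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings.append((name, problems))
    return findings


def sniffable_cookie_names(raw_response):
    """Names of cookies that would be exposed to a passive sniffer."""
    return [name for name, attrs in parse_set_cookies(raw_response)
            if "secure" not in attrs]


if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_RESPONSE):
        print(name + ": " + "; ".join(problems))
```

Run against a real capture, the script only reports what the server told the browser to do; the fix belongs on the server side (set Secure on every session cookie and serve the whole site over HTTPS), since the client on an open network cannot stop the browser from honouring an insecure cookie.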
2. Man-in-the-Middle (MiTM) Attack
A MiTM attack can be very easily carried out on an open Wi-Fi network. Due to the lack of authentication, it is very convenient for an attacker to attract and establish a connection with a wireless client device looking to connect to a public Wi-Fi hotspot or any open wireless network. Two attacks are mentioned here. Though they are alike, technically they differ in the way they are launched.
a. Evil Twin Attack: An evil twin is a hacker-planted AP in the proximity of a legitimate wireless network, having the same SSID or network name. Since clients use the wireless network name to discover and establish connections, it is very difficult for a client to differentiate between the legitimate AP and the attacker's. So it is very easy for a hacker to victimize a client device. Sometimes a DoS attack is also launched to prevent clients from connecting to the legitimate network.
b. Honeypot Attack: There is a subtle difference between a honeypot and an evil twin. A honeypot is also a hacker-planted AP, but its network name is chosen to lure legitimate wireless client devices. For example, the hacker advertises an "open wireless network" service. As soon as a wireless client connects to the honeypot AP, the hacker takes control of all its traffic.
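From the venue or network owner's side, both attacks above leave a visible trace in beacon frames: an evil twin reuses a known SSID from a radio (BSSID) that is not in the inventory, and a honeypot advertises an open SSID nobody deployed. The classifier below is an added example, not code from the original post; the AP inventory and the beacon observations are constructed sample data, and the verdict names are my own.

```python
"""Classify observed beacon frames against a known-AP inventory to flag
evil-twin and honeypot candidates. Added example, not from the post;
the inventory and observations below are constructed sample data."""

from collections import defaultdict

# Constructed inventory of legitimate APs: SSID -> {BSSID: security}
KNOWN_APS = {
    "CafeNet": {"aa:bb:cc:00:00:01": "wpa2", "aa:bb:cc:00:00:02": "wpa2"},
    "Guest": {"aa:bb:cc:00:00:03": "open"},
}

# Constructed beacon observations: (ssid, bssid, channel, security)
OBSERVED = [
    ("CafeNet", "aa:bb:cc:00:00:01", 6, "wpa2"),
    ("CafeNet", "de:ad:be:ef:00:01", 6, "open"),    # known name, unknown radio
    ("Guest", "aa:bb:cc:00:00:03", 11, "open"),
    ("Free Public WiFi", "de:ad:be:ef:00:02", 1, "open"),  # nobody deployed this
]


def classify_beacon(ssid, bssid, security, inventory=KNOWN_APS):
    """Return one verdict for a single beacon.
    evil_twin:         SSID we own, BSSID we do not
    security_mismatch: our BSSID, but not the security we configured
    unknown_open:      open SSID not in the inventory (honeypot candidate)
    unknown:           encrypted SSID not in the inventory (a neighbour)
    known:             matches the inventory exactly"""
    known = inventory.get(ssid)
    if known is None:
        return "unknown_open" if security == "open" else "unknown"
    if bssid not in known:
        return "evil_twin"
    if known[bssid] != security:
        return "security_mismatch"
    return "known"


def detect_rogue_aps(observations, inventory=KNOWN_APS):
    """Group every non-known beacon by verdict:
    {verdict: [(ssid, bssid, channel), ...]}."""
    alerts = defaultdict(list)
    for ssid, bssid, channel, security in observations:
        verdict = classify_beacon(ssid, bssid, security, inventory)
        if verdict != "known":
            alerts[verdict].append((ssid, bssid, channel))
    return dict(alerts)


if __name__ == "__main__":
    for verdict, entries in detect_rogue_aps(OBSERVED).items():
        for ssid, bssid, channel in entries:
            print(f"{verdict}: '{ssid}' from {bssid} on channel {channel}")
```

The BSSID check catches the common case, where the twin is a different radio. A rogue AP can clone the BSSID as well, so a production wireless IDS adds channel, signal-strength and timing anomalies on top of this inventory comparison rather than trusting the MAC alone.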
3. Wireless Client's Preferred Network List (PNL) Poisoning
Whenever a wireless client device connects to an open Wi-Fi network, an entry for that network gets created and remains in the client's cache. This is known as the preferred network list, or PNL. So far, wireless clients do not automatically purge the wireless network profiles present in the PNL. This causes the wireless client device to always search for the availability of the wireless networks in its PNL and make an automatic connection as soon as a matching network is found. So an unintentional wireless connection (mis-association) is possible, causing various other applications to become active and start accessing web services. For example, an email client can start fetching emails from the email server without you actually knowing about the activity or the network through which the client has been accessing your private mailbox.
What exactly are they proposing?
The whole security community falls back on the same public key cryptography technique to solve all types of security problems, and the solution proposed by the IBM researchers is no exception. As per the solution briefly described in their post, the client should be able to receive a certificate which authenticates the SSID used by a wireless network service provider. After that, the client and AP establish a secure channel, which is then used to access the Internet. Though this is a wonderful idea and has the potential to solve the passive sniffing problem as well as the evil twin attack, it might not be able to solve the honeypot attack completely. Further, client mis-association will still remain a problem unless and until the cached profile of the open Wi-Fi network is removed from each and every wireless client device.
The solution proposed is impractical in the sense that it requires a software upgrade of wireless access points and clients. Now you may guess the number of wireless client devices being used on open Wi-Fi networks that would be required to undergo a software upgrade. Essentially, the solution proposed is a subset of WPA2/802.1X. As per the proposal, the certificate can be used to differentiate between an authorized and a rogue wireless network. If you take the inner authentication out of WPA2/PEAP, what you are left with is the same as what is being proposed by the IBM researchers. The fact of the matter is that even private enterprises have not been able to adopt this security even six years after finalization of the standard, as the biggest bottleneck is managing and maintaining certificates. Here, they are proposing a solution to one of the burning and most serious security threats to wireless networks. It would take at least a few years, if not months, to implement such a solution.
The wireless community should put effort into creating a wireless infrastructure that can be trusted like wired infrastructure. Can we achieve that without spending years solving open Wi-Fi network problems? Think!