Passive WIFI Surveillance and Access Point Hijacking

Published
December 16, 2015
Type
Info notes

Introduction

IEEE 802.11 (WIFI) is the most ubiquitous wireless networking standard nowadays. It is used for connectivity in most laptop computers, tablets, mobile phones, and other internet enabled mobile devices. Especially due to its use in mobile phones (smartphones), most people carry at least one such device with them wherever they go. Since its introduction there has been good progress in security standards used by WIFI and provided that best practices in password composition or key management are used, establishing a secure WIFI connection is easy and accessible to everyone.

However, even when networks are encrypted, some of the traffic is in the clear. This unencrypted communication carries information that has serious, easily exploitable privacy issues; furthermore, it can also be used for (automated) social engineering and technical attacks. Moreover, it can be used to trick a device to automatically connect to network access points (AP) that are under the control of an attacker, who can then use various phishing, social engineering, and man in the middle techniques to gain access to the user's private data. An attacker can perform these attacks without being in close proximity of the targeted device.

WIFI probe requests

In order to make the discovery and selection of an AP easier, a Service Set Identifier (SSID) is assigned to it, which is human-readable "name" for the network with a maximum length of 32 characters. Generally, AP devices have a unique SSID assigned to them at manufacturing time, but many users customize them for their convenience. A user who desires to connect to a network, needs to select the SSID from the list of nearby networks and provide the corresponding password to establish a secure connection.

To reduce user burden when re-connecting to known AP, devices typically cache credentials and SSIDs   and scan for nearby APs. If a known AP is discovered, the device re-connects automatically to it. Although APs periodically announce their SSID and it is possible to scan them passively, the preferred way for scanning is active scanning by the client using WIFI probe request frames. A probe request is essentially a broadcast question: "Is AP with SSID xxxx listening? Please respond". (http://www.rfwireless-world.com/Terminology/WLAN-probe-request-and-response-frame.html) These probe requests are sent out in bursts, one for every saved AP SSID, usually once every 60 seconds. Between the bursts the radio can be turned off, which saves power. Whenever an AP receives a probe request with its assigned SSID, it responds with a probe response frame and connection is initiated.

Abusing WIFI probe requests

Profiling based on leaked location information

A probe request burst contains SSIDs of all the APs that the device has been connected to in past. This information can be used to look up physical locations of these devices from online databases and other open source intelligence sources. As a result, a detailed list of physical locations the person frequents can be compiled. The SSID name itself can also hint on its purpose, home use and office use brands may have different default SSIDs or be renamed to something identifiable. (http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf)

Linking that data with publicly available sources can easily reveal the target's identity, home address, workplace, identities of family members, colleagues, acquaintances, travel habits etc. (http://blog.viraptor.info/post/your-wifi-shows-me-where-you-live-work-and-travel) Research shows that extensive networks of human relations can be compiled using mass surveillance in points where many people pass through, such as train stations or airports. This relation data can be very useful for phishing, targeted attacks, or even blackmail. There are also companies who commercially offer tracking services and customer behaviour analysis based on identification through WIFI data leaks.

Technical and social engineering attacks by rogue AP

When an AP with specially designed firmware receives a probe request for another SSID, it can reply affirmatively and send back connection information pretending to be the requested AP. In this case the client will often automatically connect to it. This allows complete interception of client traffic and various attacks based on

  • further collection of private information,
  • modifying web page contents to include fake information, malicious links or malware downloads,
  • modifying replies to DNS requests to transparently redirect user to fake versions of legitimate sites,
  • the use of specialized tools like Social Engineering Toolkit (SET) to automatic password phishing page generation for popular services (Facebook, Gmail etc.), and
  • the attempt of man in the middle attacks on encrypted communication like web pages and mail. If the certificate checking is poorly implemented or user carelessly accepts the warning, complete control over encrypted traffic is achieved.

For non-technical persons, there are cheap off the shelf devices with preconfigured tools available to achieve all of the above through a simple user interface. (https://www.wifipineapple.com/)

Conclusion and recommendations

There are reports that most recent versions of popular mobile OS (Apple iOS 9 and Android 5) do not send out probe requests for all known SSIDs anymore. It is recommended to upgrade devices to these newest versions if possible. However, hidden SSIDs are an exception - if the device has saved the connection information to a hidden SSID, it will be broadcast. Consequently, to enhance privacy, users should not make their home and work APs hidden, but leave them as defined in the factory, or change them to something unidentifiable. (http://frdgr.ch/wp-content/uploads/2015/06/Freudiger15.pdf)

However iOS versions 8 and below and Android 4 and below do broadcast SSIDs in some conditions. The simplest and most secure option of course is to manually switch off WIFI when it is not used. Finding and disabling the option to automatically connect to WIFI networks should have similar effect. There are also apps for Android in Google Play to add WIFI privacy (Wi-Fi Privacy Police, WiFi Advanced Config Editor, Llama - Location Profiles, Wi-Fi Matic - Auto WiFi On Off, etc.).

For operating systems used on laptop computers, the situation is more complicated. Different producers use many different behaviours, settings and options for WIFI. The option to not scan or automatically reconnect to known APs may not be present or may be ineffective disabling probe requests. In these cases it may be necessary to disable option to remember network for sensitive networks, to not use the device in places where monitoring is probable, and to manually switch off WIFI whenever possible.

The only certain way to determine device behaviour and its settings effectiveness is by testing it with packet scanner (https://www.kismetwireless.net/).

About “Info Notes” from ENISA

With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the “Info Notes” series (cert-relations@enisa.europa.eu).

We use cookies to ensure we give you the best browsing experience on our website. Find out more on how we use cookies and how you can change your settings.

Ok, I understand No, tell me more