Open Wifi SSID Broadcast vulnerability
0x00 Preface
A few days ago I saw @RAyH4c share an article about Wi-Fi phishing on Weibo. I thought it was good, so I translated it. This is my first translation and my English has only just passed level 4, so please forgive me if the translation is poor.
Original paper: https://www.os3.nl/_media/2012-2013/courses/ssn/open_wifi_ssid_broadcast_vulnerability.pdf
0x01 Abstract
It is common for vendors to favor a better user experience over better security. Based on this, the SNE lab conducted a study and confirmed that, to make scanning and connecting faster, some devices broadcast their saved SSIDs without any notice. This research raises configuration issues, especially for public Wi-Fi SSIDs, and exposes a security vulnerability. There are two main concerns: what the device sends out, and how that can be used.
0x02 Introduction
Recent observations show that Wi-Fi devices with active scanning enabled expose information that is of no use to the user but valuable to an attacker. The idea of this project stems from that: to gather the same information in a more effective way (less time, less effort) by designing an automated device that leverages both the active scanning (probe requests) of Wi-Fi-capable devices and their habit of connecting automatically to an open Wi-Fi access point. Clearly, a device that can sniff probe requests and automatically create a forged SSID makes it possible to scan many devices within a given period and to gauge the scope of this vulnerability. Apart from the research conclusion itself, such a device has many practical security-related uses. For example, any public entity, such as an organization or company (without any technical knowledge), could assess the security awareness of its employees from what their devices actively scan for over Wi-Fi; for high-security entities such as banks this is essential for strengthening security measures. In addition, being able to complete a security analysis without any physical contact can give better results and, needless to say, reduces the cost and delay of the work.
0x03 Background
1) Connecting the client to the access point
A key part of the process is discovering the WLAN and then connecting to it. In this process, the WLAN announces its existence by sending frames called beacons, which carry the SSID. The WLAN client then sends probe request frames to identify or connect to a better WLAN. The last two steps are authentication and association (connection). Since they are not directly related to our project, they are not described here.
2) IEEE 802.11 Beacons
Beacons let WLAN clients know which networks or access points are available in a given area. An access point broadcasts beacons periodically. Although beacons are sent regularly by access points, they also play a part in the probe, authentication and association steps when a client connects (or reconnects).
3) IEEE 802.11 Probe
For the client there are actually two ways to scan for available APs: active scanning and passive scanning (Figure 1).
Figure 1: connection process
1. Active scan: during an active scan, the client tunes its 802.11 radio to the channel to be scanned and broadcasts a probe request, then listens on that channel for probe responses from available APs with a matching SSID. How long the client waits for responses depends on the vendor, but it is usually about 10 ms. There are two kinds of probe request: the direct probe and the broadcast probe.
Direct probe: the client sends a probe request that names a specific SSID. Only an AP with the requested SSID responds (Figure 2).
Figure 2: direct probe
Broadcast probe: the client broadcasts a probe request with an empty SSID. All APs that receive it respond with the SSID they serve (Figure 3).
Figure 3: broadcast probe
2. Passive scan: during a passive scan the client still tunes its radio to the channel it wants to scan, but instead of sending a probe request it waits for the beacons broadcast by the APs that are present (Figure 4).
Figure 4: passive scan
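The frame handling described above, as an added example that is not part of the original paper or its DAP software: a small Python parser for 802.11 probe request frames. It reads the frame control field, checks for a management frame of subtype probe request, takes the transmitter address (addr2) and walks the tagged parameters to find the SSID element, treating an empty SSID as a broadcast probe and a non-empty one as a direct probe that names a saved network. The sample frames are constructed inside the block (locally administered MAC addresses, made-up SSIDs); on a real capture the same parser would be applied to the 802.11 frame that follows the radiotap header. The collect_disclosed_ssids and log_lines helpers are my own names and produce the "MAC address,SSID" lines that the capture setup in 0x04 writes to its log file.

```python
"""Parse IEEE 802.11 probe request frames and record which saved SSIDs
each device discloses. Added example; frames below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MGMT_TYPE = 0          # frame control "type" field: management frame
PROBE_REQ_SUBTYPE = 4  # management subtype: probe request
SSID_ELEMENT_ID = 0    # tagged parameter id of the SSID element
MGMT_HEADER_LEN = 24   # frame control, duration, addr1-3, sequence control


@dataclass(frozen=True)
class ProbeRequest:
    source_mac: str
    ssid: str

    @property
    def is_directed(self) -> bool:
        # Empty SSID element: broadcast probe, "any AP, answer me".
        # Non-empty: direct probe naming a saved network, which is what leaks.
        return self.ssid != ""


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Build a minimal probe request frame (constructed sample input)."""
    frame_control = bytes([(PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6                     # addr1 (receiver) and addr3 (BSSID)
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + broadcast + src_mac + broadcast + seq_ctrl
    ssid_ie = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1, 2, 5.5, 11 Mbps
    return header + ssid_ie + rates_ie


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Return the (MAC, SSID) a probe request discloses; None for other or damaged frames."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE or (fc0 >> 4) & 0xF != PROBE_REQ_SUBTYPE:
        return None
    source_mac = mac_to_str(frame[10:16])       # addr2 is the transmitting station
    pos = MGMT_HEADER_LEN
    ssid = ""
    while pos + 2 <= len(frame):                # walk the tagged parameters
        element_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                         # truncated capture: do not trust it
        if element_id == SSID_ELEMENT_ID:
            ssid = value.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return ProbeRequest(source_mac, ssid)


def collect_disclosed_ssids(frames: List[bytes]) -> Dict[str, Set[str]]:
    """Map each device MAC to the saved SSIDs it named in direct probes."""
    disclosed: Dict[str, Set[str]] = {}
    for frame in frames:
        req = parse_probe_request(frame)
        if req is None or not req.is_directed:
            continue
        disclosed.setdefault(req.source_mac, set()).add(req.ssid)
    return disclosed


def log_lines(disclosed: Dict[str, Set[str]]) -> List[str]:
    """Render the capture log: one 'mac,ssid' line per disclosed pair."""
    return sorted(f"{mac},{ssid}" for mac, ssids in disclosed.items() for ssid in ssids)


# Constructed sample capture: two devices plus one beacon that must be ignored.
DEVICE_A = bytes.fromhex("020000000001")
DEVICE_B = bytes.fromhex("020000000002")
SAMPLE_FRAMES: List[bytes] = [
    build_probe_request(DEVICE_A, b""),                   # broadcast probe, discloses nothing
    build_probe_request(DEVICE_A, b"HomeNet"),            # direct probe, names a saved network
    build_probe_request(DEVICE_B, b"HomeNet"),
    build_probe_request(DEVICE_B, b"Wi-Fi in de trein"),
    build_probe_request(DEVICE_B, b"Wi-Fi in de trein"),  # repeated every scan cycle
    bytes([0x80, 0x00]) + b"\x00" * 30,                   # beacon (subtype 8), not a probe request
]

if __name__ == "__main__":
    for line in log_lines(collect_disclosed_ssids(SAMPLE_FRAMES)):
        print(line)
```

Run as a script it prints the three log lines for the sample capture. The truncation check matters on real captures: a snaplen that cuts the SSID element would otherwise be read as an empty SSID and be miscounted as a harmless broadcast probe.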
0x04 Method
1) Detecting devices that send probe requests
1. Installation
This part captures information about all devices that send probe requests. The setup is mainly software configuration, so it can be installed on a router running a custom operating system (such as OpenWRT) or on a laptop. Once the configuration is in place, three kinds of data are captured.
The first part is network sniffing. A tcpdump process runs on a wireless interface in listening (monitor) mode and captures the traffic sent by all other devices. Its output is passed through a filter that keeps only probe requests and writes them to a log file. The file format contains only the MAC address of the device and the SSID carried in the probe request.
The second part is device identification. To identify a device, an access point is set up for the device to connect to. The DHCP server assigns each device a fixed IP address, and both the MAC address and the corresponding IP address are recorded in a file. All traffic goes through a local web server with logging enabled (here Lighttpd). Its log file contains the IP address and the UserAgent string of each HTTP request a device makes. In effect, any device that connects to this access point and opens a web page hits the local web server, which records its requests.
2. Data collection
To collect data, these devices were placed in different locations. The locations are public, but there is also user interaction: in every location, people are asked to connect to the access point so that their device type can be determined. The locations included UvA, VU, Amsterdam Central station and Schiphol airport. The sniffer is started before any device connects and is kept running for a short while after the last client has connected. This makes sure the sniffer captures the probe requests, which are sent every 60 seconds.
3. Data storage
After data collection, there are three files for each session: the probed SSIDs, the DHCP leases and the HTTP UserAgents. The files of all sessions are merged into three large files and formatted for import into a database; this project uses MySQL. Each file is imported as one table, so the data can be queried easily.
2) Detecting devices that connect to a forged AP
To learn which devices connect to a forged access point, a number of devices running different operating systems were put through the evaluation. The access point is configured with an SSID the device has previously connected to and is set up as an unprotected (open) network. When a device connects automatically, its operating system type and version are recorded.
3) Automated Spoofing
The concept of the dynamic access point is to automate collecting the SSIDs and MAC addresses from probe requests for those specific SSIDs. The next step is to automate spoofing those SSIDs to find out which of them belong to open networks: if a device connects, the SSID is an open network and the setup works.
To automate the spoofing, hardware with custom software is used. This hardware is called a dynamic access point (DAP). It adjusts the spoofing process according to its input, which can be user-defined or captured from the wireless interface. The DAP built here has two attack modes: normal mode and direct mode. In normal mode, all probe requests are collected and used to set up fake SSIDs. In direct mode, only probe requests from a specified MAC address are used. In this study, TP-LINK routers running OpenWRT were used, one device for each part of the process. The first part collects information: the device listens to the wireless traffic and filters it. For this step I wrote a piece of software. First, the wireless interface is put into listening (monitor) mode so that all packets can be captured. Then everything except probe requests is filtered out, and from those probe requests a list of SSIDs is generated. The first seven SSIDs are used for spoofing. If the system is in direct mode, only the SSIDs from the user-defined MAC address are used.
The second part is a TP-LINK router with OpenWRT set up as an access point using hostapd. Hostapd is a user-space daemon that handles client connections to the access point. The router distributes IP addresses with DHCP and provides network access. When the first router has collected enough SSID information, it generates a configuration file for the hostapd service, sends the file to the second router over ssh with the scp command, and restarts the service. After the restart, the second router acts as the access point for the supplied SSIDs.
Figure 5 basic DAP operations
0x05 Survey results
1) Detecting devices that send probe requests
The results of the experiment come in three parts. The first is a table containing the MAC address and the broadcast SSID. The DHCP lease table contains the MAC address and the corresponding IP address. The third table contains the IP address and the browser UserAgent string. Analysing this data required a number of fairly complex queries. First, the following query on table 1 gives the most popular SSIDs.
SELECT ssid, COUNT(*) AS device_count
FROM (SELECT ssid.mac, ssid.ssid
      FROM ssid
      WHERE ssid.ssid != ""
      GROUP BY ssid.mac, ssid.ssid) AS P   -- one row per (device, SSID) pair
GROUP BY ssid
ORDER BY device_count DESC;
Next, the UserAgent strings of the clients that sent probe requests are queried. The result is only used to show the operating system; see table 2.
SELECT useragent.useragent
FROM ssid, dhcp, useragent
WHERE ssid.mac = dhcp.mac
  AND dhcp.ip = useragent.ip
  AND ssid.ssid != ""
GROUP BY useragent.useragent;
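To show how the three capture files from 0x04 fit together and what the two queries above return, here is an added Python example (not the paper's own tooling) that loads constructed sample logs into an in-memory SQLite database and runs them. The tables ssid, dhcp and useragent and their column names follow the paper; the log lines, MAC addresses and UserAgent strings are constructed. Two adaptations: SQLite takes string literals in single quotes, and the inner GROUP BY is widened to (mac, ssid) so each device counts once per SSID. A third query, probing_devices_per_useragent, goes one step beyond the page and counts distinct probing devices per operating system string, which is what table 2 and figure 7 summarize.

```python
"""Merge the probe-SSID, DHCP-lease and UserAgent logs into one database
and run the analysis queries. Added example with constructed log data."""
import sqlite3
from typing import List, Tuple

# Constructed sample logs, one record per line, in the "a,b" format of the capture files.
SSID_LOG = """\
02:00:00:00:00:01,HomeNet
02:00:00:00:00:01,
02:00:00:00:00:02,HomeNet
02:00:00:00:00:02,Wi-Fi in de trein
02:00:00:00:00:03,Wi-Fi in de trein
02:00:00:00:00:03,Wi-Fi in de trein
02:00:00:00:00:04,HomeNet
"""
DHCP_LOG = """\
02:00:00:00:00:01,10.0.0.11
02:00:00:00:00:02,10.0.0.12
02:00:00:00:00:03,10.0.0.13
"""
UA_LOG = """\
10.0.0.11,Mozilla/5.0 (Linux; Android 4.1)
10.0.0.12,Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
10.0.0.13,Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
"""

# Most popular SSIDs: each device counted once per SSID it probed for.
POPULAR_SSIDS = """
SELECT ssid, COUNT(*) AS device_count
FROM (SELECT ssid.mac, ssid.ssid FROM ssid
      WHERE ssid.ssid != '' GROUP BY ssid.mac, ssid.ssid) AS P
GROUP BY ssid ORDER BY device_count DESC, ssid
"""

# UserAgent strings of clients that sent a direct probe and later connected.
PROBING_USERAGENTS = """
SELECT useragent.useragent FROM ssid, dhcp, useragent
WHERE ssid.mac = dhcp.mac AND dhcp.ip = useragent.ip AND ssid.ssid != ''
GROUP BY useragent.useragent ORDER BY useragent.useragent
"""

# Beyond the paper: how many distinct probing devices sit behind each UserAgent.
DEVICES_PER_USERAGENT = """
SELECT useragent.useragent, COUNT(DISTINCT ssid.mac) AS devices
FROM ssid, dhcp, useragent
WHERE ssid.mac = dhcp.mac AND dhcp.ip = useragent.ip AND ssid.ssid != ''
GROUP BY useragent.useragent ORDER BY devices DESC, useragent.useragent
"""


def parse_csv(text: str) -> List[Tuple[str, str]]:
    """Split each log line at its first comma so UserAgents keep any later commas."""
    rows: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first, _, rest = line.partition(",")
        rows.append((first, rest))
    return rows


def load_database(ssid_log: str = SSID_LOG, dhcp_log: str = DHCP_LOG,
                  ua_log: str = UA_LOG) -> sqlite3.Connection:
    """Create the three tables and import one log file into each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ssid (mac TEXT, ssid TEXT);
        CREATE TABLE dhcp (mac TEXT, ip TEXT);
        CREATE TABLE useragent (ip TEXT, useragent TEXT);
    """)
    conn.executemany("INSERT INTO ssid VALUES (?, ?)", parse_csv(ssid_log))
    conn.executemany("INSERT INTO dhcp VALUES (?, ?)", parse_csv(dhcp_log))
    conn.executemany("INSERT INTO useragent VALUES (?, ?)", parse_csv(ua_log))
    conn.commit()
    return conn


def popular_ssids(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    return conn.execute(POPULAR_SSIDS).fetchall()


def probing_useragents(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute(PROBING_USERAGENTS)]


def probing_devices_per_useragent(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    return conn.execute(DEVICES_PER_USERAGENT).fetchall()


if __name__ == "__main__":
    db = load_database()
    print(popular_ssids(db))
    print(probing_useragents(db))
    print(probing_devices_per_useragent(db))
```

Note that device 02:00:00:00:00:04 probes for HomeNet but never took a DHCP lease, so it counts in the popular-SSID table but drops out of the UserAgent join: the second query only describes devices that both probed and then connected and browsed.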
2) Detecting devices that connect to forged access points
In part 2, many devices connected to the malicious access point. The operating system types and versions that connected are listed in table 3.
This data also reflects how many devices are affected in terms of market share, shown in figure 7.
3) Automated SSID spoofing
Several things were observed once the dynamic access point started working. First, it takes about 30 seconds to boot the device. Once it is running, it serves the basic SSID very well. When the device is in spoofing mode, it takes 10 seconds for the hostapd process to restart and load the updated SSID list before the spoofed SSIDs work. While the device is running, it is obvious that devices connect automatically to the forged SSIDs. Only a small number of devices were tested, but all of them connected.
0x06 Conclusion
According to the collected data, a large share of Android, iOS and BlackBerry devices send probe requests. Because these devices hold a large market share, many devices are at risk. In addition, the automated spoofing process has been shown to be effective, and devices are easily tricked into connecting to the forged AP, which is a problem. This proves that some devices rely solely on the SSID to connect to an AP, and that SSID is stored on the device.
0x07
More research on this topic could improve the reliability of the known market share of devices that send probe requests. This study did not examine every device, so the number is higher than we know. In addition, not all devices run the default operating system, and custom ROMs may ship different wireless stacks. Some vendors may have changed the wireless stack as well, so more detail is needed in this area to make the scope of the problem more precise.
Since a device connects based on the SSID alone, it is also worth looking at how access points are remembered. For example, devices should never remember insecure (open) networks; that makes spoofing more complex. Another option is to record the BSSID of a known AP along with its SSID. This also makes spoofing harder, because the spoofed AP then needs to know the BSSID (the AP's MAC address) as well, and the BSSID is not exposed in probe requests and is not easy to guess.
More research would show which strategies are good, and vendors should keep to them. And since the problem already exists, the necessity of sending probe requests should be studied further: unless they are necessary, they should not be used.
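The client-side mitigations just described, as an added example that is not from the paper: a small Python policy module for the saved-network list of a Wi-Fi stack. remember_network refuses to store an open network, may_auto_join requires the SSID, the recorded BSSID and the security type to all match before a device joins without asking, and directed_probe_targets limits probe requests that name an SSID to hidden networks only. The class and function names and the security labels ("open", "wpa2-psk", "wpa2-eap") are assumptions made for the example, and the MAC addresses come from the IANA documentation range.

```python
"""Auto-join policy for a client's saved networks: no open networks are
remembered, and a saved network is bound to its BSSID and security type.
Added example; names and security labels are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

OPEN = "open"


@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    bssid: str            # AP MAC address recorded at the first successful association
    security: str         # "open", "wpa2-psk", "wpa2-eap", ... (assumed labels)
    hidden: bool = False  # only hidden networks justify a direct probe


@dataclass(frozen=True)
class SeenAccessPoint:
    ssid: str
    bssid: str
    security: str


def remember_network(ssid: str, bssid: str, security: str,
                     hidden: bool = False) -> Optional[SavedNetwork]:
    """Store a profile, except for open networks: a profile that can be
    satisfied by SSID alone is exactly what a forged AP needs."""
    if security == OPEN:
        return None
    return SavedNetwork(ssid, bssid.lower(), security, hidden)


def may_auto_join(saved: SavedNetwork, seen: SeenAccessPoint) -> bool:
    """Join silently only when SSID, BSSID and security type all match.
    A matching SSID on a different BSSID, or a downgrade to open, is refused."""
    return (seen.ssid == saved.ssid
            and seen.bssid.lower() == saved.bssid
            and seen.security == saved.security)


def directed_probe_targets(saved: Iterable[SavedNetwork]) -> List[str]:
    """SSIDs that still need a direct probe: hidden networks do not beacon
    their name, every other saved network is found passively from beacons."""
    return [network.ssid for network in saved if network.hidden]


def choose_network(saved: Iterable[SavedNetwork],
                   seen: Iterable[SeenAccessPoint]) -> Optional[SeenAccessPoint]:
    """Pick the first visible AP that some saved profile permits auto-joining."""
    profiles = list(saved)
    for ap in seen:
        for profile in profiles:
            if may_auto_join(profile, ap):
                return ap
    return None


if __name__ == "__main__":
    # Constructed scenario: a genuine home AP next to a forged open AP using the same SSID.
    home = remember_network("HomeNet", "00:00:5E:00:53:01", "wpa2-psk")
    office = remember_network("Office", "00:00:5e:00:53:02", "wpa2-eap", hidden=True)
    genuine = SeenAccessPoint("HomeNet", "00:00:5e:00:53:01", "wpa2-psk")
    forged = SeenAccessPoint("HomeNet", "02:00:00:00:00:99", OPEN)
    print("auto-join candidate:", choose_network([home, office], [forged, genuine]))
    print("direct probes only for:", directed_probe_targets([home, office]))
```

With these rules a forged AP that only copies an SSID collected from probe requests never qualifies: it has neither the recorded BSSID nor the saved security type, and the SSIDs it could have learned from direct probes shrink to the hidden networks.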
In the future, more advanced techniques could be used to increase the rate at which devices connect to the DAP. SSIDs could be tagged with a higher priority than others, and each successful connection would raise the priority of the affected SSID. Each SSID has a frequency attribute, meaning the DAP should try to predict, from the tags just mentioned, which SSID is most likely to succeed.