Slashdot Mirror
'Evil Twin' Threat to Wireless Security
BarryNorton writes "The BBC are currently reporting on research from Cranfield University on the ability of unscrupulous third parties to spoof wireless networking clients into believing they are connected to a 'valid base station' and compromising their passwords for Internet banking etc. Of course the rest of the connection through the Internet, even from a trusted router, is insecure in any case and such sites should be using end-to-end security like SSL. Is there, therefore, anything (other than the cute name 'evil twin') to this story?"
...which you can do if you own any popular router anyway, which is why SSL includes various things that make man in the middle ineffective.
The interviewee seemed to be doing his best to simplify the concepts involved, but it sounded as if he were focused on the problem of the initial authentication. For example, the User goes to a public place like a cafe that has a pay-as-you-go model, e.g. he pays a certain amount per minute; such places often require a credit card to initiate the session. (Some business centers in hotels work this way for Internet access.)
If the user sits down at WiFi-R-Us to check his mail, he will have to enter a credit card number. However, there might be a 'rogue' WAP in the area configured to look legitimate, e.g. Wi-Fi-Are-Us, complete with ripped HTML, etc. to make the authentication page look legitimate. (See 'Phishing 101'). The user then enters his information on what he thinks is the proper authentication server.
It's an interesting issue, and I was glad to see it getting some broad[er] exposure.
I want to drag this out as long as possible. Bring me my protractor.
Shouldn't people already be doing this?
Yes, but I think that Windows XP, when looking for a WAP, is pretty indiscriminant. I seem to remember setting up a linksys wireless router for a friend, changing all the defaults, using the encryption keys. Then one day when his laptop couldn't find the network, it just went to the next available network, an insecure WAP that was his neighbour's.
"Now gluttony and exploitation serves eight!" - TV's Frank
I don't know the exact technical details but I believe the process goes something like this:
Client: I want to make an HTTPS connection to your server www.bankofslashdot.org. Get the ball rolling by sending me your public key.
Server: Here it is. [String of several hundred binary digits follow]
Client: (Examines key) Ok, it's signed by Verisign, and it applies to www.bankofslashdot.org, the site I'm trying to connect to. Sounds good to me. Can you give me a session key I can use to encrypt information I send you?
Server: Here's the session key you're going to use, signed by my private key, which you can verify using the public key I just gave you
Client: (Encrypted) looks good, here's the session key you can use to send me information.
(In general RSA encryption is used. RSA is dual purpose, it can be used to sign information and to encrypt it. RSA keys have a public element and a private element. The public element can be used to encrypt information and verify signatures, but cannot be used to derive the private key. How does it work? Products of two very big prime numbers, don't ask me more than that 'cos I seriously don't know.)
A "man in the middle" would have a little bit of difficulty, as there's no way they could sign the session key they send to the client because that session key can only be signed if you have access to the private key, which they don't have.
If the key is invalid, or there isn't one signed by an authority to begin with (they're not compulsory), then browsers usually warn users.
The best I can think of is that you try to redirect a user to the wrong site. For example, the "Log in" button on http://www.bankofslashdot.org could redirect to https://www.blankofslashdot.org, though doing so would potentially expose the attacker as you have to prove you're real and you're the owner of the domain to most authorities to get a certificate for your key.
Anyone spotting obvious errors or wanting to fill in gaps in my explanation is most welcome to do so.
You are not alone. This is not normal. None of this is normal.
Keys and certificates have nothing to do with DNS, they're actually there to confirm that you really are connecting to a specific machine, not just a machine with the right IP address.
You are not alone. This is not normal. None of this is normal.
Perhaps you should read WEP: Dead Again, Part 1. It compares various WEP cracking tools to see how fast they can crack WEP keys with varying amounts of packets. While the popular AirSnort usually needs over 10 million encrypted packets to crack a WEP key, aircrack usually needs around 500,000. That's the difference between being able to gather enough packets in a day versus a week or more.
Army of One!
The technique used in the article talks about jamming the legitimate AP to hijack the client connections. The real trick would be to figure out a way to forward the hijacked connections back to the real AP.
Army of One!
I don't think SSL uses RSA for encryption exactly: it uses RSA "encryption" to securely send a key from the server to the client; a symmetric key cipher (like Blowfish or AES) is then used to send the actual data back and forth. (Symmetric key ciphers are much faster than asymmetric ciphers.) i.e. public key cryptography is only used in the "negotiation" stage.
Well, the idea is the following:
The product of two primes has exactly the same information as the two primes themselves (there's exactly one way to factorize a number into primes). However while going from the two primes to the product is trivial (just multiply them), doing the reverse is actually hard.
Now RSA relies on a reversible transformation, where for encryption, you just can use the product directly, but for decryption you need the two primes separately. So if you send someone the product, he can easily encrypt a message with that key, but he cannot decrypt even the message he just encrypted, because to do so he would need to factorize the product, which is hard.
So essentially the public key in principle contains all the information to decrypt (otherwise it could not be used for encryption), but in a form where it is practically useless for decryption (because you just can't get at the necessary information in reasonable time).
The Tao of math: The numbers you can count are not the real numbers.
SSL POP
If youur ISP does not provide it, get a better ISP.
Mind you, explaining this to my parents would be a long and fruitless excercise.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
No, read the explanation again. The MitM can pass on the certificate but they can't sign the session key with that certificate's private key 'cos they don't have it.
You are not alone. This is not normal. None of this is normal.
You can't "fool" a certificate. The entire system is designed to check that the site claiming to be "www.bankofslashdot.org" really is "www.bankofslashdot.org". This is done not by checking IP addresses, but by ensuring that the site you're connecting to (a) has a signed certificate and (b) knows the private key part of that certificate.
If an attacker merely redirects browsers to a different web site, they'd still need the private part of that certificate, which is something they will not have. Why is that important? Because without the private part of the certificate, the spoof site cannot sign anything which means the browser will realise the site is fake immediately.
If an attacker tries to create a bogus certificate, for which they have the private part, they'll have problems getting it signed by any of the authorities whose keys are stored in every modern browser. (Want a list? Get Firefox [I don't have IE here so can't give the instructions for IE], check Preferences, Advanced, Certificates, Manage Certificates, Authorities.)
Unless the certificate is signed by an authority known to the browser, the browser will issue a warning, and while the average user might click through for unsigned certificates for "pr0n.net" or "fredsdiscountshop.com", they're sure as damn it not going to for their online banking. Indeed, in the latter case, the browser itself may actively prevent them from connecting if they've been to the site before and it had a legitimate, signed, certificate at that point.
There's no fooling the certificate. The certificate DOES NOT USE DNS. It associates a hostname with the certificate, but the entire point is to make sure that the machine that ultimately is connected to is the real thing, and the real thing could have any IP address.
You're saying, essentially, that the certificate system would be fooled by the very thing it was designed to prevent. It isn't. One of the primary reasons of designing it this way was to prevent this kind of attack. Otherwise, why store all the certs in a browser? It'd involve a hell of a lot less administration if we could just download the certificates automatically as we need them.
You are not alone. This is not normal. None of this is normal.