Slashdot Mirror


'Evil Twin' Threat to Wireless Security

BarryNorton writes "The BBC are currently reporting on research from Cranfield University on the ability of unscrupulous third parties to spoof wireless networking clients into believing they are connected to a 'valid base station' and compromising their passwords for Internet banking etc. Of course the rest of the connection through the Internet, even from a trusted router, is insecure in any case and such sites should be using end-to-end security like SSL. Is there, therefore, anything (other than the cute name 'evil twin') to this story?"

35 of 222 comments

  1. Yes by lachlan76 · · Score: 2, Insightful

    Is there, therefore, anything (other than the cute name 'evil twin') to this story?

    Yes. If they control the gateway they now have the capability to perform a man-in-the-middle attack.

    1. Re:Yes by keesh · · Score: 2, Informative

      ...which you can do if you own any popular router anyway, which is why SSL includes various things that make man in the middle ineffective.

    2. Re:Yes by lachlan76 · · Score: 4, Funny

      If you check carefully, you'll find out that your password has been sniffed, your box 0wn3d, and you have actually been connecting to 127.0.0.1 ;)

    3. Re:Yes by lachlan76 · · Score: 2

      Because no-one has ever managed to get legit certificates in the name of a major company? Right?!

    4. Re:Yes by Delirium+Tremens · · Score: 2, Insightful

      It is actually easy once you also spoof the DNS servers -- which is a piece of cake when you already own the gateway and the DHCP server.

    5. Re:Yes by squiggleslash · · Score: 5, Informative
      Regular HTTPS (the usual SSL) includes a system of signed keys as part of the passing on of session keys that apply to specific host names. The signatures for those keys are signed by a small number of authorities whose credentials are usually built into the browser you're using - IE, Firefox/Mozilla, Opera, et al, come with these authority keys pre-loaded.

      I don't know the exact technical details but I believe the process goes something like this:

      Client: I want to make an HTTPS connection to your server www.bankofslashdot.org. Get the ball rolling by sending me your public key.
      Server: Here it is. [String of several hundred binary digits follow]
      Client: (Examines key) Ok, it's signed by Verisign, and it applies to www.bankofslashdot.org, the site I'm trying to connect to. Sounds good to me. Can you give me a session key I can use to encrypt information I send you?
      Server: Here's the session key you're going to use, signed by my private key, which you can verify using the public key I just gave you
      Client: (Encrypted) looks good, here's the session key you can use to send me information.

      ....

      (In general RSA encryption is used. RSA is dual purpose, it can be used to sign information and to encrypt it. RSA keys have a public element and a private element. The public element can be used to encrypt information and verify signatures, but cannot be used to derive the private key. How does it work? Products of two very big prime numbers, don't ask me more than that 'cos I seriously don't know.)

      A "man in the middle" would have a little bit of difficulty, as there's no way they could sign the session key they send to the client because that session key can only be signed if you have access to the private key, which they don't have.

      If the key is invalid, or there isn't one signed by an authority to begin with (they're not compulsory), then browsers usually warn users.

      The best I can think of is that you try to redirect a user to the wrong site. For example, the "Log in" button on http://www.bankofslashdot.org could redirect to https://www.blankofslashdot.org, though doing so would potentially expose the attacker as you have to prove you're real and you're the owner of the domain to most authorities to get a certificate for your key.

      Anyone spotting obvious errors or wanting to fill in gaps in my explanation is most welcome to do so.

      --
      You are not alone. This is not normal. None of this is normal.
    6. Re:Yes by squiggleslash · · Score: 4, Informative
      No it isn't. DNS allows you to redirect the browser to look at a different IP address, but it doesn't give you access to a key you can use to tell a browser that "you really are connecting to "www.bankofslashdot.org" and Entrust/Verisign/etc have signed my key to say so."

      Keys and certificates have nothing to do with DNS, they're actually there to confirm that you really are connecting to a specific machine, not just a machine with the right IP address.

      --
      You are not alone. This is not normal. None of this is normal.
    7. Re:Yes by mjs · · Score: 2, Informative

      I don't think SSL uses RSA for encryption exactly: it uses RSA "encryption" to securely send a key from the server to the client; a symmetric key cipher (like Blowfish or AES) is then used to send the actual data back and forth. (Symmetric key ciphers are much faster than asymmetric ciphers.) i.e. public key cryptography is only used in the "negotiation" stage.

    8. Re:Yes by maxwell+demon · · Score: 3, Informative
      How does it work? Products of two very big prime numbers, don't ask me more than that 'cos I seriously don't know.

      Well, the idea is the following:

      The product of two primes has exactly the same information as the two primes themselves (there's exactly one way to factorize a number into primes). However while going from the two primes to the product is trivial (just multiply them), doing the reverse is actually hard.

      Now RSA relies on a reversible transformation, where for encryption, you just can use the product directly, but for decryption you need the two primes separately. So if you send someone the product, he can easily encrypt a message with that key, but he cannot decrypt even the message he just encrypted, because to do so he would need to factorize the product, which is hard.

      So essentially the public key in principle contains all the information to decrypt (otherwise it could not be used for encryption), but in a form where it is practically useless for decryption (because you just can't get at the necessary information in reasonable time).
      --
      The Tao of math: The numbers you can count are not the real numbers.
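      The following is an added worked example, not posted by anyone in this thread, that ties together squiggleslash's handshake sketch (signed certificate, session key signed with the server's private key) and maxwell demon's point that the public part of an RSA key cannot do the private part's job. It is textbook RSA with constructed toy primes and a made-up certificate format, and the hostname www.bankofslashdot.org is the thread's own fictional bank.

```python
from math import gcd
import hashlib

def keygen(p, q, e=65537):
    """Textbook RSA: public part (n, e), private part (n, d).
    d can only be computed from phi(n), i.e. from the two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    while gcd(e, phi) != 1:    # make sure e is usable with this modulus
        e += 2
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def _digest(msg, n):
    # hash the message and reduce it into the modulus range before signing
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

def cert_bytes(cert):
    # canonical bytes of a minimal "certificate": a hostname bound to a public key
    host, (n, e) = cert["host"], cert["pub"]
    return f"{host}|{n}|{e}".encode()

def client_check(ca_pub, expected_host, cert, ca_sig, session_key, key_sig):
    """The browser's side of the exchange, simplified: CA signature,
    hostname match, then the server's signature over the session key."""
    if not verify(ca_pub, cert_bytes(cert), ca_sig):
        return "untrusted certificate"
    if cert["host"] != expected_host:
        return "hostname mismatch"
    if not verify(cert["pub"], session_key, key_sig):
        return "bad signature on session key"
    return "ok"

# Constructed toy key pairs (tiny primes, illustration only; real keys are far larger).
CA_PUB, CA_PRIV = keygen(2147483647, 4294967291)     # "authority" key built into the browser
BANK_PUB, BANK_PRIV = keygen(1000000007, 998244353)  # the real site's key
EVIL_PUB, EVIL_PRIV = keygen(1000000009, 999999937)  # the evil twin's own key
HOST = "www.bankofslashdot.org"
BANK_CERT = {"host": HOST, "pub": BANK_PUB}
BANK_CERT_SIG = sign(CA_PRIV, cert_bytes(BANK_CERT))   # issued once by the CA

def run_scenarios():
    key = b"constructed-session-key"
    r = {}
    # 1. Honest server: certificate chains to the CA, key signed with the bank's private key.
    r["honest"] = client_check(CA_PUB, HOST, BANK_CERT, BANK_CERT_SIG, key, sign(BANK_PRIV, key))
    # 2. Man in the middle relays the genuine certificate, but can only sign the
    #    session key with a private key it actually holds, which is not the bank's.
    r["relay_cert"] = client_check(CA_PUB, HOST, BANK_CERT, BANK_CERT_SIG, key, sign(EVIL_PRIV, key))
    # 3. Man in the middle forges a certificate for the bank's hostname around its own
    #    key pair; it can self-sign it, but the browser checks against the CA's key.
    fake = {"host": HOST, "pub": EVIL_PUB}
    r["forged_cert"] = client_check(CA_PUB, HOST, fake, sign(EVIL_PRIV, cert_bytes(fake)), key, sign(EVIL_PRIV, key))
    # 4. The public part encrypts but cannot undo its own encryption; only d (from the primes) can.
    m = 123456789
    r["roundtrip"] = decrypt(BANK_PRIV, encrypt(BANK_PUB, m)) == m
    r["pub_cannot_decrypt"] = decrypt(BANK_PUB, encrypt(BANK_PUB, m)) == m
    return r
```

      Calling `run_scenarios()` returns "ok" only for the honest case; the two evil-twin cases fail at the signature checks, and the public key alone does not recover the plaintext.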
    9. Re:Yes by Allen+Zadr · · Score: 4, Insightful
      Not even necessary...

      Open web browser (usually defaults to google or MSN).
      418 Connection Refused; Your <link...>router is having an encryption problem. Click <link...>router for more information.
      User clicks on link, which installs Certificate Authority (with the requisite warnings). Seems simple to most users. There's an error about Wireless Encryption - and it wants to install a certificate. Since the user wasn't trying to hit a secure site at the time, it doesn't seem as immediately suspicious.

      No, the "one percent"ers around here know the diff between a Cert and a C.A. But the other 99% don't. Hopefully, by the time they hit their online banking - they will have forgotten about the previous "router issue".

      As usual, a small shaking of social engineering into a technical issue can turn a seemingly trivial security issue into a very real security issue.

      --
      Kinetic stupidity has a new brand leader: Allen Zadr.
    10. Re:Yes by squiggleslash · · Score: 3, Informative

      No, read the explanation again. The MitM can pass on the certificate but they can't sign the session key with that certificate's private key 'cos they don't have it.

      --
      You are not alone. This is not normal. None of this is normal.
  2. Be careful by drivinghighway61 · · Score: 5, Insightful

    So, in other words, be careful when you connect to an unfamiliar access point? Shouldn't people already be doing this? This is about the same parallel as "Don't take candy from strangers."

    1. Re:Be careful by It+doesn't+come+easy · · Score: 3, Interesting
      Actually, ANY access point is risky unless you run it yourself (after all, it's a well known fact that all sys admins are voyeurs of the worst sort)

      Seriously, anytime there is a man-in-the-middle, you have the potential of a man-in-the-middle attack. Imagine if you will a surveillance of an individual suspected of being involved in some nefarious political scheme. The individual is known to frequent his local Starbucks in the morning to have a cup of coffee and check his email, stocks, personal chat rooms, etc. A wiretap could watch his every move and he would never know.

      Bottom line, never forget there is NO privacy on the unencrypted internet.

      --
      The NSA: The only part of the US government that actually listens.
    2. Re:Be careful by peter_gzowski · · Score: 2, Informative

      Shouldn't people already be doing this?

      Yes, but I think that Windows XP, when looking for a WAP, is pretty indiscriminate. I seem to remember setting up a Linksys wireless router for a friend, changing all the defaults, using the encryption keys. Then one day when his laptop couldn't find the network, it just went to the next available network, an insecure WAP that was his neighbour's.

      --
      "Now gluttony and exploitation serves eight!" - TV's Frank
    3. Re:Be careful by CmdrGravy · · Score: 2, Interesting

      My Dad just bought a wireless kit for his Windows PC and laptop and a few days ago he noticed that even though he had turned off the base station a laptop he was repairing for someone was still somehow accessing the Internet.

      It turns out one of our neighbours is running a totally unsecured wireless system, we can access their wireless router setup page and because they haven't bothered changing the password can muck about with it as much as we like.

  3. Airjack by Megor1 · · Score: 4, Interesting

    http://sourceforge.net/projects/airjack/

    All you need

    --
    Everyone that disagrees with me is a paid shill
  4. Seems improbable in practice by wildBoar · · Score: 2, Interesting

    That was my first thought. To properly spoof all the sites so a user is fooled.

    But I suppose key sites you want to capture are all that are required and the rest can be passed through.

    So who wants to get one of these going :-)

  5. Expected? by Aurix · · Score: 3, Interesting

    You can never trust what you're connecting to... It's the age old problem, you're asking for anything you get without performing proper encryption between both links.

    Seriously, the only time this problem is going to be fixed is when it's EASY to perform encryption. Where's the easy support for GPG in email clients? SSL in web browsers was certainly a step in the right direction, but what about IM services, email, ftp? Most hosting companies (afaik) don't provide for secure ftp...

  6. Email interception by rednip · · Score: 4, Interesting

    I think that email interception is the real hole here, rather than depending on insecure websites. If you can see at which sites a person does secure transactions, you can use the 'email password' functionality to send that user an unencrypted email containing the password or reset link. That email would be easily read by a packet sniffer. Of course the victim would have to have their email client get the email, but email is the first thing that most people check. Sure the victim would get the password reset email, but most would believe that it is just a glitch.

    --
    The force that blew the Big Bang continues to accelerate.
    1. Re:Email interception by EasyTarget · · Score: 2, Informative

      SSL POP
      If your ISP does not provide it, get a better ISP.

      Mind you, explaining this to my parents would be a long and fruitless exercise.

      --
      "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  7. Details??? by CommanderData · · Score: 2, Interesting

    TFA has no info on how this is being done. Are the "Cybercriminals" using a regular computer with a wireless card and wired network bridged, forwarding packets and saving a copy for themselves, or are they using a WRT54G with rewritten firmware (OpenWRT?) to capture packets? Why go through all the trouble when you can park your butt down in the coffee shop with your laptop and latte and sniff everyone directly?

    Also it would seem to me that the "evil twin" method would only work with unsecured access points, unless you know the WEP key for the secured access point you are trying to dupe. Anyone trying to connect to their favorite secured AP with their default WEP key would fail to connect to an "evil twin" unless it had the matching WEP key...

    --
    Urge to post... fading... fading... RISING!... fading... fading... gone.
    1. Re:Details??? by armypuke · · Score: 3, Informative

      Perhaps you should read WEP: Dead Again, Part 1. It compares various WEP cracking tools to see how fast they can crack WEP keys with varying amounts of packets. While the popular AirSnort usually needs over 10 million encrypted packets to crack a WEP key, aircrack usually needs around 500,000. That's the difference between being able to gather enough packets in a day versus a week or more.

      --
      Army of One!
  8. It's been said before by Baorc · · Score: 3, Interesting

    and I'll say it again, the average person (not average slashdot person) wants things fast and easy. So anything requiring the least effort is the best route for them. And for some people, that is doing banking on a wireless connection without proper encryption. Of course, this is just one of the many problems that exist with doing online banking without taking precautions or cleaning your cookies afterwards. As long as these settings are not done by default for such interactions, there will always be some people to steal from. Quite easily too might I add.

  9. This article misses the point.... by Ajmuller · · Score: 4, Insightful

    The security lapse isn't with bad software, it's with bad policy and hapless users. If you connect to a fraudulent base station, then you can intercept banking passwords even with connections that use end-to-end encryption. Why, and why isn't this protected? Simple. If you connect to a website, even the most secure site in the world using SSL, and there is something wrong with the SSL certificate, you will be presented with a dialog asking you if you want to accept the certificate. 99% of people blindly click yes, because clicking no means that it "won't work" and clicking yes means it "will work". So to the average user there is no downside to clicking yes and a large downside to clicking no. Enough with the psychology though. Once you have clicked yes on this dialog the entire chain of communication is now suspect. You cannot be sure that there is not someone sniffing your connection. Even if you check the certificate and everything looks OK (sane information in text fields) you still can't be sure that it's valid unless you compare the signature of the SSL certificate with a known-good one. So, the real danger here lies in unsigned SSL certificates and hapless users. This type of attack is just as easy to orchestrate (if not easier) by associating with any wireless access point and spoofing DNS, or even on a wired network.

  10. Virtual Private Network by CypherXero · · Score: 2, Interesting

    This is exactly the reason why VPN was created, for situations like this. Just create a secure tunnel across the internet, and they can't sniff your data.

  11. Heard this on BBC World Update this morning by sczimme · · Score: 4, Informative

    The interviewee seemed to be doing his best to simplify the concepts involved, but it sounded as if he were focused on the problem of the initial authentication. For example, the User goes to a public place like a cafe that has a pay-as-you-go model, e.g. he pays a certain amount per minute; such places often require a credit card to initiate the session. (Some business centers in hotels work this way for Internet access.)

    If the user sits down at WiFi-R-Us to check his mail, he will have to enter a credit card number. However, there might be a 'rogue' WAP in the area configured to look legitimate, e.g. Wi-Fi-Are-Us, complete with ripped HTML, etc. to make the authentication page look legitimate. (See 'Phishing 101'). The user then enters his information on what he thinks is the proper authentication server.

    It's an interesting issue, and I was glad to see it getting some broad[er] exposure.

    --
    I want to drag this out as long as possible. Bring me my protractor.
    1. Re:Heard this on BBC World Update this morning by akadruid · · Score: 2, Interesting

      Not only that, but many places work on a large scale subscription model, so you deposit your CC details with BT or T-Mobile, and then log on at any one of dozens of places.

      So the phisher has an account for wireless network and internet access, and you're paying for it. The phisher then has lots of bandwidth and information to do various other illegal things, with your money and your liability carrying the can for them.

      --
      "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
  12. Routers by armypuke · · Score: 2, Informative
    Adding your own hardware to a network to hijack network connections is not new. BlackHat Briefings has a good presentation on fun things you can do with routers. Some of the more interesting techniques require that you have physical access so that you can add your own router to the network. Your router can then be used to hijack HSRP and other things. I almost came to the conclusion that a wireless AP is easier to hide, but it still needs to plug in to a network somewhere.

    The technique used in the article talks about jamming the legitimate AP to hijack the client connections. The real trick would be to figure out a way to forward the hijacked connections back to the real AP.

    --
    Army of One!
  13. Re:I'm teaching a computer class this year... by michaelggreer · · Score: 2, Interesting

    It is not unreasonable to base trust on a brand name. That is indeed the purpose of the brand: otherwise we would have to sort through bins of goods and analyze them carefully with each and every purchase. Which we do sometimes (with fruit), but not with everything. We just don't have time for that and in purchases over the internet, it is impossible. Collective opinion (including websites) is often the basis for this trust. The only thing you can ask of people is that they ask around sufficiently before forming trust.

    Your issue, I think, is actually that people think something is a brand because it has the logo on it. That is, they are too trusting of the logo itself not being counterfeit. I don't know what we should do about that. SSL can tell us that a website is who it says it is, but it can't verify the correctness of a logo or claimed corporate identity.

  14. Linux bad guys by streepje · · Score: 2, Funny

    I watched the piece on BBC TV news this morning.

    Guy sits down, opens his laptop, starts a Microsoft OS, opens IE and calls up his bank's homepage.

    Other guy comes in, sits down, opens his laptop. He's running Linux!
    Really, Linux on a BBC news piece, wow!

    But then he starts evil twinning the Microsoft guy's wifi link. He's the Linux bad guy. :-(

    Nice one BBC.

  15. Re:The real threat... by BrakesForElves · · Score: 2, Insightful

    Well of course you're dead on about slashdot readers. But what about the kid who makes one extra click to surf the new, secure https://disney.com in the morning, whose dad surfs his bank that evening? Hell, with 80% of the wireless routers in residences running default SSIDs and no WEP or WAP, one could even launch this attack on a stationary target, where the likelihood of eventual compromise over a period of hours or days would approach certainty. Good luck associating that cause and effect!

    --
    About the word "if": If bullfrogs had wings, they wouldn't bounce around on their little green butts.
  16. Now hold the phone... by EvilTwinSkippy · · Score: 2, Funny
    I object to this being called an "Evil Twin" attack.

    I prefer the term "Imposter Gateway." (Cough)

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  17. Re:Oh yes it is by squiggleslash · · Score: 2, Informative
    Can I suggest you reread the explanation I posted? I'm really not sure what you're trying to say except to say that what you're saying doesn't make any sense.

    You can't "fool" a certificate. The entire system is designed to check that the site claiming to be "www.bankofslashdot.org" really is "www.bankofslashdot.org". This is done not by checking IP addresses, but by ensuring that the site you're connecting to (a) has a signed certificate and (b) knows the private key part of that certificate.

    If an attacker merely redirects browsers to a different web site, they'd still need the private part of that certificate, which is something they will not have. Why is that important? Because without the private part of the certificate, the spoof site cannot sign anything which means the browser will realise the site is fake immediately.

    If an attacker tries to create a bogus certificate, for which they have the private part, they'll have problems getting it signed by any of the authorities whose keys are stored in every modern browser. (Want a list? Get Firefox [I don't have IE here so can't give the instructions for IE], check Preferences, Advanced, Certificates, Manage Certificates, Authorities.)

    Unless the certificate is signed by an authority known to the browser, the browser will issue a warning, and while the average user might click through for unsigned certificates for "pr0n.net" or "fredsdiscountshop.com", they're sure as damn it not going to for their online banking. Indeed, in the latter case, the browser itself may actively prevent them from connecting if they've been to the site before and it had a legitimate, signed, certificate at that point.

    There's no fooling the certificate. The certificate DOES NOT USE DNS. It associates a hostname with the certificate, but the entire point is to make sure that the machine that ultimately is connected to is the real thing, and the real thing could have any IP address.

    You're saying, essentially, that the certificate system would be fooled by the very thing it was designed to prevent. It isn't. One of the primary reasons of designing it this way was to prevent this kind of attack. Otherwise, why store all the certs in a browser? It'd involve a hell of a lot less administration if we could just download the certificates automatically as we need them.

    --
    You are not alone. This is not normal. None of this is normal.
  18. cat intercepted-passwords.txt by daveewart · · Score: 2, Funny
    When they showed this story, the 'attacker' was a BBC-stereotypical geek running some Linux-like OS. There was a close-up of him typing
    cat intercepted-passwords.txt
    in an xterm. "Ooh, *command-line*. That's evil!"
    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
  19. Access Points with teeth by dongkiru · · Score: 2, Interesting

    There's a small SF Bay Area startup that makes specialized wireless access points. You set up a network of the access points. The access points know about all other access points that *should* be there. When it detects another access point that is acting like an "evil twin," the network of access points can not only locate the evil AP to within a few meters, but also DoS it with a bunch of bad packets to knock it off the network. The CS department at Berkeley uses it. It can also be configured to knock out any non-evil AP if you want to restrict wireless APs in your organization. I don't know the name of the startup as the presentation by the CS IT department chose not to disclose the company.