In our last entry in this ongoing series about the threat model against mobile devices, we explored the techniques for an attacker to get on an otherwise protected wireless network. This week, I wanted to dive into what can happen when an attacker gets on a shared network, regardless of whether it’s the open WiFi at the coffee shop, the shared WiFi network at a guest office, or a compromised wireless network at home.
In real life, when you go to a restaurant and have a conversation with the person sitting across the table from you, one assumes the discussion stays private, yet there’s nothing that really provides privacy other than the social graces of the strangers surrounding you. It is not polite to eavesdrop on your neighbor, but nothing really prevents them from doing so.
The same applies to communication on a network. Everything said on the network can be overheard by others if they choose to listen. In the past, one didn’t worry much about this because most of the participants on the network shared a common background. The LAN at work consisted of employees who had to pass the security guard at the front of the building. The home network only had friends and family on it. One assumed that nobody was eavesdropping because one also assumed there were no hostile parties present.
In wireless environments, these assumptions no longer hold, because anyone may be on the same network, including those with ill intent. As we stated in the previous articles, the only safe assumption is that every wireless network is untrusted. While it’s unlikely that an attacker is on your home network, nothing precludes one from being present. In a coffee shop, every other person on the network is a stranger and should not be trusted.
The tool employed by both administrators and attackers for observing packets is the network sniffer, which passively and promiscuously listens to all traffic on a particular network segment. By adding some intelligence to the packet capture, an attacker can go after very precise content rather than trying to grab every packet passing by. For instance, one of the easiest ways to steal credentials is simply to record the first few packets of applications that transmit plaintext credentials. Long-in-the-tooth applications such as telnet, FTP and POP3 remain in use and send the password in plaintext, even though more secure alternatives are readily available.
For websites that require authentication, the attacker doesn’t always need the credential itself to gain unauthorized access. For a number of years, it was fairly common practice to use SSL only for the authentication step and revert to standard HTTP for all subsequent interactions with the web application. This practice exposes the bulk of the content to unauthorized observers. While problematic in and of itself, it also exposes the plaintext session cookie, making session hijacking a real possibility.
As you go about surfing the web, you might notice (and expect) that when returning to a site that you’ve previously visited, you do not need to re-authenticate. This is because the browser stores a session cookie that remembers the authentication event, allowing the user to continue accessing the application.
Since the attacker can see the plaintext traffic exchanged with an authenticated user, the attacker can simply copy the plaintext session cookie value and place it in their own browser. The session is now hijacked, giving the attacker access to the application without ever learning the user’s credential. An automated form of this attack was implemented in the tool known as Firesheep, which targeted Facebook users using a Mozilla plugin.
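As an added example (not code from the original post), a small Python check for the mitigation the session-hijacking discussion implies: the Secure attribute on a session cookie is what stops the browser from ever sending it over plain HTTP after an SSL-only login, and HttpOnly keeps it out of page script. The sample HTTP responses are constructed.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
off plaintext HTTP. Sample responses below are constructed, not captured."""


def parse_set_cookie(value):
    """Split one Set-Cookie header value into the cookie name and its attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(value, over_tls):
    """Return findings for one Set-Cookie header.
    over_tls: whether the response carrying the header was itself on HTTPS."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if not over_tls:
        findings.append(f"{name}: issued over plaintext HTTP, already visible on the network")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; browser will send it on http:// requests")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; readable from page script")
    return findings


def audit_response(raw, over_tls=True):
    """Audit every Set-Cookie header in the head of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            findings.extend(audit_set_cookie(val.strip(), over_tls))
    return findings


# Constructed samples: a login over HTTPS that sets the session cookie without
# Secure (the "SSL for login only" pattern) and the corrected version.
WEAK = "HTTP/1.1 302 Found\r\nLocation: /home\r\nSet-Cookie: SESSIONID=abc123; Path=/\r\n\r\n"
FIXED = ("HTTP/1.1 302 Found\r\nLocation: /home\r\n"
         "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_response(raw) or ["ok"])
```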
In the next edition of this series on mobile security, I’m going to dive into what can happen when the attacker impersonates an access point and mounts a man-in-the-middle attack. Instead of just observing the traffic, the attacker can take steps to modify the content the user sees.