Wireless Man in the Middle

In our last installment on this ongoing series about mobile device security risks, we talked about what could happen once an attacker gains access to the same network that their target is using. This discussion focused on what happens when the attacker shares the same network as their target. Now let's discuss what happens when the attacker inserts themselves in between the user and the network services they are trying to reach. These techniques are part of a larger set of security issues known as “Man in the Middle”. In this particular scenario, it refers to what happens when the attacker controls the infrastructure the victim is using.

Perhaps the easiest way for an attacker to find some victims to exploit is to set up an access point that serves as a bridge to a real network. In an earlier blog, we noted that people are fairly indiscriminate about the wireless network they use. They’ll try to get Internet access by any means possible, regardless of the risk. In fact, it doesn't matter what the name of the access point is, because whether it’s called “Free Open Wi-Fi” or “Do Not Use”, there will be someone that comes along that will try to use it. The main problem with this approach is that it requires someone to stumble upon it and connect, so the attacker can't choose who the victim will be.

A slight variation on this approach is to use a more specific name that mimics a real access point normally found  at a particular location. For example, if your local airport provides a service called “Airport Wifi”, the attacker might want to create an access point with the very same name using an access point that has two radios. This is called the Evil Twin, because it is mimicking a real access point for nefarious purposes. The average user cannot easily discern when they’re connected to the real access point or the fake one, so this approach would catch a greater number of users than trying to pick up victims at random. Still, the user has to select the network, so there's a bit of luck involved trying to reach a particular target.

In both of the scenarios presented above, the attacker doesn't get to choose their victims. In a crowded location, they’ll be able to get a large number of people connecting, which is fine if the goal is to just grab a large collection of account names and passwords.  However, it's not a desirable approach if the goal is to go after specific employees at specific companies.

Let’s explore how to make this attack more effective. Think about what happens when you bring your wireless device back to a location that you’ve previous visited. For instance, when you bring your laptop home, you don’t have to choose which access point to use, because your device already memorized the details. The same goes for visiting the office or your favorite coffee shop. The way that the mobile device detects when it’s within the proximity of one of these access points is to send a beacon out to see if one of their preferred networks is within earshot.

Under a normal set of conditions, when the laptop sends a beacon asking “I normally connect to JoesHome, are you out there?”, the non-matching  access points would ignore it. The beacon goes unanswered, except for when it comes within the proximity of the legitimate one.

The Jasager attack takes a more proactive approach towards all of these requests. Jasager (German for “the Yes man”), will respond to the beacons by saying “Yes I’m here”, thus taking a very promiscuous approach towards who can connect. The user doesn't have to manually choose the attacker’s access point, but rather the attacker pretends to be whatever access point the user normally uses. Instead of trying to get victims to connect at random, now the attacker simply needs to be within proximity of their target.

Jasager runs on any number of devices, but perhaps one of the most effective ways to employ it is on the Pineapple access point. The Pineapple is simply an access point with modified firmware that embeds a number of tools for wireless pen testing. It also has a number of accessories, such as support for 3G USB cards to provide network connectivity when it is otherwise unavailable at the target location and battery packs to operate as a standalone unit. It also is easily concealed, because it could be disguised within any number of housings typically found plugged in at the office.

Now that the attacker has the victim connected to the malicious access point, the man in the middle is now in place. This opens a whole new world of attacks, for the attacker not only can observe traffic, but modify it as well. In the next entry of this blog we’ll cover these techniques in depth.