Wi-Fi is one of the most common access points to corporate networks. For hackers looking to break in, Wi-Fi provides a soft target – and worse, an easy way to dupe employees.
As a result, every Wi-Fi router and access point needs to be protected to ensure your business is kept safe. One way of doing this is by keeping up to date with the latest software to mitigate backdoor attacks. Your security posture can also be improved by enforcing strong WPA2 passwords, unique SSIDs, the latest firmware updates, and even MAC address filtering. In the long run, this will lighten the job of networking and cybersecurity teams and will make sure that all resources are protected.
However, will this actually mean that your network is truly protected?
The answer, sadly, is no. There are various social engineering techniques that can target your employees’ data, leading to a whole range of risks. Many of them can be incredibly easy to launch, and if users aren’t aware of them and don’t know the strategies to avoid them, the chances are that your network will be breached sooner or later.
The tools that attackers need have become incredibly simple. With merely an inexpensive computer, a Wi-Fi adapter with monitor mode enabled, and a 3G modem for remote control, an attacker can penetrate your Wi-Fi network within minutes. There are a variety of social engineering attacks that can be used in this scenario, but here are the top five most common types currently giving businesses a security headache.
Effortless and easy: the evil twin AP
This is one of the easiest attacks to conduct against a target network, and is becoming incredibly widespread as a result. Attackers only need to set up an open AP (Access Point) with an identical or similar name to the target Wi-Fi and wait for someone to connect. When they do, the hacker gains access to their device – and so the wider corporate network. It is increasingly difficult to prevent users from connecting to these new access points as it has become such a normalised task.
A great trick that hackers are using is placing their AP far away from the target AP where that particular signal is low. Once this is done, it’s only a matter of time until an employee connects, especially when it comes to large organisations. However, if this method doesn't succeed, there are many others that attackers will use.
Under current Wi-Fi protocols, whenever a wireless station wants to leave the network, it only has to send a deauthentication or disassociation frame to the AP. These particular frames are unencrypted and are not authenticated by the AP, which means they can be easily spoofed.
This technique makes it very easy to sniff the WPA 4-way handshake needed for a brute-force attack, since a single deauthentication packet is enough to force a client to reconnect.
Even more importantly, attackers can spoof these messages repeatedly and thus disable the communication between Wi-Fi clients and the target AP, which increases the chance your users will connect to the attacker’s twin AP. Combining these two techniques works very well, but still depends on the user connecting to the fake AP.
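On the monitoring side, repeated deauthentication of the same client is the observable part of this technique. The sketch below is an added example, not code from the original article: it counts deauthentication and disassociation frames per AP/client pair in a sliding window. The frame tuples, addresses, window and threshold are constructed assumptions, and a single spoofed frame cannot be told apart from a genuine one this way.

```python
from collections import defaultdict, deque

def detect_deauth_bursts(frames, window=10.0, threshold=5):
    """Return {(bssid, client): first_alert_time} for pairs that receive at least
    `threshold` deauth/disassoc frames within `window` seconds.
    A normal departure produces one or two frames; a sustained run is abnormal."""
    recent = defaultdict(deque)   # (bssid, client) -> timestamps inside the window
    alerts = {}
    for ts, subtype, src, dst, bssid in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        # The client is whichever end of the frame is not the AP itself.
        client = dst if src == bssid else src
        key = (bssid, client)
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()       # forget frames older than the window
        if len(times) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts

# Constructed capture summary: (timestamp, subtype, source, destination, BSSID).
AP = "02:00:00:aa:10:01"
SAMPLE_FRAMES = [
    (50.0, "deauth", "02:00:00:cc:00:01", AP, AP),   # one client leaving normally
    (60.0, "beacon", AP, "ff:ff:ff:ff:ff:ff", AP),
] + [
    # eight frames in four seconds, all claiming to come from the AP
    (100.0 + 0.5 * i, "deauth", AP, "02:00:00:cc:00:02", AP) for i in range(8)
]

if __name__ == "__main__":
    for (bssid, client), ts in detect_deauth_bursts(SAMPLE_FRAMES).items():
        print(f"deauth burst against {client} on {bssid} at t={ts}")
```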
The karma attack
Each time a user device’s Wi-Fi is turned on but not connected to a network, it openly broadcasts the SSIDs of previously-associated networks in an attempt to connect to one of them. These small packets, called probe requests, are publicly viewable by anyone in the area.
The information gathered from probe requests can be combined with geo-tagged wireless network databases such as Wigle.net to map the physical location of these networks.
If one of the probe requests contains an open Wi-Fi network SSID, then generating the same AP for which the user device is sending probes will cause the user’s laptop, phone or other device to connect to an attacker’s fake AP automatically.
This is a particularly random technique which allows attackers to broadcast dozens of beacon frames of common SSIDs that nearby wireless users have likely connected to in the past (like AndroidAP, Linksys, iPhone). Similar to the other techniques, users will automatically authenticate and connect to these networks due to the “Auto-Connect” feature that most devices have.
Bypassing MAC address filtering
As mentioned, your networks may use MAC filtering, which means only predefined devices can connect to your network and having the password is not enough. How much does that help?
All MAC addresses are hard-coded into a network card and can never be changed. However, attackers can change the MAC address in their operating system and pretend to be one of the allowed devices.
Attackers can easily get the MAC address of one of your network’s allowed devices, since every packet sent to and from your employee’s device includes its MAC address unencrypted. Of course, attackers have to force your employee’s device to disconnect (using deauthentication packets) before connecting to your network using the spoofed MAC address.
An attacker’s next steps
Any of the attack types listed above could cause a user’s device to be compromised. Immediately after attackers have gained access to individual users, there is a multitude of attacks that they can now carry out. This includes being able to see the victim’s traffic, steal their login credentials and exploit the device itself. However, the most important data that the attacker will aim for is the target’s AP password. Often, this will be carried out through a victim-customised web phishing attack.
Since the victim is now using the hacker’s machine as a router, there are many ways for the hacker to manipulate the phishing page to look convincing. One of them is a captive portal. For example, by DNS hijacking, they can forward all web requests to their local web server, so that their page appears no matter which site the victim tries to visit. Even worse, most operating systems will identify this page as a legitimate captive portal and open it automatically.
How can your business mitigate these risks?
Preparation and knowledge are key to mitigating the risks of Wi-Fi attacks. For example, the detection of an Evil Twin AP in your area can be done with ease by simply scanning and comparing configurations of nearby access points. Despite this, as with any social engineering attack, the most important way to stop future attacks is by training your users.
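The scan-and-compare check described above can be as small as the following. This is an added example, not code from the original article: the inventory, SSIDs, BSSIDs and the 0.8 similarity threshold are constructed assumptions, and the scan list stands in for whatever a site-survey tool produces.

```python
from difflib import SequenceMatcher

# Assumed inventory of the organisation's own access points (constructed values).
AUTHORISED = {
    "CorpNet": {"bssids": {"02:00:00:aa:10:01", "02:00:00:aa:10:02"},
                "security": "WPA2", "channels": {1, 6, 11}},
}

def _norm(name):
    """Lower-case and drop punctuation so 'Corp-Net' and 'corpnet' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def _looks_like(a, b, threshold=0.8):
    return SequenceMatcher(None, _norm(a), _norm(b)).ratio() >= threshold

def find_suspect_aps(scan, authorised=AUTHORISED):
    """Return (bssid, ssid, reasons) for each AP that imitates an authorised SSID."""
    findings = []
    for ap in scan:
        ssid, bssid = ap["ssid"], ap["bssid"].lower()
        reasons = []
        if ssid in authorised:
            known = authorised[ssid]
            if bssid not in known["bssids"]:
                reasons.append("unknown BSSID for authorised SSID")
            if ap["security"] != known["security"]:
                reasons.append(f"security {ap['security']}, expected {known['security']}")
            if ap["channel"] not in known["channels"]:
                reasons.append("unexpected channel")
        else:
            # Similar-but-not-identical names are the other evil twin variant.
            reasons += [f"look-alike of '{n}'" for n in authorised if _looks_like(ssid, n)]
        if reasons:
            findings.append((bssid, ssid, reasons))
    return findings

# Constructed scan results.
SAMPLE_SCAN = [
    {"ssid": "CorpNet", "bssid": "02:00:00:AA:10:01", "security": "WPA2", "channel": 6},
    {"ssid": "CorpNet", "bssid": "02:11:22:33:44:55", "security": "OPEN", "channel": 6},
    {"ssid": "Corp-Net", "bssid": "02:11:22:33:44:66", "security": "OPEN", "channel": 3},
    {"ssid": "CoffeeShop", "bssid": "02:a0:b1:c2:d3:e4", "security": "WPA2", "channel": 11},
]

if __name__ == "__main__":
    for bssid, ssid, reasons in find_suspect_aps(SAMPLE_SCAN):
        print(f"{ssid!r} {bssid}: {'; '.join(reasons)}")
```

A BSSID can itself be copied, so a clean result from this check narrows the search rather than proving that no twin is present.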
It is imperative that network users understand the risks of connecting to open access points and are well aware of the techniques discussed here. Only then will your business be secure.
Ultimately, a range of techniques will come and go but social engineering will always remain a popular strategy for attackers. The only way to get around this is by constantly being alert to possible risks and having the knowledge to mitigate them.
Tal Shabi, Software Engineer, Imperva