Attack of WLAN users through rogue services, or why PSK is not the best choice for a hotel

In this post I want to share the story of one brilliantly simple attack that I observed last year, and discuss the consequences. There will be no "meat" for hackers, but there will be:
  • Plus one instructive tale in the collection "for conversations with users" to administrators and security guards.
  • Why in wireless networks you need to protect not only the LAN from the WLAN, and why the so-called Wireless Firewall.
  • Recommendations on how to build a public Wi-Fi network to avoid such problems.
  • Why in hotels and other public networks even an unencrypted Captive Portal might be preferable to encryption with PSK.

In principle, everything is relevant for corporate networks, but for them I already wrote . And then a neighboring post made me look at the problem from a slightly different angle.

First of all, I do not impose or urge to urgently run and buy cool Wi-Fi with WIPS and RTLS. Each situation will have its own nuances and priorities: someone will hide behind the user agreement, someone just does not care about users, in some countries there is no liability, somewhere there are enough partial measures, someone else has some nuances. I describe - everyone chooses for himself.

Background


The story happened with my colleague in the hotel where we stayed. I did not fall under the distribution just because by this time I had not yet connected to the hotel WLAN. The hotel provides Wi-Fi for free to all its guests. The network is password protected, PSK is issued on a piece of paper and changes every few months.

History


A colleague connects the laptop to the network, opens Firefox, writes the address of some well-known site. Instead of the site, a beautiful page appears with the title of the hotel’s site and a message like “Your browser is not compatible with the site you are trying to open. Install the patch from here . " A colleague is impressed, launches Chrome - the same page. Connecting to the Android network and iPod Touch is the same. In this case, the “patch” is always the same :) Download the “patch” - the antivirus swears quite expectedly (we found 3 different types of malware).

In general, the plot is obvious - the Albanian virus , spread by phishing and a small hack on the network. The virus itself is not of interest - it is of interest to understand how all this works in order to still get access to the Internet without a “patch”.

Sorted out


Through some simple research (at the ipconfig / ping level), it was found out that sites can be accessed by IP. So the problem is in the DNS. Having registered DNS 8.8.8.8, we got a fully functioning Internet. Now you can figure out how the attack works.

The following was found out:
  • There was another DHCP server (rogue DHCP) in the WLAN, which issued the correct IP / mask / GW, but gave out its own DNS server instead of the correct provider.
  • On the same host, the same DNS server was raised, which resolved all the names to the same IP (which, "for an incredible combination of circumstances" coincided with the IP of the DNS server).
  • On the same IP, a web server was raised, which, in fact, showed the page and gave the file.

As you see, everything is very simple and does not require special skills for implementation. Question: how many “ordinary people” will be led to this?
Also, it is strange that the attacker limited himself to a “patch” and did not draw the main pages of GMail / Bing / Facebook, etc. - It would be possible to collect accounts, even with HTTPS: how many people pay attention to crooked certificates or that they have just been redirected from HTTPS to HTTP? Although, if there are three trojans on the machine, they already collect everything themselves ...

Conclusions and solutions


When building any access network, it is important not only to protect this network and wired infrastructure from the "excessive interest" of users, but also to protect some users from other, less decent. This is true for corporate (private) networks, and for public networks (hotspots, hotels, cafe-bars-restaurants, etc.). It is worth remembering that “wireless security” is not only encryption: identification, authentication, traffic separation and much more should also be present. The attack described above is not the only purely wireless attack that no Firewall or IPS in the wired segment can detect. What to do to prevent such a problem?

The simplest solution is to prohibit communication between users. Usually, this is done by turning on / off a single checkmark in the WLAN settings ("Disable MU-to-MU communication", Cisco PSPF and analogues). However, this is not always liked by users of hotspots and may contradict the goals of using the network (gaming parties, VoWLAN in corporate networks, etc.). Although - if it does not contradict - as has already been said, the easiest way is to do just that, and write this item in the "terms of use".

The best way is to prohibit DHCP, DNS, and (per company) and ARP responses on the wireless network. To do this, you need to have a firewall directly on the access point, capable of filtering WLAN-to-WLAN traffic (periodically it is called Wireless Firewall to emphasize the difference from traditional FW). For me, at one time it was a big surprise that some eminent vendors do not know how (to this day).
DNS and DHCP responses are only allowed from wired hosts. ARP responses from clients are not needed at all - the point still knows all the MAC addresses of the clients (during association) and will be able to respond to requests through Proxy ARP, so that the amount of spurious traffic on the network decreases as well.
In this way, we get rid of DHCP / DNS / ARP-spoofing, rogue DHCP / DNS, APR poisoning, MiTM attacks associated with them (and, probably, a lot more - supplement in the comments).

Now, let's pay attention to another aspect. So I discovered a fake server on the network. I can block it by MAC. But if the attacker is not a fool and periodically checks the activity of his mousetrap, he will notice this, change the MAC, and everything will continue. In addition, knowing the PSK, an attacker can send packets to the network to users even without being connected to access points, and even with WPA2. To do this, try pretty hard, because in WPA / WPA2, key distribution is more complicated than in WEP, but it is possible . The only way to get rid of the adversary is to change the PSK. And then change it for all customers! Yes, and this, although it repels the attack, will not allow you to find and punish the attacker (if you do not use positioning systems). And what can we say about open hotspots?
Thus, in public networks, even if they are protected by PSK, like the network of our hotel, an attacker remains unpunished almost always.

Another thing is to use the Captive Portal (only wisely use it) or 802.1x (at the same time it solves the problem of traffic injection, but it’s a bit complicated to use 802.1x in public networks). Each user receives an individual name and password, to which a MAC address is associated with the login, the account works for a limited time (in hotel systems, automation is built to be linked to the check-in / out statement). Thus, we can always figure out who is playing with it, or at least through whom the leak of identification data has occurred.

Both of these nuances are extremely important in such a dangerous and exciting game as shifting responsibility. If your user agreement does not contain a disclaimer (and you can’t always do this, plus, you need to make sure that the user can’t access the network and disagree with the rules for using the resource), if hacks, porn, propaganda of racism / violence and so on, and if you can not find the extreme - the extreme will appoint you. That is why, as a result of rampant phishing on hotspots in Europe, they introduced the mandatory identification of each user at the legislative level (most often, you need to enter the mobile number to which SMS comes with an individual access code). It’s clear that one can also hide from this, but in this way the hotspot provider transfers responsibility to the SIM card provider. Even without the use of authentication, the Captive Portal can, before giving access to show a splash screen with “rules for using the resource” and forcing the user to click on the “I accept the terms” checkbox, which in many cases is already enough from the legal point of view (and the user will not be denied that did not see the agreement). So, sometimes an open network with Captive Portal can be safer than a closed network with PSK - for its owners :)

As an alternative, some vendors (Aerohive, Ruckus) implement the non-standard technology of “individual PSKs”, where each client is given a unique key. In this way, the problems of user identification and mass change of PSK in case of leakage are also solved. However, their availability in the CIS countries is very limited, and sometimes compatibility problems are observed.

Conclusion


In wireless networks, protecting wireless users from completely wireless attacks is just as important as protecting a wired segment. Using fairly simple technical means, you can set up phishing on an industrial scale and other attacks - and not a single wired Firewall / IPS will help.

There are technical measures to limit the access of wireless users to other wireless users:
  • Disallow communication between them at all (supported by almost all manufacturers, but not always acceptable on the network)
  • Prevent wireless users from sending answers to important network services: DHCP, DNS, ARP (much better, but not supported by all and may not save from more complex attacks)
  • Using Captive Portal / 802.1x / PPSK allows you to identify sources of attack or leakage of user data
  • Specialized Wireless IPS helps hide behind other attacks
  • Positioning System (RTLS) allows you to determine the approximate physical location of the source

All of the above is relevant for any networks (no one has canceled insider hacks), but it is especially important for public networks (hotspots, hotels, KaBaRe, etc.) from the point of view
  • Attractions for the clientele: “they hacked me / friend there - I won’t go there anymore”, etc.
  • Organizational issues: you can quickly resolve the problem and find the culprit; perhaps one of his employees decided to “earn extra money”, etc.
  • Legal questions: you can shift the responsibility if pressed.

I hope it was interesting.