In order to steal your data trough a rogue access point attack, a hacker needs only to overpower the local Wi-Fi access point and have your laptop associate with his evil network rather than the public one. You will still be connected to the Internet, except all your personal data will pass through the hacker’s computer which acts as a man-in-the-middle.
To run a successful rogue access point attack you need to control DNS and Internet traffic, as well as be able to sniff that traffic, and in the past that required another laptop. But Cnet’s reporter, Robert Vamosi presents a mobile phone scenario outlined by Carl Banzhof, VP and chief technology evangelist for McAfee during the RSA Conference 2007 in San Francisco.
Mobile phones vs laptops
The market for smart phones, some with the memory and capacity of a small laptop, continues to grow everyday.
Banzhof cites that many mobile devices today currently or will soon support Bluetooth, infrared, GPRS/EDGE, and Wi-Fi 802.11 technology. The market is evenly split in operating systems between Blackberry OS, Palm OS, and Windows Mobile, with the latter capable of running Internet Information Server (IIS). It's the Windows Mobile OS that interested Banzhof most.
The advantages of using a mobile device in an evil twin attack instead of a bulky laptop are many: mobile devices are easily camouflaged, portable, and can allow close proximity to the intended victim. Mobile devices are rapidly becoming transparent; everyone has one, so what's the big security concern?
Creating a mobile access point
To carry out this mobile evil twin attack, Banzhof chose the T Mobile MDA for his experiment. It runs Windows Mobile 5.0 as its operating system. It uses a TI OMAP 850 processor, so it has enough oomph, and it includes an 802.11 chipset, TI ACX100. Best of all, it has a robust developer community.
Banzhof faced a number of technical challenges--in part because most of the tools were written for Linux, not Windows Mobile. He looked around for other work done on WinCE and Windows Mobile 5 and found none. He considered converting the device to Linux but decided that violated the spirit of the project. He found some Linux projects that could be ported over, namely Hostapd and Karma. He started to use Visual Studio 2005 to compile the new code by hand, and instead found an open-source tool, CeGCC, to cross compile.
Devil in the details
By using Hostapd, Banzhof had many user-space 802.11 functions at his disposal, such as user authentication, encryption, initializing a network interface, beacon intervals to call out to susceptible laptops, and Extended Authoritization Protocol (EAP) keys. It also gave him an interface into the ACX100 driver (which handles the 802.11 protocol) so he could handle the management, transmission, and reception of wireless data packets. But again, there were problems. The open source app, CeGCC, doesn't always work right so he had to improvise, and wireless card selection for Hostapd was limited and didn't exist for the mobile device form factor.
The IIS for Windows Mobile server posed similar challenges. ISS for Windows Mobile supports Active Server Pages and ISAPI, with configurable options found in the system registry for allowing ports, creating virtual directors, and controlling bandwidth.
Testing it out
Banzhof reported to the RSA conference that he'd successfully ported Hostapd to Windows CE, he had his DHCP/DNA Server operational, and his Web server was online. He hopes in the future to route his sniffed Internet traffic to legitimate access points or via smart phone radio (EDGE) for further analysis.
Banzhof also hinted that similar hacks could be carried out with the new iPhone from Apple, given that many of the tools he used already run on Unix and Linux. Never mind that Apple promises that the iPhone will be a closed system. Banzhof noted that hasn't stopped anyone before. |
