Last month I had the privilege of speaking at Spiceworld 2017 (https://www.spiceworks.com/spiceworld/), an annual tech conference in Austin, Texas that targets the average IT pro in the SMB space. This was my fifth time as an attendee and second as a speaker. Last year I presented a session on basic network security and walked the audience through the many of the layers to consider when deploying their network security defenses. This year I decided narrow the focus of my talk to wireless networks. Over the next couple of posts, I plan to go into greater detail about some of the aspects covered in the second talk.
In this first post, I will cover beacon/probe request and responses. They are fundamental to how wireless networks operate, yet most IT pros (including myself until a few years ago) do not know that they exist or the role that they play in establishing a connection to known networks. Many pros are unaware of the security risks that probe requests represent.
I’m sure that you have noticed the little checkbox that says, “connect automatically” often ticked by default every time that you connect to a new wireless network. This is a huge convenience feature that we all use; however, like most mechanisms designed to make technology easier, it is also easily exploited. Wireless devices need to know when the network is available to make this automated connection. And that is where the probe request comes into play. You see, for the automatic connections to happen, the client device needs to know when its known networks are in range and the way that it does this is by sending out a beacon. Your devices are constantly sending out beacons looking for any known networks for connection. To simplify what happens in this process, picture your device yelling out as loud as it can the name of every network that you have ever connected to, hoping that one will hear it and allow it to connect. All that the attacker needs to do is configure his or her device, whether it be a WiFi Pineapple, Laptop, Raspberry Pi, or whatever to reply with, “Hey! I’m that network that you are looking for! Connect so we can play!”
The process of pretending to be the client’s legitimate network and replying to these probes is commonly referred to as the Karma attack. When the probe request is responded to, a connection is established between the attacker and the victim’s device. This connection makes the attacker the “man in the middle” which gives them full control of the traffic. They can redirect legitimate web requests to nefarious sites such as bogus captive portals used to harvest credentials and financial information or those containing malware. The attacker can also alter traffic coming and going from the client device, and ultimately store a copy of the transmitted data.
Depending on your device (such as some smartphones), you could be connected to an attacker without even taking your phone out of your pocket. For some devices, all they need to establish a connection is a reply to the probe, while others might need the actual SSID to be broadcasting as well. The best course of action to protect yourself from these probes/beacon requests from being exploited is to either go into your wireless network manager and un-tick the auto-connect box or simply turn off your wireless card when you are not using it.