LISTING ACCESS POINT ON TOP OF THE LIST Hacking access point users By Uttam Gurung.


WIRELESS NETWORK AND DEVICES

• Wireless devices are common in today’s world.

• Smartphones, tablets and ultra-books are connecting people to the internet more than ever.

• Cheap, easy-to-use wireless routers have made it easy for users to connect to the internet.

• Neighborhoods are getting crowded as new access points are added frequently.

• Wireless networks are secured and password protected, but there are other means to hack sensitive and private data, and access point passwords.

LISTING ACCESS POINT

• Operating systems display the list of available access points in different orders.

• The Windows 8 operating system lists available APs sorted by the strength of the access point’s wireless signal.

• iPad OS lists available APs sorted by the name of the APs.

• Windows Phone 8 OS displays the list of APs according to the strength of the wireless signal.

• Can these listing behaviors be used by hackers to their advantage, to make users connect to a honeypot AP and access private data?

• Can the same listing behavior be used to gain access to the password of the legit access point?

ASSUMPTIONS OF THE RESEARCH

• Users can be fooled into connecting to an access point that is named similarly to an access point known to the user and is listed on top of the list.

• Users will try to connect to the access point on top of the list even if it is unsecured, as long as it has almost the same name.

HARDWARE AND SOFTWARE

• Router: Linksys WRT54G Router

• Router Firmware: dd-wrt.v24-12548_NEWD_mini

• Proxy Server: Modified version of an HTTP proxy written by Fábio Domingues

• High-gain 802.11 Wi-Fi antenna: Vertical omni-directional 15 dB antenna

• Operating System used for Experiment: The proxy server was run on a Raspberry Pi (tiny ARM computer) with Raspbian “wheezy” OS installed, which is an optimized version of Debian for the Raspberry Pi.

CONTROLLED EXPERIMENT

• The experiment was performed in a household with three family members and two friends, with ages ranging from 19 to 28.

• Each user was given different devices to connect to the internet; each device was reset and was not connected to any network by default.

• A dot was added to the name of the targeted access point to list it on top of the access point list displayed by the iPad. An AP named “.Upower” was created to target the legit access point “Upower”.

• Three out of five iPad users connected to the honeypot AP, fooled by how the name looked exactly the same and was listed on top of a crowded list.

• The legit access point’s signal strength was decreased to list the honeypot access point on top of the AP list displayed by the Windows 8 and Windows Phone 8 OS.

CONTROLLED EXPERIMENT

• Three out of five users on the Windows 8 operating system connected to the honeypot access point.

• It was hard to put the access point on top of the list, as Windows 8 lists them sorted by wireless signal strength.

• None of the Windows Phone 8 operating system.

CONTROLLED EXPERIMENT

• iPad listing of access points. “.Upower” is the honeypot.

• “Upower” is the legit access point.

CONTROLLED EXPERIMENT

• Windows 8 listing of access points.

• Unsecured “Upower” and secured “UPower” are honeypots.

• Secured “Upower” is the legit access point.

CONTROLLED EXPERIMENT

• Windows Phone 8 list of access points

UNCONTROLLED EXPERIMENT

• One secured and one unsecured honeypot access point were created.

• Each honeypot access point was named similarly to the targeted access point.

• The honeypot access point name was changed every day to target different access points in the neighborhood.

• A dot was added to the front of the names to put them on top of the list on OSes that sort the list by name.

• The high-gain antenna was used to gain an advantage over the targeted access point, listing the honeypot access point on top of the list on OSes that sort the list by strength.

UNCONTROLLED EXPERIMENT

| Legit AP in Neighborhood | Unsecured honeypot AP with dot in beginning of AP name | Secured honeypot AP with exact same name as legit AP | Unsecured honeypot AP with exact same name as legit AP |
|---|---|---|---|
| Test1 | 60 | 12 | 7 |
| Test2 | 30 | 10 | 13 |
| Test3 | 48 | 9 | 19 |
| Test4 | 63 | 12 | 4 |
| Test5 | 25 | 5 | 7 |
| Test6 | 10 | 2 | 0 |

CONCLUSION

• Normal users connect to an access point that has almost exactly the same name as their own access point, or the access point they are asked to connect to, and that appears on top of the list.

• Hackers can use the name of an access point to plan a coordinated attack that fools users into connecting to a honeypot.

• The same method can be used to fool a legit user of a secured access point into giving the password to the hacker.

• The hacker’s access point can be programmed to log login attempts and store the password when a fooled user tries to log in using the real password.

REMEDIES

• The default behavior of the access point broadcasting its SSID can be turned off.

• Wireless devices can be manually configured to connect to an access point.

• This step does not provide 100% security against the attack, as hackers can detect the SSID by observing different messages in the Wi-Fi protocol.

• Still, using techniques like disabling SSID broadcast makes it more likely that would-be intruders will bypass the access point, seeking easier targets.
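
A defender-side check for the naming tricks used in the experiments, as an added example that is not part of the original slides: it flags scanned access points whose name imitates a trusted SSID (leading dot, changed case, or the same name on an unknown radio). The `AP` record, the function names and the BSSIDs are assumptions made for illustration, and the scan list is constructed.

```python
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class AP:
    ssid: str
    bssid: str     # MAC address of the radio
    secured: bool  # True if the network requires a passphrase

def normalize(ssid):
    """Strip surrounding punctuation/spaces and fold case, so that
    '.Upower', 'UPower' and 'Upower' all compare equal."""
    return ssid.strip(string.punctuation + string.whitespace).casefold()

def flag_lookalikes(scan, trusted):
    """trusted maps each known SSID to the set of lower-case BSSIDs of its
    real radios. Returns (ap, reason) for every AP imitating a trusted name."""
    known = {normalize(s): (s, b) for s, b in trusted.items()}
    findings = []
    for ap in scan:
        hit = known.get(normalize(ap.ssid))
        if hit is None:
            continue  # unrelated network
        real_ssid, real_bssids = hit
        if ap.bssid.lower() in real_bssids:
            continue  # the genuine radio
        if ap.ssid != real_ssid:
            reason = "lookalike name"
        elif not ap.secured:
            reason = "same name, unsecured"
        else:
            reason = "same name, unknown BSSID"
        findings.append((ap, reason))
    return findings

# Constructed scan mirroring the SSIDs in the slides; all BSSIDs are made up.
TRUSTED = {"Upower": {"00:11:22:33:44:55"}}
SCAN = [
    AP(".Upower", "02:00:00:00:00:01", False),
    AP("UPower", "02:00:00:00:00:02", True),
    AP("Upower", "02:00:00:00:00:03", False),
    AP("Upower", "00:11:22:33:44:55", True),
    AP("CoffeeShop", "02:00:00:00:00:04", True),
]

if __name__ == "__main__":
    for ap, reason in flag_lookalikes(SCAN, TRUSTED):
        print(f"{ap.ssid!r} {ap.bssid}: {reason}")
```

A BSSID can be cloned, so a match against the trusted set only rules out the careless cases; it is not proof that the radio is genuine.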