April 21, 2016
Using Spoofed Wi-Fi to Attack Mobile Devices
Does the screen above look familiar? It should. Millions of people around the world connect to public Wi-Fi networks on their mobile devices as they travel and seek their regularly scheduled Internet.
The problem is, not all networks are official. The image above is that of a fake, or spoofed, hotel Wi-Fi network; one created by Lookout for a demonstration on 60 Minutes.
Connecting to the network meant that the victim, in this case 60 Minutes’ reporter Sharyn Alfonsi, no longer had control over her data.
The attack is called a Man-in-the-Middle attack, as many in the security industry will recognize, and allows a person to intercept another person’s Internet connection and gather all of the information being transmitted across that network. This kind of attack has been around for years, impacting PC users, but today the mobile phone is just as susceptible.
Here’s how we did it:
At a high level
It all starts with a little social engineering, or tricking the victim into giving over information or performing an action that the attacker intends. Given the way our data plans work in today’s world, most people are on a constant hunt for a Wi-Fi connection that will relieve them of their data usage. Knowing this desire to connect exists, an attacker can play into this by providing that very thing: a captive portal that looks just like a safe Wi-Fi connection. An attacker establishes this trust by modeling the portal — what you’re seeing in picture above — after a familiar brand or a familiar experience.
In this case we built a captive portal that looked like the hotel Wi-Fi. It used the same name as the hotel, and lead a victim to a page that had connection instructions that you would see when connecting to any hotel or airport Wi-Fi. Travelers would know this user experience and find comfort and trust in its familiarity. Then, they would connect.
Setting up the network
Setting up the network was actually fairly easy. We plugged a wireless router with an Internet connection into a hotel ethernet port. Then we gave the network the same name as the official hotel Wi-Fi network. That was essentially it.
What happens when someone connects?
When Sharyn connected to our network, we were able to see any information being accessed or broadcasted by her device. This included emails, the apps on her phone, communications coming to and from those apps, other messages, web traffic, and more.
Most of the captive portals you see just want you to accept the company’s Terms and Conditions or enter in your hotel room number to confirm you’re staying there. However, attackers also leverage captive portals to try to phish information from a user (like their credit card information for paid Wi-Fi). In this case, we used our captive portal to trick Sharyn into trusting a certificate that allowed us to decrypt even her encrypted Internet traffic. This allows us to pretend to be any legitimate web service, such as Gmail, by signing the legitimate email communications with our own certificate. The phone trusts our certificate and therefore decrypts the traffic as though it was legitimately signed by Gmail. In a normal MitM attack, encrypted traffic would read as gibberish to an attacker, but because the phone trusted our certificate, we were able to see all of the traffic decrypted.
Did it work?
As we were setting it up for Sharyn to connect, we got a ping that someone else had connected to our network. Turns out, one of the producers had connected without prompting — without even knowing what our Wi-Fi network was called or what it looked like. The spoof worked.
The phone has to be jailbroken or rooted, though, right?
No, the phone doesn’t need to be in an altered state. It doesn’t matter whether it’s iOS or Android. It’s the connection that counts and the user’s decision to connect to that network. Unfortunately, a convincing spoof is usually very convincing.
When you connect to Wi-Fi, you should be wary of any action it asks you to take in order to access the Internet. A hotel asking for your room number and name is one thing, but if it’s asking you to set up networks and certificates or download anything, that’s when you can get into trouble.
Research is very important to us at Lookout. We are actively researching all types of mobile threats and are developing solutions to protect you and your business from them.