We've all done it: connected to the free WIFI to smash down some downloads, or to save the data on your mobile phone plan. But what assurance do you have that the provider is not inspecting or logging your traffic, and what happens when the WIFI network comes to visit you?


I am one of those people who have epiphanies and wild ideas when they are on long road trips, which makes things rather hard to write down when you are driving. During one of my stops between Melbourne and Adelaide, Australia, I had a scary thought regarding the McDonalds public wifi system, and to be honest it may already have been used as an attack platform.

How could a McDonalds WIFI attack me?

Let's look at how you connect to Maccas WIFI. First you need to be reasonably close to a restaurant, then you point your device's WIFI at the McDonalds SSID. The network is Open, so there is no password to enter. Once associated, your device is given an IP address and your first web request is redirected to a captive portal, where you have to accept the terms and conditions before you can browse.
Until you agree, the captive portal traps every connection; nothing reaches the internet.

After agreeing to the terms, the device is allotted a 50 MB data allowance, usable within 24 hours.

How can this be exploited by an attacker?

A public WIFI network that is configured incorrectly can be used to intercept a great deal of the data passing over it. An attacker could join the network and poison the Address Resolution Protocol (ARP) caches of the other clients so that their traffic is routed through the attacker's machine. Or an attacker could mimic the McDonalds SSID with their own access point and, by presenting a stronger signal (a higher RSSI), lure client devices onto it.

Or an attacker could stay outside the network entirely, never joining it, and simply record the frames travelling over the air between customers and the legitimate access point. This is packet sniffing, and against an Open WIFI network it is extremely effective, because nothing at the link layer is encrypted.

Address Resolution Protocol spoofing

ARP spoofing is an attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network, so that the attacker's MAC address becomes linked with the IP address of a legitimate host, typically the default gateway. Traffic meant for that host then flows to the attacker, who can read or alter it and forward it on so that the victim notices nothing.

When a device needs the hardware address of another host it sends an ARP request: a broadcast asking who holds a given IP address. The host with that address replies with its MAC address, and the requester caches the pairing in its ARP table for a limited time. ARP has no authentication, so any device on the segment can answer, including with replies nobody asked for, and the forged entry simply replaces the genuine one in the victim's cache.

An example of how an ARP spoof can be used to perform Man In The Middle attacks is below:
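The following is an added example, not the original post's demonstration: it builds ARP frames the way a sniffer on the restaurant network would see them, parses them, and runs a small detector that flags the moment the gateway's IP address starts answering from a second MAC address. The gateway address 192.168.1.1 and every MAC address are constructed for the example.

```python
"""Added example, not code from the original post: how ARP poisoning looks on
the wire, and a minimal detector that flags it.

Everything here is constructed for illustration: the IP addresses, the MAC
addresses, and the assumption that 192.168.1.1 is the restaurant's gateway.
"""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (42 bytes)."""
    eth = mac_bytes(eth_dst or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a sniffed frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }


class ArpWatcher:
    """Learns IP-to-MAC bindings from traffic and alerts when a binding changes.

    A legitimate host keeps one MAC. A poisoning attacker has to claim someone
    else's IP, so that IP suddenly shows up behind a second MAC address.
    """

    def __init__(self):
        self.bindings = {}   # ip -> first MAC seen for it
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]   # requests and replies both carry these
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known != mac:
            alert = {"ip": ip, "old_mac": known, "new_mac": mac, "op": pkt["op"]}
            self.alerts.append(alert)
            return alert
        return None


def run_demo():
    """Replay a constructed capture: the victim's request, the genuine gateway reply, then the poison."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"
    victim_ip, victim_mac = "192.168.1.42", "aa:bb:cc:dd:ee:01"
    attacker_mac = "de:ad:be:ef:00:01"
    capture = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gateway_ip, eth_dst=BROADCAST),
        build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip),
        # Attacker's unsolicited reply: "192.168.1.1 is at de:ad:be:ef:00:01"
        build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip),
    ]
    watcher = ArpWatcher()
    for frame in capture:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"ARP poisoning: {a['ip']} moved from {a['old_mac']} to {a['new_mac']}")
```

The detector is the same logic tools like arpwatch use: remember the first MAC seen for each IP and complain when it changes. On a real network a DHCP lease expiring and being reissued to another device will also trip it, so in practice you would tie the bindings to the DHCP server's lease table or age them out.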

RSSI Manipulations

An attacker could also set up a WIFI network mimicking the SSID of a legitimate one (an "evil twin"). The attacker then only needs to position their transmitter where its signal is stronger than the legitimate access point's, because for a given SSID a client prefers the BSSID with the best RSSI. Client devices would roam onto the attacker's network instead of the legitimate one, and because the network is Open there is no password or certificate that could expose the impostor.

Given that most access points are installed out of sight in roof spaces, it would not be difficult for an attacker to miniaturise an access point and run their fraudulent network from a Raspberry Pi or similar device.

Packet Sniffing

By far the most basic of intrusions, this involves capturing frames from an Open WIFI network for recording and processing at a later stage. Since the WIFI networks in question have no wireless security configured, everything is transmitted in the clear at the link layer and can be picked up by anyone in range. The caveat is that only traffic with no encryption above that layer (plain HTTP, DNS lookups, unencrypted mail or chat) is readable; the content of an HTTPS session stays encrypted, although the hostnames you visit still leak through DNS and the TLS handshake (SNI).

But you said this could affect me outside of the restaurant

Oh yes, that's right. Once you leave the restaurant you will presumably also leave the WIFI connection.
You will also likely never think to forget the network on your device, so the saved profile stays behind and you head home none the wiser.

What stops an attacker from running a rogue WIFI with a well known SSID while driving slowly through residential neighbourhoods? Would your phone connect to one of these rogue networks without asking you? For a saved Open network the only things a phone checks before auto-joining are the SSID name and the security type, so the short answer is yes, unless you have forgotten the network or switched off auto-join for it.
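As an added example (not code from the original post) covering both the RSSI scenario inside the restaurant and the drive-by scenario above, here is a toy model of the client-side decision: which access point a phone picks for a remembered Open SSID, what happens once the profile is forgotten, and the check a network operator could run to spot an evil twin. The SSID name, the BSSIDs, the allow-list and every RSSI value are constructed for the example.

```python
"""Added example, not code from the original post: a toy model of how a client
chooses between access points advertising the same Open SSID, and a check for
rogue ("evil twin") access points.

All beacons, BSSIDs and RSSI values are constructed. The SSID name and the
allow-list of legitimate BSSIDs are assumptions for the example, not real values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str          # the AP's MAC address
    rssi_dbm: int       # closer to 0 is stronger, e.g. -40 beats -70
    open_network: bool  # True: no WPA/WPA2, so there is nothing for the client to verify


def matching_aps(beacons, saved_ssid, saved_open=True):
    """A saved Open profile can only be matched on the SSID string and the security type."""
    return [b for b in beacons if b.ssid == saved_ssid and b.open_network == saved_open]


def choose_ap(beacons, saved_ssid):
    """Simplified client behaviour: the strongest matching BSSID wins.
    Real clients add roaming thresholds and hysteresis, but the ordering is the same."""
    candidates = matching_aps(beacons, saved_ssid)
    return max(candidates, key=lambda b: b.rssi_dbm) if candidates else None


def auto_join(beacons, saved_ssids):
    """What a phone does on its own: join the best AP of any remembered SSID it can see."""
    best = None
    for ssid in saved_ssids:
        ap = choose_ap(beacons, ssid)
        if ap is not None and (best is None or ap.rssi_dbm > best.rssi_dbm):
            best = ap
    return best


def rogue_aps(beacons, ssid, known_bssids):
    """Evil-twin check for the operator: any BSSID advertising our SSID that we do not own."""
    allowed = {k.lower() for k in known_bssids}
    return [b for b in matching_aps(beacons, ssid) if b.bssid.lower() not in allowed]


SAVED_SSID = "McDonalds Free WiFi"       # assumed name of the remembered network
LEGIT_BSSIDS = ["00:11:22:33:44:55"]     # assumed: the restaurant's real access point

# Scenario 1: inside the restaurant, the attacker's Raspberry Pi sits near the tables.
RESTAURANT_SCAN = [
    Beacon(SAVED_SSID, "00:11:22:33:44:55", -67, True),   # real AP, up in the roof space
    Beacon(SAVED_SSID, "de:ad:be:ef:00:01", -41, True),   # evil twin, much stronger signal
    Beacon("HomeNet", "66:77:88:99:aa:bb", -55, False),   # unrelated WPA2 network
]

# Scenario 2: a suburban street, only the attacker's car is broadcasting the SSID.
STREET_SCAN = [
    Beacon(SAVED_SSID, "de:ad:be:ef:00:02", -60, True),
    Beacon("NeighbourWiFi", "12:34:56:78:9a:bc", -80, False),
]


def demo():
    """Run both scenarios and return what the client would do and what the operator would see."""
    return {
        "restaurant_join": choose_ap(RESTAURANT_SCAN, SAVED_SSID).bssid,
        "restaurant_rogues": [b.bssid for b in rogue_aps(RESTAURANT_SCAN, SAVED_SSID, LEGIT_BSSIDS)],
        "street_join": auto_join(STREET_SCAN, [SAVED_SSID]).bssid,
        "street_after_forget": auto_join(STREET_SCAN, []),   # profile removed: nothing to match
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately has no notion of "the right" access point, because an Open network gives the client none: there is no pre-shared key or server certificate that the evil twin would fail to present. The only defence on the client side is not keeping the profile around, and on the operator side it is a wireless IDS doing what `rogue_aps` does, watching for unknown BSSIDs beaconing the house SSID.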

I don't know about you, but I think I will stick with the mobile broadband connection from here on in.