Dailydave mailing list archives
Re: Wireless Disclosures
From: Mark Wuergler <mark () immunityinc com>
Date: Fri, 23 Mar 2012 12:24:28 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To be honest I'm not sure where everyone got the idea that iPhone or Apple products don't probe for known SSIDs. All the comments/emails/tweets that I have received about this particular topic and the ARP disclosure seem to have a few things in common which I hope to clear up today. Misconception #1: Apple products don't probe for known SSIDs. The truth is Apple products _do_ probe for known SSIDs (and no, there is no limit as to how many). Here is a screenshot of an iPhone probing for known SSIDs[1] Misconception #2: Apple products are immune to KARMA-like attacks. The truth is Apple products _are_ vulnerable to fake AP attacks. I refer you back to misconception #1 for a moment. An attacker gets to pick which network they want to become (that you are probing for) to have your device automatically connect to it. Once your device joins their network the attack surface against your device and your personal data increase exponentially. In fact you can watch SILICA do this very attack[2] against an iPhone. To be fair I will mention that devices will [obviously] take encryption/authentication into account. So unless you know the keys for some of the target's probed-for networks you will only be successful when impersonating open networks. But once you get them to connect to your open network then you can break into their phone/laptop and pull off their wireless keys in plaintext for all stored networks. Misconception #3: Apple keeps an internal list of MAC addresses of APs which I've connected to therefore I'm safe from all this stuff you are talking about. The truth is this would make the usage of WiFi unbearable for the impatient. This would be a trade for security over convenience. Consider the following scenario: You work for CompanyX that has a large corporate building with WiFi access points with the name "Corp-Wireless". Let's say there are 3 APs: AA:BB:CC:DD:EE:FF Corp-Wireless AA:BB:CC:11:22:33 Corp-Wireless AA:BB:CC:A1:B2:C3 Corp-Wireless The real world connects to Corp-Wireless once and never has to worry about when leaving the coverage area of AA:BB:CC:DD:EE:FF to automatically connect to AA:BB:CC:A1:B2:C3. If misconception #3 were true you would personally have to connect to each AP on your own _and_ you would also see in your list of detected wireless networks 3 MAC addresses with the name Corp-Wireless to choose from. Your mom doesn't know or care what hexadecimal is as she prefers the human readable string "homeAP" and "tmobile" :) This very convenience is also another reason why misconception #1 and #2 aren't true. Misconception #4: The ARP disclosure you revealed at INFILTRATE doesn't effect me or my enterprise. Penetration testers, stalkers, identity thieves, possibly law enforcement (and Google?) disagree with you. No matter what network you connect to (encrypted/unencrypted alike) you may be disclosing the last 3 APs that you have connected to in ARP traffic. This is a privacy issue. You may not care if everyone knows which local Holiday Inn you go to over the weekends but your CEO sure does. This becomes even more interesting when tracking a target over a period of time. Eventually you will reveal all access points that you have connected to. This looks very interesting plotted on a map. Also, don't miss a very interesting point. If you connect to a wireless network that is protected with WEP or WPA/TKIP and you disclose your IP address in the ARP traffic on another network that an attacker can sniff then you are giving the attacker some [known-]plaintext that can be used to revive _and_ speed up older attacks. For example, if I know your IP address on your disclosed WEP network then I can derive your WEP key even though we are nowhere near your WEP network (by attacking your laptop/phone directly). At INFILTRATE I also disclosed a creative/intrusive way to keep a phone from falling asleep long enough to brute force the IP to revive this attack. But of course this takes time but with the ARP disclosure no creativity is needed to crack the WEP key. Here is a screenshot of the ARP disclosure[3] Misconception #5: <something about SSID probing> and <something about ARP disclosures>. SSID probing and the ARP disclosure are not directly related. These are two separate issues. The best solution, in my opinion, to battle these misconceptions is give you all a chance to see this all for yourself. As a SILICA developer/wireless penetration tester this stuff is in my face all the time. I wrote STALKER to help demonstrate the impact that information disclosures can have (even, small seemingly insignificant disclosures). So to help you see this with your own eyes I'll show you how I do it in Linux using compat-wireless drivers on an Atheros chipset in monitor mode (this is one of many methods, of course): 1) iw dev 2) make note of the phy device name in step 1 3) sudo su (we need root for the next stuff) 4) iw phy <device from step 1> add monwifi type monitor 5) ifconfig monwifi up 6) iwconfig monwifi channel <channel you want to listen on> 7) open up wireshark[4] on the monwifi interface a) optionally use the filter wlan.fc.type_subtype == 0x04 to only see probe requests 8) watch your beloved Apple product contradict what you've heard about SSID probing 9) if you didn't see any Probe Requests from your iPhone then keep watching ... 10) send a retraction to @MarkWuergler :) Depending on your driver these commands won't work. So ask Google how to put your wireless card in monitor mode and then jump to step 7 and substitute your interface name. While you are in the this mode you can also watch the ARP disclosure happen. Connect your iPhone to a network that doesn't have DHCP enabled (this is a simple trigger but make sure you are on the right channel before you connect). Happy discovering, Mark Wuergler Immunity, Inc. [1] https://lists.immunityinc.com/pipermail/dailydave/attachments/20120322/f23b2715/attachment-0001.png [2] http://partners.immunityinc.com/movies/Access_point_impersonation.mp4 [3] http://t.co/YkGi1cjY [4] http://www.wireshark.org/download.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9so7IACgkQorg+tja2+6CkOwCfSsXrjpYz7J22nqhYMR4/NUt0 0WEAn3xjjbtPZjy/jYfhTXkUs1fXOmmw =CcTC -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com http://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Wireless Disclosures Christos Kalkanis (Mar 22)
- Re: Wireless Disclosures Robert Graham (Mar 23)
- Re: Wireless Disclosures Mark Wuergler (Mar 23)