You're at a conference outside the office when your smart phone receives a sensitive e-mail projecting your company's fiscal health for the next six months, with details of a top-secret project that will rock Wall Street. You know better than to read the message there, so you save it for later. But back at the office, your boss is outraged; a competitor has just announced the very same project and is now reaping the stock price rewards that come with being first to announce it. You remember that a representative of this competitor was seated just across the conference table from you. No one in the room had a laptop, only their smart phones. Yet somehow the competitor was able to eavesdrop on your e-mail. In a sparsely attended talk at the end of the RSA Conference 2007 in San Francisco, Carl Banzhof, VP and chief technology evangelist for McAfee, outlined a scenario in which mobile phones--not laptops--could be used to sniff wireless packets, creating potentially awkward situations such as the one described above and opening up a whole new threat landscape when hackers start using smart phones for attacks that used to require a laptop.
Evil twin attacks are a cause for concern
Banzhof started the talk by citing an early 2006 disclosure that wireless-enabled Windows XP laptops are susceptible to rogue ad hoc network connections if the ad hoc network broadcasts an SSID already known to the laptop. Many people never change their home router's default settings, so there are plenty of default Linksys and Netgear SSIDs in the world that a criminal can use to latch onto a wireless laptop with ease. Microsoft recently patched this ad hoc network flaw, but the fix only disables the broadcast-list portion of the behavior; a laptop will still connect to an ad hoc network whose SSID matches the laptop's internal list of preferred networks.
I've written previously of what's called an "evil twin" attack in a public Wi-Fi space. Basically, a criminal hacker need only overpower the local Wi-Fi access point and have your laptop associate with the criminal's network rather than the public one. You still see the Internet, except all your personal data now flows through the criminal's machine, which sits in the middle as an intermediary. To run a successful evil twin operation you need to control DNS and Internet traffic, as well as be able to sniff that traffic, and in the past that required another laptop. But Banzhof began to wonder if he could create a smaller device that would work just as well.
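The paragraph above describes the indicators a client can actually observe during an evil twin: a second access point advertising a familiar SSID, often without the encryption the real one uses, and with a stronger signal because it is closer. The following is an added example written for this article, not code from Banzhof's talk or from McAfee, that turns those indicators into a simple detector over scan results. The record fields, the baseline of known BSSIDs and the scan data are all constructed for the example.

```python
"""Flag evil-twin indicators in Wi-Fi scan results (added example).

Scan records are plain dicts with the keys ssid, bssid, security,
signal_dbm and channel; this layout is an assumption of the example,
not any OS or driver API.
"""
from collections import defaultdict

# Constructed baseline: BSSIDs (access point MAC addresses) previously
# seen for each SSID, for example learned on a day with no incident.
KNOWN_APS = {
    "CafeWiFi": {"00:11:22:33:44:55"},
    "CorpNet": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"},
}

# Constructed scan results, as a client might collect them at a venue.
# The second CafeWiFi entry is the constructed twin: unknown BSSID,
# no encryption, and a much stronger signal than the real AP.
SCAN = [
    {"ssid": "CafeWiFi", "bssid": "00:11:22:33:44:55", "security": "WPA2", "signal_dbm": -67, "channel": 6},
    {"ssid": "CafeWiFi", "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "signal_dbm": -31, "channel": 6},
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:dd:ee:01", "security": "WPA2", "signal_dbm": -70, "channel": 11},
    {"ssid": "linksys", "bssid": "c0:ff:ee:00:00:01", "security": "OPEN", "signal_dbm": -55, "channel": 1},
]


def find_evil_twin_indicators(scan, known_aps, strong_dbm=-40):
    """Return (ssid, bssid, reason) findings for suspicious access points.

    Three indicators are checked per SSID:
      1. a BSSID we have never seen for an SSID we know;
      2. an open AP advertising the same SSID as an encrypted AP
         (the twin drops encryption so clients join without a key);
      3. an unknown AP with an unusually strong signal, consistent with
         a device placed close to the victim to overpower the real AP.
    """
    findings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    for ssid, aps in by_ssid.items():
        known = known_aps.get(ssid, set())
        securities = {ap["security"] for ap in aps}
        for ap in aps:
            unknown = bool(known) and ap["bssid"] not in known
            if unknown:
                findings.append((ssid, ap["bssid"], "unknown BSSID for a known SSID"))
            if ap["security"] == "OPEN" and securities - {"OPEN"}:
                findings.append((ssid, ap["bssid"], "open AP alongside an encrypted AP with the same SSID"))
            if unknown and ap["signal_dbm"] > strong_dbm:
                findings.append((ssid, ap["bssid"], "unusually strong signal from an unknown AP"))
    return findings


def suspicious_bssids(scan, known_aps):
    """Distinct BSSIDs that triggered at least one indicator."""
    return sorted({bssid for _, bssid, _ in find_evil_twin_indicators(scan, known_aps)})


if __name__ == "__main__":
    for ssid, bssid, reason in find_evil_twin_indicators(SCAN, KNOWN_APS):
        print(f"{ssid:10} {bssid}  {reason}")
```

Note that the "linksys" entry is not flagged: with no baseline for that SSID there is nothing to compare against, which is exactly why the default-SSID problem in the ad hoc disclosure above is hard to detect from the client side alone.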
Mobile phones vs laptops
The market for smart phones, some with the memory and capacity of a small laptop, continues to grow, with sales in the first part of 2006 increasing 50 percent over the same period in 2005. Banzhof notes that many mobile devices already support, or soon will support, Bluetooth, infrared, GPRS/EDGE, and Wi-Fi 802.11. The market is evenly split in operating systems between Blackberry OS, Palm OS, and Windows Mobile, with the latter capable of running Internet Information Server (IIS). It's the Windows Mobile OS that interested Banzhof most.
The advantages of using a mobile device in an evil twin attack instead of a bulky laptop are many: mobile devices are easily camouflaged, portable, and can allow close proximity to the intended victim. Mobile devices are rapidly becoming transparent; everyone has one, so what's the big security concern?
Creating a mobile access point
To carry out this mobile evil twin attack, Banzhof chose the T-Mobile MDA for his experiment. It runs Windows Mobile 5.0 as its operating system. It uses a TI OMAP 850 processor, so it has enough oomph, and it includes an 802.11 chipset, the TI ACX100. Best of all, it has a robust developer community.
Banzhof faced a number of technical challenges--in part because most of the tools were written for Linux, not Windows Mobile. He looked around for prior work on WinCE and Windows Mobile 5 and found none. He considered converting the device to Linux but decided that violated the spirit of the project. He found some Linux projects that could be ported over, namely Hostapd and Karma. He started out compiling the ported code by hand with Visual Studio 2005, then found an open-source toolchain, CeGCC, to cross-compile it instead.
Devil in the details
By using Hostapd, Banzhof had many user-space 802.11 functions at his disposal, such as user authentication, encryption, initializing a network interface, beacon intervals to call out to susceptible laptops, and Extensible Authentication Protocol (EAP) keys. It also gave him an interface into the ACX100 driver (which handles the 802.11 protocol) so he could handle the management, transmission, and reception of wireless data packets. But again, there were problems. The open-source toolchain, CeGCC, doesn't always work right, so he had to improvise, and the set of wireless cards Hostapd supports is limited and included nothing in the mobile device form factor.
The IIS for Windows Mobile server posed similar challenges. IIS for Windows Mobile supports Active Server Pages and ISAPI, with configurable options in the system registry for the ports it listens on, creating virtual directories, and controlling bandwidth.
Testing it out
Banzhof reported to the RSA conference that he'd successfully ported Hostapd to Windows CE, his DHCP/DNS server was operational, and his Web server was online. He hopes in the future to route the sniffed Internet traffic onward to legitimate access points, or over the smart phone's radio (EDGE), for further analysis.
Banzhof also hinted that similar hacks could be carried out with the new iPhone from Apple, given that many of the tools he used already run on Unix and Linux. Never mind that Apple promises that the iPhone will be a closed system. Banzhof noted that hasn't stopped anyone before.
Prevention
How do you avoid having an evil twin attack commandeer your laptop in a public or private Wi-Fi space? On home networks, use encryption keys on your wireless network, such as WEP, WPA, or WPA2. In public Wi-Fi spaces, such as airports and cafes, always use SSL to conduct transactions or a VPN to tunnel into your corporate network. Even so, you are best off not checking your bank balances or offering up your credit card too easily; attacks on wireless SSL and VPN connections are possible.
You can also lock down your laptop to allow connections only to known access point devices, such as your home or office network. Set the laptop to connect only upon user request. Finally, the most drastic measure would be to create a company policy that bans 802.11-enabled smart phones from the premises.
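The two laptop-side measures above (connect only to known networks, and only on request) and the ad hoc SSID problem from the start of the article can be checked against a laptop's saved wireless profiles. The following is an added example written for this article, not code from the talk or from any vendor, that audits a list of saved profiles and produces a hardened copy. The profile fields and the sample profiles are constructed for the example; the vendor default SSID list contains only the two names the article mentions and is meant to be extended.

```python
"""Audit saved Wi-Fi profiles against the article's advice (added example).

Profiles are plain dicts with the keys name, network_type
("infrastructure" or "adhoc"), auth ("open", "WEP", "WPA2PSK", ...) and
connect_mode ("auto" or "manual"). This layout is an assumption of the
example, not any OS API.
"""
import copy

# Vendor default SSIDs: only the two the article names, extend as needed.
DEFAULT_SSIDS = {"linksys", "netgear"}

# Constructed sample: what a laptop's preferred network list might contain.
PROFILES = [
    {"name": "HomeNet", "network_type": "infrastructure", "auth": "WPA2PSK", "connect_mode": "auto"},
    {"name": "linksys", "network_type": "infrastructure", "auth": "open", "connect_mode": "auto"},
    {"name": "FreeMeshChat", "network_type": "adhoc", "auth": "open", "connect_mode": "auto"},
    {"name": "Airport_WiFi", "network_type": "infrastructure", "auth": "open", "connect_mode": "manual"},
]


def audit_profiles(profiles, default_ssids=DEFAULT_SSIDS):
    """Return [(profile name, [reasons])] for profiles that violate the advice."""
    findings = []
    for p in profiles:
        reasons = []
        if p["network_type"] == "adhoc":
            # Any device broadcasting this SSID can trigger a connection.
            reasons.append("ad hoc profile")
        if p["name"].lower() in default_ssids:
            # A default SSID is shared by countless routers and trivially spoofed.
            reasons.append("vendor default SSID")
        if p["auth"] == "open" and p["connect_mode"] == "auto":
            # The laptop will join an unencrypted network without asking.
            reasons.append("auto-connects to an unencrypted network")
        if reasons:
            findings.append((p["name"], reasons))
    return findings


def harden_profiles(profiles, default_ssids=DEFAULT_SSIDS):
    """Return a hardened copy: ad hoc profiles dropped, every other flagged
    profile switched to connect only on user request."""
    flagged = {name for name, _ in audit_profiles(profiles, default_ssids)}
    hardened = []
    for p in profiles:
        if p["network_type"] == "adhoc":
            continue
        q = copy.deepcopy(p)
        if q["name"] in flagged:
            q["connect_mode"] = "manual"
        hardened.append(q)
    return hardened


if __name__ == "__main__":
    for name, reasons in audit_profiles(PROFILES):
        print(f"{name}: {', '.join(reasons)}")
    print("after hardening:", [(p["name"], p["connect_mode"]) for p in harden_profiles(PROFILES)])
```

The audit is deliberately conservative: it does not flag WEP, because the article counts WEP among the acceptable home options, and it leaves manual-connect open profiles alone, since a network you must choose by hand every time is exactly what the advice asks for.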
Evil twin attacks aren't that common. Do you think that using a mobile device instead of a laptop will create more opportunities for attackers to steal sensitive data? Talk Back to me.