Wednesday, February 19, 2014

AirTight - Freaking Me Out By Spoofing All My SSIDs #WFD6

I've heard all about the different types of wireless attacks that can be launched against any wireless environment. Firesheep was one of the first wireless attacks I could see being launched on the wifi network of any restaurant, coffee shop or waiting room. Of course there are thousands of possible wireless attacks, but I'm dubious about the actual use of wireless attacks outside of a white/black hat conference, or attacks being launched at individuals instead of being launched at a corporation.

It seems to me that miscreants would be more likely to try out Wi-Fi attack tools at a University, coffee shops or an IT conference where their cracking attempts would most likely go unnoticed. The flip side to a newbie hacker trying out their tools is an individual/team working to obtain credit card information or other digital information that is of some financial value. These attacks would be in the same vein as that against T.J. Maxx back in 2005.

This all leads me to what I witnessed for the first time at AirTight when I sat down, opened my laptop and began to settle in for their WFD6 presentation. Coffee in hand, I looked around for the Wi-Fi PSK or credentials for their guest Wi-Fi. I noticed that my laptop showed it was already connected to a WLAN, but I thought it unlikely that the SSID from the last WFD was still in use, and that my credentials were still cached on my laptop. I clicked on the Wi-Fi connectivity icon and it showed that I was connected to the McCarran WiFi SSID. Say what? That's not even possible. That's the free Wi-Fi SSID from the airport in Las Vegas! As the list of available Wi-Fi networks available began to populate on my screen, there was no way that all these SSIDs were really available. I was seeing a list of every SSID I'd ever connected to and hadn't pruned from my list of known networks.

Turns out, what I was seeing was a Wi-Fi Pineapple running Karma. Basically what I was seeing was my laptop beaconing the request to connect to any of its known networks and the Pineapple responding back with "YES!"

I immediately began pruning my list of known networks on my laptop, but I don't have the option to remove known networks from my iPhone once that known network is out of range. I could always take the extreme measure of resetting all my Network Settings in my phone, but I wasn't ready to make that leap.

The Karma demonstration was a lead in for the "AirTight Magic Show" with Sean Blanton. The feature that AirTight has to combat a Pineapple/Karma attack is that the AirTight system can detect known enterprise user devices and make it so that once you connect to the secured corporate WLAN you’re actively blocked via de-auth packets from connecting to any other WLANs while you're in the workplace. With AirTight, it is possible to block the ability of known enterprise clients to join their own Mi-Fi devices or personal SSIDs.

I've not seen this type of functionality present in any other vendors' wireless capabilities. I was impressed not only by the Karma demo, but the ability of AirTight to keep enterprise devices associated to enterprise WLANs and prevent them from associating to 'unauthorized' WLANs.


  1. Nice write-up. I'd encourage anyone in the WLAN or security business to either pick up a Pineapple for $100 or master the equivalent treachery on a wireless Linux machine. Karma, SSLStrip, and other attacks are thought-provoking to experience and then have explained to you, but setting them up for yourself is equally eye-opening because you see how easy it is to do. Wild stuff, here.

  2. Zebra's ADSP will do this same thing. It watches all WIFI connections and can actively deauth any connection made from one of your clients to any AP not known as a authorized APs in ADSP no matter the SSID.