How anyone can get your WiFi password

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
I am going to try to keep this sweet and simple.. I'm not going into great detail, but as complicated as I make it sound here, know there are apps out there that do all this with just a few clicks that any moron could use.

It's called a Man in the Middle attack, or the Evil Twin Access Point.

It simply works like this: every one of your WiFi clients right now has saved their password and is configured to connect to: YourWiFiNet

Now this password can be a billion characters long and the crypto is unbreakable, but I can still get by all that by doing this:

I operate an "Evil Twin" and run a WiFi network also called "YourWiFiNet", it's that fucking simple.. now none of your devices know who is the evil twin and both networks look like they're the same.
Sooner or later they will connect to my access point and I will say a password is required yet accept any password given to me, then I will connect to the real "YourWiFiNet" using the login you just gave me and bridge the connection.. now I am on your network and the device that just gave me the password is also on your network.. however I can see all the traffic for the devices connected to me, so any video streams are a matter of simply decoding for my pleasure.

Now for the kicker, I don't really have to wait at all.. WiFi DEAUTH packets instruct the device to disconnect and then it will attempt to reconnect instantly.. All wireless devices in range are seen in a simple WiFi scanner, these packets are not encrypted even if you have encryption enabled, and it is trivial to pretend to be your access point asking you to DEAUTH.. so what I do is just send a never-ending stream of DEAUTH packets to a device on your network and you will have no choice but to connect to my evil twin.. if I was lazy I could just flood these packets out and knock all your WiFi devices off until I stopped, if I didn't actually care about getting into your network.. no sophisticated jamming devices, just an app that can run on most phones is capable of this.

This whole attack can be entirely automated, allowing anyone with the right tools to compromise your WiFi in less than a minute..

There is only one way to stop this attack, and that is to use enterprise authentication with an external authentication server and certificate authority (WPA-EAP-TLS). It's far too complicated for most all of you to deploy, and if you do, most of your WiFi devices won't be able to use it.

Cheers,
-R
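The post above describes two things a defender can watch for on their own air: an access point that is not theirs advertising their SSID, and a burst of deauthentication frames aimed at one of their clients. The following is an added example, not code from the post or the forum, showing both checks over a constructed capture; the Frame record, the MAC addresses and the KNOWN_APS inventory are assumptions, and the frames would in practice come from a monitor-mode sniffer.

```python
"""Defender-side checks for the attack described above: an SSID advertised by an
AP we don't own (evil twin), and a deauth burst at one client (forced reconnect).
Frames below are constructed for the example; all addresses are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    t: float            # capture time in seconds
    kind: str           # "beacon" or "deauth"
    bssid: str          # transmitter address (the AP, or whoever claims to be it)
    ssid: str = ""      # network name carried in a beacon
    dst: str = ""       # receiver address of a deauth frame


# Inventory of the BSSIDs we actually operate for each of our SSIDs (constructed).
KNOWN_APS = {"YourWiFiNet": {"aa:bb:cc:00:00:01"}}


def find_evil_twins(frames, known=KNOWN_APS):
    """Return {ssid: {unexpected bssids}} for our SSIDs advertised by unknown APs.
    Caveat: an attacker who also clones our BSSID is not caught by this check;
    the deauth-rate check below still applies in that case."""
    advertised = defaultdict(set)
    for f in frames:
        if f.kind == "beacon" and f.ssid in known:
            advertised[f.ssid].add(f.bssid)
    return {ssid: bssids - known[ssid]
            for ssid, bssids in advertised.items() if bssids - known[ssid]}


def find_deauth_floods(frames, window=10.0, threshold=20):
    """Return {(bssid, dst): peak} for sender/client pairs whose deauth count in
    any sliding `window` seconds reached `threshold`. A handful of deauths is
    normal (roaming, idle timeouts); dozens within seconds is a forced reconnect."""
    times_by_pair = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            times_by_pair[(f.bssid, f.dst)].append(f.t)
    floods = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[pair] = peak
    return floods


def sample_capture():
    """Constructed capture: our AP beaconing, a rogue AP beaconing the same SSID,
    two ordinary isolated deauths, and a 40-frame deauth burst spoofing our AP."""
    legit, rogue, client = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01", "11:22:33:44:55:66"
    frames = []
    for i in range(3):
        frames.append(Frame(i * 0.1, "beacon", legit, ssid="YourWiFiNet"))
        frames.append(Frame(i * 0.1 + 0.05, "beacon", rogue, ssid="YourWiFiNet"))
    frames.append(Frame(100.0, "deauth", legit, dst=client))   # ordinary, isolated
    frames.append(Frame(900.0, "deauth", legit, dst=client))   # ordinary, isolated
    for i in range(40):                                         # the burst: 40 in 2 s
        frames.append(Frame(300.0 + i * 0.05, "deauth", legit, dst=client))
    return frames


if __name__ == "__main__":
    capture = sample_capture()
    print("evil twins:", find_evil_twins(capture))        # {'YourWiFiNet': {'de:ad:be:ef:00:01'}}
    print("deauth floods:", find_deauth_floods(capture))  # {('aa:bb:cc:00:00:01', '11:22:33:44:55:66'): 40}
```

The threshold and window are the knobs to tune against your own environment: busy APs with many roaming clients emit deauths legitimately, so baseline the normal rate before alerting on it.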

nayr
It's been a problem since the beginning of WiFi, but I don't think it's common knowledge.. it doesn't seem to be well known here, and IP cameras require at least a basic networking understanding..

Also, knowledge and understanding are two different things. Most people know WiFi security is weak, but they don't understand it is so weak it's basically ineffective.. Few understand that using a wireless camera is broadcasting video to everyone within range.. but click a few buttons and show them their camera feed right in front of them and their understanding suddenly evolves.

Internet-connected cameras are a huge privacy concern to most, and many of those that are unconcerned with privacy are more than likely just blissfully unaware how the world works.. Criminals are tech savvy, as evidenced by all the crime on the internet.. ATM skimmers, car alarm/garage door hacking devices, and many such tools have been in use for a long time, and their kit is just going to continue to grow as more and more insecure tech becomes more and more commonplace.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
An external VPN provider won't be much use to get to the other devices on your network. It's great for untrusted wireless connections like public hotspots, as it provides your own layer of encryption nobody can snoop on..

If you put your WiFi on a separate network without access to your LAN, and then VPN'd into your LAN (automatically, without letting any other traffic out if there is no VPN), you would get a level of security that is not susceptible to this attack.. but then any devices without a compatible VPN client available would be unable to access the LAN via WiFi.
 

ruppmeister

Getting the hang of it
Joined
Apr 15, 2015
Messages
668
Reaction score
98
This was great information @nayr, but how do we go about protecting our devices that don't have a hard wire option such as phones, tablets, chromecast (I know they can hardwire now but...), etc?

nayr
I personally run two WiFi networks side by side. The primary one requires WPA-EAP-TLS certificate authentication.. All my laptops, phones and tablets are able to connect to this network and they get full network access without restrictions... WPA-EAP-TLS can detect an Evil Twin because I signed a certificate that is presented upon login; nobody else can forge this cert, and my clients will not attempt to log in if they encounter a certificate that is not signed by me.

Then I run a legacy and guest WiFi network together. This is on a different subnet and has to go through a firewall to reach my primary LAN.. the firewall by default provides basic internet access and then blocks everything else, then I have poked a few holes through it for guests.. like access to my Plex server, network printers, etc... but everything else is blocked, so nobody on this network has any access to cameras or the security system at all.

My old Rokus and Chromecasts and other devices that needed basically just internet access but no LAN (except to the Plex server) just got tossed into the guest network because they couldn't handle the certificate authentication.

However, a few weeks ago Nexus Players went on sale, so I replaced all my Chromecasts and Rokus with Nexus Players and gave them USB ethernet connections.. now I don't have any more devices on the WiFi that are not using certificates for access, and the guest network is really just for guests once again.
 

harleyfart

Young grasshopper
Joined
Jul 15, 2015
Messages
81
Reaction score
3
This is one of the reasons why I went with hard-wired, co-axial cams.
 

LittleBrother

Pulling my weight
Joined
Sep 16, 2014
Messages
480
Reaction score
119
I'm assuming the Evil Twin clones the MAC address as well.
What if I turn broadcast SSID off?!?
I used to turn off SSID broadcast until I downloaded a very popular and free app that is regularly used by people to diagnose network issues (nothing at all secretive or naughty about it) and it shows them all, irrespective of whether they are hidden. So, complete waste of time. IMO hiding the SSID is nothing more than annoying to people who genuinely want to use it. All of mine are now exposed.

As far as nayr's post, I don't know much about network security, but it did occur to me that I could probably copy a neighbor's SSID and frustrate them (I never would, but just as an idle thought) because they'd see this network they could never get onto :) Same idea he has here.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,676
Reaction score
14,023
Location
USA
You could also, given appropriately powerful WiFi antennas, hijack your neighbor's wifi and feed it back to them, meanwhile sniffing all their traffic continuously. Of course if they ever caught on then it would not be hard to figure out who was responsible.
 

nayr
Hidden SSIDs and MAC address whitelists are completely worthless and won't secure you one bit..

Unless you are on an iPhone, changing your MAC address is a piece of cake..
 

whoslooking

IPCT Contributor
Joined
Oct 3, 2014
Messages
1,524
Reaction score
548
Location
London
Using your MAC address stops this sort of basic hacking.
This has been around for years; there are even Linux programmes and management tools for sniffing the passwords in data packets.
What do you think government agencies do to invade your privacy, I ask?
 

ruppmeister
What hardware are you using @nayr for the secure portion of the wifi? Expensive corporate gear I would guess?

nayr
> Using your MAC address stops this sort of basic hacking.

Uh, not sure what you're trying to say, but MAC addresses provide zero security. They're discoverable by anything they can communicate with, so it's not really a secret... the best you'd do is throw a wrench into some script kiddie's automated tools, but it'd be trivial to get back on their feet and continue on.

I use Ubiquiti UniFi at home, and Cisco at work.. UniFi is pretty affordable and you can run multiple wireless SSIDs on separate VLANs on each access point..
Features are comparable to Cisco Wireless, but the price is a fraction of it.
 

ruppmeister
So running the Ubiquiti UniFi allows for the use of WPA-EAP-TLS certificate authentication? What are you using for generating the certs then?
 

nayr
You still have to run a RADIUS server on the network; I have FreeRADIUS running on my Ubiquiti EdgeRouter.. I give each device its own login, so if a device gets stolen or disappears I can simply disable that login and the device is no longer capable of getting onto my secure network... You will generate a certificate and sign it for the RADIUS service, and all the clients will verify that certificate is valid and trusted before handing over any login information.

For my Certificate Authority I use XCA, http://sourceforge.net/projects/xca/

I create a Cert/Key pair for each device that needs to authenticate and export the CA Cert, User Cert/Key into a .p12 file and securely copy that to my device and import it.

For iPhones and iPads you have to download an OS X tool called iPhone Configuration Utility. This will let you pre-configure the network, attach the certificate files and other things.. when done you export the config and securely copy it to your Apple mobile.

Attached is a screenshot of all there is to the Unifi config
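nayr's two posts on WPA-EAP-TLS come down to two trust decisions: the client only hands over credentials to a RADIUS server whose certificate is signed by the home CA (copying the server's name is not enough), and the server only admits a client certificate it issued and has not since disabled. The following is an added example, not code from the thread or from FreeRADIUS/XCA/UniFi, that walks both decisions through with real X.509 certificates using the `cryptography` package; the CA name, the server name `radius.home.lan`, the device names and the "disabled serials" list are all assumptions made up for the demo.

```python
"""Added example of the EAP-TLS trust decisions described above, built with the
`cryptography` package. All names here are hypothetical."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, public_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer)
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


def make_ca(cn):
    """Self-signed root, the role XCA plays in the post (its key never leaves the CA box)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = _builder(_name(cn), _name(cn), key.public_key(), True).sign(key, hashes.SHA256())
    return key, cert


def issue(ca_key, ca_cert, cn):
    """Issue a leaf cert (the RADIUS server, or one per client device) signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = _builder(_name(cn), ca_cert.subject, key.public_key(), False).sign(ca_key, hashes.SHA256())
    return key, cert


def signed_by(cert, ca_cert):
    """True only if cert's signature verifies under the CA's public key.
    A matching issuer name is necessary but proves nothing on its own."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def client_accepts_server(server_cert, trusted_ca, expected_cn):
    """Client side: refuse to start the inner authentication unless the server
    cert is ours by signature and names the server we expect. (Real supplicants
    also check the validity period; omitted here to keep the demo short.)"""
    return signed_by(server_cert, trusted_ca) and common_name(server_cert) == expected_cn


def server_accepts_client(client_cert, trusted_ca, disabled_serials):
    """RADIUS side: the cert must be one we issued and not one we have disabled,
    which is how a stolen device gets cut off without touching any other client."""
    return signed_by(client_cert, trusted_ca) and client_cert.serial_number not in disabled_serials


def demo():
    ca_key, ca_cert = make_ca("Home WiFi CA")                  # our real CA
    _, radius_cert = issue(ca_key, ca_cert, "radius.home.lan")
    _, phone_cert = issue(ca_key, ca_cert, "phone")
    _, laptop_cert = issue(ca_key, ca_cert, "laptop")
    # An evil twin can copy every name it sees, but it has its own CA key.
    rogue_key, rogue_ca = make_ca("Home WiFi CA")
    _, rogue_radius = issue(rogue_key, rogue_ca, "radius.home.lan")
    _, rogue_client = issue(rogue_key, rogue_ca, "phone")
    disabled = {laptop_cert.serial_number}                     # laptop reported stolen
    return {
        "client_trusts_real_server": client_accepts_server(radius_cert, ca_cert, "radius.home.lan"),
        "client_trusts_evil_twin": client_accepts_server(rogue_radius, ca_cert, "radius.home.lan"),
        "server_admits_phone": server_accepts_client(phone_cert, ca_cert, disabled),
        "server_admits_stolen_laptop": server_accepts_client(laptop_cert, ca_cert, disabled),
        "server_admits_forged_phone": server_accepts_client(rogue_client, ca_cert, disabled),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The rogue CA in `demo()` has exactly the same name as the real one and issues a server cert with exactly the same CN, and the client still rejects it, which is the whole point of pinning trust to your own CA rather than to a name. On a real client this pinning is what you get by installing only your CA cert (not a public bundle) as the trusted root for that network and telling the supplicant which server name to expect.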