What protects a wireless network against fake ones with the same name?
I know some specifics of how WPA2 and other wireless encryption protocols work, but what protects these protocols against hijacker networks with the same SSID? Here's the scenario I'm proposing:
1) Go to a place with lots of portable hotspots, eg an airport or coffee shop. 2) Choose one of these hotspots and make a 'fake' one with the same SSID and encryption mechanism (choose any password). 3) Wait for people to connect to (or automatically connect to) your network instead, and log password attempts. If you want, create a man-in-the-middle or simply turn off your network. 4) Tada! You have the wifi password attempts of all users who were connecting to that network.
It seems like there should be some protection against SSID conflicts. Doing a small test on my home network my devices (scarily) auto-connect to networks of the same SSID, even if they are broadcast by a different device. It seems to be random which network it connects to when there are multiple devices with the same SSID (although it seems to favour the one that was set up most recently).
Is this possible? Am I missing something that makes this impossible? How can we prevent against this?
Thanks!
What protects a wireless network against fake ones with the same name?
Nothing. Its a popular trick with iPhones since they are hard wired to camp with APs named attwifi (more correctly an SSID of attwifi). See, for example, On iPhone, beware of that AT&T Wi-Fi hot spot (2010), attwifi Impersonation Experiment (2011), attwifi SSID and the iPhone's Secret Relationship (2012), iPhones can auto-connect to rogue Wi-Fi networks, researchers warn (2013), and others. Its kind of funny to watch it make its rounds with journalists ;)
In the case of the iDevices, you can't disable or remove the behavior. All you can do is have the phone prompt you for every wifi connection. And then you manually reject the ones like attwifi. How's that for Apple Data Security!
You have the wifi password attempts of all users who were connecting to that network...
WEP and WPA don't put the shared password on the wire like is done with HTTP/HTTPS and basic_auth
schemes. In WEP and WPA, the attacker never sees the plain text password. (The password is obviously used during key exchange, its just not transported in plain text. Instead, nonces are sent in the plain text. And WEP has its own set of problems).
Luckily, there's no wifi key exchange protocols that does the dumb basic_auth
thing, so the bad guy can't force a downgrade to make a user reveal his/her passwords. See, for example, Four-way Handshake in WPA-Personal (WPA-PSK) on the Security Stack Exchange.
You have a similar problem with the 3G/4G (et al) radios. What stops your phone from camping to the wrong base station or an attackers base station? Nothing - the phone camps where the signal strength is strongest, even if its controlled by the attacker and he/she forces your encryption algorithm to A0 (meaning no encryption).
Chris Paget did a lot of neat stuff in this area with Gnu Radio. See, for example, Chris Paget GNURadio Blackhat. Specifically, look at his/her IMSI Catcher.
Wifi and the 3G/4G networks are insecure infrastructure. Treat them as such - don't allow anything to leave the phone without privacy and integrity protections.
链接地址: http://www.djcxy.com/p/70126.html上一篇: 获取WiFi路由器的唯一标识符
下一篇: 什么保护一个无线网络与同名的虚假网络?