‘Attacking Automatic Wireless Network Selection’

Summary

‘Wireless 802.11 networking is becoming so prevalent that many users have become accustomed to having available wireless networks in their workplace, home, and many public places such as airports and coffee shops. Modern client operating systems implement automatic wireless network discovery and known network identification to facilitate wireless networking for the end-user.

In order to implement known network discovery, client operating systems remember past wireless networks that have been joined and automatically look for these networks (referred to as Preferred or Trusted Networks) whenever the wireless network adapter is enabled. By examining these implementations in detail, we have discovered previously undisclosed vulnerabilities in the implementation of these algorithms under the two most prevalent client operating systems, Windows XP and MacOS X.

With custom base station software, an attacker may cause clients within wireless radio range to associate to the attacker’s wireless network without user interaction or notification. This will occur even if the user has never connected to a wireless network before or they have an empty Preferred/Trusted Networks List. We describe these vulnerabilities as well as their implementation and impact.’

Credit:

‘The information has been provided by Dino A. Dai Zovi.
The original article can be found at: http://www.theta44.org/karma/aawns.pdf
The Karma tool can be found at: https://securiteam.com/tools/5CP0I0KG0W.html’

Details

‘IEEE 802.11 wireless networking has demonstrated explosive growth and popularity, especially in dense urban areas. This has resulted in commercial offerings of public access wireless networks (hotspots) in many airports, hotels, coffee shops, and even some parks. Large hotspot providers include T-Mobile and Verizon. There are even community-based projects to provide free hotspots in community areas like Manhattan parks.

The prevalence of these hotspots has had an unanticipated effect on the mechanisms in client operating systems for selecting wireless networks. It has been a known problem that an attacker can provide a rogue access point with a common name (such as the default SSID of a popular home-office access point, such as linksys). If a nearby wireless client has associated to a similarly-named access point in the past, they may mistake the rogue access point for their trusted access point. The prescribed solution to this is to ensure that all networks connected to are encrypted.

While this is possible when the only networks connected to are at the home or workplace, the use of hotspots (which must be unencrypted to provide public access) means that users are more likely to have connected to unencrypted networks in the past.’
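The selection loop the paper describes (probe for each remembered network, join the first access point that answers) and the rogue base station that answers every probe with whatever SSID was asked for, as an added simulation; this is not code from the paper or from the KARMA tool. The frame dataclasses, the Client/AccessPoint classes, the BSSID values and the preferred-network profiles are all constructed for the demo. In particular, the rule that the client only accepts a response whose Privacy bit matches its stored profile is a modeling assumption, not a claim about how Windows XP or MacOS X behave; it is there to show that a single remembered open hotspot is enough for the attack to succeed, while an encrypted-only list resists it in this model. The final function is a defender-side check (a monitor flagging a BSSID that answers probes for many different SSIDs), a common heuristic for this class of rogue access point, not one taken from the paper.

```python
"""Simulation of preferred-network probing against a KARMA-style rogue AP.

Added example; not code from the paper or from the KARMA tool.  Frames are
plain dataclasses (no radio involved); the BSSIDs, SSIDs and profiles used
below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Profile:
    """One entry of the client's Preferred/Trusted Networks list."""
    ssid: str
    encrypted: bool  # True for a WEP/WPA profile, False for an open hotspot


@dataclass(frozen=True)
class ProbeRequest:
    ssid: str  # "" is a broadcast (wildcard) probe


@dataclass(frozen=True)
class ProbeResponse:
    ssid: str
    bssid: str
    privacy: bool  # Privacy bit of the capability field: encryption required


class AccessPoint:
    """Legitimate AP: answers wildcard probes and probes naming its own SSID."""

    def __init__(self, ssid: str, bssid: str, privacy: bool) -> None:
        self.ssid, self.bssid, self.privacy = ssid, bssid, privacy

    def handle_probe(self, req: ProbeRequest) -> Optional[ProbeResponse]:
        if req.ssid in ("", self.ssid):
            return ProbeResponse(self.ssid, self.bssid, self.privacy)
        return None


class KarmaAccessPoint(AccessPoint):
    """Rogue AP: answers every directed probe with the SSID that was asked for,
    always as an open network, so it looks like any remembered open network."""

    def __init__(self, bssid: str) -> None:
        super().__init__(ssid="", bssid=bssid, privacy=False)

    def handle_probe(self, req: ProbeRequest) -> Optional[ProbeResponse]:
        if req.ssid == "":
            return None  # it cannot guess a name for a wildcard probe
        return ProbeResponse(req.ssid, self.bssid, privacy=False)


class Client:
    """Models known-network discovery: probe for each remembered network in
    list order and associate to the first responder that matches.  Modeling
    assumption: a response is accepted only if its Privacy bit matches the
    stored profile (open profile <-> open network)."""

    def __init__(self, preferred: List[Profile]) -> None:
        self.preferred = preferred

    def scan(self, aps: List[AccessPoint], ssid: str) -> List[ProbeResponse]:
        req = ProbeRequest(ssid)
        return [r for r in (ap.handle_probe(req) for ap in aps) if r is not None]

    def select_network(self, aps: List[AccessPoint]) -> Optional[ProbeResponse]:
        for prof in self.preferred:
            for resp in self.scan(aps, prof.ssid):
                if resp.ssid == prof.ssid and resp.privacy == prof.encrypted:
                    return resp
        return None


def promiscuous_responders(responses: List[ProbeResponse], threshold: int = 3) -> List[str]:
    """Defender-side check: a BSSID that answers probes for `threshold` or more
    distinct SSIDs is behaving like a KARMA-style rogue AP."""
    seen: Dict[str, Set[str]] = {}
    for r in responses:
        seen.setdefault(r.bssid, set()).add(r.ssid)
    return sorted(b for b, names in seen.items() if len(names) >= threshold)


# Constructed scenario values (locally administered MAC, not a real device).
ROGUE_BSSID = "02:00:00:00:00:01"
ROGUE = KarmaAccessPoint(ROGUE_BSSID)


def joined_ssid(preferred: List[Profile], aps: List[AccessPoint]) -> Optional[str]:
    """SSID the client ends up associating to, or None if it stays idle."""
    resp = Client(preferred).select_network(aps)
    return None if resp is None else resp.ssid


def monitor_flags(preferred: List[Profile], aps: List[AccessPoint]) -> List[str]:
    """Everything a passive monitor sees while the client probes, fed to the check."""
    client = Client(preferred)
    seen: List[ProbeResponse] = []
    for prof in preferred:
        seen.extend(client.scan(aps, prof.ssid))
    return promiscuous_responders(seen)


if __name__ == "__main__":
    office_user = [Profile("corp-wpa", True), Profile("tmobile", False), Profile("linksys", False)]
    careful_user = [Profile("corp-wpa", True), Profile("home-wep", True)]
    print("office user joins:", joined_ssid(office_user, [ROGUE]))           # tmobile
    print("encrypted-only user joins:", joined_ssid(careful_user, [ROGUE]))  # None
    print("flagged BSSIDs:", monitor_flags(office_user, [ROGUE]))            # [ROGUE_BSSID]
```

The office user is caught even though the first profile in the list is an encrypted corporate network: the rogue's open answer to the "corp-wpa" probe is rejected, but the very next probe, for a hotspot joined once at an airport, is answered with exactly that name and accepted. The monitor check carries the caveat implied by the threshold: a client with only one or two remembered networks never makes the rogue answer enough distinct names to trip it, so it is a corroborating signal, not proof of absence.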

To read more: http://www.theta44.org/karma/aawns.pdf
