Presenter:
Transcript:
Well, thanks for having me. Thanks for, the sponsors. It's always great if I've run or help with some of these user groups, so I know how important it is to, have sponsors. I will be showing some devices and, one to assure especially neutrality data centers, if they are not powered in any way.
So, you don't have to worry about the data center upstairs. I am here today to talk about Wi-Fi security. And I want to do this in a very technical way. But also in an easy to understand way, because you could I could probably, if you would let me talk all night about Wi-Fi security. But I want to do something that in, like, 20, 25 minutes is something that you can actually take with you.
And, that is something that you can understand even if you only know about Wi-Fi from. That's the thing that I connect to. And then there's internet coming out of it. Right. Which is completely fine. So I want to keep it on, on a, on a fairly high level, the background why I'm talking about this is, that, like Jarvis said, I've, started a new company a while ago.
That has Wi-Fi security, has a big part in its product. I want to make very sure that I am, however, not here today to talk about that product because I'm not a sponsor. And I want to give you a technical talk. So if you see anything about this product that's just as a background could be a screenshot.
Be aware that there's other products that do the same thing. I in fact do not have anything to sell. So, I want to make sure everyone knows that. And we're going to go just a super quick introduction. And then another topic that's very important for me, which is who needs Wi-Fi security, because that is one of these fields where people go out and scare people.
This is something where you'll hear these stories about, oh my God, you're you're using the free Wi-Fi at Starbucks, right? You're going to get hacked. You're not you're going to be fine. This is nothing. This is something that you could press on people if you had a product that tries to solve this. You could go and scare people with, like, the public Wi-Fi, and you're using, online banking about it, and that's, over it.
And that's so, so, so dangerous. I also want to make sure to understand, make sure that you understand that there's a good chance you don't need any of that. But it's still a very interesting, I think, technical topic. And then we're going to just as a little bit of background, we're going to look at some Wi-Fi frame types.
I'll keep it high level, which will be important when we look at the actual threats that are out there and some defenses of what you can do against it. So as a background, I was in fact, I don't know if you hear my accent. Some people hear the accent very strongly, some don't, and some only after a year or two.
My. In fact, my German tax accountant is convinced that I now have a Texas accent in my German, which I was not prepared for at all. I live in Houston now. About ten years ago, in fact, Steven over there was there when I moved here. It we feel very well. It's been ten years now, which is crazy.
My background is actually software development. I only somehow accidentally ended up, in a cybersecurity or security adjacent field, because a product that I would previously, and a company that I started and exited, was used for a lot of cybersecurity use cases. And so my background is still very much software development. But I have, over the years, I think, gained some, some experience, when it comes to security.
The company's called nzyme. I've been working on it since 2023. Full time. What it does, and I'm still struggling with explaining that that also because I literally have nothing to sell. That's actually something I can I can work on a little bit here. I call it close access denial. Does anybody know when I say the words close access?
Does anybody have an idea of what that could mean? And you don't have to explain it. Just if you think one. Exactly. Perfect. So close access is. I also don't have marketing people. It's awesome. Close access. It's basically, if you are a target that is valuable enough to someone that after more traditional methods of trying to get to the data they're trying to steal or the systems are trying to shut down or disrupt, if you're so important that after traditional methods like phishing, certain exploitation, drive by attacks, all of these things when those fail to work, if you're important enough that they show up in person, that would be a close access operation.
We're going to talk about that a little more in a little bit. Close access denial. Obviously trying to keep people from doing that, creating denied environments in which you cannot do that. Currently in Alpha, it's open source. And so you can go and download it and play around with it. If you want to follow me, I have left most of social media over the last few months.
You can find me actually on LinkedIn, which is incredible to say. You can go to the website and send me an email. We also have a discord server you can join. There's plenty of ways to reach me. I'll also be hanging around here, later for sure. So who need to watch for security? I think it's really important to say that not everyone needs Wi-Fi security.
Beyond what your router at home already offers. I can tell you that the default stat of AT&T or any other router today ships with. If that's the Wi-Fi that you're using, you're probably fine. In fact, I am not concerned about my parent's Wi-Fi. They run it with the defaults. You're probably okay. It is very unlikely for most individuals to be attacked successfully on, on most Wi-Fi.
Including coffee shop, public Wi-Fi. If you implement some simple security measures, it's actually not very hard. It's about keeping your router access point updated to make sure there's no, known vulnerabilities in that. Using, the, the default security mechanisms on it, like Wpa2 and not WPA one or WEP. You even know about that because like I said, most of the routers have that as a standard nowadays.
However, it's more about who is trying to attack you, right? If you are concerned about a random other person at Starbucks or any other coffee shop trying to get onto your laptop somehow for Wi-Fi, they are probably not going to deploy nation state level technology to try to do that. Right. The probably not my favorite thing is if you go to Vegas next week for Defcon or Black Hat, people go out of their way to bring a different phone and a different laptop.
And these burner devices, you're probably fine. I bring my normal devices there. You're probably fine. However, if you are actively targeted by an individual who has the means and who might even have a zero day exploit that they're willing to burn on you, then you might need Wi-Fi security. This goes back to thinking about your own threat model and your own threat level.
Do you have something that's so important that literally nation states or really high level criminals might come in person to get that from you? That's what you got to think about. I don't want you, not knowing. It's not, it is also fun to learn. So there's a lot of people who don't need it but like to play around with it.
Right? There's a lot of especially right now in this early community. There's a lot of people who know that they probably don't need that. But it's a great way to learn about Wi-Fi. It's a great way to play around with antennas and hotwire and do all these things. So there's nothing wrong with that. As far as sports. There are a bunch of documented cases where I look at one, documented cases of very high level organizations or individuals being successfully.
And that's important part here. Attack by Wi-Fi. And in kind of the intelligence world, the the the the word close access operation is actually very common. That is something that is a toolkit that they can deploy and use on targets. If they deem that necessary or worth it. Especially, Russia and the GRU. There's your use to Russian military intelligence.
They have there's a very nicely documented case, because they have been indicted by the US. By the US. Who was it? I think it was the Justice Ministry. I want to say, they, have a very, very long, detailed indictment about their activities and how they tried to get into the OPCW, which is the organization for the Prevention of Chemical Weapons in Europe, as well as, the Olympic Anti-Doping Committee and certain other anti-doping, organizations.
That was because, the Russians were banned from the Olympic Games because of doping, which they said they didn't. So they went and tried and successfully hacked into those systems to find out what they knew about the doping they didn't do officially. Right. That actually happened in hotels. They went to these, to the cities for these meetings, for help, and detect them through hotel Wi-Fi.
That was, in fact one of these cases, but again, only that not every guest to fill their Facebook account, but those very, very targeted individuals. And I think overall, I am going to just assume that none of you are running any sort of specialized or dedicated Wi-Fi security system in your environments, at home, in the office.
Anywhere where you're where you might want to protect data. And I think that's probably fine. I don't know, there's certainly some, some, some industrial critical infrastructure environments where this might be different, but I think overall, the risk of a Wi-Fi breach is being perceived as low. So the risk of this happening is perceived as low, which I agree with.
Especially when you compare that to the cost and effort of defending against them. There are some companies out there that do this. They will charge a lot of money and deploy a lot of weird equipment, to try to protect you from that. And so of course, we all, if we have any sort of budget authority. Right.
We're making this decision. Am I going to spend that much money against a threat that I perceive is unlikely? My view is we should probably, we should probably dump the or, reduce the cost on that and make that make that, make that equation work out. So that is a closed access operation in progress. These screenshots are from a presentation from the Dutch Ministry of Defense.
That is a close access team, from the Russian GRU. They are on their way to rent a car and a hotel room that is adjacent to the OPCW, which is the organization for the Prevention of Chemical Weapons. Similar to the stop in case of they denied. They also denied being involved in chemical weapons use in Syria.
So because they were not involved there were very interested in what that, international organization knew about their use of chemical weapons in Syria. So they tried to break into the wifi of that organization. They rented a hotel room that was facing the building, and then they also rented a, a car, and they put a bunch of equipment into the trunk of that car and just backed it up against the wall of that building.
And tried to use this remotely. They got busted in the act. By the Dutch military intelligence, which is very interesting. It's unclear if they have been followed from the beginning of this was something that was actively monitored in that environment. But the Dutch are very, very good in this. Okay. So just a little bit of background of like how this is happening in the world.
Okay. We have Wi-Fi management frame types. It can be a little intimidating, but I'll keep it very high level. So frames and Wi-Fi are similar to I would say packets in Ethernet. Okay. The information that is being exchanged between your phone, your laptop, anything on Wi-Fi with an access point somewhere in the ceiling broken down into frames because these frames can be interchanged and conflicted and all of that good stuff.
So it's broken down pieces of information. There are a few higher classes of these frames. One of them is a management frame type. There's three more I want to say that are not relevant to us data and control frame types. Those are the actual data you're exchanging and then control to make sure that there's no collisions in there.
The management frame types are the ones that, are the most important from a security perspective. So let's say you're looking at your phone and you go to the Wi-Fi menu and it shows you all the networks and range. Is anyone ever thought about how does it know which networks on range right. Does it go out and scan this somehow?
Is it listening for something? It is in fact listening for the beacon management frame type. So I am going to guess that there is an access point somewhere in the ceiling. This access point right now is multiple times a second sending out a beacon frame, which means I am an access point. I'm serving the following networks with the following security settings.
And this is the name of it. And that's just being recorded by your phone. And now your phone knows there is an access point that's a software address. And that's the network it serves. So I'm going to assume it is the reality guest okay. It also picks up the other access point, the other rooms across the street from a car, maybe a mobile hotspot.
That's how it builds this list. There is I'm going to skip the ones that are not highlighted because that's going to be a little too long. There's also the probe request and the probe response frame. Your phone can be actively looking for networks that it knows. Let's say you've connected to your work network in the past.
You've connected to a Starbucks network. In the past, the Hilton, the Marriott, the United Lounge, the Delta Lounge. Okay. And your home network. Your phone will periodically check if these networks are on range. It will actively ask. It will say hello. Is the United Club Wi-Fi anywhere around here? Access point picks this up. Says no, I'm not you nightclub the to guest so it ignores it.
If you were close to a United club, it would respond and say I'm here. These are my settings. And then it's very similar to a beacon concerned more of an active probing. The reason for this is related to that the standard isn't very good. And also that, it might be a hidden network, right? It might be something that's not broadcasted actively.
So you have to ask for it. This is of course, a privacy concern because your phones are telling me what you usually connect to. Kind of an issue. And then there's also the disassociation and the authentication frames. Those are let's say I'm walking down that hallway and I'm starting to lose a good signal from this access point here in the ceiling.
I'm starting to get a better signal from an exit point somewhere over there. Now, the access point can actively authenticate or disassociate me and say, hey, you're leaving. I'm just going to let you go. By the way, you're disconnected now, or my phone can see I'm getting closer to another one that's serving the same network. Tells this one, hey, I'm leaving.
I'm connecting to that one. It's like roaming almost. The problem with all of these frames is that they're entirely unauthenticated and unencrypted. Because they have to be. Right. Because how would you read encrypted data from an access point? You've never known before without pre exchanging some, some sort of a certificate or private key, public key, anything.
So these things are unauthenticated. So you can just read these. That is the case for all of these management frames in I'm going to say 99% of the environments out there, there is a way to encrypt them, but most hardware doesn't support it. And it's kind of a pain to do also. So what this also means is that you can spoof these, right?
Nothing keeps me from recording the beacon frame from that, access point and using a device like this one, for example, spiky thing that will record that and perfectly duplicated. Okay, so that is the Wi-Fi. Pineapple costs about $120. You get it online. You'll have it before you go to Vegas. So it's purpose built for this. This will now perfectly emulate that access point.
If this one happens to have a stronger signal strength. And that one, I can almost guarantee you that a bunch of your devices are going to start to connect to this one. So now I'm sitting in the middle of all your communication. Okay. For prop requests, appropriate constraints. For the probe requests, I can build a fingerprint of you.
I can go and I can take a network that looks like it's your home network. I can take that name, and I can enter it into a website called wiggle Dot net, which has a lot of these, or almost all of these networks recorded with a geolocation. So I can now enter that, and I can see where your home network is on a map.
I can see where your work network is. I can see that you are a Hilton Honors member and not a marriott member, so maybe that's a possible attack vector somewhere. Okay. And because it's almost guaranteed to be a very unique combination, I can start to fingerprint you as well. I can say you've been here and maybe in in a month when we come back here, I can automatically tell if you came back or not or where else you go.
If you have enough sensors that are picking this up. Right. For the disassociation, the authentication frames, the standard, the Wi-Fi standard, if you want to get the little Wi-Fi logo on your device and say that you are supporting Wi-Fi, you need to react to these frames. If somebody sends you the authentication frame, if this access point says, please disconnect after disconnect.
If you don't do that, you don't get certified, you don't have Wi-Fi, okay. So your phone's going to that laptop is going to do that. Virtually everything's going to do that, which is unencrypted. So I can spoof it. I could tell from here with either this device or if I find it, this device that is a called a flipper, or if I want to go extremely stealthy, it's so small I might not find it, which is kind of a problem.
Here with the black part in the center, which is a, embedded Wi-Fi chip. All this stuff around is just to make it easy to use if you don't want to solder yourself. So with that little black part here in the middle, I can do that as well. And I could just go and I could just authenticate all of you.
And now no one has Wi-Fi. There's nothing you can do against it. Okay, not a problem. Not great.
That is the classic if you ever see these anywhere. So sketch you. There's. I want to say there's literally no reason anymore to have these for legitimate use case. That is a USB Wi-Fi adapter that supports what's called monitor mode and frame injection, which means that all of these attack tools, if you want to do it from your laptop, where you might have a little more control than from from these little things, they will let you inject any sort of data into the into the frames, basically.
And they also have a pretty wide range. Usually they're very sensitive. You can put a directional antenna on it like a Yagi antenna pointed at your target across the street a bunch of stuff that you can do. You used to problem. You see this like $80? And you can get them for cheaper. You can get them for $15 and put a bunch of these on your on your computer.
So we'll go through a few of these threats. I've touched on a few of these already. I think, if anyone has ever looked at Wi-Fi security, this is probably the first that comes up. I would usually say it's questionable how much you can do with that anymore. Man in the middle. I use the Wi-Fi pineapple.
There's going to be USB connected to my laptop. It will make your phones connect to this one with spoof frames, and then make the internet accessible through my laptop. So I'm sitting in the middle of all of your communications, right? That is something that someone could very easily execute in a Starbucks hotel lobby right here if they want it.
Right. I will say that this is not on top of my list of worries, because you have to assume someone sits in the middle of your communication anyways, which they do. Your eyes piece sitting in the middle of your communication. There's probably Cloudflare sitting in the middle of your communication for a lot of things. So you have to secure and you have to encrypt your communication anyways.
That's why I'm not concerned about anyone using online banking at Starbucks. I do that all the time because that's already TLS encrypted. If you somehow get this going through your laptop, I don't care. It's encrypted, right? So that is something you have to solve against anyways with what I would consider very basic IT hygiene. If you are unsure of what is actually running on your laptop and if there's anything that might not be encrypted, that is one of the very few use cases for a VPN for security, I think, because that will just tunnel everything and encrypt everything.
So that is that is probably the one that a lot of people do and they get excited about. Oh my God, I got like 20 phones connected to my rogue access point. I'm a hacker. And then but now. Right, you maybe do some DNS stuff. But even that, if you look at how how iPhones, for example, are tunneling everything already by default less and less critical, I would say, but so something to be aware of.
There is of course also social engineering involved in this. So I could go, let's say your I'm going to take the trial as an example. I'm not saying they have an issue with this. Let's say there is neutrality. Guest. And there is Neutrality Corp, right? Everyone in sales and marketing is connected to Neutrality Corp. You go take this thing, disconnect them all from that network.
The internet doesn't work anymore. They don't know what to do. You use this one and spin up a fake network that you call Neutrality Corp new, right? And they will. Just because things to get work done, they will probably just connect to that one. There's a lot of because you don't physically plug a cable into a wall, it's kind of you don't actually know what you're connecting to is right.
There's ways to solve this with modern Wi-Fi and using Radius and authentication to actually authenticate to a network properly. A whole different story. I'm not going to touch on that tonight. That's a screenshot from enzyme. That's just network monitoring. I think that's very hard to read with this. With this resolution, it's basically confirming that, none of these devices around either through fingerprinting, knowing what frames from this device look like, telling you there's one in the vicinity.
And then also constantly confirming that the network configuration that you see is the one that you should expect. And it's also looking at some you know, it's looking at some, physical signal characteristics. Because one thing that will be almost impossible to spoof properly is this thing sitting in my backpack. And that's the legitimate access point, even if you're perfectly spoof.
And that's also hard to do, perfectly spoof that access point. The signal characteristics at my sensor are going to be different, right? They're going to come from a different direction. They're going to have, a different frequency, as in as in how often the frames are coming. And they're also going to, they're going to have a very different signal strength.
There's also going to be different reflections. This one is going to reflect most likely off the floor and bounces this way. This was going to be all over the place. So there's ways how you can also physically detect and locate where these devices are. The second one, that one. I'm also not super concerned about, eavesdropping. If you, if you sit in the middle of a, often network, you can read what the people are doing.
You don't even need to maliciously redirect anything. Maybe you pick up, I don't know, maybe someone forgot to encrypt their email smtp, imap. I think that's almost impossible today, to be honest. Pick up something that might be interesting, maybe pick up some DNS queries. Not super concerned about. Again, goes back to encrypting all traffic on an encrypted on an application layer.
That's what you're going to do anyways. So also not a crazy thread in my eyes. This one is something that's often overlooked. That's now it's getting a little more concerning. And I also think that that is what close access teams are usually after, pivoting to another network. But again, I'm getting into neutrality guest. Somehow. Okay.
In this way because the passwords on the one which I got fine, for that's what the guest network is for, right? I am also trusting that neutrality, knowing what they're doing, they most likely have probably segmented this. So this will most likely only let your device go straight to the internet and not even see other devices on the Wi-Fi.
Not going to see anything else on the, on the network. And then if you keep the devices up to date and patched that they used to connect out. So your gateway most likely, and your router, then you're probably fine. But I've seen guest networks that were just in a giant flat network, so you. Not me.
But if somebody had run a scan, you would probably see hundreds of devices across the entire network because they didn't segment at all. Right. So is there a way to pivot? Is there a vulnerability in a router or a gateway switch to use this to, use the guest network, use an open network to break into other parts of networks that are more critical and then establish some sort of persistence there.
That is something you always have to consider. And for that, people just need to be close enough, right? It could be someone in the parking lot across the street, they'll have all the time in the world. And most likely a guest network is not that one mind. Try something to think about. This one is the one that I am scared off.
And that I, in my day to day use of wireless systems. I keep that in mind all the time. Captive portals, a captive portal. Let's say you come from the airport. You get yourself, getting ready for your dinner. You want to connect to the Wi-Fi real quick, right? Set up your setup your phone, set up your computer.
Make sure you got the wife I figured out. So you go to your Marriott, Hilton, Hyatt, whatever. Guest network. When you click on it, on your phone or on those computers, it will open a browser, right? Enter your room number and your last name. Enter your Marriott Bonvoy, whatever. Login. That is coming from the access point that is being served by the Wi-Fi infrastructure.
It's coming from somewhere else, but it's coming out of the Wi-Fi infrastructure. It will also most likely not launch a full browser. You notice that this doesn't launch your Safari or your edge, or your Firefox on your phone. This launches this view that's kind of in it. That is, I think, behind the scenes, probably some sort of a web guide or Safari doesn't have the doesn't have the address bar on top.
You certainly didn't click or entered marriott.com yourself against just an example. This this is this applies to all captive portals. So. What if this thing served that. What if that website you're looking at and it doesn't have to be marriott.com. So I don't care about any TLS certificates. That can just be some IP address. Right. Often those don't have any certificate.
So that thing is not going to warn you about an unencrypted connection either. There's no authentication. There's just a website that says it's Marriott and it says enter your. We changed the way that this works and it takes away this works. You no longer need your your room number and your last name. We need your phone number and we need your oh no, we actually just need your Bonvoy number and your password to login.
And you and I would enter that. Right. You enter that, you just go like oh yeah this is my like 119 blah blah blah blah blah. Here's my password. Read it from your password manager. That's clearly your website. And that just goes that just goes here. That never went to. And then it gives you internet. So now you have your username, your password.
What if it is at an airport which has famously great Wi-Fi, right. And you connect to the free Wi-Fi and it's just slow or it's like, I think Heathrow does this horrible thing where you got to watch, like two minutes of ads or some horrible thing, you know, like, I'm not going to do that. So maybe someone spins up a new Wi-Fi.
It's just called free Wi-Fi. And you just really just want Wi-Fi connect to that one. But it says it's free Wi-Fi, but only if you log in with your Facebook account or your Google account, or your office 365 account. And it won't autofill. But you can still you just want your you're tired, you want your Wi-Fi, right? That's just a form that goes to my server, that I'm scared of.
And then there are also, it's here on the right Wi-Fi fissure is a tool that comes out of the box and you literally spin it up and you're going to get that login page. Okay. You can put your own little HTML, your own CSS, your own template in there, do whatever you want. Maybe this asks if this is targeted.
Maybe this asks for your employee ID or something. Maybe this asks a question that only you can know, but that also an attacker might be very interested in. Maybe they want you to enter the A lock combination, because only you can know this, right? To get into some door somewhere, to some side door. And maybe you know that there's so many things that you can do, and then you just give them internet so they have no suspicion.
They're like, oh, that go great. That worked right. This one here. So this one I hate this so much. This one is looking at your user agent to find out if you connect it with an iPhone, Android, windows or an Apple device and OSX and then it will it will show you this, which looks like the system dialog of the Wi-Fi connection didn't work.
That's HTML and JavaScript. That's coming from the website you're looking at. So it spins up a web, it spins up a network, calls it again, making this up, the trial to connect to it. And then it shows the browser error page. That's for your browser because they see it in the user agent and shows there's no internet connection.
You're like, damn, the Wi-Fi doesn't work. And then it shows the dialog that looks like your computer's trying to reconnect, which it often does if there's an issue with Wi-Fi, except that's an HTML form that now sends me the legitimate password to your Wi-Fi, and now I can pivot from there. And that might be your Wi-Fi. That's not the guest network where you need the access to the printers, right?
Yeah. Captive portals. Mark. Right. Yeah. But what you can do against is close them. On the iPhone it will say, do you want to keep trying because you're not going to get internet until you went through it. Right. And then open a browser yourself and then go to google.com or a like well known address. So they will intercept and then show their actual, their actual captive portal.
Often nowadays that will actually come from something like marriott.com, hilton.com, whatever. They left connections to that domain in that IP range through. So you can now confirm that that is a valid certificate that comes with you're actually entering into marriott.com. So you go back to like some crypto essentials to make sure that you're entering this where you think you're entering this.
And then and that's the last one, jamming. Like I said, let's say I have something against this user group. I didn't want it to happen. Right? I could just literally disconnect all of your phones all the time. I don't want can use Wi-Fi. This is becoming an issue at some, security conferences, because there are these devices you can bind for five bucks, and they just you press a button and you just do that.
You always have someone who thinks it's funny, and then it's cause nightmare for the for the organizers because they have to get people it for demos, right. To set up properly. I have heard recently when I talked to a user that, that is becoming an issue more and more in schools, where maybe someone doesn't want to test an exam that they, you know, doesn't want to take that that day.
So how about no one gets any internet to the, and they're really hard to find because they're this tiny. It could be anywhere. And there's until you find it, there's not going to be any internet. I know Wi-Fi.
That's my very high level overview. Like I said, I could talk about this for hours. This can go deeper and deeper and deeper and deeper. I just wanted to kind of give you a brief overview of Wi-Fi security and what to think about. I think especially keep the captive portals in mind. Keep in mind how small these things are.
And, the jamming. Definitely something you should know about. And then, of course, the network segmentation. A lot of this goes back to very simple cyber hygiene that I hope you're already doing, but maybe this can give you a few more hints about, how Wi-Fi, applies to this. I do much, much more than Wi-Fi.
I'm working actually on a detection of GPS jamming right now. Figuring out if something new is plugged into. It's on that some more on a whole level of what if somebody shows up in person, right? There's physical trip sensors. There's all sorts of stuff. But this was my little introduction into WiFi. I just wanted to show you, that is a early test model of an outdoor sensor that looks for these attack patterns and these, things that you should know about.
This just came back from an outdoor test. It's a little grimy. But there's also these here. I just want to show you what they look like. So you get an idea. That would be a, an indoor sensor. That would actually go against the Raspberry Pi with USB. And you run the enzyme software on it or any other software.
And that will, that will monitor large parts of a building or an environment, to, to make sure that nothing bad is going on. And I think that's it. I'll be around. I'll be sticking around a little bit.
