DEFCON to Demo New Wi-Fi Hacks

For 14 summers, hackers have gathered in Las Vegas to describe, demonstrate, and debate a slew of security vulnerabilities and attacks methods. DEFCON 15, to be held August 4th through 6th, 2007, will offer a bevy of hacker activities and contests, from lock picking to ‘bot shootouts. Those keen on wireless can hone their skills in war-driving mini-contests, from WEP and WPA cracking to hunting for hidden APs and RFID tags.

Hacking wireless

Beyond such fun and games, dozens of DEFCON speakers are scheduled to officially present new hacker tools and exploits.  Many of those sessions focus on wireless vulnerabilities and the damage they can do.  For example:


·        The Church of Wi-Fi, which will host the DEFCON 15 Wireless Village, promises to show bigger, better, badder rainbow tables that further speed WPA cracking.


·        David Hulton will demonstrate BTCrack, a Bluetooth PIN cracker that can guess up to 8-digit Bluetooth PINs in real-time by analyzing pairing captures.


·        Midnight Research Labs will hand out liveCDs containing Wicrawl, a tool that probes discovered APs to separate the wheat from the chaf so that pen-testers can focus on the most “accessible, interesting, or relevant” targets.


·        In a pair of sessions, WarDrivingWorld plans to delve into EV-DO card hacking and also demonstrate “simple techniques” for extending Wi-Fi range “beyond the standard 15-30 meters to 3-5 kilometers or more using home brew components.”


·        Ricky Hill of Tenacity Solutions will demonstrate “Wireless GeoCaching,” the art of  more precisely locating 802.11 APs using war-driving hardware and software.


·        Researchers from AirTight Networks will demonstrate the fallibility of WEP Cloaking and a challenging version of AP spoofing (AKA Evil Twin or Honeypot APs) which they have dubbed the “Multipot.”

Snaring more Wi-Fi victims

According to CTO Pravin Bhagwat, AirTight stumbled upon the Multipot threat during its own internal testing.  “The way that most WIPS vendors are dealing with [Evil Twin or Honeypot APs] is to send Deauth[enticate] packets to break client connections,” explained Bhagwat.


“That works fine up to a point, but if the attacker sets up two APs–especially on 2 different channels–then as soon as the WIPS blocks one AP, the client quickly hops to a second AP.  Once this cat and mouse game starts, it all happens so fast that the user won’t even notice this is happening.”


AirTight has observed this phenomenon at its own offices in Mountainview.  “We have GoogleWiFi all around us.  From any office, we can usually see at least 5 different APs,” said Bhagwat. “When we wanted to enforce a policy that prevented our clients from connecting to GoogleWiFi, we found that we actually could not.”  In other words, Multipots can occur naturally in locations where multiple external APs with the same SSID are reachable–for example, crowded metropolitan areas where private neighbors and public hotspots contend for airspace with any company’s WLAN.


So why have AirTight senior wireless security researcher K. N. (Gopi) Gopinath demonstrate Multipots at DEFCON?  Bhagwhat believes the problem has not been paid enough attention.  “We realized that nobody can protect against this right now, so we wanted to raise awareness of the problem and help avoid a false sense of security.”


After much research, AirTight concluded that Deauthenticate-based approaches simply cannot scale.  “Stacking up more sensors is not going to win this cat and mouse game, because the attacker can always add more APs,” argues Bhagwhat.


Not surprisingly, AirTight expects to deliver a different type of wireless blocking that it believes will be more effective against Multipots in its upcoming SpectraGuard Enterprise 5.5 release.  One might expect to see other WIPS vendors announce their own Multipot antidotes in the months following this DEFCON 15 demonstration.

News Around the Web