Tuesday, May 17, 2011

attwifi Impersonation Experiment

I recently decided to conduct a little experiment in the name of science (or security, tech-geek curiosity, take your pick).  As many of you may already know, AT&T is behind many of the publicly available wifi hotspots located everywhere at places like Starbucks, McDonalds, etc.  For AT&T iPhone users, the first time that you connect to one of these hot spots, with an SSID of attwifi, your phone is then configured to automatically connect to these networks whenever they come in range so that you can get faster connectivity and avoid data usage charges on your 3G plans. Convenient, right?  Well, security and convenience have always butted heads together, causing headaches for all of those involved.  And that's where I come in.  I was wondering how many devices I could get to automatically connect to a wifi network that I was broadcasting from my backpack on my normal commuting route, which includes about a 3 mile drive, 25 minutes on the subway, and 3 blocks of walking...  roughly 45 minutes door-to-door.

I had previously purchased a portable wireless router, the Asus WL-330GE, and flashed a custom, linux-based firmware called DD-WRT onto it.  DD-WRT is a great alternative firmware for compatible routers as it enables features above and beyond those of the manufacturers' firmware, while providing rock solid stability.  I had another Asus router that was running for over 230 days with no issues until I accidentally, ahem, power cycled it.  Anyway, one of those features is to increase the power of the wifi radio, which came in handy for this experiment.  I gave the device an SSID of attwifi, turned off encryption, and enabled a pool of 50 IP addresses that could be given out automatically to any associated device that wanted one.  I hooked it up to a Griffin USB Reserve Power, and threw it into my backpack for the trip home from the office one day, slightly paranoid that the subway security personnel would come after me for carrying something with bright blue flashing LEDs onto the train.  The Griffin battery is able to provide a little under 2 hours of power to the router, perfect for my little project.  To give you an idea, the router itself is slightly smaller than a deck of cards.

I logged into the router from my own iPhone periodically during my commute to keep tabs on who, if anyone, was connecting.  And were there ever.  By the time I walked the four blocks from my office to the train station, the 50 IP addresses were already all spoken for!  Surprisingly, a majority of the devices that hooked into my router were blackberries, with iPhones coming in second, and Android devices and iPads trailing a distant 3rd and 4th.  For a second run of the experiment later on, I increased the number of available IP addresses to 253, and got 107 devices to connect to me over the course of the commute, one-way!

One of the other features of the DD-WRT firmware is the ability to see who is connected and their relative signal strengths as well.  Sitting on the train on the way home, I took a look at the list and at any point in time had half a dozen or so connected clients.  The amusing thing was, I was basically able to put a name to a face when iPhone users were connected.  The name of the client device is typically [name]'s-iPhone.  So when the signal strength says 98% for Marcia's-iPhone and there's only one woman in my immediate vicinity with an iPhone out, tapping away furiously, wondering why she can't get online, chances are, that's Marcia.

So what does this mean?  Well, from a security standpoint, it's no longer about making sure that your own devices/computers/etc. are fully patched, up-to-date, locked down, etc., to keep the bad guys out.  Now more than ever, with the emergence of mobile technologies, you need to be cognizant of the bad guys that you could potentially be connecting to either willingly or unknowingly.  At best, I could cause a denial-of-service attack, meaning these devices which all prefer wifi over 3G connectivity automatically, connect to my setup, which isn't connected to the Internet at all, and they get nowhere fast.  Marcia's case in point.  At worst, I could setup a system which would pass them through to the Internet just as they expected, but capturing everything that they do along the way beforehand, like passwords, credit card numbers, email and chat messages, etc.  EVERYTHING.  The same risks apply to things like free hotel wifi networks, Panera, Barnes & Noble, etc.

Moral of the story, make absolutely certain that the wireless networks that you're connecting to are the legitimate ones that you're expecting, and it's good practice to disable automatically connecting to wireless networks (unencrypted or otherwise) unless you absolutely need them.  This means turning off wifi functionality until you need it.  I'd be willing to bet that a good majority of my "victims" weren't even using their devices at the time, they were just auto-connecting from their holsters/purses/pockets and such.  As "Mad-Eye" Moody from Harry Potter always says, "Constant Vigilance!"

1 comment: