Free internet via open wifi connections sounds tempting, but is it actually free? Maybe you are paying the cost with your identity!
Imagine you are waiting in an airport, a 5 hr transit for your next flight, bored and with nothing to do. You pick up your smartphone to pass the time, but soon realize it's not so smart without an internet connection. Which reminds you to check if there are any wifi connections around. And boom, there are many free wifi connections hosted by nearby shops and the airport itself. Without thinking twice you connect to a wifi after filling in the unremarkable form it throws at you with your passport number, name, flight details etc. Or maybe with your email or Facebook credentials. Congratulations!! You just gambled your identity for a few megabytes worth of internet.
Open wifi connections have been considered a security nightmare from the beginning. But since there are no easy alternatives, open wifi connections still remain widely used in almost all public locations such as coffee shops, airports etc.
Traditional open wifi hacking involves a bit of manual work. The hacker needs to perform a MITM attack, usually with ARP poisoning. Since websites nowadays are channel encrypted, this involves more work such as "SSL stripping" to get the most out of it. This is doable, but not practical for credential harvesting.
With the development of IoT there are disturbingly easy ways to harvest credentials from public wifi. In this article I'm going to explain a simple POC which demonstrates this in summary.
Device used for the POC: ESP8266
With the latest trend in IoT there's huge demand for low power / low cost SoCs (system on chip) with built-in connectivity features. The esp8266 was manufactured by "Espressif Systems" to cater to this gap in 2013. It soon got popular among IoT enthusiasts and related businesses.
The esp8266 supports a TCP/IP stack apart from its microcontroller capabilities. The main advantage of this tiny, cheap chip is that it supports wifi connectivity, with a full TCP/IP stack and the IEEE 802.11 b/g/n WLAN protocol. This opens up endless possibilities in the IoT domain (as well as in the hacking domain).
ESP8266 Feature Highlights:
- MCU: Tensilica Xtensa L106, 80 MHz (default mode) or 160 MHz
- External flash memory: 512 KB to 4 MB typically included in commercial variants (supported up to 16 MB)
- Connectivity: WiFi (IEEE 802.11 b/g/n)
- RAM: 32 KB instruction RAM, 32 KB instruction cache RAM, 80 KB user data RAM
A quick search on shodan.io will show the number of esp8266 devices exposed to the internet. The numbers are increasing as it's gaining huge popularity among IoT communities. There are various development boards released with this chip as well. Further, this chip is commonly available to buy starting from 2 USD on ebay.
In this article I'm going to explain how two esp8266 devices can be used for open wifi credential harvesting attacks.
Step 1 : De-authenticate connected clients from target Access Point(s)
First, the attacker needs to de-authenticate client devices connected (and connecting) to free wifi access points. (Even though this step is not mandatory, it will increase the success rate of the attack.)
In order to achieve this, the attacker can exploit a major flaw in the IEEE 802.11 WLAN protocol prior to the IEEE 802.11w-2009 amendment. In early IEEE 802.11 specifications (prior to 2009), management frames (which are responsible for authenticating, maintaining and ending the communication) are not protected by the underlying encryption mechanism. This enables anyone within range of the target station to de-authenticate it from the access point by sending de-auth frames to the target station.
If you are curious about these frames you can use the following search filter in Wireshark to filter de-authentication frames. First you need to put your wifi adapter in "monitor mode" on a selected channel. (There are tons of tutorials out there on how to monitor wifi packets using Wireshark.)
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 12)
(wlan.fc.type == 0): filter 802.11 management frames
(wlan.fc.type_subtype == 12): filter "de-authentication" frames (subtype 12)
If you open up "monitor mode" for all the channels in a congested area with lots of wireless devices, you'll soon capture deauth frames in Wireshark.
If an attacker can replay these deauth frames continuously to a router or client station, it will fail to establish a successful authentication. This vulnerability has already been fixed in the IEEE 802.11 protocol for protected access points since 2009. But as wifi access points need to be backward compatible with old IEEE 802.11 specifications, this vulnerability still remains intact in almost all commercial routers. Further, in this scenario the wifi traffic won't get encrypted as the wifi connections are open. Therefore, management frames will remain unprotected in open wifi connections despite the IEEE 802.11w-2009 amendment.
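The same frame-control bits the Wireshark filter above matches on can drive a detector. The following added example (not code from the article or its repository) decodes the 802.11 MAC header of raw frames, picks out type 0 / subtype 12 deauthentication frames, and flags a BSSID when more than a threshold of deauths naming it arrive inside a one-second sliding window, which is the replay storm described above. The frames fed to it are constructed samples, and the radiotap header is assumed to be already stripped.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0        # wlan.fc.type == 0
DEAUTH_SUBTYPE = 12  # wlan.fc.type_subtype == 12
HEADER_LEN = 24      # FC(2) + duration(2) + addr1..addr3(18) + seq ctrl(2)

def parse_frame(frame):
    """Decode the 802.11 MAC header; returns None if shorter than a management header."""
    if len(frame) < HEADER_LEN:
        return None
    fc = frame[0]  # frame control low byte: bits 2-3 type, bits 4-7 subtype
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "dst": frame[4:10].hex(":"), "src": frame[10:16].hex(":"),
            "bssid": frame[16:22].hex(":"), "reason": None}
    if info["type"] == MGMT_TYPE and info["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, HEADER_LEN)[0]  # reason code
    return info

class DeauthStormDetector:
    """Flags a BSSID once more than `threshold` deauths naming it arrive within `window` seconds."""
    def __init__(self, threshold=10, window=1.0):
        self.threshold, self.window = threshold, window
        self.times = defaultdict(deque)  # bssid -> timestamps of recent deauths

    def observe(self, frame, ts):
        info = parse_frame(frame)
        if not info or info["type"] != MGMT_TYPE or info["subtype"] != DEAUTH_SUBTYPE:
            return None
        q = self.times[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        return info["bssid"] if len(q) > self.threshold else None

def build_frame(ftype, subtype, dst, src, bssid, reason=7):
    """Constructed sample frame for testing (not a real capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = bytes([(subtype << 4) | (ftype << 2), 0]) + b"\x00\x00"
    hdr += mac(dst) + mac(src) + mac(bssid) + b"\x00\x00"
    return hdr + struct.pack("<H", reason)

def run_sample():
    """One beacon followed by 20 broadcast deauths in under a second; returns flagged BSSIDs."""
    ap, bcast = "02:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
    det = DeauthStormDetector(threshold=10, window=1.0)
    flagged = {det.observe(build_frame(0, 8, bcast, ap, ap), 0.0)}  # beacon: ignored
    for i in range(20):
        flagged.add(det.observe(build_frame(0, 12, bcast, ap, ap), 0.05 * i))
    return flagged - {None}
```

A handful of deauths per minute is normal housekeeping on a busy access point; the threshold only separates that from a sustained replay.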
ESP8266 based WiFi Deauthenticator
I'm not going to do a step by step walk-through of how to create an ESP based deauthenticator, as there's a well documented open source project and many online tutorials on how to use the esp8266 as a wifi deauthenticator based on the above mentioned vulnerability.
Unlike a wifi jammer, which adds noise to wifi communication frequencies (disabling all wifi communication within range), with this approach the attacker can disable given target access points (e.g. target open wifi access points) as required.
Step 2 : Pretend to be the public wifi captive portal
When a user can't make a successful connection to a legit open wifi access point, they will eventually try other available open wifi options. Now the attacker just needs to host an open wifi access point with a spoofed captive portal to harvest credentials from the target audience.
ESP8266 based Captive Portal Server
The esp8266 can act as a fully capable REST compliant server. For a single chip system this is pretty amazing. For as little as 2 USD you can now get a device powerful enough to host several web services. With some fiddling I was able to develop a POC captive portal server which supports the following features:
- Captive portal which supports multiple platforms (windows, ubuntu, android)
- DNS server to spoof any inbound traffic
- Handle HTTP REST requests and a mechanism to stream resources to the client
- Use built-in SPIFFS memory to store web pages (with js, css support)
- Write inputs from the client to SPIFFS (on a REST POST request from the client)
- Access and manage SPIFFS memory remotely.
Quick Demo
1. Captive portal initial login page when connecting to the wifi access point
Captive portal popup upon connect
2. SSO(single sign-on) style credential spoofing
This can be used to spoof credentials from any identity provider. It's just a matter of adding a convincing UI.
This is just a POC and the facebook login is nothing like the actual facebook login UI. Adding a convincing UI with proper JavaScript validation is really easy, as all of that runs on the client device. The esp8266 just needs to stream the html, css and JavaScript resources when requested by the client.
Additionally, credentials can be validated against the actual SSO implementation with the identity provider as well. If the provided credentials are invalid, a login failure flow can be implemented.
3. Settings page for maintenance
Hidden settings page for maintenance and collecting credentials
The hacker can do all maintenance and credential collection remotely by connecting just as another client. Since the esp8266 has limited memory (4MB), data needs to be collected and cleared before the data file grows beyond the memory limit. This can be further improved by adding a simple monitor on the data file size and uploading the file if the size exceeds a certain limit. With this, the hacker won't have any direct involvement with the device either.
Another major advantage of the esp8266 is that it can act as a DNS server. Therefore, it can mimic any hostname (ex: www.facebook.poc.com). For the sake of this POC all requests were routed to "192.168.1.1" regardless of the hostname.
I'm not going to walk through the code base and implementation as it would make this article unnecessarily lengthy. Project files can be found in my git repository for reference: https://github.com/pumudu88/esp8266
The scariest part is that the hacker doesn't have to click a single button to perform this type of attack. The hacker just needs to prepare both esp8266 devices (step 1: deauthenticator and step 2: captive portal server) and place them securely near the target audience. Thanks to the esp8266's low power consumption, it will last weeks or maybe months without needing a battery replacement as well.
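A resolver that hands back one address for every hostname, as the POC's DNS server does with "192.168.1.1", is something a client can check for before typing anything into a login page. The following added example (not code from the article or its repository) parses minimal DNS replies for A records and asks several unrelated names plus a random name under .invalid that cannot exist; if all of them come back with the same single address, the network's DNS is answering for everything. The replies it consumes are constructed samples, and the `resolve` callback is an assumed hook for whatever sends the real queries.

```python
import secrets
import struct

def build_a_response(qname, ip, txid=0x1234):
    """Constructed minimal DNS reply with one A record (sample input, not real traffic)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA, 1 Q, 1 answer
    question = name + struct.pack(">HH", 1, 1)                 # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)    # ptr to offset 12, A, IN, TTL, rdlen
    return header + question + answer + bytes(int(o) for o in ip.split("."))

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += length + 1

def a_records(msg):
    """Parse a DNS reply and return its A record addresses as dotted strings."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

def looks_like_catch_all(resolve, names):
    """resolve(name) -> list of IPs. True when every name, including a random one that
    cannot exist, gets one identical address: the resolver is answering for everything."""
    probe = secrets.token_hex(6) + ".invalid"  # must NXDOMAIN on an honest resolver
    answers = {tuple(sorted(resolve(n))) for n in list(names) + [probe]}
    return len(answers) == 1 and answers != {()}
```

A legitimate captive portal behaves the same way until its terms are accepted, so a positive result means DNS is being intercepted on this network, not who is doing it.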
Epilogue
The ESP8266 is certainly not the only SoC capable of this type of attack. But it's the easiest way to do such an attack with minimum cost and effort. Further, manufacturers are developing new, more advanced SoCs with much higher capabilities. For example the esp32, which was released in 2016. It's the successor of the esp8266 and adds Bluetooth in addition to wifi connectivity.
With the advancement of IoT devices, there are silent security threats which can emerge out of nowhere. Users no longer have the privilege of shutting themselves off from security aspects, thinking no one will ever be interested in their identity. Unless they want some random hacker selling their identity along with thousands of other harvested credentials on the dark web to some unknown party.
DISCLAIMER: THIS ARTICLE IS FOR EDUCATIONAL PURPOSES ONLY. IF WIFI AND INTERNET USERS UNDERSTAND HOW ONE MAY CIRCUMVENT THEIR SECURITY THEN THEY HAVE THE CHANCE TO PROTECT AGAINST SUCH SECURITY BREACHES. I TAKE NO RESPONSIBILITY FOR RECKLESS USE OF KNOWLEDGE IN THIS ARTICLE.
Open WiFi Credential Harvesting - IoT Edition was originally published in Hacker Noon on Medium.