I recently attended a local chapter meeting of the Open Web Application Security Project (OWASP) where I saw something amazing. A white hat hacker was discussing methods to reverse hashing with common password dictionaries and as part of their demonstration they literally pulled a hashed password out of thin air.
The tool that the white hat hacker used to do this was a Wi-Fi Pineapple. For those who are unfamiliar, the Wi-Fi Pineapple is a commercially available wireless penetration testing tool that allows wireless recon, interception and man in the middle attacks. The Wi-Fi Pineapple includes a Wi-Fi injection card allowing it to sit inbetween clients (e.g., laptops, smartphones, etc.) and available wireless access points. For $100-$250, depending on the version of Wi-Fi Pineapple, anyone can perform wireless penetration testing.
The first step is to have the Wi-Fi Pineapple mimic an organization’s Access Point (i.e., SSID). This SSID can be manually typed or it can be pulled out of the air by checking for clients’ requested SSIDs. This latter method is useful if you want to just sit in a coffee shop and see whose phone is trying to connect to an important organization’s Wi-Fi network.
Once a hacker has the SSID the Wi-Fi Pineapple can either wait for a client to connect or issue a deauthentication command, effectively kicking a client off a network and forcing it to reconnect to the Wi-Fi Pineapple instead of the authentic SSID.
Now that the user is connected to the Wi-Fi Pineapple’s nefarious SSID, a hacker can see any packets, if it is an open network, or decrypt the packets if it has the Pre-Shared Key (PSK). In order to obtain the PSK a hacker can reverse the hash, using techniques like common password dictionaries, or just ask the cashier at the coffee shop for the “secure” Wi-Fi password.
Once the client is on your Wi-Fi Pineapple network, and the traffic is unencrypted, you can simply sniff the traffic to look for potential logins or, alternatively, you can use a Wi-Fi Pineapple plugin, like SSLStrip, which will display a HTTP unsecured representation of a HTTPS secured webpage. Now a user will accidentally input their credentials into www.organization.com instead of https://www.organization.com. Do you think your user will take the time to notice that the “https://” is missing? Note: this protocol downgrade attack can be prevented with HTTP Strict Transport Security (HSTS).
So how do we protect ourselves?
Firstly NEVER connect to an unsecure Wi-Fi network. Secondly, set up a Guest Network so that guests do not have the same PSK as your users. Thirdly, if possible, avoid PSKs altogether and instead use WPA2 Enterprise which relies on 802.1x and a RADIUS server. Finally, and most importantly, use Multi-Factor Authentication (MFA).
MFA consists of something you know (e.g., password, pin), something you have (e.g., smartcard, phone) and something you are (e.g., fingerprint). By providing 2 out of the 3 factors users are securely authenticated. With MFA a hacker will not be able to steal your login because they will not have the second factor or your password will include a time dependent pin (e.g., RSA SecurID). The Wi-Fi Pineapple is an amazing (and scary) device but deploying MFA is the best way to protect your organization from it.
Eric Sharret is Vice President of Business Development at TELEGRID. TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).
Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.