March 4, 2008
A commonly neglected attack vector onto computers attached to a WLAN lies in the â€œPreferred Network Listâ€, which is used to save the SSIDs of successfully connected networks. At a later time the computer connects to this network automatically. This also happens for unencrypted networks like the ones used for public hotspots (e.g: T-Mobile_T-Com). Under Windows and Kubuntu this behavior is activated by default, and Windows even does not store the MAC address of the access point what Kubuntus KNetworksManager does.
How does this help an attacker to attack a notebook which is connected to a WPA protected access point? It is quite easy. The attacker sends a faked deauthentification packet with the identification of the access point. This is easy as the WLAN control packets run unencrypted over the network even with WPA and without cryptographic authentication. The notebook will now try to reconnected again and it will choose the access point with the best reception â€“ in our case the attacker with a tool like Karma sending the SSID of the real access point.
Often you here from so called experts to deactivate broadcasting of the SSID. This is a bad idea as you help an attacker even further, as in this case the notebook send actively probe requests if it doesn’t find an active SSID broadcast. This will tell the SSID of the networks you’re looking for to the attacker. Even Microsoft discourage from deactivating the SSID broadcast.
You want to see the attack live and you’re at the CeBIT? Then got to the Heise-Forum (HallÂ 5, booth E38) where Sebastian Schreiber from SySS will do a live hacking presentation on Tuesday, Thursday and Saturday at 13:00