The Wireless Universe Is Expanding too Rapidly

The Internet of Things is coming. On top of continued growth in wireless laptops, cell phones and tablets, there will be new devices such as in-dash mobile data systems, Google Glass, and fully connected homes that will increase in number as well.

Wikipedia has a nice article about the Internet of Things. It mentions that there could be as many as 30 billion devices connected to the internet by 2020.
The chart below maps out where this technology has come from, and where it’s going. It looks like it’s going to be a wild ride!

History of Internet of Things

Image courtesy Wikipedia Commons

Massive man-in-the-middle attack targeted U.S.

Earlier this year, a massive amount of internet traffic, much of it intended for U.S. government agencies, was redirected towards Iceland and Belarus before it was sent to its final destination in the U.S., according to an article in Wired Magazine.
Analysts at network monitoring firm Renesys announced that someone used a vulnerability in the Border Gateway Protocol (BGP) to conduct a man-in-the-middle exploit, which allowed the attackers to trick routers into directing network traffic towards a system that the attackers controlled. The hijacked network traffic passed through the attackers’ system, where it could be copied, and then routed back to its original destination. This type of attack is very difficult to detect.
Once the traffic has been copied, the attackers can then analyze any unencrypted data and extract massive amounts of information, including passwords or credit card numbers.
This data hijacking occurred 21 times during February 2013. In one case, traffic that was supposed to go from New York to Los Angeles was first routed to Belarus and Moscow, then sent back to New York and finally on to Los Angeles.
In another case, traffic was supposed to go from Denver, CO, to Denver, CO. However, it originated in Denver, went to Chicago, then Virginia, New York, London, and ended up in Reykjavik, Iceland. Then it was directed back to Denver through Montreal, Chicago, New York, Dallas, Kansas City, and finally, Denver.
Image from Wired Magazine
In another case, traffic that was supposed to go from Chicago, through Germany, to Iran ended up going through Canada, London, Amsterdam, Moscow, Belarus, Poland, Germany, Great Britain, New York, and finally Iran.
Attacks occurred again in May and July.
Renesys discovered these attacks because it analyzes global internet traffic, and sends about 250 million traceroutes a day around the world to monitor the health of the global internet.
According to Renesys, credit-card processing companies and ISPs should monitor the routing of their advertised IP addresses to make sure someone isn’t hijacking their traffic.
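One way to act on that advice is to compare the AS paths that outside vantage points see for your prefixes against what you intend to announce. The sketch below is an added example, not code from Renesys or the Wired article; the prefixes, AS numbers, vantage-point names and policy layout are constructed from the documentation ranges, and a real deployment would feed it routes from a route collector or looking glass.

```python
import ipaddress

# Constructed policy: prefixes we advertise, our origin AS, and the upstream
# ASNs we expect directly in front of it (documentation prefixes and ASNs).
ADVERTISED = {
    "192.0.2.0/24": {"origin": 64500, "upstreams": {64496, 64497}},
    "198.51.100.0/24": {"origin": 64500, "upstreams": {64496}},
}

# Constructed observations: (vantage point, prefix seen, AS path seen).
OBSERVED = [
    ("vp1", "192.0.2.0/24", [64510, 64496, 64500]),     # as intended
    ("vp2", "192.0.2.0/24", [64511, 64505, 64500]),     # unfamiliar upstream
    ("vp3", "198.51.100.0/25", [64510, 64505]),         # more-specific, foreign origin
    ("vp4", "198.51.100.0/24", [64510, 64496, 64500]),  # as intended
    ("vp5", "203.0.113.0/24", [64510, 64509]),          # not our address space
]

def covering_prefix(prefix):
    """Return the advertised prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    for ours in ADVERTISED:
        if net.subnet_of(ipaddress.ip_network(ours)):
            return ours
    return None

def check_route(prefix, as_path):
    """Return a list of findings for one observed route to our address space."""
    ours = covering_prefix(prefix)
    if ours is None:
        return []
    policy = ADVERTISED[ours]
    # Collapse AS-path prepending so 64500 64500 counts as a single hop.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    findings = []
    if prefix != ours:
        findings.append("more-specific")        # someone announced a longer prefix
    if path[-1] != policy["origin"]:
        findings.append("origin-mismatch")      # last AS in the path is not ours
    elif len(path) >= 2 and path[-2] not in policy["upstreams"]:
        findings.append("unexpected-upstream")  # right origin, wrong neighbour
    return findings

def audit(observations):
    """Return (vantage point, prefix, findings) for every suspicious route."""
    results = [(vp, p, check_route(p, path)) for vp, p, path in observations]
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for alert in audit(OBSERVED):
        print(alert)
```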

Types of Rogue Access Points

According to this article on tenable.com, there are several kinds of rogue access points that you should be aware of:
  • Attacker plugs a wireless router into the trusted, internal side of the LAN. The attacker’s access point is connected to the trusted side of the internal network. Typically, the attacker enables a DHCP server, and all management ports and services are configured, i.e. HTTP and SNMP.
  • Attacker plugs a wireless router into the external, firewalled side of the LAN. Normally, there aren’t many services available this way, which makes it more difficult to detect across the network.
  • Attacker plugs a wireless card into an existing device inside the trusted LAN. This attack requires physical access. However, the attacker could plug a wireless card into a system within the LAN. The system could be configured as an access point.
  • Attacker enables a device that was already inside the trusted LAN. This is similar to the instance above, except the attacker uses a device that already had the necessary hardware and drivers.
Rogue Access Point hidden in Desktop APC UPS
Photo from Tenable.com
The article suggested using a Nessus plugin called Wireless Access Point Detection.

Using Jasager for fun and profit

Using off-the-shelf software and hardware, it is relatively easy to connect to a wireless network using network probes.
We’ll start with Karma, a set of software tools that can be used to sniff wireless network probe requests originating from wireless clients.
Jasager is an implementation of Karma that runs on an OpenWrt environment, and can be installed on a Fon wireless router. Jasager means “Yes-Man” in German. Jasager can run on other devices such as the Fon, if they use the Atheros chipset.

Screenshot courtesy of http://www.digininja.org
OpenWrt is an embedded operating system, based on the Linux kernel, designed to be used on devices such as wireless routers. OpenWrt has been optimized to have a small footprint so that it can easily run on these embedded devices.
When everything is configured correctly, Jasager listens for any computers trying to connect to a wireless network using network probes.
We were told that if a computer is near several wireless routers, it will attempt to connect to the one with the strongest signal first.
Once a victim is connected, Jasager can be used in several different ways:
  • Packet Filtering: An attacker could set up a Fon running Jasager, configure it as an open wireless network, and wait for someone to inadvertently connect. The victim may not even realize they are connected to the attacker’s wireless router as long as they can access the internet. Meanwhile, the attacker could act as a man-in-the-middle and parse the victim’s packets.
  • Traffic Redirection: If the attacker gets a victim to connect to the Jasager wireless router, it is possible to redirect the user from a specific website, such as http://wellsfargo.com, to a fake site, such as http://fake.wellsfargo.com. They can then fool the victim into signing in and doing fake transactions on the fake site.
  • Launch Deauthentication Attacks: This attack uses disassociate packets to force a victim off a legitimate access point. The attacker can recover a hidden ESSID, capture WPA/WPA2 handshakes by forcing clients to reauthenticate, or generate ARP requests.
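Because a Karma-style access point answers probe requests no matter which network the client asks for, a wireless monitor can spot it as a single BSSID that claims many unrelated SSIDs in a short time. The following is an added detection sketch, not part of Karma, Jasager or the original post; the frame tuples, MAC addresses, SSIDs and thresholds are constructed, and the input is assumed to come from a sensor that already decodes 802.11 management frames.

```python
from collections import defaultdict

# Constructed sensor output: (seconds, frame type, BSSID or client MAC, SSID).
FRAMES = [
    (1, "probe-req", "02:00:00:11:00:05", "HomeWifi"),
    (1, "probe-resp", "02:00:00:bb:00:09", "HomeWifi"),
    (2, "probe-resp", "02:00:00:aa:00:01", "CorpNet"),
    (3, "probe-resp", "02:00:00:aa:00:01", "CorpGuest"),
    (4, "probe-resp", "02:00:00:bb:00:09", "CoffeeShop"),
    (5, "probe-resp", "02:00:00:cc:00:03", "Cafe"),
    (9, "probe-resp", "02:00:00:bb:00:09", "AirportFree"),
    (12, "probe-resp", "02:00:00:bb:00:09", "HotelGuest"),
    (300, "probe-resp", "02:00:00:cc:00:03", "Cafe-5G"),
]

# Constructed allow-list: SSIDs each authorized BSSID is expected to serve.
KNOWN_APS = {"02:00:00:aa:00:01": {"CorpNet", "CorpGuest"}}

def find_yes_man_aps(frames, max_ssids=2, window_s=60, known=KNOWN_APS):
    """Return {bssid: [ssids]} for BSSIDs that answer probes for more than
    `max_ssids` unapproved SSIDs within any `window_s`-second window."""
    seen = defaultdict(list)
    for ts, ftype, bssid, ssid in sorted(frames):
        # Only probe responses count, and approved SSIDs are ignored.
        if ftype != "probe-resp" or ssid in known.get(bssid, set()):
            continue
        seen[bssid].append((ts, ssid))
    flagged = {}
    for bssid, events in seen.items():
        for start, _ in events:
            ssids = {s for t, s in events if start <= t < start + window_s}
            if len(ssids) > max_ssids:
                flagged[bssid] = sorted(ssids)
                break
    return flagged

if __name__ == "__main__":
    for bssid, ssids in find_yes_man_aps(FRAMES).items():
        print(f"{bssid} answered for {len(ssids)} SSIDs: {', '.join(ssids)}")
```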

Amazon.com Sees Delivery Drones as Future

There is a potential threat for the kinds of drones Amazon is exploring.
At its heart, most civilian drones use a civilian GPS unit. These civilian GPS units rely on civilian GPS signals. Civilian GPS signals are completely open and unauthenticated.
To hack a drone, all you would need to do is create a signal indistinguishable from a civilian GPS signal and raise the power of the signal sufficiently so that you overpower the civilian signal.
Free books or pizza, anyone?

Malware could jump air gaps using sound

Arstechnica.com has an article about German scientists who were able to jump the “air gap” between two unconnected computers by using internal microphones and speakers to communicate using high-frequency sound transmissions.

Image courtesy of Arstechnica.com
Researchers demonstrated this capability with two Lenovo T400 laptops, using only their built-in speakers and microphones. Maximum transmission was about 20 bits per second, so you wouldn’t transmit video using this method. However, you could transmit keystrokes and passwords.
Potential countermeasures would include disabling internal speakers and microphones, or employing audio filtering. It should be noted that technical hurdles to this type of attack are steep.