Nowadays, we have access to a large cache of cyber weapons that can fit neatly concealed in our pockets. They’re capable of hitting hard across the radio airwaves, making wireless-based attacks more seamless, autonomous, and effective. This article explores a few devices and misuse scenarios.
Today is like any other day – business as usual, and nothing seems out of the ordinary. However, life has other plans, because suddenly the Wi-Fi goes down. This means that the Point of Sale (POS) systems are offline, so transactions have come to a halt. The sudden disruption in service causes the employees to panic, as the customers become agitated.
This also means that the security cameras are down, and they’re no longer recording footage. Your first thought isn’t that this could be a cyberattack. You don't even suspect it could be a customer, even as he brushes against you as he passes to make his way to the back where the restrooms are.
And the restricted employee areas.
You didn't notice the man leave the breakroom wearing an employee vest as he slipped into the access-controlled warehouse.
What’s interesting about this hypothetical scenario is that this localized attack can be easily carried out using a Flipper Zero with its accompanying Wi-Fi Marauder developer board. What’s even more interesting is that executing each phase of the attack is relatively autonomous and does not require any knowledge of the hardware or the attack itself beyond what it does when launched.
The above scenario is based on just two radio-based attacks: one disrupts all connectivity across a wireless network, and the other duplicates the RFID data on an employee badge to bypass a physical access control point.
This kind of hardware fascinates me because I used to be an insider threat myself.
Flipper Zero
The Flipper Zero can be thought of as a radio frequency (RF) Swiss army knife. It can duplicate and replay RF signals, and it is also a generally useful penetration testing tool that fits in your pocket.
It is capable of creating distractions across a virtually endless device landscape, disrupting service, and capturing sensitive information such as wireless handshake keys that you can crack offline using Hashcat. Moreover, you can launch a captive portal from your pocket and phish your targets.
When I was first experimenting with the Flipper Zero, which looks and feels like a Tamagotchi, I only had one garage door opener and one remote for the security gate. So, naturally, I copied the signals to both so I could give my roommate the remotes so I could simply use the Flipper Zero.
The job I had at the time could not function without the internet. If the internet went down, the barcode scanners we used for inventory control were rendered useless. If the network administrators couldn’t restore service to the network, we were sent home.
If network downtime had ever been the result of persistent de-authentication attacks, it would have cost our company (and us) lots of money, in addition to having our overall operations completely hamstrung by a bad actor.
Wi-Fi Pineapple
Imagine a threat actor is living in your apartment complex. He knows one of the tenants works for the Department of Homeland Security (DHS). After all, he watches the mailbox after 5 p.m. to see who collects their mail.
That’s when he noticed the tenant wearing a DHS uniform collecting their mail as they turned and went to their apartment unit. Using a wireless signal analyzer, the threat actor was able to approach the unit, identify the DHS employee’s wireless router, and then return home to work out the next phase of his attack, which involved gaining access to the wireless network.
The above scenario actually happened. However, if the attack were carried out today, the next phase of the wireless attack would likely have included a Wi-Fi Pineapple.
The Wi-Fi Pineapple by Hak5 is like a wireless superweapon capable of dominating the 802.11 airwaves and is another tool in my arsenal of wireless armaments. It’s relatively autonomous and surgically precise in auditing wireless network infrastructure, which is why it's a favorite tool among penetration testers and threat actors.
Some of its auditing abilities include automatically cracking handshake keys, intercepting network traffic by performing man-in-the-middle (MITM) attacks, redirecting network traffic, performing denial of service, and impersonating trusted networks in an attempt to trick users into connecting to them. It can even be used as a honeypot. In other words, it’s an efficient tool to spy on network devices and, by extension, the people who use them.
Tips to defend against Wi-Fi attacks
Wireless security “straight out of the box” does not necessarily provide an adequate defense against possible Wi-Fi attacks. That is why it’s imperative to use strong encryption protocols, such as WPA2 and WPA3. This will make it harder for attackers to conduct packet spoofing attacks and ultimately find their way onto your network.
Additionally, MAC address filtering and using hidden SSIDs can drastically reduce potential attack vectors and also minimize de-authentication packets from reaching devices connected to your network. Moreover, using a VPN to encrypt your data and conceal your IP address will provide another layer of security in the event that your network is being sniffed.
As an insight, it’s important to note that most de-authentication attacks derive from hacking tools that work against 2.4 GHz networks. This means that most wireless attacks are limited in scope because they generally operate within the 2.4 GHz frequency range unless the attacker has a wireless adapter that supports 5 GHz.
If you own a 5 GHz wireless router capable of deactivating the 2.4 GHz capability, go ahead and disable the 2.4 GHz function so that only the 5 GHz network is broadcasting. It isn’t hacker-proof, but it can mitigate possible security incidents that involve an attacker not having compatible gear or hardware to carry out successful de-authentication attacks.
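Beyond hardening the router, a defender can also spot a de-authentication flood as it happens: a legitimate access point sends the occasional deauth or disassociation frame (for example on an idle timeout), whereas a flood sends dozens per second, usually to the broadcast address and claiming to come from the access point itself. The following script is an added example that is not part of the original article; it runs a sliding-window detector over a constructed list of 802.11 management-frame records of the kind a monitor-mode capture or wireless IDS would yield. The record layout, MAC addresses, window and threshold are assumptions chosen for illustration.

```python
# Added example (not from the original article): a sliding-window detector
# for de-authentication floods, run over a constructed list of 802.11
# management-frame records. Field layout, MAC addresses and thresholds
# are assumptions chosen for illustration.
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH = "deauth"
DISASSOC = "disassoc"


def detect_deauth_flood(frames, window=5.0, threshold=10):
    """Return one alert per BSSID whose deauth/disassoc count exceeds
    `threshold` within any `window`-second span.

    frames: iterable of (timestamp, subtype, src, dst, bssid) tuples in
    time order, as a monitor-mode capture or wireless IDS would yield.
    """
    recent = defaultdict(deque)  # bssid -> deque of (timestamp, dst)
    alerted = set()
    alerts = []
    for t, subtype, src, dst, bssid in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append((t, dst))
        # Drop entries that have aged out of the window.
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": bssid,
                "count": len(q),          # frames seen when the alert fired
                "first": q[0][0],
                "last": t,
                # Floods commonly target the broadcast address to knock every
                # client off at once, and claim to come from the AP itself.
                "broadcast": any(d == BROADCAST for _, d in q),
                "src_is_ap": src == bssid,
            })
    return alerts


def build_sample():
    """Constructed capture: a minute of normal data frames with two routine
    deauths, then a 30-frame broadcast deauth burst inside 1.5 seconds."""
    ap = "aa:bb:cc:dd:ee:01"      # constructed BSSID
    client = "11:22:33:44:55:66"  # constructed client MAC
    frames = []
    for i in range(60):
        frames.append((float(i), "data", client, ap, ap))
    # Routine deauths (e.g. idle timeout) that a legitimate AP might send.
    frames.append((20.0, DEAUTH, ap, client, ap))
    frames.append((40.0, DEAUTH, ap, client, ap))
    # Flood: rapid broadcast deauths that claim to come from the AP.
    for i in range(30):
        frames.append((100.0 + i * 0.05, DEAUTH, ap, BROADCAST, ap))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(build_sample()):
        print(alert)
```

The two routine deauths never trip the detector because they fall outside any five-second window together, while the burst fires a single alert once the eleventh frame arrives; tune `window` and `threshold` to the baseline deauth rate your own access points actually produce.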
Nefarious network nodes
Explaining the functionalities of a Raspberry Pi would amount to its own article, but what you should know is that it’s basically a compact, credit card-sized mini PC. It’s a great board for robotics and retro gaming and serves as an excellent alternative to a desktop PC, which can be expensive. With the right hardware add-ons, it can provide the computing power for a kit that transforms it into a tablet, laptop, and so on.
If we had Raspberry Pis back in 2009 when I was a black hat and insider threat, this would have been my weapon of choice due to its size, power, and portability. That’s because these can be used for misuse as clandestine network nodes, which are easy to conceal. From an intruder’s perspective, plugging in your own Raspberry Pi onto a physical network would give you remote access, opening up a whole new range of auditing capabilities for lateral movement across the network.
You can fit a Raspberry Pi onto a toy remote-controlled car or an aerial drone and use it for war driving for wireless networks, which is the act of scanning for Wi-Fi networks, usually for access points that require no password. As long as it’s connected to a network, you can issue commands to run scripts to perform wireless attacks on the go.
While this article only discussed a few interesting devices that can be easily misused, each device mentioned here can be used ethically for security auditing, convenience, and simply for the sake of learning new things. Just remember that if you’re using these devices for security auditing, always ask for permission in writing.
Happy hacking!