We did it again! If you recall, at last year’s RSA Conference our team set up a fake Wi-Fi Access Point (AP) and used an old Wi-Fi attack for a simulated hacking attempt to see how many clients we could trick into connecting to it. This year we repeated the same experiment, and our Director of Strategic Alliances, Ryan Orsi, wrote an article about the results for Help Net Security. But don’t worry, just like last year, we did not carry out the hack or interfere in anyone’s Wi-Fi connection.
We were interested in evaluating attendee behavior – has the security community gotten better about Wi-Fi security since last year? Unfortunately, according to our little research project, no, they have not.
So, how did we run the test? Once again, we set up a rogue AP in our booth at RSA and had it broadcast eight globally common SSID names. We also had a Pineapple Tetra configured to perform an old-school Karma attack. The Tetra listened for SSID beacon requests in the air from nearby smart and wearable devices. A full Karma attack would then broadcast these SSIDs and trick those nearby devices into connecting. This setup allowed us to simulate a very nice man-in-the-middle attack. For security reasons, we did not broadcast the sniffed SSIDs or allow any client device to associate with the Tetra.
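As an added example (not code from the original post or from any WatchGuard product), here is one way a monitoring sensor could flag Karma-style behaviour: a single BSSID answering directed probe requests (what this post calls beacon requests) for many unrelated SSIDs. The frame tuples, MAC addresses, SSIDs, threshold and time window are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture: (time_s, frame_type, source_mac, ssid).
# "probe_req"  = a client asking for a remembered SSID ("" = wildcard probe).
# "probe_resp" = an AP (source_mac is its BSSID) answering for that SSID.
FRAMES = [
    (0.10, "probe_req",  "02:00:00:00:00:01", "HomeNet-5G"),
    (0.12, "probe_resp", "02:00:00:00:00:99", "HomeNet-5G"),
    (0.50, "probe_req",  "02:00:00:00:00:02", "CoffeeShop"),
    (0.53, "probe_resp", "02:00:00:00:00:99", "CoffeeShop"),
    (1.00, "probe_req",  "02:00:00:00:00:03", "hotel-guest"),
    (1.02, "probe_resp", "02:00:00:00:00:99", "hotel-guest"),
    (1.50, "probe_req",  "02:00:00:00:00:04", "ConfWiFi"),
    (1.51, "probe_resp", "02:00:00:00:00:10", "ConfWiFi"),  # legitimate venue AP
    (1.52, "probe_resp", "02:00:00:00:00:99", "ConfWiFi"),
    (2.00, "probe_req",  "02:00:00:00:00:05", ""),           # wildcard probe
    (2.01, "probe_resp", "02:00:00:00:00:10", "ConfWiFi"),
]

def find_karma_suspects(frames, min_ssids=3, window_s=1.0):
    """Return {bssid: sorted SSIDs} for APs that answered directed probes for
    at least min_ssids distinct SSIDs within window_s of a client asking.

    A normal AP answers only for the network(s) it actually serves; an AP
    that says "yes" to whatever name clients ask for is the Karma signature.
    min_ssids and window_s are tuning assumptions, not standard values.
    """
    last_probe = {}               # ssid -> time of most recent directed probe
    answered = defaultdict(set)   # bssid -> SSIDs it answered on demand
    for t, kind, mac, ssid in sorted(frames, key=lambda f: f[0]):
        if not ssid:
            continue              # wildcard probes carry no remembered SSID
        if kind == "probe_req":
            last_probe[ssid] = t
        elif kind == "probe_resp":
            asked = last_probe.get(ssid)
            if asked is not None and 0 <= t - asked <= window_s:
                answered[mac].add(ssid)
    return {b: sorted(s) for b, s in answered.items() if len(s) >= min_ssids}

if __name__ == "__main__":
    for bssid, ssids in find_karma_suspects(FRAMES).items():
        print(f"suspect BSSID {bssid} answered for {len(ssids)} SSIDs: {ssids}")
```

Enterprise APs that serve several SSIDs normally use a separate BSSID per SSID, so the per-BSSID count stays low for them; tune the threshold against a baseline of your own environment.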
Here’s an excerpt from the article discussing the results:
Anecdotally, we tricked 2,043 more clients into connecting to our rogue AP than last year. Our WIPS sensor showed us that 8,206 unique Wi-Fi clients dwelled around our booth for at least a minute or two. The Tetra saw and captured beacon requests from these visitors resulting in 8,653 unique SSIDs captured. Lastly, using the same eight common SSIDs as last year, we managed to trick 4,499 Wi-Fi clients into connecting to our rogue AP, which harmlessly served them speedy Internet while their owners enjoyed live demos.