Monday, January 22, 2007

The Ad-Hoc WiFi Virus

I doubt that I'm the first to notice this, but I've noticed that the "ad hoc" mode of 802.11 acts like a virus. I've been traveling internationally lately, and notice that every VIP airline lounge I go to has the same set of ad hoc networks being advertised, with SSIDs such as "Free Internet Access" or "Free Public WiFi". None of these networks worked.

The reason is that when you connect to an ad hoc wifi net, you start sending out beacons yourself. Thus, if you connect to a "Free Public WiFi" ad hoc network at the airport, then turn on your notebook on the plane, you'll start advertising that you supply a "Free Public WiFi". Other flyers greedily hope there is WiFi in the air, and will connect to your ad hoc network. When they land at the next airport and turn on their laptops, they will in turn advertise a "Free Public Wifi" that yet more people will connect to. Thus, ad hoc SSIDs that advertise free internet services will quickly spread around the world by airline passengers.

This is a benign virus, of course, but it's "viral" nonetheless.

4 comments:

dre said...

Yes, but is it a vulnerability?

Hello, 169.254.0.0/16.

This is like a year old, there was an advisory awhile ago. I don't think Microsoft fixed it yet; please somebody correct me on that.
http://www.nmrc.org/pub/advise/20060114.txt

I also found one interesting link in there - KARMA
http://www.theta44.org/karma/
which has an AP written for madwifi that will say hello to any SSID.

This is obviously dangerous when combined with WiFi fingerprinting to get the make/model of the card and attack the driver directly with a kernel exploit (there were a few) or lorcon.
http://www.802.11mercenary.net/lorcon/

Of course, you could always MITM and get on their machine very quickly through a browser exploit.

David Maynor said...

We are looking at it from a slightly diffrent point of view.

http://www.blackhat.com/html/bh-dc-07/bh-dc-07-speakers.html#Maynor

You have a good cahnce of telling where a person has been with their laptop with this method.

dre said...

That totally reminds me of this great quote from this great movie.

"A few words here about following people. People know they're being followed when they turn around and see someone following them. They can't tell they're being followed if you get there first" -Darryl Zero, Zero Effect

Isn't WiFi stalking probably the #2 best way to do penetration-testing? The number 1 method has still got to be throwing backdoored USB keys around the parking lot. Except that now a lot of people know about these.

Jon said...

i frequently perform wireless assessments for work, and no matter what office you goto you will always find "Free Public Wifi" I have even go so far to bring a compact access point with me, and configure it to broadcast with that ssid to capture people. I think this is something Microsoft should address soon... you can see people sending beacons for what networks they wish to be on, all it takes is creating that network in an office building and you now have a dual homed box to attack.