2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Many readers are unfamiliar with the topic of this article, "what are the new WiFi attacks?", so the editor has summarized it below, with detailed content and clear steps, as a reference. Let's take a look at "what are the new WiFi attacks?"
On the evening of March 15, CCTV exposed a typical case in which a WiFi probe box obtains the personal information of mobile phone users by matching phone MAC addresses against big data. The exposed company, "Sound Tooth Technology Co., Ltd.", claims to hold the personal information of 600 million mobile phone users across the country, including mobile phone numbers. Once a captured MAC address is matched against the big data in the company's back end, the user's mobile phone number can be recovered, with a matching rate of about 60%.
Think it's over? No. On March 22, Hou Ke, a senior security expert and senior security engineer at Ali Security Orion Lab, disclosed the research results at CanSecWest 2019, the world information security summit held in Vancouver, Canada. So what does this attack look like, and what new "skills" does it have compared with the "WiFi probe box"? To find out, we tracked down the two Ali Security researchers who discovered the attack and talked with them.
New WiFi attack
The WiFi problem disclosed by Ali Security this time stems mainly from defects in the design of the WPA/WPA2 mechanism for preventing replay attacks. In general, when users are on public WiFi, an attacker can use this defect to precisely target one or more users on the network, so that they are phished while browsing the web, leading to information disclosure or financial loss. So how exactly is the attack carried out? Hou Ke, a security researcher at Ali, told Lei Feng net that the attack process is divided into two main stages:
1. MOTS (Man-On-The-Side) "Edge injection attack" stage
First, the attacker listens in on the communication between the user and the wireless access point. The team's self-designed attack device can send and receive arbitrary 802.11 MAC-layer packets. Once a user on the same channel is seen doing something sensitive, such as sending a DNS request packet, the attack tool immediately answers that specific DNS request with a fake DNS packet, so that the client receives a fake IP. When the user then visits the fake IP, the effect is DNS hijacking. This can lead users to phishing sites or tampered non-https pages and so to the theft of their private data. It is worth noting that the attack cannot be detected by forensics tools (details will be written later).
2. Side Relay "Edge Relay attack" stage
Encrypted networks generally have a mechanism to prevent replay attacks. Unlike the sequence number in TCP/IP, the sequence number used by this mechanism only ever increases, and the receiver accepts only packets whose sequence number is larger than the current one; a packet with a smaller sequence number is discarded directly. Taking advantage of this, a packet from the AP (wireless access point) can be captured and modified by legitimate means so that it carries a very large sequence number, and then delivered to the client; the packets the AP sends afterwards will then be discarded for a long time. During that time, the attacker can modify the packets sent by the AP so that their sequence numbers are larger than the one the user expects and re-send them to the user, who accepts the modified packets normally. Man-in-the-middle hijacking is thus achieved, and the traffic between the AP and the user can be modified at will for the duration of the attack.
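The replay rule described above can also be watched from the outside, because the WPA2 (CCMP) packet number (PN) travels unencrypted in each frame header: a passive sensor can flag a link whose counter suddenly jumps while the access point keeps sending frames below it. The following Python is an added example, not code from the article or from 80211Killer. The tuple format, the `MAX_JUMP` threshold and the sample MAC addresses are assumptions, and it models one counter per link with retransmissions already filtered out.

```python
# Added example, not from the article. Simplified model: one replay counter
# per (transmitter, receiver) link; retransmitted frames are assumed filtered out.
from collections import defaultdict

MAX_JUMP = 4096  # hypothetical alert threshold, tune per environment

def replay_check(last_pn, pn):
    """Receiver rule described above: accept only a PN larger than the last one."""
    return last_pn is None or pn > last_pn

def find_pn_anomalies(frames, max_jump=MAX_JUMP):
    """frames: (transmitter, receiver, pn) tuples seen by a passive sensor.
    Returns (index, link, kind, last_pn, pn) alerts."""
    last, alerts = {}, []
    for idx, (ta, ra, pn) in enumerate(frames):
        link = (ta, ra)
        prev = last.get(link)
        if not replay_check(prev, pn):
            # The receiving client would silently discard this frame.
            alerts.append((idx, link, "stale_pn", prev, pn))
            continue
        if prev is not None and pn - prev > max_jump:
            alerts.append((idx, link, "pn_jump", prev, pn))
        last[link] = pn
    return alerts

def suspicious_links(alerts):
    """Links where a PN jump is followed by stale frames: the counter was pushed
    forward and the transmitter's own later frames are being discarded."""
    jumped, stale_after = set(), defaultdict(int)
    for _, link, kind, _, _ in alerts:
        if kind == "pn_jump":
            jumped.add(link)
        elif link in jumped:
            stale_after[link] += 1
    return dict(stale_after)

AP, C1, C2 = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
SAMPLE = [  # constructed capture: C1's counter is pushed forward, C2 is untouched
    (AP, C1, 101), (AP, C2, 7), (AP, C1, 102), (AP, C1, 103),
    (AP, C1, 2**40),               # frame carrying a very large PN
    (AP, C2, 8),
    (AP, C1, 104), (AP, C1, 105),  # the AP's real frames, now below the counter
    (AP, C1, 2**40 + 1), (AP, C2, 9),
]

if __name__ == "__main__":
    print(suspicious_links(find_pn_anomalies(SAMPLE)))
```

On the constructed capture only the AP-to-C1 link is reported; the interleaved AP-to-C2 traffic raises no alert.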
"Nuclear weapons" of Underground Industry
"it is no exaggeration to say that when the underground industry gets it, it is like a terrorist getting a nuclear weapon, which is terrifying."
Hou Ke said that the attack does not target specific WiFi chip manufacturers: its scope includes almost any electronic device with WiFi networking capability, and the underground industry can attack users at either end. The attack is therefore really a flaw in the design of the WiFi protocol. In addition, before the verification tool 80211Killer (an attack verification tool designed by Hou Ke's team) appeared, this kind of attack was difficult to detect. As mentioned above, because the attack can be performed without connecting to the hotspot, the attack process cannot be detected by forensics tools.
Hou explained: "Our attack tool analyzes the traffic of all user connections while in a listening state. The prerequisite for doing this is knowing the password of the target WiFi network and the ESSID (name) of the target WiFi network. By using the four-way handshake captured from the other party's connection to the AP, we can calculate the temporary encryption key used to communicate with the router, and then control the user's traffic. Unlike the practice of faking AP hotspots in most foreign WiFi studies, ours does not need to be connected to the target network, so it achieves a good anti-forensics effect."
Hou Ke told Lei Feng net that in an enterprise network, once the underground industry obtains the WiFi password, it can hijack all employees' network traffic. Depending on the attacker's purpose, the disclosure of employees' personal private information may lead to the theft of business secrets. For individuals in public places such as restaurants, coffee shops, airports and hotels, attackers can learn the network password through WiFi-sharing channels, hijack the traffic of one or more users in the current WiFi environment, and direct it to phishing sites to steal property.
Whatever the attacker's purpose, he can always escape examination by forensics tools, and the attack "comes and goes without a trace." Hou Ke also said that once the attack tools are available, the cost of an attack is almost zero while its success rate approaches 100%. Although the success rate drops when device performance or the network environment is poor, traditional attack methods still cannot match it. There is no doubt that once such attacks are used by the underground industry, they will cause great harm to individuals and enterprises.
How to avoid being attacked?
"Strictly speaking, absolute WiFi security does not exist." Hou Ke said that current WiFi uses a one-way authentication mechanism, which means the two sides of a network connection cannot securely authenticate each other, making it less secure than the cellular network. So how can such attacks be avoided? Hou Ke told Lei Feng net that users need to pay attention to the following points:
1. Keep good habits when using WiFi networks: avoid public WiFi as far as possible; a 4G network will be more secure.
2. Try to use an end-to-end trusted authentication system. For example, when visiting websites, use access methods based on trusted authorization, such as https, to ensure that you will not be hijacked even if the network environment is contaminated.
3. The industry chain should vigorously promote the popularization of the WPA3 standard.
In Hou's view, the popularization of WPA3 will still take a long time. He said: "The WPA and WPA2 standards were first drafted in 2004 and have a history of 15 years now. Generally speaking, after the WiFi Alliance has drafted a standard, it is first promoted by the major WiFi chip manufacturers and then shipped on a large scale by hardware manufacturers, which takes far longer than expected."
"There is no doubt that the WPA3 standard makes this attack more difficult: it divides authentication and key negotiation into two steps, rather than generating a temporary key through PSK. Of course, in theory, the WPA3 standard still cannot completely avoid the above attacks, but they can be alleviated to a great extent; this is an unavoidable problem in WiFi design."