SensePost is SecureData's independent elite consulting arm, renowned for its expertise, 19-year track record and innovation on the frontlines of cybersecurity.

With team members that include some of the world’s most preeminent cybersecurity experts, SensePost has helped governments and blue-chip companies both review and protect their information security and stay ahead of evolving threats.

SensePost is also a prolific publisher of leading research articles and tools on cybersecurity, which are widely recognised and used throughout the industry and feature regularly at industry conferences including Black Hat and DEF CON.

Mana from heaven: Improving the state of wireless rogue AP attacks

Las Vegas, USA

Wi-Fi (802.11a/b/g/n, etc.) networks are increasingly the primary interface for the majority of computing devices. These devices are usually portable, following the user, and are used to connect to a plethora of both business and personal services. These services are often converged under a handful of "single sign-on" accounts such as domain user, Google, Facebook and Twitter accounts.

We will give live demonstrations and release tools that show significant improvement on the current state of attacks against client devices.

The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks [01], authentication to wireless networks can either be cracked or intercepted [02][03], and our ability to capture credentials at a network level has long been established [04][05]. Often, the most significant protection users have is hitting the right button on an error message they rarely understand [06]. Worse for the user, these attacks can be repeated per wireless network, allowing an attacker to target the weakest link.

This combination of vulnerable and heavily used communications should mean that an attacker need only arrive at a location and set up for credentials and access to start dropping from the sky. However, the reality is far from this. Karma attacks don't work as well as they used to, and the rollout of anti-interception technologies such as HSTS and certificate pinning is making it harder to get useful credentials. This talk is an attempt to remedy this, in the hope that making these attacks more effective will help motivate getting the underlying vulnerabilities fixed, as well as enhancing wireless and network attack toolkits.

The talk will cover two high-level areas of our work: improving rogue AP attacks and improving network man-in-the-middle attacks. More specifically, this will include:
Improvements to the current KARMA [07][08] capability to increase the number of successful connections. The current implementations no longer work on most Android devices, for example.
The extension of KARMA to handle pre-shared-key WEP and WPA2 networks, specifically attempting to crack the keys and present a network the victim can join.
The integration of RADIUS MITM [03] techniques into this toolset, and improvements in their effectiveness [09].
A network MITM toolset for more effectively capturing single-sign-on credentials such as domain, Google, Facebook and Twitter credentials, with a focus on mobile devices. Prior simple work in this area was published [10].
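A defender-side illustration of the KARMA behaviour referred to above, added here and not part of the talk or of SensePost's tooling: a KARMA-style rogue AP answers probe requests for whatever SSID a client asks for, so a single BSSID responding to many unrelated SSIDs is a usable detection signal. The log line format and the sample lines are constructed for this example, and the threshold is an assumed tunable.

```python
import re
from collections import defaultdict

# Constructed log lines in an assumed format: one probe response per line,
# recording which BSSID answered a probe for which SSID.
SAMPLE_LOG = """\
2014-08-10T10:00:01 PROBE_RESP bssid=00:11:22:33:44:55 ssid=CorpWifi
2014-08-10T10:00:02 PROBE_RESP bssid=00:11:22:33:44:55 ssid=CorpWifi
2014-08-10T10:00:03 PROBE_RESP bssid=66:77:88:99:AA:BB ssid=CorpWifi
2014-08-10T10:00:03 PROBE_RESP bssid=66:77:88:99:aa:bb ssid=HomeNet
2014-08-10T10:00:04 PROBE_RESP bssid=66:77:88:99:aa:bb ssid=Airport_Free
2014-08-10T10:00:04 PROBE_RESP bssid=66:77:88:99:aa:bb ssid=CoffeeShop
2014-08-10T10:00:05 PROBE_RESP bssid=cc:dd:ee:ff:00:11 ssid=GuestWifi
2014-08-10T10:00:06 PROBE_RESP bssid=cc:dd:ee:ff:00:11 ssid=GuestWifi-5G
"""

LINE_RE = re.compile(r"PROBE_RESP bssid=(?P<bssid>[0-9A-Fa-f:]{17}) ssid=(?P<ssid>\S+)")

def ssids_per_bssid(log_text):
    """Map each responding BSSID (normalised to lowercase) to the set of
    distinct SSIDs it has answered probe requests for."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines that are not probe responses are ignored
            seen[m.group("bssid").lower()].add(m.group("ssid"))
    return seen

def flag_karma_candidates(log_text, threshold=3):
    """Return BSSIDs that answered probes for at least `threshold` distinct SSIDs.
    A legitimate AP answers only for the network(s) it serves (multi-SSID APs
    answer for a few); answering for many unrelated names is KARMA behaviour."""
    return sorted(
        bssid for bssid, ssids in ssids_per_bssid(log_text).items()
        if len(ssids) >= threshold
    )

if __name__ == "__main__":
    for bssid in flag_karma_candidates(SAMPLE_LOG):
        print("possible rogue AP answering arbitrary SSIDs:", bssid)
```

Raising the threshold reduces false positives from APs that legitimately broadcast several SSIDs; running the check over a sliding time window rather than the whole log keeps a long-lived capture from accumulating coincidental matches.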

The talk will result in the release of new or updated point tools for each of the techniques discussed, as well as the integration of the attacks into SensePost's open source Snoopy framework [11]. The point tools will allow a much wider application of some of the techniques; for example, the network MITM tools can be used anywhere layer-2 MITM is possible and are not tied to wireless networks.