Recently, I was invited to speak on Wi-Fi security at Wireless LAN Professionals Conference Europe in Maastricht, Netherlands. Excited about my first trip to the Netherlands, I quickly said yes and off I went. After meeting up with my co-worker, we arrived the evening before the conference to relax and check in. As a vendor neutral conference, the only Wi-Fi available was offered by the hotel (free!). On night one, we enjoyed some conversation with a few of our peers, and retired early to catch up on email (and sleep).
Normally the conferences I attend are full of hackers wearing black t-shirts and carrying MacBook Pros covered in stickers, however, this convention was full of Wireless LAN Professionals wearing black polo shirts and carrying Macbook Pros not covered in stickers...a truly different kind of convention. As people showed up, I resorted to one of my favorite past times, people watching. I spent a lot of time quietly monitoring all of the conversations, and even having a few great exchanges of my own. The more conversations I observed, or was a part of, the more I realized that these Wireless LAN Professionals seemed to share a lot with my usual hacker crowd, especially the sense of humor. I overheard a number of delegates having chats about how easy it would be to put up an AP to spoof the hotel wireless, and even a few boasted about their Wi-Fi pineapples. As the day wound down, I went back to my room to finish up some work, respond to some emails, and possibly work on my presentation for the next day.
Like many others, my time in the evening was dedicated to catching up on the work I had been ignoring all day, and the email from my customers in the US was building at an alarming rate. I sat down to get some work done, and found the hotel splash page wasn't loading. Great, everyone at the hotel had the same plan... but wait, we were all clumped together all day and things worked fine, why would the hotel network fail after we spread out? Immediately my thoughts returned to all the conversations I overheard that morning, of people talking about evil twins and Wi-Fi pineapples and other things that would look exactly like what I was experiencing, and all at once I felt like I was finally at home.
Immediately the game began. I opened up my wireless sniffer and took a survey of the Access Points in the area, for the hotel SSID, I saw many from the same manufacturer, and one from a different manufacturer. The one mis-matched AP also happened to be the one I was currently connected to, and the one which didn't appear to be getting me to the Internet. I then started looking at data. All over the airspace, you could see clients talking to AP’s, Internet traffic, all working as it should. When any client roamed from an AP to the mis-matched AP, all of a sudden, their Wi-Fi packets seemed to never go past the AP to the wired side of the network; no DHCP, no DNS, and certainly no gateway or Internet. Armed with the fact that nothing was making it through the AP, it seemed obvious what was going on, someone was spoofing the hotel Wi-Fi, not providing Internet, and being generally obnoxious.
Obnoxious is a game I am very familiar with due to my experiences at hacker conventions, so I figured I would play to win. I dug around in my bag, and took my AirTight WIPS Sensor. I positioned it near the window, where I would have maximum visibility of the hotel airspace, and then settled myself back on the desk. Once the WIPS system was up and running, it was again obvious, all the AP’s with the hotel's SSID were made by the same manufacturer except one, and that one was clearly not actually passing traffic to the internet. I clicked the quarantine button, and with just that one click, I knocked every client off the evil twin, and suddenly, everyone at the hotel had working internet again. I laughed to myself, and made a quick tweet:
— Rick Farina (@RicklikesWIPS) October 14, 2014
After finishing some work and email, I couldn't help but check back on my new friend, the quarantined Evil Twin. I noticed the device was still on and functional, even as the hour grew late, and I couldn't help but notice my battery was full. So off to fox hunt I went. I took a look out my window, made a few guesses of where the target could be, and I started walking around. I put my cell phone in my pocket with “Wi-fi Analyzer” tracking the evil twin, then I put my bluetooth headset on to listen to the Geiger counter like sounds as I got closer and farther from the AP. Fully armed with my Wi-Fi tracker I left my room, and began to walk the hotel. I walked my floor, some of the common areas, and found myself on the first floor. I wandered around the restaurant as it was closing, the business center, and various other places. One thing was certain, the device was powerful, and I couldn't seem to get close to it. I wandered through the bar and found our happy host Keith, as well as a few other conference go-ers, and discussed my activities.
One of them was certain he knew who was behind the evil twin, so the whole group of us got up to go hunting. We went to the front desk to ask what room the potential evil doer was in, and they were happy to provide the information, so off to the 4th floor we went. The large group of us stormed out into the hallway, certain we would find our target, but alas, we searched the whole floor, and not a blip, not a beep, no sign of the AP we were looking for. Discouraged by failure and the late hour, my newly acquired entourage said goodnight as I headed back to the first floor to continue the hunt. I reached the lobby, and one of my helpers had decided to ignore the call for sleep, in exchange for joining the hunt.
@KeithRParsons unable to locate it exactly but I narrowed it down extremely. wish I brought my real gear bag with me.
— Rick Farina (@RicklikesWIPS) October 14, 2014
We searched all over the lobby looking for strong signals. We ended in the business center, searching around under desks and behind hidden doors for anywhere an AP could have been hidden. We came up short, but not without attracting some attention from the hotel staff. Leaving the business center we were greeted by the front desk clerk, who was very curious what we were doing. I explained that we were playing a game called a “fox hunt” and trying to find an AP which was placed by one of our people. She laughed and thought it was very interesting, so I asked her if she would like to play as well, and escort us into some of the more secure areas of the hotel to search. She happily agreed, and unlocked the restaurant for us.
We searched high and low, searched through the kitchen, searched the dining room, and just when we were ready to give up, the Wi-Fi analyzer started to go crazy. We were in the middle of the dining room, nothing in sight, but the signal was climbing rapidly. We looked around, checked every nearby power outlet, every hidden corner, nothing to be found. The hunting party, now three strong, went out onto the patio which was closed for the night, and continued the search. We searched high and low, under benches, in the boxes that contained yard toys (I was shocked to see how many frisbees the hotel had), but again, completely foiled. We looked everywhere we could with the flashlights on our cell phones to guide us, but it looked like failure.
After an exhaustive search of the entire hotel, we managed to get right on top of the evil AP, but couldn't pinpoint it. We went back to the lobby and my cohort and I discussed our search. After a short while, we only had one conclusion, maybe it wasn't an evil AP at all, maybe one of the hotel's legitimate AP’s was stuffed up in the ceiling where we couldn't see it, and that AP was malfunctioning in some way. We asked the front desk when their network technician normally shows up to work, and then we went to bed. In the morning there was much discussion over breakfast about my tweet and my search the night before, but everyone was disappointed to hear that I was unable to pinpoint the problem. After breakfast, the technician was scheduled to arrive, so I went by the front desk to ask to speak with the tech.
A very nice gentleman greeted me, and said he heard a little bit about all the fun we had the night before, and asked me what I thought was going on. I took him back to the spot where I had the strongest signal, and told him all about the problems which led me up to my hunt, and how we had given up unable to find the device. The tech was very excited to hear the story, he mentioned that they had been having problems with the Wi-Fi in half the hotel for weeks, and no one had been able to trace it down. I told him I traced it to a single AP, I had a map of its coverage, I knew who made it, but for the life of me I just couldn't find the darn thing. He laughed, and walked me 12 ft. from where my strongest signal was and pointed up.
There, in the glory of the morning light, was the AP in question. Just barely visible, crammed up against the doors to the courtyard was an AP, the right manufacturer, the right location, with a madly blinking Wi-Fi light, and an unlit LAN light. We found the problem. For the last several weeks, everyone near this side of the hotel had been having Wi-Fi issues as they tried to connect to this AP because the LAN cable was damaged and no longer passing data.
And the moral of the story is, never assume malice when the problem can be adequately explained by hardware failure. In a conference filled with nearly 100 WLAN professionals, it took one determined security guy to track down the network issues. Next time you see a convention which offers games like Wireless Capture the Flag or Fox and Hound, join in.
Not only is the game fun to play, but you can gain valuable experience to track down not only attackers, but problems in a hotel's wiring. On the enterprise security front, this also shows how manual effort intensive it can be to chase security alerts. And if they are false alerts, it means next time nobody will even chase real alerts. As a result, my colleagues and I at AirTight have always preached approach to wireless intrusion prevention that does not rely on chasing alerts and maintaining signatures. Find out more about it here. [Tweet "The Hunt for Rogue October | by @RicklikesWIPS via @AirTight blog #WLPC_EU"]
- Follow Keith R. Parsons on Twitter
- Follow Rick Farina on Twitter
- Wi-Fi Hacking 101 – Ethical of Course via AirTight blog
- Rick Farina at Wireless Field Day 6
- Rick Farina on Wi Fi Security 101 – Hacking Demo via YouTube
- Wireless LAN Professional Conference web home
- WLAN Pros Summit 2014 Videos
- Rules for Successful Hotel Wi-Fi by Keith R. Parsons
— Keith R. Parsons (@KeithRParsons) October 20, 2014