Study shows viral SSIDs could be creating a massive wireless botnet

A study of Wi-Fi networking at U.S. airports has revealed a viral SSID attack that is potentially infecting thousands of travelers and opening them up to data leakage on their laptops. The viral SSID attack could also be used by hackers to create a massive wireless botnet in the future.

The study, which was released this week at the Gartner Mobile and Wireless Summit in Chicago, was conducted between Jan. 30 and Feb. 8 by AirTight, a vendor of wireless intrusion prevention systems, at 11 U.S. airports and three airports in the Asia-Pacific region, using off-the-shelf Wi-Fi cards and standard packet tracing software.

AirTight researchers found that only 3% of users were using a VPN to encrypt their connection. The rest were sending their usernames and passwords over the air in clear text that could be easily captured by an attacker and then used to compromise the user's data and online accounts, and even take over the machine.

Even more disturbing was the discovery of various ad-hoc (peer-to-peer) Wi-Fi networks that are propagating in a viral way to create an avenue of attack for hackers. The most common SSIDs used by these viral attacks are "Free Public Wi-Fi" and "Free Internet!" AirTight does an excellent job of explaining this attack, and how it propagates, in the following slides.

This attack essentially exploits the way Windows handles ad-hoc peer-to-peer wireless networking -- represented by the icon of the two laptops connecting to each other in the Choose A Wireless Network screen. Once a user clicks on the fake "Free Public Wi-Fi" SSID, Windows automatically adds that SSID to its preferred networks and begins broadcasting it to other users, who connect and are then "infected" as well.

There's no payload or tricky code involved in this attack, and it would be virtually impossible to track down the users who started these fake SSIDs. However, this behavior has created an "open source" attack vector: it is available not only to whoever originally seeded these SSIDs, but to any attacker who can figure out what's going on. The worst case scenario is that an attacker or group of attackers could use this to create a massive wireless botnet (if they haven't already).

The AirTight study found that 10% of all the wireless users it scanned across all airports were broadcasting at least one of these viral SSIDs. In some airports, the percentage was much higher, as seen in the chart below.

Here's a full list of the viral SSIDs that AirTight identified:

  • Free public Wi-Fi
  • Free Internet!
  • US Airways Free WiFi
  • Thrifty
  • Verizon Wi-Fi
  • Megahoc.21
  • Megahoc.v22
  • Megahoc.v24
  • hpsetup
  • WIRELESS
  • ETWireless
  • ConnectionPoint
  • Jet Blue hot spot
  • Raisinet
  • Wireless
  • WIFI
  • Wireless Canes
  • Annies
  • Ramada
  • Default

Bottom line

This study has major implications for business travelers and the IT departments that support them.

"It is ironic that the traveler passes through a phalanx of physical security only to be sitting at a gate and be vulnerable to cybercrime," said Sri Sundaralingam, senior director of product management at AirTight. "Both network administrators and business travelers recognize the benefits of mobility and anywhere, anytime computing, but it is time for all of these constituencies to recognize the risks as well and implement best practices."

One way IT departments can handle this is by educating Windows users to never click on an ad-hoc network -- the icon with the two laptops -- when looking for a Wi-Fi hot spot. Another best practice is for users to connect to the corporate VPN after connecting to a public hot spot and before doing any corporate work.

The larger option for IT is to implement software to handle policy enforcement and/or a wireless intrusion prevention system (WIPS), such as the software offered by AirDefense and AirTight, the author of the study.

Those who have clicked on one of these viral SSIDs in the past need to go into their wireless networking properties in Windows and delete these fake SSIDs from their Preferred Networks to stop propagating this exploit and to avoid being attacked by someone who knows about the exploit.
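The clean-up and lockdown described above can be scripted. The following is an added example, not code from the article or from AirTight; it assumes Windows Vista or later (the "netsh wlan" commands of the WLAN AutoConfig service, since the XP Wireless Zero Configuration dialog has no command-line equivalent), an English-language Windows whose netsh output is parsed as text, and an elevated prompt for the delete and filter steps.

```powershell
# Added example, not code from the article or from AirTight.
# Audits a Windows client for saved profiles and nearby ad hoc networks that match
# the viral SSID list in the article, then applies the "infrastructure networks only"
# policy the article recommends.
# Assumptions: Windows Vista or later ("netsh wlan"; XP's WZC dialog has no CLI),
# an English-language Windows (netsh output is parsed as text), and an elevated
# prompt for the delete/filter steps. Pass -Remove to delete matching profiles and
# add the ad hoc filter; without it the script only reports.
param([switch]$Remove)

# The SSIDs AirTight identified in the article. -contains compares case-insensitively,
# which matters because Windows stores a profile with whatever case the user clicked.
$ViralSsids = @(
    'Free public Wi-Fi', 'Free Internet!', 'US Airways Free WiFi', 'Thrifty',
    'Verizon Wi-Fi', 'Megahoc.21', 'Megahoc.v22', 'Megahoc.v24', 'hpsetup',
    'WIRELESS', 'ETWireless', 'ConnectionPoint', 'Jet Blue hot spot', 'Raisinet',
    'Wireless', 'WIFI', 'Wireless Canes', 'Annies', 'Ramada', 'Default'
)

function Get-SavedWlanProfiles {
    # Saved profiles are the "Preferred Networks" the article tells users to clean out.
    # netsh prints one "All User Profile : <name>" (or "Current User Profile") line each.
    netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') { $Matches[2] }
    }
}

function Get-VisibleAdhocSsids {
    # Walk the "show networks" report: an "SSID n : <name>" line starts each entry and
    # the following "Network type : Adhoc|Infrastructure" line says which kind it is.
    $current = $null
    netsh wlan show networks mode=bssid | ForEach-Object {
        if ($_ -match '^\s*SSID \d+\s*:\s*(.*?)\s*$') { $current = $Matches[1] }
        elseif ($_ -match '^\s*Network type\s*:\s*Adhoc' -and $current) { $current }
    }
}

# 1. Saved profiles: a match here means this laptop is (or was) rebroadcasting the SSID.
$saved = @(Get-SavedWlanProfiles)
$infected = @($saved | Where-Object { $ViralSsids -contains $_ })
foreach ($name in $infected) {
    Write-Warning "Saved profile matches a known viral SSID: '$name'"
    if ($Remove) { netsh wlan delete profile "name=$name" }
}
if ($infected.Count -eq 0) { Write-Host "No saved profile matches the viral SSID list." }

# 2. Nearby ad hoc networks: a match here means another machine at this location is
#    already carrying one of the SSIDs, which is worth recording in a site survey.
$nearby = @(Get-VisibleAdhocSsids | Where-Object { $ViralSsids -contains $_ } | Sort-Object -Unique)
if ($nearby) { Write-Warning ("Viral ad hoc SSIDs in range: " + ($nearby -join ', ')) }

# 3. Policy: the command-line counterpart of the WZC setting
#    "Access point (infrastructure) networks only". A denyall filter with
#    networktype=adhoc refuses every ad hoc network, whatever its SSID.
if ($Remove) { netsh wlan add filter permission=denyall networktype=adhoc }
```

In a domain, the same ad hoc restriction is normally pushed through the wireless network Group Policy rather than per machine; the script is useful for unmanaged laptops and for spot checks.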

UPDATED: Learn how to configure your Windows systems to keep them from being susceptible to this viral SSID exploit by reading the following article from Michael Kassner in TechRepublic's Mobile & Wireless blog:

About

Jason Hiner is Editor in Chief of TechRepublic and Long Form Editor of ZDNet. He writes about the people, products, and ideas changing how we live and work in the 21st century. He's co-author of the upcoming book, Follow the Geeks (bit.ly/ftgeeks).

47 comments
wkiehl

This is mainly a Windows PC problem. My solution--use a Mac.

JCitizen

as well! Even if some aspects of the story are old, some of us who are being forced into accepting the utility of wireless and the attending security issues are a couple of years behind; and need to catch up fast!

paul

Simply disable computer-computer wireless connections (enforce access-point only) - for "exploit" read "feature" - for "study" read FUD

hubbert

This was first reported by Brian Krebs of the Washington Post after Shmoocon 2006. Simple Nomad (the pseudonym for Mark Lovelace) found this way back in 2005, and it is easily fixable and avoidable. I love AirTight, always dreaming up new ways to scare folks so they can make more money.

Michael Kassner

It really depends on an individual's definition of an infection, but I personally would not consider this to be one. It is just MS's way of making it easy for people to connect via wireless, especially when controlling APs or wireless infrastructure are not available. A poor attempt, granted, and one that MS is in the process of rectifying.

All you really have to do to avoid connecting to Ad Hoc STAs when using WZC is to go to the Wireless tab/Advanced settings and select "Access point (infrastructure) networks only". Then WZC will not allow you to connect to any Ad Hoc STAs. If the notebook is a member of an MS AD network then the Systems Admin can make this change quite simply by using Group Policy.

The AirTight viral SSID claim is not the worst pen attack that can happen to your notebook when the wireless network adapter is enabled and not associated with a managed infrastructure. There are several more aggressive attack venues that will take advantage of the wireless adapter being on and advertising that it is available to connect with via an Ad Hoc connection. More importantly, these attacks DO NOT require any user intervention.

To add a bit of history, this attack venue is officially called "Microsoft Windows Silent Adhoc Network Advertisement" and has been known about since 2006. If interested, I linked the initial discovery paper: http://www.nmrc.org/pub/advise/20060114.txt The paper mentions the same fix that I did along with a few other options. One obvious solution that is also annoying is to shut the wireless adapter off when you are not using it. MS is also working on updates to eliminate the vulnerability; I am not positive but I think the fix will be in WinXP SP3. I also might suggest, if possible, using a different wireless client application, as most alternative clients are more granular in their control of unannounced access.

jstephen1

I have seen one called Oasis Internet - Free as well...

jasonhiner

Are you smart enough to not be tricked into clicking on an Ad-Hoc (peer-to-peer) wireless network as a free hot spot? Apparently this is tricking a lot of users and creating the potential for hackers to take over a lot of laptops.

Neon Samurai

Most notebooks now have a physical switch to turn on/off the onboard wifi radio. Simply put, if you have such a switch and you're not connecting to a network, turn it off. No more auto-connecting to unknown networks. After that, one just needs to watch what network SSID they are connecting to.

Dumphrey

Mac airport cards are.... And Macs are of course bullet proof. Safari has no holes... But this exploit would affect a Mac that was configured "incorrectly". All it takes is for the computer user to connect to a broadcast SSID. The Mac could also be used as a "repeater" to push the "infected" SSID out further. This is OS agnostic. And the Mac OS contains samba, so shared folders would be visible on a network. Less likely to be an issue on a Mac, but it could still affect a Mac (data theft being significantly more likely than exploit code insertion).

Neon Samurai

thing was wide open.. and I'm the one not working in IT. Think maybe I'll send off an email to the IS folks and see how it comes back.

vivek.securitywizard

Security companies like AirTight and AirDefense regularly do scans and studies in order to educate the market, which seems to have become complacent about or ignorant of the challenges that wireless represents. If Hubbert is scared by knowledge then he is more dangerous than any security researcher.

jasonhiner

I think AirTight did a pretty nice job of helping to quantify how much of an issue this is and of identifying a list of rogue SSIDs.

Michael Kassner

If you are interested I linked that paper in my first post.

tazbrat26

I just wanted to thank you for your advice. I had an ad-hoc, perhaps a few that weren't recognized by me as well. I removed the one I recognized, and then changed the settings and another disappeared. The rest of the family machines will be reset as they come home. :-) Thank you, Natalie

jasonhiner

1.) Thanks for the link.
2.) The "exploit" isn't new, but the fact that AirTight did a study to quantify it makes it relevant.
3.) While it sounds easy to tell people not to connect to Ad-Hoc networks and to turn off Wi-Fi when they're not using it, the average user won't typically do those things.
4.) The group policy control from Active Directory is exactly the kind of user-based security that I was talking about at the end.

callupchuck

Yes, we recently moved to the boon-docks, and when we first fired up the laptop at our new home, the Oasis network was out there somewhere. I'm thinking that it may well have been on one of the neighbors' machines, but after about a week it disappeared.

birgir

I have to say that lately, whenever I have taken my laptop out here, I have seen an SSID that is one of the ones I saw in the original article, "Free public Wi-Fi", and I have also seen "Jet Blue hot spot". I might go to a few places tomorrow and see if I can spot something!

ypteg

Aren't my laptop's shared folders always open to users of the wireless network I am connected to? I worried about this problem for a long time, but (I think) I solved it by installing ZoneAlarm's free firewall app. Doesn't this prevent unauthorised access of the shared folders on my laptop?

jmgarvin

I just looked at the laundry list of hotspots that I have from traveling and it's downright scary. I've just removed a TON from the list, but I realized I have to keep a few....jeez!

JCitizen

my laptop, as I noticed when I switched to wireless the Windows firewall locks appeared on the network icons. I just haven't worried about it as much as I should because I'm encrypted to my router. I don't have any known hackers living close enough to bust in to my laptop; but I still worry because I'm just security paranoid enough. I'm looking for a disc I can order shipped to me with some of the net testing software you recommended. I don't like downloading that kind of stuff because the checksum test never passes. Plus my DSL isn't that fast anyway. It may have been Comodo that made that switch but I would have thought theirs would be WIFI capable.

bamyclouse

I am new to using wireless (just never bothered because I didn't need it or have opportunity to use it before). I have a wifi enabled PDA. Any directions from anyone on where to get more info on how this affects PDA users and the best VPN/overall firewalling you can get for a PDA? Thanks in advance.

hubbert

The Security industry is made up of companies that look for vulnerabilities and then make solutions to chase after them. This is good. However, when business is down they drum up ways to scare people into action. Scared folks buy more security hardware, services and software than folks that are not. Just look at how Americans voted when they got scared. I do not care that AirTight does this. I expect it. Just be honest about it.

Neon Samurai

As I'm seeing by other posts, we all seem to agree that the average user will continue to be as security conscious as they have historically been. At least the notebooks coming out with physical wifi nic switches are a help. My T60's wifi remains physically off unless I'm at home or need to connect to a known AP. In those cases, it's rare for me to be booting the work-installed OS rather than running off a LiveCD separate from the hard drives. If only such habits could be adopted by those who barely have enough interest to understand which button checks their email.

djmorrissey

The biggest problem I see with the "solution" other than using policies is the requirement to have users take actions. A VAST number of users have no idea how to turn their wireless on and off or even have a clue how they connect to wireless access points. They in general don't want to know, and unless the C level management at a company will hold themselves accountable for knowing, the sales / field force will not be held accountable. I don't like this, but it is a very common reality. What is needed is a switch on the notebook that is clearly labelled and located in plain view for turning wireless on and off. Then the software has to be set so that you must take steps to be able to connect to an Ad-Hoc network. I think a couple of warning pop-ups that you have to agree to each time unless an AD policy allows it. At the same time, warning saturation has to be balanced, or the users will just click through like with most software installs.

davsopat

Zone alarm does stop the ports that share folders. Unless you clicked yes once or twice ;( However, the best bet is to disable shares and disable NetBIOS over TCP/IP. If you want to share folders back home just enable shares, but there is no need to enable NetBIOS over TCP/IP. (Unless you are running computers that are older than Windows 2000)

JCitizen

a CD in the book. I was shopping on Amazon and they had many good publications but I couldn't get a description that admitted including a CD or CD set with the publication. Oh, and Michael linked me with an open source checker that may do the ticket when I can get to it.

Neon Samurai

I can't live without my highspeed ISP these days but I remember the "joy" of 2+ hour downloads for larger files back in the day. It's actually what led to my habit of doing a minimal initial install (ftp installs at the time) then filling it out to my preferred full install part by part after. If you've a spare machine, you may find an ftp install from floppy or a small ISO "network install" boot CD helpful. I also hear good things about PCLinuxOS though so hopefully it treats you right. Once you have the base installed and network repositories configured, you can get most of your other lego pieces as small package installs. If I run across a build of md5 for Windows, I'll make mention of it.

JCitizen

take through the mail but they all require downloading and I just can't tie my network up that long. Not enough bandwidth. I also refuse to accept anything that doesn't hash; but with MS's cheap checker that may be the problem. I really like the PClinuxOS disc I got the other day. I might as well install it and see how it handles WIFI.

Neon Samurai

I'd pull a download of nmap and just use that to see what ports your firewall is blocking and confirm that ping packets are being ignored. You could also use it for more robust testing, but that would initially tell you how your firewall is looking. You could also order a major Linux distribution set of disks. I can't remember the last time I saw a Linux or BSD distribution that did not include nmap along with other tools. Some of the liveCDs may also have it included by default so an Ubuntu may even do it for you. Downloading the win32 build of nmap shouldn't give you grief either as it's small and has many valid uses. I can see how failing check sums would cause you concern though, unless you're comparing different hashing algorithms to what the file was hashed with.

Michael Kassner

It might be best if you mention what PDA you are using so the members can talk about what is available for your specific device. If you are inclined to use a VPN, then we will also need to know about the perimeter device of the network you are trying to connect to.

Neon Samurai

I expect others can add much more, but from using my old PalmOS with the wifi SDIO: If WEP is all the device supports then you need to think about how badly you want it connected and be conscious of where, because WEP is barely a speedbump these days. The PalmOS devices have only the encryption provided by the wifi link, though you can experiment with a VNC client possibly. Checking email and browsing worked fine on the device (T5). My IM program was probably the most compelling reason to have it on the network since I could carry it about the house and stay in contact. I think WinCE has support for some vpn into Windows networks. I know the SDIO network card for winCE supported WPA and I suspect the built in wifi radios in the newer devices support WPA2. My current PDA is the previously mentioned N800 so between designed intended use and the Linux based OS, networks are its natural environment. I've not yet had reason to explore VPN clients available for it since I've been able to simply use properly encrypted protocols (ssh, https, tls/ssl). Rdesktop and VNC get me into shared desktops on either side of the OS fence. What is the PDA you're working with? I or others can probably tailor tips more specifically for you.

MGP2

"It's very difficult to accomplish that, though, because it then becomes difficult and frustrating for users. The best security is both strong and transparent to users." Ya know, I've seen people put more effort into researching the purchase of a coffee maker than they do into protecting their digital assets & identity. While yes, in a perfect world, everything works right out of the box, home users need to learn that some things require more than plugging a device into a wall outlet. They really need to learn that security is not just a nicety, it's a necessity.

JCitizen

A valuable member indeed!

Neon Samurai

If it takes more than two clicks or remembering/selecting a uname/passwd then she's not interested, so making her osX work seamlessly with my mixed network is a fun puzzle. I can then extend whatever I learn to client networks. I believe that a very high level of security can be achieved while remaining seamless to the user.. now to figure out how, even when working on systems without security considerations designed in from initial development.

Michael Kassner

Certainly, you can consider it done. I also am trying to find out if Windows XP SP3 does indeed have a solution set for this.

jasonhiner

It's very difficult to accomplish that, though, because it then becomes difficult and frustrating for users. The best security is both strong and transparent to users. Unfortunately, right now there is almost always a trade-off between security and ease-of-use.

jasonhiner

"Our job does not end at the user's PC; our job ends at the user." Well said! I'm going to have to write something about that (I'll quote you). Thanks Timbo.

jasonhiner

Thanks Michael. Could you do a blog post in the Wireless blog that fully explains the steps of how to do this and shows some screen shots? Then I'll update this article to link to that post. Sound good? For everyone else - If you didn't know it, Michael is one of TechRepublic's regular bloggers in the Mobile & Wireless blog: http://blogs.techrepublic.com.com/wireless/

patrick

I try and educate all my users on best practices and security, but like someone said earlier in this thread, most users don't care. The second I mention ad hoc, half of the users out there are going to glaze over and start thinking about what they are going to do this weekend. Never Trust User Intelligence. Just take the option away, then the users can go about doing what they do, without complicating their lives with what we do.

Neon Samurai

It seems to be a hold-over from when the wise approach to security was thought to be "what is allowed, is not denied" and everyone locked their system down as reasons presented themselves. I think the last time this came up was a discussion on WIFI routers shipping wide open for "convenience" with the expectation that the home or business owner would make all adjustments to lock it down. Perhaps the question is how do we now promote the "what is denied, is not allowed" approach where everything is locked by default and must be opened minimally as needed. In the case of routers, this means not shipping with WEP or wide open for anything with a nic to connect to when the same router provides the much safer wpa encryption levels. The same goes for any hardware or software vendor selling to the general public; deliver your product securely locked down and provide instructions on how to open the minimal amount of settings needed. Convenience is not convenient when it's at the expense of safety, be it with computers or in any other activity in life.

Timbo Zimbabwe

"The biggest problem I see with the "solution" other then using policies is the requirement to have users take actions." If you are an IT professional and you are not educating your client base, then yes, you should not expect them to take action. Keep in mind that our job does not end at the user's PC; our job ends at the user. This is one reason why I like Jason's posts: they aim to educate.

drmicrocw

I could not have put it better myself. It is simple and effective. It can't be left to the normal user as most are still trying to find the power switch. We disable ADHoc on all of our client Laptops to prevent this very issue.

Michael Kassner

I suspect that I may not have made my point very clearly. I apologize for that. There is a configuration change that is only required once. After that change the wireless computer will not attach to any Ad Hoc network. The change can be handled with Group Policies, but if no AD network is available, the IT team can do it individually as well. That configuration is in the advanced section under the wireless networks tab of WZC. You just only allow that particular device to attach to AP or infrastructure networks. Like you, I am aware of users not wanting to mess with any configurations or have to worry about what SSIDs can be selected. That is why I configure my clients' computers to just use infrastructure mode.

jasonhiner

That leaves too much to chance, and never works for security on a large scale.

ypteg

Wow, what a simple solution! I'd never thought of that. Just disable File Sharing in the properties of your connection when you are connecting to a strange network! And here was I, sharing and unsharing folders back-and-forth, almost on a daily basis... Doh! Thanks for the tip - much appreciated.
