Rogue AP and The Evil Twin: When WiFi Trolling Turns Dangerous
In my last post, I wrote about the Flipper Zero's WiFi Dev Board add-on and what it could do. Since this is a direct continuation of that post, I recommend you read it first if you haven't already. Now, to business.
I've discussed how a Flipper user can take down a WiFi network, and that's extremely powerful, but it's only half of what the Flipper's WiFi module can do. Another function is the Rogue Access Point. Basically, any WiFi network is an access point to the internet. A rogue access point looks and can behave the same as a standard access point, but it's run by a third party. Whoever operates the network can freely read much of your traffic (barring additional protection, such as a VPN), so having a potentially malicious third party serving as a middleman for your network traffic is a big problem.
Now, as I'll likely write more about later, the Flipper has a bunch of interesting functions and modules, but they're essentially toy versions of the real thing and come with limited usability. This comes up with the WiFi module more than most. When it comes to Rogue APs, something like a WiFi Pineapple is the "real" device and the ESP32-S2 is the "toy" version. That means that, unlike a real Rogue AP, the Flipper cannot actually provide access to the internet, so no network snooping for you!
That doesn't mean there isn't a lot that can be done with the Flipper's Rogue AP. Coming standard with the Xtreme firmware package is a sample login page for your Rogue AP. Do you recall signing into a WiFi network at a place of work or a school, where you had to log in with company credentials to get access? How about at a hotel, where you're similarly redirected to a web page on connecting so that you can log in using a personal account? The Flipper does something like that.
When a Flipper starts a Rogue AP, it shows up as a network option to anyone looking for a network to connect to. When a target connects, they're redirected to a web page (served by the Flipper itself) and prompted to log in. The default page announces what it is and advertises Xtreme firmware, but any HTML file can be used in its place. Let's say, for instance, that the Flipper's user names their fake network "Walmart Free WiFi" or something of that sort and sets the login page as a Walmart login page. A victim, looking for a WiFi network to connect to, sees the fake network and connects. It wants their Walmart login? That seems reasonable enough; it is Walmart, after all. They put in their credentials and... nothing happens. Oh well, weak network. Meanwhile, the Flipper's user now has the victim's login credentials.
Now, there are a couple of problems with this. First of all, there's not much you can do with someone's Walmart account, and second, there's probably already a real network up, so your fake network is competing with a real one for traffic. The first problem is easy to solve: you simply pick a better target. As for the second problem, well, we solved that one in my last post. You can deauth the real network and create a fake one that looks exactly the same. That's called an Evil Twin attack.
So, let's put together a new hypothetical setting. I have a Flipper with a WiFi board and I want to gain access to an insurance company's system and get them to authorize my claim. For some reason (presumably because I'm broke, hence the goal), I don't just put a few hundred bucks into a WiFi Pineapple to do this the right way. The first step is research and planning. I go near the office building and try to log in to the employee network, where it redirects me to a web page to sign in with company credentials. Then, I code a near-exact replica of the login page in HTML and load the file onto my Flipper (it's not easy, but it can be done). I then enter the lobby of the insurance office building wearing a baggy hoodie, sweatpants, and Walmart shoes, all of which will be thrown in a dumpster after I'm done. I head straight for the bathrooms, enter an empty stall, and take out the Flipper Zero. First, I scan for the network used by employees, note its name, and start sending deauth packets. Immediately, every computer worker in the building is kicked off the network, wondering what happened. The next part has to be quick, before IT starts freaking out. I start the Evil Twin. Dozens of employees open their network settings to find out what happened, see my exact replica, and connect to it. It leads them to what looks just like the network login page (they think so, anyway; they haven't needed to use it since getting new laptops) and they enter their login credentials. Within minutes, usernames and passwords start cascading down the screen of the Flipper. I log the data, turn off the Evil Twin, stop sending deauth packets, and leave the building.
Later, I go to the insurance company's website and try to log in using the credentials I got from employees. However, they all use two-factor authentication, so it's all been for nothing. I cower in a corner, regretting my life choices, until the police come to pick me up, since they saw me on a security camera in the parking lot and got my IP address when I tried to log in from a new computer. I go to jail for a very long time.
Okay, so hacking isn't as easy as a lot of people think, even with such amazing tools. There are other problems with my little story. Office buildings often use wired computers, meaning the deauth packets will do nothing. And the Flipper can't actually deauth and run a Rogue AP at the same time. Also, the Flipper is too weak to get a building full of people to connect to it. I haven't done distance testing myself, but I would be surprised if a device more than 30 feet away could connect, especially through walls. As one last point, there is network security that can prevent a deauth attack, but it isn't used very often, even in otherwise secure locations.
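From the defender's side, the two things the story relies on, a burst of deauth frames and a second BSSID advertising the office's SSID, are both visible to anyone watching the air. The script below is an added example (not from the post or the Xtreme firmware) of a minimal wireless-IDS check over a constructed capture; the SSID, BSSIDs and threshold are assumed sample values.

```python
from collections import defaultdict

# Allowlist of the office network's real access points (constructed sample values).
KNOWN_BSSIDS = {"AcmeInsurance-Corp": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
DEAUTH_THRESHOLD = 20   # deauth frames per address per window (assumed tuning value)
WINDOW_SECONDS = 5.0

def find_evil_twins(beacons, known=KNOWN_BSSIDS):
    """beacons: iterable of (ssid, bssid) taken from captured beacon frames.
    Returns (ssid, bssid) pairs that advertise a trusted SSID from a BSSID
    not on the allowlist, i.e. a cloned network name."""
    twins = set()
    for ssid, bssid in beacons:
        if ssid in known and bssid.lower() not in known[ssid]:
            twins.add((ssid, bssid.lower()))
    return sorted(twins)

def find_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """frames: iterable of (timestamp_seconds, frame_subtype, transmitter_mac).
    Returns transmitter addresses that sent >= threshold deauth frames inside
    any sliding window. A deauth flood normally spoofs the real AP's address,
    so the flagged address is the one being impersonated; the rate is the signal."""
    times = defaultdict(list)
    for ts, subtype, src in frames:
        if subtype == "deauth":
            times[src.lower()].append(ts)
    flagged = []
    for src, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)

# Constructed capture: the two real APs, a rogue BSSID cloning the SSID, and a
# flood of 30 deauth frames in three seconds spoofing the first real AP's address.
SAMPLE_BEACONS = [
    ("AcmeInsurance-Corp", "00:11:22:33:44:01"),
    ("AcmeInsurance-Corp", "00:11:22:33:44:02"),
    ("AcmeInsurance-Corp", "AA:BB:CC:DD:EE:FF"),   # rogue twin
    ("Guest-WiFi", "AA:BB:CC:DD:EE:FF"),           # SSID we do not track
]
SAMPLE_FRAMES = [(0.0, "beacon", "00:11:22:33:44:01")] + \
    [(0.1 * i, "deauth", "00:11:22:33:44:01") for i in range(30)] + \
    [(60.0 + i, "deauth", "00:11:22:33:44:02") for i in range(3)]  # benign handful

if __name__ == "__main__":
    print("Evil twins:", find_evil_twins(SAMPLE_BEACONS))
    print("Deauth flood spoofing:", find_deauth_bursts(SAMPLE_FRAMES))
```

In a real deployment the tuples would come from a monitor-mode capture; the threshold is the knob to tune against normal roaming churn on your own network.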
Yes, the Flipper is a toy, but that doesn't mean it can't be used for something real. It's made to be a pen-tester's playground, so next time I'll look at all of its tools in the context of a pen-test.