It is time to discuss hacking hotspots. Hotspots are locations that offer public Internet access. Most hotspots use Wi-Fi, but some also allow wired connections. Clients can connect to these open networks with any Wi-Fi-capable device, including laptops, PDAs, or VoIP phones. Hotspots are often found at hotels, restaurants, airports, malls, libraries, coffeeshops, bookstores, and other public places. Many universities, schools, and corporations have wireless networks on their campuses. As business travelers know, wireless networks are truly everywhere.
Where to start? That is a difficult question to answer. Wireless hotspots have many different attack vectors. You can attack the hotspot. You can attack other clients attached to the hotspot. You can use the hotspot to attack other targets. You can sit at a distance and simply watch for unprotected information. Finally, you can set up your own malicious hotspot to accomplish any of the preceding activities.
Being a hotspot administrator is a tough job, for Ethernet networks were not designed to be open and secure. There has always been the assumption that the physical layer is secured from attackers in a locked building. Wi-Fi changes everything. As discussed in other parts of this book, Wi-Fi is an adaptation of Ethernet technology. There are some differences, such as the error-handling mechanism and, of course, the physical layer, but the two technologies suffer from many of the same well-known security problems. Ethernet was not designed to be used in a hostile environment.
Hotspots are set up for a variety of reasons. Many are free, but some hotspots only allow subscribers or clients to connect. Corporations also set up hotspots, which are commonly referred to as guest networks. These networks are designed to be used by employees, contractors, vendors, and visiting clients. Some local governments and Internet service providers set up hotspots that may span an entire city. Some of these services are offered for free, but many come with some hidden costs, including invasions of privacy such as a monitoring system that serves up advertisements based on your surfing habits. Many hotspots that charge for usage may offer a limited set of services free of charge. For example, some hotels offer a guide to local attractions or the ability to view your bill; some coffeeshops offer a free music channel to get you to buy music offered at the counter; and at a conference, the wireless network may contain a schedule of events or a registration form. Knowing what these services can be used for may help save your hard-earned money.
The name hotspot fits them well. These networks are truly hot zones of nefarious activity. Some hotspots are also set up for malicious purposes. They can be an effective way to capture passwords and credit card information and to install spyware or Trojans. Users of any type of hotspot need to beware. It may be difficult to figure out what kind of hotspot is being offered locally. Is the hotspot a commercial Internet connection, a corporate guest network, an open network from someone's house, or a malicious network? Does the owner of the network want you to connect?
The mechanisms available to verify that a hotspot was set up by a trusted party are also poor. For example, if you go to a coffeeshop and see a hotspot with an SSID of t-mobile, you don't know if that hotspot was set up by a national mobile provider or by an attacker trying to steal passwords. Also, due to the nature of wireless, there may be many hotspots within your local connection range. Which one is going to offer the services that you need? Last week at an airport, I found three different wireless networks available for connection. Two of them wanted to take my credit card information. How can I verify who set up the hotspot? Only by truly knowing the idiosyncrasies of hotspots will you be able to make an informed decision.
This chapter will help hotspot administrators and hotspot users improve their security. All of these attacks are currently being used in the wild. Hotspot users beware! Figure 9-1 shows an example of hotspot architecture.