Beware of the Pineapple
- Anuraag
- Jun 18, 2017
- 2 min read

Wi-Fi Pineapple/Karma attack
There is a twist on the standard rogue access point. Devices broadcast probe requests for the networks they have saved, and an attacker's access point can simply answer yes to every one of them; any nearby device whose saved network has no encryption will then connect automatically. So if you leave open Wi-Fi networks saved on your device you are susceptible to this attack.
WPA2-Personal problems
Pre-shared keys are fine for home use if only you know the password. However, the security of the network depends entirely on the privacy of that password, so the network should be considered unencrypted if the password is widely known.
A hash of the key can be captured from every authentication to the network and taken away for an offline attack, typically a brute-force run against a password list. Your average gaming PC can try over 100 thousand combinations per second.
Rainbow tables are large lists of precomputed hashes which an attacker can generate and use to make password cracking faster. But WPA2 hashes are salted: extra information is mixed into the password before hashing, so that a hash cracked on one system is not automatically known on all systems.
In this case the extra information is the Service Set Identifier (SSID), so an attacker needs one table for each network name. Tables for the most popular names are freely downloadable, so leaving your Wi-Fi name as the manufacturer's default probably isn't the best idea.
On the other hand, if your network name is unique, an attacker can look it up in a wardriving database and find out where it is. So something rare but not unique is probably best.
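To make the salting argument concrete, here is a small added example (not code from the original post) that derives a WPA2-Personal key the way 802.11i specifies, PBKDF2-HMAC-SHA1 with the SSID as the salt, and shows why a precomputed table only works for one network name. The list of default SSID prefixes and the 100 thousand guesses per second figure are illustrative; the prefix list is a constructed sample, not a maintained one.

```python
import hashlib

PBKDF2_ROUNDS = 4096   # iteration count fixed by IEEE 802.11i
PMK_LEN = 32           # 256-bit Pairwise Master Key


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PMK as 802.11i specifies:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID is the 'extra information' (salt) the article refers to."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def passes_ieee_test_vector() -> bool:
    """Self-check against the published 802.11i test vector
    (passphrase 'password', SSID 'IEEE')."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa2_pmk("password", "IEEE").hex() == expected


def rainbow_table_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a table built for ssid_a would also match ssid_b,
    i.e. if the salt made no difference. For distinct SSIDs it never is."""
    return wpa2_pmk(passphrase, ssid_a) == wpa2_pmk(passphrase, ssid_b)


# Constructed sample of manufacturer-default network names (assumption):
# the names a precomputed table is most likely to exist for.
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default", "tp-link")


def is_default_ssid(ssid: str) -> bool:
    """Flag an SSID that looks like a manufacturer default."""
    return ssid.lower().startswith(DEFAULT_SSID_PREFIXES)


def seconds_to_exhaust(keyspace: int, guesses_per_second: int = 100_000) -> float:
    """Worst-case time for an offline dictionary/brute-force run at the
    article's quoted rate. An 8-digit numeric key (10**8) falls in ~1000 s;
    12 random lowercase letters (26**12) would take about 30,000 years."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    print("802.11i vector ok:", passes_ieee_test_vector())
    print("table for 'linksys' also breaks 'Home-7f3a'?",
          rainbow_table_reusable("correct horse", "linksys", "Home-7f3a"))
    print("8-digit PIN exhausted in", seconds_to_exhaust(10 ** 8), "s")
```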
WPA2-Enterprise problems
As well as the 'man in the middle' attacks, there is an attack specific to enterprise Wi-Fi. The attacker pretends to be both the legitimate access point and the authentication server. If the user or device doesn't check the server's certificate properly, the user's credentials can be stolen.
When an organisation implements a WPA2-Enterprise Wi-Fi network it can be tempting to use its existing credential store, such as Active Directory. This can be a real problem, because an attacker could use stolen Wi-Fi credentials to get into any other service that uses the same credential store. External services such as webmail and VPN are especially exposed, and the credentials could also be used as part of a more sophisticated attack.
Although it is only a hash of the credential that is stolen, there are cloud services that will break any such hash in less than 24 hours for a small fee.
Privileged network access based on credentials alone should be avoided where possible: if the credentials are stolen, the attacker has an easy way to connect to the inside network.