All Entries Tagged With: "ssl"
Man-in-the-middle attacks demoed on 4 smartphones
Security researchers from SMobile Systems have released a paper detailing successful man-in-the-middle attacks against several smartphones.
The SSL-enabled login sessions on the tested devices (Nokia N95, HTC Tilt, Android G1 and iPhone 3GS) were sniffed using the publicly available SSLstrip tool, with the attack taking place over an insecure Wi-Fi network, a setup now found virtually everywhere. Here’s the scenario they used, and possible mitigation approaches:
“The attacker visits the same cafe that offers a free Wi-Fi hotspot and decides to employ basic host, network identification and enumeration tools from the laptop to enumerate all the active devices connected to the Wi-Fi hotspot. From the results, the attacker notices a MAC address referring to a Nokia smartphone. The attacker knows that there are little to no detection capabilities present on an overwhelming majority of smartphones in use today, so the owner would likely never find out about a successful man-in-the-middle attack (MITM).
The well-informed attacker creates a successful MITM attack. In the meantime, the smartphone owner accesses the online bank website and enters the login credentials required to gain access to the banking information. In this scenario, all of the communication between the smartphone and the online bank site is routed through the attacker’s machine, and the attacker can see the login details in plain text and can capture all the sites accessed by the victim.”
The awareness-raising test aims to educate users to approach convenient, free public Wi-Fi networks with caution, emphasizing that their mobile service provider’s 3G connection, or a trusted Wi-Fi network, should always be their first choice.
Anyway, just how insecure or susceptible to compromise are the majority of Wi-Fi networks found in high-traffic locations such as airports or major international cities? The answer is, sadly, self-evident, and publicly available data backs it up.
Last year, AirTight Networks conducted a major wireless network security study by visiting 14 airports (11 in the U.S. and 3 in the Asia-Pacific region) and found that a huge percentage of the 478 Wi-Fi access points analyzed were either open or using outdated encryption protocols. Even more interesting was that users were falling victim to “viral” Wi-Fi networks using descriptive, enticing names meant to establish legitimacy.
Internationally, the prevalence of such “handy” but easy-to-compromise Wi-Fi networks is virtually the same. For instance, similar wardriving tests conducted in Paris; Santiago, Chile; China; Monterrey, Mexico; Sao Paulo, Brazil; Caracas, Venezuela; Warsaw; and London offer similar insights into the “security” of such public networks.
Possible mitigation practices? According to Marlinspike, the author of the tool:
Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
How often do you face the trade-off of using a public, and possibly insecure, Wi-Fi hotspot for the sake of convenience instead of sticking to your 3G data plan, even when traveling abroad?
Have you ever avoided using your mobile device and instead used your laptop at an airport, because your host-based firewall’s ARP filtering features, if any, can detect a changed MAC address for the (trusted) gateway and thus flag possible MITM attempts?
How EV SSL-aware is your E-banking provider, especially if you’re E-banking over a mobile device? Or do you simply “VPN-and-forget” over a public Wi-Fi network?
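The advice quoted above (visit https URLs explicitly, keep a bookmark) is what a user can do; the server-side counterpart is to make sure the login page is only ever reached over HTTPS and to tell the browser to remember that. The Python script below is an added example, not code from this post, from SMobile or from Marlinspike: it inspects a login-page response (constructed inline, with the placeholder host bank.example) and reports the symptoms a stripped session shows, namely plain-HTTP delivery and a password form posting to an http URL. It goes one step beyond the post's mitigation list by also checking for a Strict-Transport-Security (HSTS) header, the mechanism browsers use to enforce the "always https" rule automatically.

```python
# Added example, not from the article: a small checker for the symptoms of
# an SSL-stripped login page and for the server setting that prevents it.
# All inputs below are constructed; bank.example is a placeholder host.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SIX_MONTHS = 6 * 30 * 24 * 3600   # rough lower bound for a useful HSTS max-age


class _PasswordFormScanner(HTMLParser):
    """Collects the resolved action URL of every form that has a password field."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self._form = None
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "has_password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                self.actions.append(self._form["action"])
            self._form = None


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives.
    Returns None if the header is missing or carries no integer max-age."""
    if not value:
        return None
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    try:
        directives["max-age"] = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return directives


def assess_login_page(url, status, headers, body):
    """Return a list of findings for one response; an empty list means no
    sign of stripping and future visits are pinned to HTTPS."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(url).scheme

    if scheme == "https":
        # Browsers ignore HSTS on plain http, so it only counts here.
        hsts = parse_hsts(h.get("strict-transport-security"))
        if hsts is None:
            findings.append("no usable Strict-Transport-Security header: "
                            "a later plain-http visit can still be stripped")
        elif hsts["max-age"] < SIX_MONTHS:
            findings.append("HSTS max-age is shorter than six months")
    elif 300 <= status < 400:
        # The normal first hop (http -> https redirect) is the hop a stripping
        # proxy swallows, so it is only acceptable if it points at https.
        if urlsplit(h.get("location", "")).scheme != "https":
            findings.append("plain-http redirect does not lead to an https URL")
    else:
        findings.append("login page delivered over plain http "
                        "(what a stripped session looks like)")

    scanner = _PasswordFormScanner(url)
    scanner.feed(body)
    for action in scanner.actions:
        if urlsplit(action).scheme != "https":
            findings.append(f"password form submits to {action} over plain http")
    return findings


LOGIN_HTML = ('<form action="/login" method="post">'
              '<input name="user"><input type="password" name="pass"></form>')

# Constructed sample responses: (url, status, headers, body)
SAMPLES = {
    "stripped": ("http://bank.example/login", 200,
                 {"Content-Type": "text/html"}, LOGIN_HTML),
    "redirect": ("http://bank.example/", 301,
                 {"Location": "https://bank.example/"}, ""),
    "hardened": ("https://bank.example/login", 200,
                 {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                 LOGIN_HTML),
}


def run_samples():
    """Assess every constructed sample; returns {name: findings}."""
    return {name: assess_login_page(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "no findings")
```

One caveat worth keeping in mind: HSTS only takes effect after the browser has seen the header over a genuine HTTPS connection. On a first visit through a stripping proxy the header never reaches the client, which is exactly why the bookmark advice above still matters.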
SSL under attack (again) #BlackHat
A short wrap-up by Sean Michael Kerner, from the ‘be careful who you certify’ files:
LAS VEGAS. Earlier this year security researcher Moxie Marlinspike turned the world of SSL security on its head with a presentation at Black Hat DC. Here in Vegas, he’s expanding his tool SSLstrip with a series of improvements that will make the tool even more powerful.
“On the web SSL is not usually encountered directly,” Marlinspike said. “It’s usually a redirect where someone types in bankofamerica.com (or any other site) and then they get forwarded to an SSL page.”
What the original SSLstrip tool did was take advantage of that fact to trick the browser into thinking an HTTP connection was actually an SSL connection. Marlinspike noted that it’s an automated process to get a regular SSL certificate. The process works by first getting a whois lookup for the admin contact.
“They only look for the root of the domain. They don’t give a shit about subdomains,” Marlinspike said.
As such, a person could get a certificate for a null domain like *\0.attackersite.bankname.com that would validate. He commented that such a wildcard gives SSLstrip great power, providing what looks like a real certificate. To make matters worse, he’s now also built in a technique to prevent the wildcard certificate from being revoked by the certificate authority as well.
“In short, we’ve got your passwords, your communications and control over the software that runs on your computer,” Marlinspike said.
There is, however, a solution. In response to a question from the audience, Marlinspike noted that all the SSL vendors would have to do is validate the whole domain, not just the last bit of it.
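The fix named above, checking the whole name instead of stopping at the first byte that looks like a string terminator, is easy to show in code. The Python below is an added example, not from Kerner's article or from Marlinspike: it contrasts a lax, C-string-style name check (the behaviour a NUL byte in a certificate name exploits) with a strict client-side matcher and a CA-side issuance check that validates every label of the requested name. The domain names (bankname.example, attackersite.example) and all function names are placeholders of my own.

```python
# Added example, not from the article: how an embedded NUL byte in a
# certificate name defeats a C-string style comparison, and the checks a
# TLS client and a certificate authority can apply instead.
# Domain names below are constructed placeholders.
import fnmatch

# Characters allowed in a (wildcard) DNS name as used in certificates.
ALLOWED = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-.*")


def lax_match(cert_name: bytes, hostname: str) -> bool:
    """Emulates the defective validator: the name is treated as a
    NUL-terminated C string (everything after the first 0x00 is dropped)
    and the remainder is matched glob-style, so a bare '*' matches anything."""
    visible = cert_name.split(b"\x00", 1)[0].decode("ascii", "replace").lower()
    return fnmatch.fnmatchcase(hostname.lower(), visible)


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 2818 style matching: '*' may only stand for one whole leftmost label."""
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def strict_match(cert_name: bytes, hostname: str) -> bool:
    """Hardened client check: the full byte length of the name is examined,
    so a NUL (or any other byte that cannot occur in a hostname) rejects it."""
    try:
        name = cert_name.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    if not name or not set(name) <= ALLOWED:
        return False          # catches "\x00" and anything else odd
    if "*" in name and (name.count("*") != 1 or not name.startswith("*.")):
        return False          # wildcard only as the entire leftmost label
    return _label_match(name, hostname.lower())


def ca_may_issue(requested_name: bytes, validated_domain: str) -> bool:
    """CA-side check: the requester proved control of validated_domain.
    Issue only if every label of the requested name is well formed and the
    whole name sits at or below that domain (not just its last labels)."""
    try:
        name = requested_name.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    if not name or not set(name) <= ALLOWED:
        return False
    labels = name.split(".")
    if any(not lab or len(lab) > 63 for lab in labels):
        return False
    if any("*" in lab and lab != "*" for lab in labels) or "*" in labels[1:]:
        return False
    base = validated_domain.lower().split(".")
    return labels[-len(base):] == base


if __name__ == "__main__":
    # Constructed: a name whose visible part is "*" followed by a NUL and the
    # attacker-controlled suffix the CA actually validated.
    crafted = b"*\x00.attackersite.example"
    print("lax   :", lax_match(crafted, "www.bankname.example"))      # True
    print("strict:", strict_match(crafted, "www.bankname.example"))   # False
    print("issue :", ca_may_issue(crafted, "attackersite.example"))   # False
```

The two client-side functions take the same inputs, so the difference is purely in whether the validator trusts the byte length recorded in the certificate or the first terminator it finds; the CA-side function is the "validate the whole domain" rule from the last paragraph written down as a check.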