On Sat, Sep 19, 2015 at 1:01 PM, Xen wrote:
> He had to do nothing else. The software started displaying passwords for email services and Facebook and the like as they were sent by these devices to those services. I remember reading that "it is encrypted" but that equally it was painless to decipher it on the spot. His device just relayed the connections to the real SSID he was connected to (the real BSSID).
>
> He showed the journalist how he could now log into their Facebook if he wanted to, and he opened some of these pages (without logging in) and we saw the pictures of people sitting across the table etc. He could send them an email if he wanted to.
>
> He also said that his device would probe the devices for lists of SSIDs and we saw (e.g. on the journalist's phone) how the 'room' was being populated with those SSIDs by that device, i.e. the device just posed as all of them simultaneously. I don't know or remember for what purpose.
Unless you configure your computer or phone to connect to a specific BSSID, a computer set to connect to a particular SSID could have connected to his access point instead. He likely configured his device to relay the network traffic to the real access point. This is called an "evil-twin attack". A successful "evil-twin attack" allows an attacker to control virtually all network traffic between your computer and the Internet.

For a long time, Facebook, some financial institutions, and other major companies had login pages that were served via HTTPS (preventing disclosure of your username and password), but left other pages unencrypted. Any time a user requested a webpage from these companies via an unencrypted channel, a portion of the session cookie that identified the user would be automatically sent by the browser. This allowed anyone to capture the session cookie generated during login and impersonate the user. An extension called Firesheep [1] used to do this automatically without requiring any expertise.

If you connected to a public wireless access point without any form of wireless security, performing an "evil-twin" attack to obtain such session cookies was not necessary, since these networks are unencrypted. You could perform such attacks passively, since users' computers are transmitting HTTP data to the access point unencrypted.

Today, most websites enforce HTTPS for all pages (mitigating such attacks), since HTTPS no longer requires a lot of overhead. Additionally, proper session cookies should be set with the "secure" attribute to prevent them from being transmitted over an unencrypted HTTP connection. Also, even with an "evil-twin" attack, newer security concepts such as RFC 6797/HTTP Strict Transport Security (HSTS) would prevent typical MitM attacks on SSL/TLS enabled websites.

Brandon Vincent
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
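The three mechanisms Brandon describes (Firesheep-style cookie harvesting from plaintext HTTP, the Secure cookie attribute, and HSTS) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from Firesheep; the hosts, cookie names and values are constructed, and the browser behaviour is reduced to the two rules that matter here: a Secure cookie is only attached to https:// requests (RFC 6265), and a host with a stored HSTS policy has its http:// URLs rewritten to https:// before any request leaves the machine (RFC 6797).

```python
"""Model of session-cookie capture on an open Wi-Fi network and of the two
browser-side defences discussed above. Example code; hosts and cookies below
are constructed for illustration."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what a passive sniffer on an open network (or an
# evil twin relaying traffic) sees: raw HTTP/1.1 requests in the clear.
CAPTURED_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: social.example.test\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Cookie: session_id=8f3a9c2e1b; lang=en\r\n"
    b"\r\n",
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: news.example.test\r\n"
    b"\r\n",
]


def extract_cookies(raw_request: bytes) -> dict:
    """Parse one plaintext HTTP request and return host, path and the
    cookies the browser attached. This is all a Firesheep-style tool needs."""
    head = raw_request.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return {"host": headers.get("host", ""),
            "path": request_line.split()[1],
            "cookies": cookies}


def harvest_sessions(requests: list, session_cookie_names: set) -> list:
    """Collect (host, session value) pairs usable to impersonate the user."""
    found = []
    for raw in requests:
        parsed = extract_cookies(raw)
        for name, value in parsed["cookies"].items():
            if name in session_cookie_names:
                found.append((parsed["host"], value))
    return found


def cookie_would_be_sent(set_cookie_header: str, request_url: str) -> bool:
    """Browser rule: a cookie carrying the Secure attribute is attached only
    to https:// requests, so it never crosses the wire in the clear."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    scheme = urlsplit(request_url).scheme
    return all(not morsel["secure"] or scheme == "https"
               for morsel in jar.values())


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header into its directives."""
    directives = {}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"') if value else True
    return directives


def effective_url(url: str, hsts_store: dict) -> str:
    """Browser rule: if the host (or, with includeSubDomains, a parent
    domain) has a stored HSTS policy, http:// is rewritten to https://
    before the request is made, so an evil twin never sees a plaintext
    request it could hijack."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for known_host, policy in hsts_store.items():
        covered = host == known_host or (
            policy.get("includesubdomains") and host.endswith("." + known_host))
        if covered and parts.scheme == "http":
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url


if __name__ == "__main__":
    print(harvest_sessions(CAPTURED_REQUESTS, {"session_id"}))
    print(cookie_would_be_sent("session_id=8f3a9c2e1b; Secure; HttpOnly",
                               "http://social.example.test/home.php"))
    store = {"example.test": parse_hsts("max-age=31536000; includeSubDomains")}
    print(effective_url("http://social.example.test/home.php", store))
```

Run as a script it prints the harvested session, then `False` (the Secure cookie is withheld from the plaintext request), then the https:// URL the browser would actually fetch once an HSTS policy for the parent domain is stored. The first function is the attack; the other two are why it no longer works against sites that set both defences.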