DISCLAIMER: This article does not intend to facilitate phishing attacks or any other kind of illegal activity. The misuse of information contained in this article CAN bring criminal charges against you. The author will not be held responsible if criminal charges are brought against any person utilizing information related to this article to break the law. DO NOT try to reproduce the scenario demonstrated in this article with networks and devices you do not own, unless expressly permitted. The author has run this experiment exclusively on private premises and equipment.
This paradigm, inspired by academic interest in IT security, merely points out the risks to the confidentiality of data submitted via WiFi access points that require their users to log in through a captive portal. It should be a cause of concern for the users, but mostly for the companies that have deployed such services, since it is primarily their duty to protect their customers' privacy and security. If such an attack succeeds, the perpetrator can impersonate the legitimate user and perform malicious activities under the unsuspecting victim's identity. Furthermore, by disclosing the username and password of this service to a malicious individual, the credentials for other services (e.g. online payment systems, email, etc.) can be derived, especially if, as is sadly common practice, the same or similar credentials are reused.
The tutorial you will find below is only about setting up a Physical Web Space using an OpenWrt device, specifically the Onion Omega. This attack is one potential use case of the Physical Web Space and could be conducted just as easily with different technology. Additionally, the script that actually logs the victim's credentials is not published; however, it is very easy to write.
To conclude, the combination of low-cost, pocket-sized equipment and software that does not require deep technical knowledge to set up marks this scenario as a valid threat that should be countered by appropriate security measures and increased user awareness. It is imperative that such risks are exposed publicly and dealt with. Lack of security is not as dangerous as a false sense of security.
Despite not posting much on this blog lately, I have been particularly busy with various projects, mainly the SmartCar educational platform, about which I promise to report soon. One of them was My Physical Web Space, which was published and featured on Instructables. The Physical Web Space is a website that literally follows you around wherever you go: it is hosted on a micro server that fits in your pocket, and visitors access it through its WiFi hotspot. Moreover, the WiFi hotspot is enhanced with a captive portal, which redirects all requests to a specific (local) address.
A typical Physical Web Space scenario begins with the user detecting an open WiFi network on their smartphone, connecting to it (because we all love free Internet, don't we?), receiving a notification that sign-in is required and then being redirected to a local website hosted on the micro server. Additionally, all other (non-HTTPS) requests are redirected to the local server.
The original Physical Web Space prototype consists of a Raspberry Pi Zero running lighttpd, with just 3 AAA batteries as its power source. Without any particular power consumption optimizations on the Zero, this setup provides enough juice for a couple of hours. Here, we will use it to demonstrate how easy it is to perform phishing attacks against users trying to connect to WiFi hotspots that require some form of membership, paid or otherwise, and a login via a web page in order to gain access to the Internet.
The rationale is fairly straightforward: the micro server creates a hotspot with the same SSID as the network being targeted. It does not matter whether the legitimate network actually exists in the area, but if it does, its access point(s) might have a stronger signal than the portable server, and most clients will connect to the legitimate one instead. On the server, a captive portal is configured that redirects all requests to a certain web page. That web page looks identical to the legitimate one, with the only difference that it does not actually connect the user to the Internet but instead logs the supplied username and password! After the user has submitted their sensitive data, they can be redirected to the main page again and are thus led to believe that something is simply wrong with this network.
And that's it! Scary, right? The Physical Web Space will be used as the proof-of-concept platform to demonstrate the validity and high risk of this attack.
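From the defender's side, the tell-tale signs of the scenario above are visible to the client before any credentials are typed: the sign-in redirect points at a plain-HTTP page on a local address instead of the operator's HTTPS portal. The following added Python example (not code from the original post) parses a captive-portal redirect response and flags exactly those signs; the expected portal domain and the sample responses are constructed assumptions.

```python
# Triage a captive-portal redirect: the operator's HTTPS login page, or a
# plain-HTTP page on a local address like the lookalike micro server above?
# Added example, not from the original post; domains/responses are constructed.
import ipaddress
from urllib.parse import urlparse

# Assumption: the legitimate operator's login host (hypothetical name).
EXPECTED_PORTAL_DOMAINS = ("login.example-wifi.net",)

def location_from_response(raw: str) -> str:
    """Return the Location header of a raw HTTP response ('' if absent)."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return ""

def triage_redirect(location: str, expected=EXPECTED_PORTAL_DOMAINS) -> list:
    """Warnings for a captive-portal redirect URL; [] means it looks like
    the expected HTTPS portal."""
    url = urlparse(location)
    host = url.hostname or ""
    warnings = []
    if url.scheme != "https":
        warnings.append("login page not served over HTTPS")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Hostname, not an IP literal: must be the operator's domain or a
        # subdomain of it; a lookalike such as example-wifi.net.evil fails.
        if not any(host == d or host.endswith("." + d) for d in expected):
            warnings.append(f"hostname {host!r} is not the expected portal")
    else:
        if addr.is_private or addr.is_link_local or addr.is_loopback:
            warnings.append(f"login page hosted on local address {host}")
    return warnings

# Constructed samples: what a client's connectivity probe might get back from
# a portal on the hotspot itself versus the operator's real portal.
SAMPLE_ROGUE = ("HTTP/1.1 302 Found\r\nLocation: http://192.168.3.1/login\r\n"
                "Content-Length: 0\r\n\r\n")
SAMPLE_EXPECTED = ("HTTP/1.1 302 Found\r\n"
                   "Location: https://login.example-wifi.net/portal?id=1\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_ROGUE, SAMPLE_EXPECTED):
        loc = location_from_response(sample)
        print(loc, triage_redirect(loc) or ["looks like the expected portal"])
```

An operator can run the same check against its own portal from a client's point of view; any warning means users cannot distinguish the real login page from a lookalike one.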
In this tutorial, I will not use a Raspberry Pi Zero for the Physical Web Space but an Onion Omega. The Omega is a single-board computer running OpenWrt, a lightweight Linux-based operating system commonly found in network-oriented embedded devices such as gateways and routers. I have always been fascinated by this operating system because of its modest hardware requirements and its high usability when it comes to networking.
The Onion Omega is a tiny computer that comes with two WiFi interfaces already up and running and will cost you $20 to $30, which is approximately the price of a Raspberry Pi Zero plus the essentials (microSD card, WiFi adapter, cables, etc.), especially if you buy them in Europe. Provided that you are lucky enough to grab one while it's in stock. :-)
The procedure is fairly similar between the two devices, or any Linux system. If you have a Raspberry Pi and want to recreate this, follow the original tutorial and then jump to the steps . Since we will be changing a few configuration files, it is advisable to create backups. You can easily create a backup by typing: cp /path/to/file /path/to/file.old