[SGVLUG] is it possible to sniff packets if you can't get on the wi-fi network?

Henry B Hotz hbhotz at oxy.edu
Mon Jan 13 14:45:40 PST 2014


I'm oversimplifying a bit (and going from memory as well).  Remember that ordinary physics pre-empts protocols and crypto and may render some traffic unavailable.

0) Don't use anything less than WPA if you're serious. There are at least half a dozen free tools to crack WEP.

1) The link management layer is not encrypted. In particular this means that all the time-slice allocation traffic is open and the MAC addresses used are likewise available. It also means that even someone who hasn't authenticated/negotiated a connection can command someone else to disconnect and renegotiate their connection (which has to start at this layer).

2) Once you've negotiated a connection, you get two keys, one for yourself and one for broadcast data like DHCP and ARP requests. You can do all the usual tricks with subverting broadcast responses just like on a wired network without the bother of getting physical access.

The ability of an uninvolved party to force a renegotiation is reminiscent of the 2008 crack of TLS which forced the creation of TLS 1.1. Since clients do not (and generally cannot) verify the identity of the AP they are connecting to, it follows that an evil AP can insert itself into any legitimate client's wireless connection as a MITM. In other words, locking down the AP isn't sufficient.

A lot depends on the sophistication of the attacker.

--------

As for https://, it's easy, so yes, do it. Just realize it's also got fundamental limitations, starting with the trust model, which means the warnings you get mostly don't tell you about the real problems.

You can get free certs from startssl.com.


On Jan 12, 2014, at 11:31 AM, Homan Chou <homanchou at gmail.com> wrote:

> A lot of businesses offer free wi-fi access within their walls as a perk of being there.
> 
> I have a friend that is a business owner that does NOT offer it because of "security" reasons.  In fact, in order to get on his wifi, he can't just give you the password, he actually has to whitelist your MAC address into his router or something like that.
> 
> His web developer set it up this way because their custom point of sale program is just a website. And they don't use https.  So my question is, if that website login form was accessed over non-secure http, is the login just sent in plain text in packets?  Could someone theoretically observe that with Wireshark without even being logged in to the wi-fi network?  Or do you need to be connected to the wi-fi router in order to be able to do that?
> 
> I think it's the former but I'm not a Wireshark expert, can someone confirm?  (Either way I will tell him he needs https).  And I want to encourage him to provide free wi-fi, and if his POS is secured over https it shouldn't make his business any more vulnerable than he is now, is that correct?
> 
> Homan

Personal email.  hbhotz at oxy.edu
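An added example, not part of Henry's message or anything posted to the list, that puts points 1 and 2 and Homan's question into code. It parses raw 802.11 frames the way a monitor-mode sniffer (tcpdump or Wireshark on a monitor interface) sees them, without ever associating: the MAC addresses and the management frames (here a deauthentication) are readable by anyone in range, a data frame with the Protected bit clear carries the POS login form in the clear, and the same login over WPA shows up only as addresses plus ciphertext. Every frame, MAC address, the host `pos.example` and the form fields are constructed for the demo and are not from a real capture; the IP/TCP headers are minimal and checksums are not validated.

```python
"""Added example: what a passive 802.11 sniffer in monitor mode can read from
raw frames without associating to the network. Frame layouts follow
IEEE 802.11; all frames, MAC addresses, hostnames and credentials below are
constructed for the demo (assumptions, not captured data)."""
import struct
from urllib.parse import parse_qs

MGMT, CTRL, DATA = 0, 1, 2
MGMT_SUBTYPES = {10: "disassociation", 12: "deauthentication"}
PROTECTED_FLAG = 0x40  # bit 6 of the second Frame Control byte


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def extract_http_form(body: bytes):
    """Walk LLC/SNAP -> IPv4 -> TCP inside an unencrypted data frame and, if the
    payload is an HTTP POST, return the form fields as a dict (else None)."""
    if len(body) < 8 or body[6:8] != b"\x08\x00":      # SNAP ethertype must be IPv4
        return None
    ip = body[8:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                      # not TCP
        return None
    tcp = ip[ihl:]
    payload = tcp[(tcp[12] >> 4) * 4:]                  # skip TCP header by data offset
    if not payload.startswith(b"POST "):
        return None
    _, _, form = payload.partition(b"\r\n\r\n")
    return {k: v[0] for k, v in parse_qs(form.decode("ascii", "replace")).items()}


def parse_frame(frame: bytes) -> dict:
    """Return what is observable in one frame: addresses and management
    bodies are always in the clear; data bodies only when the Protected
    bit is unset (open network)."""
    fc0, flags, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    hdr_len = 24
    if ftype == DATA and subtype & 0x8:                 # QoS Data adds a 2-byte QoS field
        hdr_len += 2
    info = {
        "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]), "addr3": mac(frame[16:22]),
        "protected": bool(flags & PROTECTED_FLAG),
        "credentials": None,
    }
    body = frame[hdr_len:]
    if ftype == MGMT:
        info["kind"] = MGMT_SUBTYPES.get(subtype, f"management subtype {subtype}")
        if subtype in MGMT_SUBTYPES and len(body) >= 2:
            info["reason_code"] = struct.unpack_from("<H", body)[0]
    elif ftype == DATA:
        info["kind"] = "data"
        if not info["protected"]:
            info["credentials"] = extract_http_form(body)
    else:
        info["kind"] = "control"
    return info


# --- constructed sample frames (not a real capture) ---------------------------
CLIENT = bytes.fromhex("02a1b2c3d4e5")   # locally administered MACs, made up
AP = bytes.fromhex("02112233aabb")


def header(fc0: int, flags: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    return struct.pack("<BBH", fc0, flags, 0) + a1 + a2 + a3 + struct.pack("<H", 0)


def llc_ipv4_tcp(payload: bytes) -> bytes:
    """LLC/SNAP + minimal IPv4 + TCP headers (checksums left zero; not validated)."""
    llc = bytes.fromhex("aaaa030000000800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 50]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return llc + ip + tcp + payload


HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: pos.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"user=cashier&pass=hunter2")

# Deauthentication (type 0, subtype 12) from AP to client, reason code 7; never encrypted.
DEAUTH = header(0xC0, 0x00, CLIENT, AP, AP) + struct.pack("<H", 7)
# Data frame, ToDS=1, Protected bit clear: the POST body is readable by anyone in range.
OPEN_DATA = header(0x08, 0x01, AP, CLIENT, AP) + llc_ipv4_tcp(HTTP_LOGIN)
# Same login over WPA: Protected bit set, body is a CCMP header plus opaque ciphertext.
WPA_DATA = header(0x08, 0x41, AP, CLIENT, AP) + bytes.fromhex("0100002000000000") + bytes(range(64))

if __name__ == "__main__":
    for f in (DEAUTH, OPEN_DATA, WPA_DATA):
        print(parse_frame(f))
```

The deauth frame parses to its MAC addresses and reason code with no key involved, which is why an unassociated station can both read and forge it; 802.11w (Protected Management Frames), where both AP and client support it, is the standard mitigation for that forgery. The open-network data frame yields `user=cashier`, `pass=hunter2`, which is exactly what Wireshark's "Follow TCP Stream" would show for the plain-http POS login; the WPA frame yields only addresses and `protected=True`, because its body is encrypted under the client's pairwise key.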
