In a presentation today at Black Hat Europe, a computer-security conference in Amsterdam, a group of researchers claimed to have found a way to hijack the data sent to and from mobile phones. The researchers say that the attack might be used to glean passwords or to inject malicious software onto a device.
Mobile phones are becoming ever more useful for transmitting data in addition to making voice calls, and they’re increasingly being used for sensitive activities such as online banking, as well as for searching the Internet and downloading mobile games.
The new attack relies on a provisioning protocol that lets mobile operators push the settings a device needs for sending data via text message, according to Roberto Gassira, Cristofaro Mune, and Roberto Piccirillo, security researchers at Mobile Security Lab, a consulting firm based in Italy. By forging this type of text message, an attacker can, within the rules of the protocol, supply his own settings for the victim’s device. This would allow him to, for example, reroute the data sent from the phone through a server that he controls. The researchers say that the technique should work on any handset that supports the protocol, provided the attacker knows which network the victim belongs to and the network does not block this kind of message.
Some trickery is required to make the attack work, however. Ordinarily, to transfer settings to a device remotely, a mobile operator will first send a text message containing a PIN code. The operator will then send the message to reconfigure the phone. In order to install the new settings, the user must first enter the PIN.
As wireless networks evolve, so does the encryption needed to protect them. As usual, the methods for breaking that encryption evolve just as fast, so let’s take a look at how it’s done and how to protect yourself from these types of threats.
WEP-based encryption was the first to be developed, and therefore the first to be easily cracked. Then came WPA-based encryption, which took the security up a level and introduced some new methods. Let’s look at some differences between the two. WEP, or Wired Equivalent Privacy, is a basic form of wireless security in which both the wireless access point (“WAP”) and the user are configured with an encryption key of either 64 bits or 128 bits, entered in hex. When someone connects to the network, the access point issues a “random challenge.” The user’s device encrypts that challenge with its key and returns the result as the “challenge answer.” If the answer is correct, the user is granted access to the network. WEP is easy to crack because the network key required to gain access is static, and with very little effort it can be figured out.
WPA-based encryption, or Wi-Fi Protected Access, is similar in concept to WEP but does not use a static network key; instead it uses the “Temporal Key Integrity Protocol (TKIP),” which changes the key with every data packet sent or received. This by itself makes WPA a very secure method for wireless networks, but the problem is that in most home environments a “shared pass phrase” is used to access the network. If this pass phrase is any word found in the dictionary, a hacker can crack it through what is known as a “brute-force dictionary attack.” While it may take a long time, it can be done.
Since WEP can be easily cracked, we’ll focus on educating you on how your WPA-encrypted wireless network can be cracked and made vulnerable to attacks as well, and how to prevent this from happening, or at least lower your risk considerably. With WPA, there are two different versions: PSK and RADIUS. In the simplest terms, PSK is hackable and RADIUS is not. PSK uses the TKIP process I mentioned above to authenticate to the network, and that is what makes it vulnerable to cracking. While WPA is indeed much more secure than WEP, only WPA-RADIUS is uncrackable. Ninety percent of access points and home wireless routers don’t even support WPA-RADIUS; only advanced enterprise-grade routers do, which leaves most WPA-secured home networks almost as vulnerable as WEP-secured networks.
// Greasemonkey user script: if the current URL does not already contain ".jpg",
// reload the same page with "?.jpg" appended to the query string.
if (window.location.toString().match(/\.jpg/) == null) {
    window.location.replace(window.location + '?.jpg');
}
Save that as a JavaScript file, add it to Firefox via Greasemonkey, and give it a shot. Of course, since there are plenty of free networks in most places, there isn’t much point in hacking paid networks. But in situations like airports, hotels and other isolated, expensive networks, it could come in handy.
WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.
Tool Capabilities:
The current tools are Perl based, and are composed of the following scripts:
1) WeakIVGen.pl – This script allows a simple emulation of the IV/encrypted output that one might observe from a WEP-enabled 802.11 access point. The script generates IV combinations that can weaken the secret key used to encrypt the WEP traffic.
2) prism-getIV.pl – This script relies on output from Prismdump (or from Ethereal captures, if libpcap has been patched for 802.11 monitor mode) and looks for IVs that match the pattern known to weaken secret keys. This script also captures the first byte of the encrypted output and places it, together with the weak IVs, in a logfile.
3) WEPCrack.pl – This script uses data collected by prism-getIV or generated by WeakIVGen to attempt to determine the secret key. It will work with either 40-bit or 128-bit WEP.
Additionally, a script prism-decode.pl is included that will decode most 802.11 frame types. This tool is intended to be used with prismdump, but could also be used against Ethereal 802.11 saved captures. It might be useful for capturing SSIDs, AP MAC addresses, or authentication data.
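As an added example (not part of WEPCrack), a Python parser for the same 802.11 header fields prism-decode.pl works with, used from the defender's side: it tells WEP frames apart from TKIP/CCMP frames by the ExtIV bit of the key-ID byte and reports, per BSSID, how many data frames still use WEP and how often a WEP IV repeats. The sample frames are constructed; the parser assumes raw 802.11 frames with no Prism or radiotap capture header in front.

```python
from collections import defaultdict

PROTECTED, EXT_IV = 0x40, 0x20   # FC byte 1 "Protected Frame" bit; IV byte 3 ExtIV bit (TKIP/CCMP only)

def parse_80211(frame: bytes) -> dict:
    """Type, addresses and encryption header of one raw 802.11 frame (no capture header in front)."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = bool(fc1 & 0x1), bool(fc1 & 0x2)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:      # station -> AP: Addr1 = BSSID, Addr2 = SA
        bssid, src = a1, a2
    elif from_ds and not to_ds:    # AP -> station: Addr2 = BSSID, Addr3 = SA
        bssid, src = a2, a3
    else:                          # IBSS (Addr3 = BSSID) or 4-address WDS frame
        bssid, src = a3, a2
    # 24-byte header, +6 for a 4th address (WDS), +2 for the QoS Control field of QoS Data subtypes
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if ftype == 2 and subtype & 0x8 else 0)
    info = {"type": ftype, "src": src.hex(":"), "bssid": bssid.hex(":"),
            "protected": bool(fc1 & PROTECTED), "cipher": "none", "iv": None, "key_id": None}
    if info["protected"] and ftype == 2 and len(frame) >= hdr_len + 4:
        ivf = frame[hdr_len:hdr_len + 4]          # IV/Key ID field right after the MAC header
        info["key_id"] = ivf[3] >> 6
        if ivf[3] & EXT_IV:
            info["cipher"] = "RSN"                # TKIP or CCMP: an extended IV follows
        else:
            info["cipher"], info["iv"] = "WEP", ivf[:3]   # the 24-bit IV WEP prepends to the RC4 key
    return info

def audit_capture(frames) -> dict:
    """Per BSSID: data frames still sent under WEP, frames under TKIP/CCMP, and WEP IV reuse."""
    rep = defaultdict(lambda: {"wep": 0, "rsn": 0, "reused_ivs": 0})
    seen = defaultdict(set)      # WEP IVs observed per BSSID; only 2^24 exist, so reuse comes fast
    for p in map(parse_80211, frames):
        if p["type"] != 2 or not p["protected"]:
            continue
        if p["cipher"] == "WEP":
            rep[p["bssid"]]["wep"] += 1
            rep[p["bssid"]]["reused_ivs"] += int(p["iv"] in seen[p["bssid"]])
            seen[p["bssid"]].add(p["iv"])
        else:
            rep[p["bssid"]]["rsn"] += 1
    return dict(rep)

def sample_frame(iv_field: bytes, src=bytes.fromhex("00aabbccdd01"), bssid=bytes.fromhex("00112233aabb")) -> bytes:
    """Constructed station->AP data frame (FC = 0x08 0x41: Data, ToDS=1, Protected=1) with the given IV field."""
    return bytes([0x08, 0x41]) + b"\x00\x00" + bssid + src + b"\xff" * 6 + b"\x00\x00" + iv_field + b"\x00" * 8

WEP_FRAMES = [sample_frame(b"\x01\x02\x03\x00"), sample_frame(b"\x01\x02\x03\x00")]   # same WEP IV twice
RSN_FRAME = sample_frame(b"\x00\x00\x00\x20" + b"\x00" * 4)                           # ExtIV set (CCMP-style)
```

Running `audit_capture(WEP_FRAMES + [RSN_FRAME])` on the constructed frames reports two WEP frames with one reused IV and one RSN frame for the sample BSSID.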