From The Sky: Destroying Wifi & Listening In, Too
A successful WEP attack often involves using a deauthentication attack. What does this mean? Well, the 802.11 specification has commands, called frames, for managing the wireless infrastructure. One of these commands is the deauthentication frame. This frame is usually sent out by the access point, and it tells the clients that communications are about to terminate, so they should look elsewhere for a valid connection.
When someone wants to be a party killer, they can send out deauthentication frames non-stop while pretending to be any nearby access point. If you send deauthenticate frames on all Wi-Fi channels, whilst impersonating all Wi-Fi access points, you can effectively kill the entire wireless infrastructure. Wireless (802.11, that is) simply stops working, with no indication to the end-user as to why.
This evening as I completed my upcoming lecture for the Iowa State computer security group, I pondered what would happen if you were to create a device that flew around and killed off Wi-Fi networks in mass. I know that sounds completely nuts, but think about it for a second. Let’s say I go out and buy a $1,000 RC helicopter, then attach a small device running some flavor of Linux or Android. Now I run a custom-made program that searches for all the broadcasting APs, and my device sends a deauthentication frame while pretending to be the real AP.
Things to think about:
- The helicopter wouldn’t need to stay flying the whole time. You could land on top of a really high point. At Iowa State, maybe I’d choose the campanile; it’s a central location and it’s high up. Or perhaps the old water tower, as many buildings with considerable Wi-Fi usage are very close in proximity.
- The small device (PDA or smart phone would probably be preferable) could be attached to an external battery pack and would be able to run for many, many hours.
- We are used to Wi-Fi killing out once we’re just a few hundred feet away. We are experiencing a high degree of packet loss, so requests start failing, etc. A deauthentication frame is one packet, meaning that the probability of at least one of those deauthentication packets reaching really far (past where Wi-Fi normally would be accessible) is very, very high. So yeah, we might be really far from a client PC we’re trying to kick off of the Wi-Fi, but at least some of these packets will make the distance.
I know some people will read all of this and ask “who cares?” Well I admit, this idea isn’t some revolutionary invention by any means. However there are applications for this type of denial-of-service attack. Perhaps an attacker wants to be sure everyone in a physical area wanders to his wide-open access point. For example, Iowa State University’s wireless network is called “IASTATE”. One could create a small wireless network (also called IASTATE) that performed man-in-the-middle attacks by tampering with data as it hits the custom-programmed APs. Then you can tailor your deauthentication attack to only effect those APs which aren’t yours.
Wi-Fi Traffic Sniffing
Perhaps this situation is a little more practical: a custom-programmed Android phone, running as the RC helicopter payload. This unit listens in on unencrypted Wi-Fi traffic over a broad area, capturing useful-looking packets for later analysis, while tracking its own GPS coordinates in flight.
Or perhaps you know a business or other point of interest has Wi-Fi secured with a crackable encryption type, but physical access near the signal is very limited. You need to get in, capture WEP IVs (for WEP cracking) or WPA handshakes (for WPA-TKIP cracking). This remote, mobile intruder could fly in to the area outside, park somewhere unseen, and then an attacker could watch for useful data and information.
Warflying isn’t anything new, but it’s still cool. One could warfly over a small area to tag and better understand nearby APs, without the area restrictions that normal wardriving entails, or the costs that full-size aircraft-based warflying involves.
A Third Way To Use An RC Helicopter
And this one has nothing at all to do with Wi-Fi. To gain access to a system inside a gated or guard protected facility, you could craft malware-ridden flash drives, and then drop them over internal building entrances, etc. Even someone who has been repeatedly trained to not insert foreign flash drives might still be tempted to do so if they feel that the drive must be safe, considering it was found at a “secured” area.
I suddenly want an RC helicopter