7

Say someone drives up and parks in front of my house. They get a list of all SSIDs they can pick up. My phone is configured to save the WPA2 password and automatically login when the SSID is in range.

Is it possible for someone to follow me when I leave my house next, and then once we are away from the vicinity of my house, they start up a wireless network with each SSID name they picked up when near my house, and then wait to see what WPA2 passwords I send to them when my phone tries to log in?

Or, is there something in WPA2 or Android that won't try to login automatically to an SSID if it knows it is not the same piece of hardware at my house?

I think this same scenario could occur with a laptop, although my laptop is usually off until I get settled in a building somewhere, so it would be less convenient and more obvious for someone to do it to a laptop.

user1748155
  • 173
  • 1
  • 4
  • 1
    How would your phone know it is not the same piece of hardware? – Hennes Sep 08 '13 at 20:15
  • "Trojan AP" http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm#_Toc77524657 – Logman Sep 08 '13 at 20:24
  • If it is a major concern I would suggest turning off SSID broadcast from your wireless router –  Sep 08 '13 at 20:30
  • 3
    Turning off SSID broadcast on the router won't really help when the client just ends up broadcasting it anyway. – jjlin Sep 08 '13 at 21:04
  • @Logman, Are you sure "trojan" is the right term here. "Phishing AP" sounds more appropriate. – Pacerier May 25 '15 at 06:38

3 Answers3

9

The situation you describe isn't really a concern. The WPA2 handshake never actually sends your password across; both the access point and the client send derived messages that demonstrate that they know the same password. So, spoofing a WPA2 access point won't help recover the password. However, it is possible to record the messages involved in a successful authentication between your client and the access point, and then attempt to brute force it offline, so it's important to have a strong password (or really, passphrase).

jjlin
  • 206
  • 1
  • 2
  • 2
    well, that is really reassuring then, because i do keep my passphrase at least 25 random characters long, which i think is fairly strong. do you have any technical reference that describes how the derived messages are compared that demonstrate that they know the same password? –  Sep 09 '13 at 02:56
  • 1
    You can just refer to http://en.wikipedia.org/wiki/IEEE_802.11i-2004#Protocol_operation. Note that for WPA2-PSK (i.e., where you use a passphrase), PMK = PSK. And http://www.cwnp.com/wp-content/uploads/pdf/802.11i_Key_Management.pdf gives a good overview of how the PSK is generated. – jjlin Sep 09 '13 at 07:19
5

With WPA2 PSK (as "pre-shared key"), what the client (your phone) and the access point send to each other is sufficient to run an offline dictionary attack: the attacker, observing these messages, can then "try passwords at home" on his own computers. However, he will not get, immediately, the password itself. Your phone does not "send the password" to the access point; instead, the AP sends a "challenge" (a random value) and the client responds with a value computed from the challenge and the password. The computation is one-way. Assuming that all the involved cryptographic algorithms are secure (right now they seem to be), the best the attacker can do is password guessing: try a potential password by running the same computations, and see if that yields the same values as the ones he observed.

The computations include PBKDF2 with 4096 iterations, which is not bad. Each "guess" will cost the attacker about 16 thousands of invocations of the SHA-1 hash function. If he has a few good GPU, he may still try about one million passwords per second, so you'd better have a good, strong, random password. If your WiFi password consists in, say, 20 random letters (each letter chosen randomly, uniformly, and independently of the other letters), then dictionary attacks won't work. A very long and random password is not that big a hardship: all clients record the password; you don't have to type it often.

Note that none of the above requires the attacker to do anything actively, like setting up a fake access point. He just needs to observe a normal connection between your phone and your access point.

Thomas Pornin
  • 326,555
  • 60
  • 792
  • 962
  • Does this mean that if we have a strong password, the attacker can't really do anything else besides passive sniffing and recording? – Pacerier May 25 '15 at 06:45
4

Sure, if someone were to put up a rogue AP in that situation, your phone would handshake with it. People do that all the time.

However, that doesn't give away your password, because with WPA2-PSK there is a challenge response portion to the handshake using the authentication frame. At that point, the WPA2 PSK or Pre-Shared Key (also known as the PMK/Pairwise Master Key) would need to be brute force attacked. In fact, it is essentially identical to an attacker if they observe your device's handshake with your actual AP as it is to get you to handshake with them; it will still take them the same amount of effort to crack your key or get access to your wireless network.

In a functional WPA2-PSK handshake, the PMK would then be used to derive a PTK (Pairwise Temporal Key), which is what is actually used to encrypt your session.

I noticed that above somebody comment and suggested not to broadcast your SSID, which is typically a setting available on your AP/wireless router. This will not do anything against even the most basic attacker because of a couple of reasons. First, when you tell an AP not to broadcast your SSID, that doesn't mean it stops broadcasting (or "beaconing"). Instead, it just sets the SSID field of the beacon frame to null (\x00), so if you just listen to the airwaves for a couple of seconds or minutes, you will find out that there is an AP in range of your antenna.

Secondly, even if the AP/wireless router was completely turned off, or you somehow were able to get it to stop beaconing (Bad idea by the way...) clients will send out what are called "probe requests." These essentially say "I have an AP saved with SSID abc123, are you out there?" The attacker could then derive an SSID from those probe requests and build a rogue AP with that SSID to get your handshake. The best way to prevent an attacker from handshaking with you would be to either use 802.11w (Which almost nobody does at this point because not all hardware supports it), or to 'forget' or not save previously connected to wireless connections.

In short: Don't worry about this sort of attack vector unless you have a weak password.

JZeolla
  • 2,996
  • 2
  • 20
  • 25
  • You stated that "the attacker could then derive an SSID from those probe requests and build a rogue AP with that SSID to get your handshake". But how would this be possible if he doesn't have the password? Say, I attempt to connect to an AP called "HomeWifi" using password "horsepasstaple". The attacker can spoof the name of "HomeWifi", but how could he establish a connection with me unless he knows the password "horsepasstaple"? – Pacerier May 25 '15 at 06:50