Spoofing public Wifi networks - in the air!
Whether it's Starbucks, McDonalds, Target or your local airport you'll find open wifi almost everywhere. Many networks give access with nothing more than the click of the "Accept" button, whilst others require more.
Xfinity claims over 1 million WiFi access points, but instead of just agreeing to terms and conditions that nobody ever reads, you instead need to enter your Xfinity credentials. The same is true of countless other locations, needing anything from your Facebook friendship through to your credit card details before they'll give you your fix of Internet access.
But how do you know that the network you're connecting to is legitimate? Configuring your own Access Point to present itself as "xfinitywifi", "attwifi" or "Google Starbucks WiFi" is trivial - but how readily will people connect to such an AP and believe it's real?
In order to test this idea, I picked a location where I had no other wifi networks to contend with and a very captive audience - aboard an aircraft!
Whilst some airlines have wifi on all flights, many do not. For the purpose of this experiment I picked an airline that has Wifi available on some of their flights, but not on all. This allowed me to take a flight on a plane that did have wifi and screen-scrape the various captive portal login pages, saving the trouble of actually coming up with the web design myself - not to mention giving credibility to the look of the site due to it being the real thing!
The next step was to create an AP and captive portal, along with the code to intercept and redirect requests to the login page, and capture the login details entered - just like the real captive portal would do!
Thankfully I already had a TP-Link TL-MR10U portable AP/router that I'd picked up in China a few months earlier that I'd been searching for a use for. The TL-MR10U has 32MB RAM, 4MB Flash, WiFi, and most importantly can run OpenWRT - giving the opportunity to fully customize it for my needs. What's more, it also includes a battery capable of running the AP for about 6-8 hours, or even more when connected to a small external USB battery pack. It's also tiny - about the same size as a candy bar!
With OpenWRT installed, it was just a matter of configuring the Wifi AP, a web server for the captive portal (uhttpd), DHCP and DNS, including redirecting all traffic to the portal (dnsmasq), manipulating the previously captured web content a little, and setting up some scripts to handle the login/payment processes and record the supplied details.
A few weeks later I found myself on a flight from San Francisco to Europe, and according to the airline's website the flight would not have Wifi!
A few minutes after takeoff - right around the time all electronic devices are allowed - I switched on the router. Over the next 10+ hours over 30 distinct devices accessed Wifi. Of those around half attempted to log in (which failed, with a recommendation to use the guest login), and roughly the same number attempted to purchase Internet access by providing their name, credit card details and home address - including several that tried multiple credit card numbers. Of course, all attempts to log in or purchase access resulted in an error (after a suitably long delay whilst attempting to process payment!), and most people gave up fairly quickly - although a few did try to log in/purchase access multiple times during the flight.
Over the next few months I ended up on a further 5 flights without wifi, including both flights to/from Europe and US domestic flights. All up, just over 150 people attempted logins (although a small number of those were probably people trying multiple usernames), and around 200 unique credit cards were used to attempt to purchase access.
One particular flight proved more fruitful than others for a reason that I could never have imagined. A few minutes after turning on my Wifi the flight purser welcomed everyone aboard, provided details of the flight, and then proceeded to announce that the flight had Wifi for only $3 for the entire flight! After a brief moment of panic I realized that he was actually referring to my wifi! I can only presume he had used his own mobile device to check and confirm that the flight was wifi-enabled and looked at the price.
I wouldn’t fall for that…
By now you might be asking yourself how stupid people must be to fall for this - but why wouldn't they?
The Wifi network had the exact same name as the real network - in fact even my own tablet connected to it automatically based on being connected to the real network on a previous flight.
The captive portal looked real - primarily because it was! By screen-scraping the real in-flight website and modifying it only where needed it was as realistic as it could get.
But what about the URL? And the SSL certificate? That was the easy part! Do you know what exact domain your in-flight Wifi captive portal is supposed to use? By simply picking a domain that sounded realistic and was close to the correct domain I was able to register the domain, and then most importantly obtain an SSL certificate for that domain. The domain itself wasn't actually needed (as the DNS was captive, so I could have used any domain), but the registration was required in order to get the domain-verified SSL certificate.
Wanna buy some Credit Card numbers?
Sorry, not going to happen. My goal was never to actually steal anyone's credentials or credit card details, but instead to see how many of each I could actually get. As a result, no passwords were actually logged. Most of the credit card details were also not logged, only a few digits and the length - enough to be reasonably confident that it was a valid card number. CVC, card expiry and street address were also not logged.
All tests were done on planes that didn't already have wifi, so other than some minor inconvenience there was no impact to the users. If you think you may have been one of the passengers caught out, then rest assured that your details are safe, and I apologize for the few minutes of your time I wasted.
What's the moral of the story? Honestly, I'm not sure! The obvious one of "Don't trust Wifi!" goes without saying, but is pretty much unhelpful if you just can't live without a Wifi connection. Open Wifi offers no way of knowing that you're connecting to a valid base station. The nearest you can get to security is the URL used in the captive portal and the SSL certificate associated with it - but how are you to know that mcdonaldswifi.net isn't a valid domain for your McDonalds Wifi network, but nmd.mcd07221.sjc.wayport.net is?
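The two points above about the URL and the certificate (that a lookalike domain with a valid domain-validated certificate is easy to obtain, and that a plausible-sounding name tells you nothing) can be turned into a concrete client-side check. The following Python script is an added example and is not code from the original post: it treats a captive-portal hostname as trusted only if it sits under a domain on an operator allowlist, and flags names that merely resemble a known domain or borrow a brand name. The allowlist and brand list are constructed for illustration; the only values taken from the post are the nmd.mcd07221.sjc.wayport.net hostname and mcdonaldswifi.net. Certificate validity is deliberately not part of the decision, since the lookalike has a valid certificate too.

```python
"""Added example (not from the original post): decide whether a captive-portal
URL belongs to an operator you actually expect, rather than one that merely
sounds right. Allowlist and brand tokens below are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the operator is known to use.
# In practice this comes from the operator's published documentation.
KNOWN_PORTAL_DOMAINS = {"wayport.net", "attwifi.com"}   # hypothetical values

# Constructed brand tokens: a hostname that contains one of these but is not
# under an allowlisted domain is treated as a lookalike, never as trusted.
BRAND_TOKENS = ("mcdonalds", "wayport", "xfinity", "attwifi")


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL, ignoring scheme, userinfo, port and path."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host equals domain or is a subdomain of it.
    A plain substring or endswith() test would accept 'evil-wayport.net' or
    'wayport.net.example.com', which is exactly what a lookalike relies on."""
    return host == domain or host.endswith("." + domain)


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: a real implementation
    should consult the Public Suffix List so that e.g. 'example.co.uk' works."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_portal(url: str, known=KNOWN_PORTAL_DOMAINS,
                    brands=BRAND_TOKENS, max_distance: int = 2):
    """Return ('trusted', domain), ('lookalike', reason) or ('unknown', domain).
    Only an exact allowlist match is trusted; plausibility is never enough."""
    host = hostname_of(url)
    for domain in sorted(known):
        if belongs_to(host, domain):
            return "trusted", domain
    reg = registrable_domain(host)
    for domain in sorted(known):
        if levenshtein(reg, domain) <= max_distance:
            return "lookalike", f"resembles {domain}"
    compact = host.replace("-", "").replace(".", "")
    for brand in brands:
        if brand in compact:
            return "lookalike", f"uses brand name {brand}"
    return "unknown", reg


if __name__ == "__main__":
    # Constructed sample portal URLs; the first two hostnames are from the post.
    for sample in ("https://nmd.mcd07221.sjc.wayport.net/login",
                   "https://mcdonaldswifi.net/",
                   "https://wayp0rt.net/login",
                   "https://wayport.net.example.com/login",
                   "https://coffeeshop.example/"):
        print(f"{hostname_of(sample):40} -> {classify_portal(sample)}")
```

The design choice worth noting is that the verdict never depends on the certificate or on how official the page looks: both were genuine in the experiment above. The only signal the client has is whether the registrable domain is one the operator actually uses, so anything not on the allowlist is at best "unknown", and a name that borrows a brand without being under the brand's domain is flagged rather than given the benefit of the doubt.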
You might notice I haven't mentioned which airline this experiment was carried out on - and that's deliberate. The simple fact is that it doesn't matter which airline it was - the results would have been roughly the same regardless of which airline was used. Or which coffee shop. Or any other location where either login or payment for wifi was required.