Can someone knowledgeable elaborate on how this works? I'm not well versed in wi-fi MITM techniques.. Does it inject packets, pretending to be from Facebook's servers or is there some other trick to it?
This isn't a wi-fi MITM. It's just stealing a facebook/twitter session ID from the packets, tricking facebook/twitter to think the attacker is the real user.
It isn't a MiTM attack, it is a listening-in attack.
A wireless network is essentially a hub, rather than a switched network, and as such all hosts on one leg of the network get to see all the packets transported through it no matter what their source or destination and it is up to your network card and/or OS to filter out those that are relevant to it. In a switched arrangement (which all modern wired networks are) by contrast, the switch is bright enough to only send your NIC ethernet frames that are addressed to it.
Even if the network is passkey protected this does not stop all hosts seeing all the packets: the password and encryption are only for authentication and protecting the network from the outside, it offers no protection from other nodes on the same network leg once you have joined.
So an attack like firesheep doesn't need to inject anything pretending to be from the target node to get facebook to send it the session token - it simply sets the network interface to "promiscuous mode" so that it can see all the packets and not just those addressed to your machine. It then sifts through those packets looking for HTTP headers containing cookies destined for facebook, and reads the session token from them. Once you have that token you can make HTTP requests to facebook as if your browser is the one that opened that session, so you can post as that user and read all their stuff without knowing their password. The same goes for any other service operating over plain HTTP.
The only way around this with current wireless protocols is to use a secure transport for your communications. SSL based protocols, like HTTPS for instance, would protect the content of the communication from such inspection. The same goes for SSH, SFTP, IMAPS, and so forth. For facebook specifically you can switch on the "always user HTTPS" security option to protect yourself if using a web browser to access the service, but be aware that neither the iPhone or Android applications currently respect this setting.
If I ever connect my netbook to a public wireless network I always run all communication through an OpenVPN setup that I have - this way all packets travelling in and out of my machine are encrypted in a way that protects them from inspection by other hosts on the same access point, even if the packets themselves are not protected (by being part of an HTTPS stream for instance). This probably isn't an option for the non-technical man-on-the-street, nor does it currently protect streams direct from my phone (though I'm told OpenVPN can be made to work on Andriod, I have yet to try) if I ever let it connect to a public wireless access point, so isn't a perfect solution.
> A wireless network is essentially a hub, rather than a switched network, and as such all hosts on one leg of the network get to see all the packets transported through it no matter what their source or destination
The article claims that it works on WPA-2, but WPA-2 doesn't work the same way. WPA-2 uses individual encryption between the router and the device. This happens to be one of the biggest reasons it's recommended over unencrypted or WEP encryption, which are both passively sniffable. With WPA-2, you don't get all traffic on the network, you have to trick hosts on the network to explicitly send it to you.
To sniff WPA-2 traffic, this app must generate some kind of active MITM attack, probably ARP spoofing or flooding. I feel [very slightly] bad for the poor guy who tries this on his campus network and gets nailed in about four seconds.
Assuming you mean WPA2-PSK, it's easily sniffable as well. You can start up a copy of Wireshark and enter the network password and you'll see everything, as long as you capture the initial key negotiation traffic when a client connects to the network.
If you connect before the eavesdropper then WPA-2 will protect you as you will have a per-client key by that point.
But if the eavesdropper was present on the network as you joined I believe it is possible to intercept that key during the negotiation process, due to flaws in the design of that process.
This may be impossible to prevent (for non-https users) but can't it at least be detected, i.e. in a coffee house setting, since the probability of two devices requesting the same user's FB page under normal circumstances is almost nil. Then you can let all requesters know and block any further traffic.
IDEABOLT: How about a startup selling self-contained routers to e.g. Panera, Starbucks, or B&N that can add this extra security. Then they can advertise this as an extra differentiating feature.
This doesn't just affect mobile usage of social networks. It.s basically just FireSheep running on a mobile platform. Any one accessing those social networks over a network with someone running this is vulnerable.
12 comments
[ 3.1 ms ] story [ 42.3 ms ] threadFiresheep for Android.
A wireless network is essentially a hub, rather than a switched network, and as such all hosts on one leg of the network get to see all the packets transported through it no matter what their source or destination and it is up to your network card and/or OS to filter out those that are relevant to it. In a switched arrangement (which all modern wired networks are) by contrast, the switch is bright enough to only send your NIC ethernet frames that are addressed to it.
Even if the network is passkey protected this does not stop all hosts seeing all the packets: the password and encryption are only for authentication and protecting the network from the outside, it offers no protection from other nodes on the same network leg once you have joined.
So an attack like firesheep doesn't need to inject anything pretending to be from the target node to get facebook to send it the session token - it simply sets the network interface to "promiscuous mode" so that it can see all the packets and not just those addressed to your machine. It then sifts through those packets looking for HTTP headers containing cookies destined for facebook, and reads the session token from them. Once you have that token you can make HTTP requests to facebook as if your browser is the one that opened that session, so you can post as that user and read all their stuff without knowing their password. The same goes for any other service operating over plain HTTP.
The only way around this with current wireless protocols is to use a secure transport for your communications. SSL based protocols, like HTTPS for instance, would protect the content of the communication from such inspection. The same goes for SSH, SFTP, IMAPS, and so forth. For facebook specifically you can switch on the "always user HTTPS" security option to protect yourself if using a web browser to access the service, but be aware that neither the iPhone or Android applications currently respect this setting.
If I ever connect my netbook to a public wireless network I always run all communication through an OpenVPN setup that I have - this way all packets travelling in and out of my machine are encrypted in a way that protects them from inspection by other hosts on the same access point, even if the packets themselves are not protected (by being part of an HTTPS stream for instance). This probably isn't an option for the non-technical man-on-the-street, nor does it currently protect streams direct from my phone (though I'm told OpenVPN can be made to work on Andriod, I have yet to try) if I ever let it connect to a public wireless access point, so isn't a perfect solution.
The article claims that it works on WPA-2, but WPA-2 doesn't work the same way. WPA-2 uses individual encryption between the router and the device. This happens to be one of the biggest reasons it's recommended over unencrypted or WEP encryption, which are both passively sniffable. With WPA-2, you don't get all traffic on the network, you have to trick hosts on the network to explicitly send it to you.
To sniff WPA-2 traffic, this app must generate some kind of active MITM attack, probably ARP spoofing or flooding. I feel [very slightly] bad for the poor guy who tries this on his campus network and gets nailed in about four seconds.
But if the eavesdropper was present on the network as you joined I believe it is possible to intercept that key during the negotiation process, due to flaws in the design of that process.
IDEABOLT: How about a startup selling self-contained routers to e.g. Panera, Starbucks, or B&N that can add this extra security. Then they can advertise this as an extra differentiating feature.