The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks, authentication to wireless networks can either be cracked or intercepted, and our ability to capture credentials at a network level has long been established. Often, the most significant protection users have are hitting the right button on an error message they rarely understand. Worse for the user, these attacks can be repeated per wireless network allowing an attacker to target the weakest link.
This combination of vulnerable and heavily used communications should mean that an attacker needs just arrive at a location and setup for credentials and access to start dropping from the sky. However, the reality is far from this; karma attacks work poorly against modern devices, network authentication of the weakest sort defeats rogue APs and interception tools struggle to find useful details.
This talk is the result of our efforts to bring rogue AP attacks into the modern age. The talk will provides details of our research into increasing the effectiveness of spoofing wireless networks, and the benefits of doing so (i.e. gaining access). It includes the release of a new rogue access point toolkit implementing this research.
Dominic is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 10 years. He is responsible for SensePost's wireless hacking course, Unplugged. He tweets as @singe.
Ian de Villiers is a security analyst at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of advisories relating to portal platforms. He has also provided security training and spoken at security conferences internationally. Ian previously published numerous tools, such as reDuh http://research.sensepost.com/tools/web/reduh, but more recently, SapProxy http://research.sensepost.com/cms/resources/tools/servers/sapprox/44con_2011_release.pdf