
# The tale of a rogue access point

Peter Kasza

## Wireless for all

In late 2014 UPC activated a roaming wifi service called Wi-Free on its CPE devices. The service is designed to let subscribers use each other's network connections and thus form a kind of roaming network. It is appealing to many users because it provides fast and unlimited internet access almost everywhere, in contrast to the usually slow and expensive mobile data packages.

The service is activated for all subscribers by default, with the possibility to opt out, in which case the user can no longer access the wireless network.

### How it works

The Wi-Free service works by setting up a secondary access point on Wi-Fi enabled devices. Subscribers can register for a username/password pair to access the network. New users are assigned a randomized eight-character password consisting of alphanumeric characters and symbols.

When a user connects to an access point he/she gets a public IP address on UPC's network. All traffic between the private network (including the CPE device) and the roaming wifi is firewalled off; the router acts only as a gateway forwarding packets to the public internet. Compromising the gateway from the Wi-Free network is not possible without some serious vulnerability in the firewall or in the network stack of the device's operating system.

### The weak spot

The secondary access point is protected by WPA2-Enterprise using the PEAP/MSCHAPv2 802.1X authentication protocol. WPA2-Enterprise authentication is generally considered secure only if both the access point and the client can verify each other's authenticity and the authentication is carried out over a secure protocol. The authenticity of the client can be verified either by a certificate or by the credentials it provides. The authenticity of the server must be verified using a trusted certificate.

Without server authentication, a malicious user could easily set up a rogue access point which advertises itself as part of the wifi network but secretly gathers the credentials sent to it by users trying to connect. The attacker could also perform a MITM attack by providing network access.

Unfortunately UPC provides no CA certificate for its Wi-Free access points and has made no attempt to warn its users about this kind of attack. A user connecting to the Wi-Free network cannot know whether he/she is connecting to a legitimate access point. To make matters worse, most devices automatically try to connect to wireless networks whose name (ESSID) matches the name of a network they have connected to before.
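As an added illustration, not part of the original post, the following script audits wpa_supplicant `network={...}` blocks for exactly the gap described above: a WPA-EAP profile with no CA certificate and no expected server name, which is what lets a rogue access point present any certificate. The config fragments, the CA path and the RADIUS server name are constructed placeholders, and the fixed block shows the settings a client needs in order to reject an impostor before MSCHAPv2 ever runs.

```python
import re

# Constructed wpa_supplicant.conf fragments (not from the original post).
# WEAK mirrors the setup the article describes: PEAP/MSCHAPv2 with no CA
# certificate, so the client accepts whatever server certificate it is shown.
WEAK_CONF = """
network={
    ssid="UPC Wi-Free"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
"""
# HARDENED pins the operator CA and expected server name (both assumed paths
# and names), so a rogue AP's certificate is rejected before MSCHAPv2 runs.
HARDENED_CONF = """
network={
    ssid="UPC Wi-Free"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/operator-ca.pem"
    domain_suffix_match="radius.example.net"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)

def parse_networks(conf):
    """Return one dict of key/value pairs per network={...} block."""
    return [{k: v for k, _, v in KV_RE.findall(body)}
            for body in BLOCK_RE.findall(conf)]

def audit(conf):
    """Map each WPA-EAP SSID to the server-validation settings it lacks."""
    findings = {}
    for net in parse_networks(conf):
        if net.get("key_mgmt") != "WPA-EAP":
            continue
        missing = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            missing.append("ca_cert")          # no trust anchor for the server
        if not any(net.get(k) for k in ("domain_suffix_match", "domain_match",
                                        "subject_match", "altsubject_match")):
            missing.append("server name match")  # any cert from that CA accepted
        findings[net.get("ssid", "?")] = missing
    return findings
```

Running `audit` over the weak fragment reports both settings missing; over the hardened one it reports nothing, which is the state every Wi-Free client profile should be in.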

## The attack in detail

### Setting up the rogue AP

To perform the attack the attacker needs to set up both an access point and an authenticator. On Linux this can be done using hostapd and freeradius.

There is a modified version of the FreeRADIUS server called freeradius-wpe, which adds patches for logging credentials and is preconfigured to request the weakest authentication method possible. Unfortunately for the attacker, the authentication method cannot be downgraded to a plaintext method in this case. To gain access to the Wi-Free network, the attacker has to crack a NETNTLM hash.

NETNTLM hashes are a challenge-response variant of the NTLM hash. Both the client and the server choose a random challenge, so cracking these hashes using a rainbow table is not possible. Brute-forcing is still an option, however, and a powerful GPU would crack any eight-character NETNTLM password in a matter of days.

freeradius-wpe logging a sample NETNTLM hash:

## Conclusion

We have shown that it is possible to gather a large number of credentials for the Wi-Free network and that choosing a stronger password doesn't increase the time needed to brute-force the key. An attacker can perform a MITM attack using the rogue access point or, using the recovered key, decrypt previous traffic where the 4-way handshake was captured.

Never trust networks you don't own. If possible, connect through a trusted VPN. It might not solve every problem, but at least your traffic will be protected.