A large number of the wireless Internet connections in Brazil are exposed to man-in-the-middle (MitM) attacks because they’re not secured properly, a researcher has warned.
André Luis Pereira dos Santos conducted experiments to determine how difficult it would be for an attacker to hijack Wi-Fi connections and capture users’ data. The problem, according to the expert, is that the routers provided by many Brazilian Internet service providers (ISPs) to customers use MAC address authentication, instead of wireless security protocols like WEP or WPA.
A report provided by the researcher to SecurityWeek shows that three main elements were used in the experiments: a DD-WRT wireless access point (AP), a high-gain omnidirectional antenna, and a physical or virtual server with proxy/MitM software installed on it.
By configuring the AP with the same service set identification (SSID) and basic service set identification (BSSID) as the targeted AP, an attacker can intercept both SSL and non-SSL traffic within the antenna’s range by using open-source proxy software such as mitmproxy. As an evasion tactic, the attacker can drive around in a car while capturing data, Pereira dos Santos noted.
“The AP is connected to a server running the transparent proxy with a stack to make the MitM (mitmproxy). The proxy will receive the connection from AP, log all traffic to port 80 (HTTP) and if the connection goes to port 443 (SSL) the proxy will make the MITM attack (forging a certificate, open the stream, log all stream, make a connection to destination with true certificate and send the stream to destiny),” the researcher explained in his report.
In the case of SSL connections, potential victims are presented with a Web browser alert when the attacker attempts to intercept their traffic, but the expert believes at least half of users ignore these types of warnings.
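From the defender's side, the SSID/BSSID cloning described above can be spotted by a fixed wireless sensor, because two radios sharing one identity rarely agree on channel and signal strength. The following heuristic is an added example, not code from the researcher's report; the `Beacon` record layout, the 25 dB threshold and the sample scan are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:  # one observed beacon frame (hypothetical record layout)
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int

# Constructed sample scan from one fixed sensor; every value is made up.
SCAN = [
    Beacon("ISP-Cliente", "02:00:00:AA:BB:01", 6, -78),
    Beacon("ISP-Cliente", "02:00:00:aa:bb:01", 6, -80),
    # Same SSID and BSSID, but another channel and a much stronger signal.
    Beacon("ISP-Cliente", "02:00:00:aa:bb:01", 11, -41),
    Beacon("Office", "02:00:00:aa:bb:02", 1, -60),
    # Second legitimate AP of the same network: same SSID, its own BSSID.
    Beacon("Office", "02:00:00:aa:bb:03", 1, -63),
    Beacon("Office", "02:00:00:aa:bb:02", 1, -62),
]

def find_cloned_aps(beacons, rssi_spread_db=25):
    """Map (ssid, bssid) -> list of inconsistent attributes seen in one scan."""
    groups = defaultdict(list)
    for b in beacons:
        # MAC addresses are case-insensitive; normalise before grouping.
        groups[(b.ssid, b.bssid.lower())].append(b)
    findings = {}
    for identity, seen in groups.items():
        reasons = []
        # One radio beacons on one channel within a short scan window.
        if len({b.channel for b in seen}) > 1:
            reasons.append("channel")
        # A fixed sensor should see a roughly stable level from a fixed AP.
        levels = [b.rssi_dbm for b in seen]
        if max(levels) - min(levels) >= rssi_spread_db:
            reasons.append("rssi")
        if reasons:
            findings[identity] = reasons
    return findings

if __name__ == "__main__":
    for (ssid, bssid), why in find_cloned_aps(SCAN).items():
        print(f"possible clone of {ssid} [{bssid}]: inconsistent {', '.join(why)}")
```

A legitimate AP can change channel on its own (automatic channel selection), so a hit is a lead to investigate rather than proof of a rogue device.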
Cybercriminals can leverage the lack of security to steal personal and financial data, and even to blackmail their victims. In addition to stealing intercepted data, an attacker can also modify HTTP requests and responses on the fly to inject malware, the researcher said.
In the first half of 2014, the expert conducted tests on the wireless connections of 420 companies in 552 locations all over Brazil. Pereira dos Santos found that 37% of Wi-Fi connections are vulnerable to such attacks. He believes the situation could be similar in other countries as well.
The researcher told SecurityWeek that he conducted tests both in a laboratory environment and in the wild with the aid of numerous friends. A car was used to test the mobility aspect of the attack.
Around one third of the affected ISPs have been notified, but Pereira dos Santos says it’s impossible to reach out to all companies considering that many of them are small and highly distributed. While some of the affected service providers have promised to notify their tech departments of the problem, others have denied that an issue exists.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
