9

Say I enter a place with public WIFI. Of course, I would not connect to the network since I know it's risky, but I do have my computer turned on. Can an attacker know my computer is there and force a connection to it? If they would be able to do so, then my precaution is wasted, and any attacks a malicious network could do would be done.

Telling me whether this could be done and how to stop it would be very helpful, thanks.

As a side note, connecting to a known network may not be safe either: could hackers "replace" an existing network with a malicious network with the same name? If so, how do I protect myself against it?

user1608487

2 Answers

16

Yes, under certain conditions.

If you have previously connected to a "hidden" wireless network, your NIC may continuously broadcast their BSSIDs in hopes of connecting to them. It's the only way to "automatically" connect to a hidden network, because there is otherwise no way for the card to know when it is in range of a known hidden network.

This looks like this:

Hello, 'Home Network'? Are you there?
Hello, 'Office W-Lan'? Are you there?
Hello, 'Home Network'? Are you there?
Hello, 'Office W-Lan'? Are you there?
...

An attacker can listen to these probes and reply with "Hello, here is this 'Home Network' you are looking for." If the network was unsecured, or you have an OS that doesn't mind quietly deprecating security, you will then automatically connect to a malicious network.

This of course has a lot of "if" conditions, so whether this is a real problem for you in practice is not certain.

  • How do I prevent this? Just turning off WIFI? This means that if I have never connected to a hidden network I'm safe, right? – user1608487 May 27 '20 at 13:45
  • 2
    Also, what do you mean by "quietly deprecating security OS"? – user1608487 May 27 '20 at 13:46
  • 2
    @user1608487 Quietly deprecating security means if your access point "Home Network" is a WPA2 network, then the OS should only attempt to auto-connect if the other network is also WPA2. But on a badly-configured OS, it would also auto-connect to an OS without a password. I don't know if any modern OS actually does that or not, but it's possible. As for how to prevent it, not connecting to any hidden OSes helps, or at least not auto-connecting to them. –  May 27 '20 at 14:20
  • 1
    The definitive way to prevent this across different OSs is to only use WPA2/Enterprise networks with certificate validation. All other options are subject to how the OS handles Wi-Fi connections. – Pedro May 27 '20 at 14:24
  • 2
    @Pedro Sadly, that's not really a feasible option for most home networks. And even if, sometimes you need to connect to networks beyond your control. –  May 27 '20 at 14:41
  • Note that some OSes have some protection against this by asking users whether they want to automatically connect to a network (hidden or otherwise) if this network is in a different location than expected. – Nzall May 28 '20 at 07:01
  • @Nzall True, but it requires the OS to have some location information. On a mobile device, that *can* be possible - on a laptop, most likely not. –  May 28 '20 at 08:18
  • 1
    As a note, if the hacker knows the SSID of a network you have previously connected to, they don't even need you to have connected to a hidden network before as many OSes will automatically connect to any network they recognize. – user9123 May 28 '20 at 10:23
3

To answer the side note, a hacker could make a rogue access point or "evil twin" access point. This would not replace the known network, but it will pretend to be the known network by using the same SSID and BSSID as it. If the network is unsecured (i.e. it's a free public WiFi hotspot), any device that comes along with the connection details will connect to it automatically if it has a stronger connection to it than the original router. If the network is secured, getting clients to connect becomes harder, but it is still possible; the attacker would just have to capture the WPA2 handshake to gain the pre-shared key (PSK). They then configure their access point to use the same PSK as the actual network. Hackers often use a Wi-Fi Pineapple or similar device to perform this type of attack. More info on Evil Twin APs

RandyAnon
  • Well, the PSK can't be captured unless the real PSK is known by an access point since the handshake will not proceed. – multithr3at3d May 27 '20 at 14:51
  • @multithr3at3d The handshake could be captured if the attacker has physical proximity to a network and is able to observe a device connecting to it. (They would need the computational resources to crack the handshake in order to obtain the PSK, though.) – Nonny Moose May 27 '20 at 22:21
  • 1
    @NonnyMoose yes, but the key is that the real network has to be in range. You cannot get a client to complete a handshake without knowing the PSK, hence why an evil twin attack does not work in that case. – multithr3at3d May 27 '20 at 23:05
  • I'm not an expert on WPA by any means, but if I'm not mistaken, the PSK is transmitted hashed with a salt provided by the access point, right? So surely you can configure your "evil twin" access point to transmit the same salt (from the captured handshake) every time to allow the client to connect (by matching the hash to the valid hash from the handshake) without even knowing the PSK. Alternatively, the evil twin can just ignore the transmitted hash and associate regardless, pretending that the key was correct, right? – user9123 May 28 '20 at 10:28
  • 1
    After some more research, it is in fact not possible, and the access point must know the PSK. For more info see [this](https://security.stackexchange.com/questions/91232/does-a-wpa2-psk-authentication-only-succeed-if-both-parties-know-the-pre-shared?rq=1) question. – user9123 May 28 '20 at 13:27
  • In this case the evil twin AP would be set up at the same site as the original AP and would also be in range of it. – RandyAnon May 31 '20 at 06:40
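Both answers above come down to the same client-side rule: a saved network should only be auto-joined when what the card actually sees matches the saved profile in name, BSSID and security type, and hidden profiles (the ones the card probes for by name) should never be auto-joined at all. The following is an added example, not code from the question or either answer: it models that decision over a constructed scan, with dataclass names, field names and sample BSSIDs that are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:            # one access point seen in a scan
    ssid: str
    bssid: str
    security: str        # "open", "wpa2-psk" or "wpa2-eap"

@dataclass(frozen=True)
class Profile:           # a network the client has saved
    ssid: str
    bssid: str
    security: str
    hidden: bool = False

def evaluate_scan(profiles, beacons):
    """Return (auto_join, warnings): SSIDs whose beacons match the saved profile
    exactly, and one warning per saved network that was seen but refused."""
    by_ssid = {}
    for b in beacons:
        by_ssid.setdefault(b.ssid, []).append(b)
    auto_join, warnings = [], []
    for p in profiles:
        seen = by_ssid.get(p.ssid)
        if not seen:
            continue
        if p.hidden:
            # Hidden profiles are the ones the card probes for by name; never auto-join.
            warnings.append(f"{p.ssid}: hidden profile, ask the user before joining")
        elif {b.bssid for b in seen} != {p.bssid}:
            # Extra or unexpected BSSIDs under a known name: possible evil twin.
            warnings.append(f"{p.ssid}: advertised by unexpected BSSIDs {sorted(b.bssid for b in seen)}")
        elif any(b.security != p.security for b in seen):
            # Same name and BSSID but different security: refuse the silent downgrade.
            warnings.append(f"{p.ssid}: saved as {p.security} but seen as {seen[0].security}")
        else:
            auto_join.append(p.ssid)
    return auto_join, warnings

# Constructed sample data, not from the page: three saved networks and one scan.
PROFILES = [
    Profile("Home Network", "aa:bb:cc:00:00:01", "wpa2-psk"),
    Profile("Office W-Lan", "aa:bb:cc:00:00:02", "wpa2-eap", hidden=True),
    Profile("CafeFree", "aa:bb:cc:00:00:03", "open"),
]
SCAN = [
    Beacon("Home Network", "aa:bb:cc:00:00:01", "open"),  # cloned SSID and BSSID, no encryption
    Beacon("Office W-Lan", "aa:bb:cc:00:00:02", "wpa2-eap"),
    Beacon("CafeFree", "aa:bb:cc:00:00:03", "open"),
    Beacon("CafeFree", "de:ad:be:ef:00:01", "open"),       # second AP using the known name
]
```

Running `evaluate_scan(PROFILES, SCAN)` auto-joins nothing and returns one warning per saved network; only a scan in which "Home Network" appears with its saved BSSID and WPA2 is accepted.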