2

Free public WiFi, for example Starbucks, is convenient. I wonder if there is a way to verify that a laptop has connected to the Starbucks wireless router and not to a man in the middle that tricked my laptop using ARP spoofing.

I might use Starbucks WiFi to connect to a corporate VPN. Would it make sense to do a quick banner grab and common port scan of my default gateway to see if anything looks odd before I try to connect to the corporate VPN? Does Starbucks use a consistent RFC 1918 private network IP address for the router?

For this question assume the bad guy did his homework.

- My laptop receives an ARP spoof before I am able to connect to my VPN.

- The man in the middle has a certificate from a trusted CA: https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html

user584583
  • Obtaining a fake certificate is a step *way* beyond "doing your homework" -- while it can be done, as a rule it's not easy. Certificates *are* the protection against a MitM attack. – cpast Mar 19 '15 at 22:57
  • I agree, but for the sake of this question, I want to hear what besides certificates can be investigated to try to assess risk at Starbucks. – user584583 Mar 20 '15 at 00:06

3 Answers

3

There are a few ways that you can detect if you are a victim of a MITM attack, where the attacker has the ability to divert traffic and/or to create bogus certificates from a trusted CA.

In the case where you are connecting to a host that you've previously connected to, certificate pinning can be used. With certificate pinning, your client stores the certificate that the host has used previously, and alerts you if the certificate has changed. This is how people in Iran discovered the MITM attack that the Iranian government was conducting in 2011 against Iranian citizens, using certificates issued by the CA Diginotar, which had been compromised. See https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

Another way to detect a fake certificate served by a MITM attacker is to use a service like Perspectives (http://perspectives-project.org/) or Convergence (http://convergence.io/). These services work by creating a trusted distributed group of peers, or 'notaries' that work together to verify that every peer is seeing the same certificate for a given host, and connections between peers are done via PKE using pre-shared keys.

mti2935
2

Not really, no.

First, some terms. You mention ARP spoofing; this is not something you can detect at the IP level. ARP is what tells you which MAC address to address your frames to in order to send them to a given IP; ARP spoofing means you think you're sending them to the right IP, but your device addresses them to the attacker at the MAC layer. This can, however, be detected by software that monitors ARP traffic (by paying attention to ARP updates, and noticing when someone sends one that seems to conflict with a previous update).

The defense to a MitM attack on a TLS-based VPN is certificates (others use shared secrets). Someone with a forged certificate has gone well beyond the "done their homework" stage, into the "this is a serious attacker with serious capabilities" stage. Relying on things that aren't designed to stop a MitM in any way and are easily replicable (like an RFC 1918 address, or the list of open ports) is not likely to work. If the bad guy has the capabilities your question implies, they can just forward all packets on to the router unchanged except for those they want to mess with. You can't detect this, except by checking the public key of the VPN certificate against a known-good value, or by detecting the ARP spoofing in the first place.

There are other things an attacker could do; for instance, they could set up a rogue AP connected to the real one. This doesn't involve ARP spoofing, and can't be detected at the IP layer. It's not all that difficult.

Basically: There are ways to do an MitM attack. To prevent that, certificates were invented; the point of a certificate on a VPN is to prevent MitM attacks. You're asking how to avoid an MitM while assuming the thing designed for that exact purpose has been compromised.

cpast
  • Good points. The main reason I wanted to avoid certificates as the solution is that many non-technical users will ignore certificate warnings and accept them. – user584583 Mar 20 '15 at 00:14
  • Does anyone know of software that can detect ARP spoofing that you have used and would recommend? – user584583 Mar 20 '15 at 00:15
  • for example https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html – user584583 Mar 21 '15 at 15:50
1

XArp can be used for detecting ARP attacks. You can also use Wireshark to analyze traffic flow through your device or observe ARP tables to detect ARP spoofing!
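The check that cpast's answer describes (watch ARP updates and notice one that conflicts with an earlier binding) and that XArp automates is small enough to show in code. The following Python is an added example, not code from any of the answers or from XArp/Wireshark; it parses raw Ethernet/ARP frames and the MAC and IP values in the sample frames are made up for the demonstration.

```python
import struct
import ipaddress

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II frame carrying an IPv4 ARP packet (only used to make sample input)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    hw, proto, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # Requests and replies both carry a sender binding, so either kind can poison a cache.
    return opcode, mac_str(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32]))


class ArpMonitor:
    """Learn IP->MAC bindings from ARP traffic and flag any later frame claiming a different MAC.

    known: optional trusted bindings (e.g. the gateway MAC noted on an earlier visit), so the
    monitor need not trust whichever binding happens to arrive first after joining the network.
    """

    def __init__(self, known=None):
        self.bindings = dict(known or {})

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        opcode, mac, ip = parsed
        first = self.bindings.setdefault(ip, mac)
        if first != mac:
            return f"ARP conflict for {ip}: known {first}, now claimed by {mac} (opcode {opcode})"
        return None
```

On a real host the frames would come from a packet capture rather than `build_arp`; because a learn-first monitor trusts the first binding it sees, seed `known` with the gateway's MAC from a previous visit if you want to catch a spoof that starts before you join.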