54

My dad sent me this video asking if he should be worried about this.

The video shows:

  • a wifi AP broadcasting an airport's wifi name
  • security researcher seeing the sites the victim browses
  • security researcher viewing files accessed by victim on cloud storage
  • victim installing attacker's "free wifi" app
  • the app giving the security researcher full control over the device

Obviously most folks should be wary of untrusted WiFi networks, but there are a couple of strange things occurring that make me wonder if this is just an over-hyped hacker story.

First, the Google search he performs seems to be protected by TLS; how is that possible with just MitM?

Then he does some truly mind-blowing stuff like being able to access the microphone, record audio and send it to himself. No way that’s done via just an MitM over WiFi.

Am I missing something, or does this community concur that this video is either over-simplified or just plain deceitful?

Connecting to a strange WiFi might get you into trouble, but it alone cannot cause this level of compromise... can it?

multithr3at3d
keithRozario
  • I am not sure a user connecting to an open AP could be considered a Man-in-the-Middle attack. I'd qualify it more as a social engineering attack: you present yourself as some "safe" entity (be it _"hi this is your faculty's IT department"_ or _"hi I'm the electrician from the insurance company"_ or _"hi this is your airport's WiFi AP"_) and convince them to give you sensitive information / access to their device (be it _"I need your user/pass to fix your computer"_ or _"I need to enter the server room to check the wall sockets"_ or _"I need you to install this app for you to have free WiFi"_). – walen Jan 20 '20 at 08:48
  • Also, the purpose of such videos is not to be educational or useful, but to urge the viewer to share it, and to gather ad clicks on the website they are shared on. Therefore they are often over-sensational and inaccurate, even in cases where they do contain a grain of truth. – vsz Jan 21 '20 at 05:13
  • @walen The two aren't exclusive. Most MITM attacks exploit social engineering. Heck, even the stupidest viruses like ILOVEYOU were really social engineering. – Luaan Jan 22 '20 at 12:09

5 Answers

72

> Am I missing something, or does this community concur that this video is either over-simplified or just plain deceitful?

I wouldn't say it's deceitful, but it's definitely overhyped/oversimplified.

> First, the Google search he performs seems to be protected by TLS; how is that possible with just MiTM?

Yes. In order to do that, he would have to either strip SSL or install a root CA certificate on the mobile device. So you can't simply MITM https websites (the video over-simplifies it).

> Then he does some truly mind-blowing stuff like being able to access the microphone, record audio and send it to himself. No way that’s done via just an MiTM over WiFi.

Of course not. You can't just use a phone's microphone via MITM over wifi. As you can see in the video itself, he says that you make a victim install an application and then you can record the microphone or access data on the phone. He obviously oversimplifies it. Not only will the victim have to install the application, but they also have to give all the required permissions to the app (if you are dumb enough to do that, I guess you could make someone install a root CA as well).

> Connecting to a strange WiFi might get you into trouble, but it alone cannot cause this level of compromise .... isn’t it?

At the end of the day, using public WIFI is similar to being in the same network as the attacker, but that's about it. Don't be stupid, keep software updated and be informed about security. The story is overhyped. Same as the ads from VPN companies.

terdon
yeah_well
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/103738/discussion-on-answer-by-vipul-nair-are-all-these-attacks-possible-with-wifi-mitm). – Rory Alsop Jan 26 '20 at 14:48
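To make the TLS point in this answer concrete, here is an added example (not code from the question, the answer, or the video): a small stdlib-only Python model of what an observer sitting on the Wi-Fi path can recover from the first bytes a client sends. For plaintext HTTP it gets the whole request, cookies included; for HTTPS it gets only metadata, in particular the hostname carried in the clear in the ClientHello's Server Name Indication (SNI). That is why a rogue AP can list which sites a device visits without decrypting anything, while the Google search query itself stays hidden unless the victim installs the attacker's root CA or is downgraded to HTTP. The flows are constructed inline, and `build_client_hello` is an assumption of this example (a minimal TLS 1.2 ClientHello with only an SNI extension), not a real capture.

```python
"""Added example: what an on-path Wi-Fi observer can read from a client's
first bytes, plaintext HTTP versus TLS. Stdlib only; all traffic below is
constructed for the demonstration, not captured from a real device."""


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying only an SNI
    extension (assumption: just enough structure for the parser below)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name       # name_type host_name(0)
    sni_list = len(entry).to_bytes(2, "big") + entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # ext type 0
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (
        b"\x03\x03" + b"\x11" * 32      # client_version + 32-byte random (fixed here)
        + b"\x00"                       # session_id length 0
        + b"\x00\x02" + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                   # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type client_hello(1)
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None.
    The name travels in the clear before any key exchange, so no decryption
    is involved; malformed input yields None instead of an exception."""
    try:
        if len(record) < 5 or record[0] != 0x16:           # not a handshake record
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if not hs or hs[0] != 0x01:                         # not a ClientHello
            return None
        pos = 4 + 2 + 32                                    # header, version, random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        if pos + 2 > len(hs):
            return None                                     # no extensions block
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:                                  # 0 = server_name
                continue
            q = 2                                           # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], int.from_bytes(data[q + 1:q + 3], "big")
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii", "replace")
                q += nlen
    except (IndexError, ValueError):
        return None
    return None


def summarize_http(payload: bytes) -> dict:
    """Parse a plaintext HTTP/1.x request: everything in it is readable."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "host": headers.get("host"),
            "path": target.decode(), "cookie": headers.get("cookie"),
            "body": body.decode(errors="replace")}


def observe(flow: dict) -> dict:
    """What the rogue AP learns from one flow ({'dst_port', 'payload'})."""
    if flow["dst_port"] == 80:
        return {"visibility": "full-content", **summarize_http(flow["payload"])}
    return {"visibility": "metadata-only",            # hostname, sizes, timing
            "host": extract_sni(flow["payload"]), "path": None,
            "cookie": None, "body": None, "bytes": len(flow["payload"])}


# Constructed sample flows (not a real capture).
CAPTURED_FLOWS = [
    {"dst_port": 80, "payload": (b"GET /search?q=flight+status HTTP/1.1\r\n"
                                 b"Host: example.org\r\nCookie: session=abc123\r\n\r\n")},
    {"dst_port": 443, "payload": build_client_hello("www.google.com")},
]


def report(flows=CAPTURED_FLOWS) -> list:
    return [observe(f) for f in flows]


if __name__ == "__main__":
    for entry in report():
        print(entry)
```

Run it and the HTTP flow shows path, query and cookie; the HTTPS flow shows only `www.google.com`. DNS queries leak the same hostname, so the practical defence on an untrusted network is not to hide the hostname but to make sure the content stays encrypted: keep TLS validation intact (no attacker root CA), and rely on HSTS to block the downgrade to HTTP that the answer calls "strip SSL".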
40

All the attacks are possible and not over-hyped. In fact, these attacks are found in the wild. But you missed a detail that makes your conclusions incorrect.

There are some steps that the attacker and the victim take that are skipped in the video, but those skipped steps are specific to devices and those specific attacks. The premise and the underlying threats and possibilities are not affected by the missed steps. The video can remain valid for a much longer time by not delving into those missed technical steps.

Because these attacks actually happen in the wild, it's not fair to say that the missing parts make this an "over-simplified" video, just edited to be accessible by a wide audience (and not a technical audience).

The skipped steps for these specific attacks on the victim side:

  • ignore security warnings
  • install certificates (which the victim can be easily deceived into doing)
  • install the app supplied by the attacker and give it the permissions it asks for (the "free wifi" app shown in the video)

Installing the certificates allows the attacker to view TLS-protected sites (browsing, Google searches, accessing cloud storage).

The video clearly states that it's the installing of the app that gives the attacker full control over the device (microphone, etc.) The app could also be used to install the certificates. So, no, it's not just being a man-in-the-middle that does it, but by being in the middle, it is possible to serve the malicious app. This is the detail you appear to miss.

I suspect that the video is actually edited to be out of chronological order to show the simple attacks first, then get more serious. The situation on the attacker side could simply be:

  1. broadcast a free wifi network that the victim is likely to trust (airport wifi)
  2. show a webpage asking the victim to install an "authentication" app in order to gain access to the free wifi (for security reasons)
  3. ask for permissions which give the app full control, install root certificates
  4. grant the victim access to the Internet
  5. profit
schroeder
  • "The video clearly states that it's the installing of the app that gives the attacker full control over the device (microphone, etc.) The app could also be used to install the certificates. So, no, it's not just being a man-in-the-middle that does it, but by being in the middle, it is possible to serve the malicious app. This is the detail you appear to miss". You're right. Thanks! – keithRozario Jan 19 '20 at 13:58
  • The video absolutely is deceitful clickbait. It says in big scary capital letters: "when you connect to a hacker's rogue Wi-Fi, they can see every password you enter [and] email you send [and] document you access." That's BS. Connecting to their Wi-Fi is not the problem. Installing their app or their certificate is the problem. You act like the video is improved by the fact that it ignores or glosses over the things you actually need to avoid doing to avoid being hacked - when a responsible video would have talked *only* about those things. – benrg Jan 20 '20 at 07:37
  • @benrg and it ***depends on the audience***. You assume that everyone is going to be able to understand and are able to interpret the nuance required to use a hacker's wifi and still be safe. – schroeder Jan 20 '20 at 07:39
  • @schroeder You are totally right. Unfortunately most people cannot comprehend that accessing the internet from a random network is not as safe as doing so from their home (and that's still not 100% safe like a lot of people seem to think). That's the whole point of the video in the end. – Giacomo Alzetta Jan 20 '20 at 07:56
  • @schroeder How does this video help such people in any way? Should they just... never connect to free wifi? The video tells them at the end to install "security solutions" to protect themselves (no examples are provided). How do you think that's going to go down? They'll probably search the Play Store for "security solution" and install whatever turns up, and give it all the permissions it requests. Installing dodgy apps is the real problem. Free wifi is a vector simply because free wifi is a thing that a lot of people want. "Security" apps are another vector. This video is not helping. – benrg Jan 20 '20 at 08:04
  • @benrg you act like "don't use free wifi" is some kind of new, controversial, or avant-garde advice. Are you unaware that that is the primary and most common advice by every authority to users and has been for years? And what's the alternative message for the video for non-technical audiences? "Here's an intentionally malicious network where the attacker will use every technical and psychological trick in the book (and some not in any book). But that's ok. You can use it safely as long as you do these steps ...." – schroeder Jan 20 '20 at 08:58
  • @schroeder but I kind of feel they should be a bit more honest and should show the complete steps taken, because at the end the solution they provide is 1. use security solutions, which is vague and won't help. What security solutions would help you if you install malware or a root CA? – yeah_well Jan 20 '20 at 10:24
  • @benrg he states that it makes it so "_the video can remain valid for a much longer time_" and that it simplifies it for the less technical viewer - not that it makes it a better video. – Baldrickk Jan 20 '20 at 12:10
  • @VipulNair a VPN would _help_ as it's only encrypted traffic that's being sent - at least against the certificate issue. If you install malware, then antivirus software detecting and automatically quarantining it might help. _might_ – Baldrickk Jan 20 '20 at 13:25
  • The thing one needs to be aware of is that you __don't__ install some random app just to get access to a public WiFi, even if it's a "genuine" WiFi AP. Especially if the app requires a bunch of fishy unrelated permissions. – Jasper-M Jan 21 '20 at 10:37
  • Exactly @Jasper-M. There's nothing MITM here. An airport is perfectly capable of developing an overreaching, poorly-implemented app with no effective oversight, which panders to vested interests, and then trying to foist it on users. It doesn't need a hacker at all, just normal-for-software quality standards. (For an extreme example, see the Sony DRM scandal). – Dannie Jan 21 '20 at 13:04
  • Sigh. To downvoters: the context is in the question: "are the attacks possible or over-hyped?" I'm not answering about the ***entire video contents*** but the ***attacks***. They are possible, and found in the wild. And as I clearly state, the video is edited to remove some details, but that does not change the attacks or the threats. – schroeder Jan 21 '20 at 19:02
  • -1 I agree with the objections others have raised. Of course these attacks are possible, but the question is specifically about the threat of a malicious AP / MitM attack, and users installing some random app is not unique to that (email or ads would be another possible vector; but the advice then wouldn't be 'don't use email', but 'don't install random apps'). – tim Jan 21 '20 at 19:27
  • As an aside, the last time I tried to install a certificate in Android >=7.0 it was a pain because user-installed certificates aren't trusted by default. Apps have to be specifically configured to allow them (which most - including Chrome - don't), and bypassing that required a rooted device. – tim Jan 21 '20 at 19:28
  • I agree with @benrg. It absolutely **is** over-hyped, the same as if I said "Don't go to certain third world countries; you'll get a venereal disease" without mentioning that you would have to engage in certain activities with certain locals for it to even be possible to get such a disease. The same is true here; if you don't engage in certain "unsafe" computing behaviors it's pretty much impossible for these attacks to occur, and leaving that out is bordering on scare tactics. – Michael Jan 22 '20 at 03:19
18

Everything derives from installing the App. Normally phone Apps are signed and limited to designated App Stores. You would have to disable unknown source protection, and manually allow installation. After that, the phone is owned and MiTM isn't even a factor.

So yes I think it's overhyped.

user10216038
  • It's entirely possible to get your "WiFi authentication" malware onto the app stores to give it an added layer of realism. Some of the wifi authentication processes for popular free internet providers (used in pubs, hotels etc.) require using an application to connect. The university internet provider Eduroam also uses a similar app that takes control of your wifi hardware and certificates in order to set you up on campus wifi. Those apps are available on the app store so I'm sure a functionally identical application by a malicious developer could be published too. – J.Doe Jan 20 '20 at 15:17
  • @J.Doe - All that is true but the logic is circular. Fundamentally what you're showing is that if an App compromises your phone, your phone can be compromised. None of which has anything to do with MiTM. – user10216038 Jan 20 '20 at 15:42
  • @J.Doe: if I can convince you to install my malicious "free wifi" app or "wifi security" app, you don't need to be on my network for me to steal your traffic. The MITM part here is superfluous. – Lie Ryan Jan 21 '20 at 13:02
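The previous two answers converge on the same point: the damage comes from the "free wifi" app and the permissions it is granted (step 3 of schroeder's attacker-side list, Jasper-M's "fishy unrelated permissions", and user10216038's "everything derives from installing the App"), not from the network position itself. Here is an added example of the check a reviewer or a cautious user can apply before trusting such an app: triage the permissions an APK's manifest requests against what its claimed purpose (Wi-Fi onboarding) could plausibly need, and flag the ones that hand over exactly the capabilities the video shows (microphone, messages, files, installing further packages). This is example code, not from the page or from any real app; the permission names are real Android ones, but both manifests are constructed, the `EXPECTED_FOR_WIFI_APP` set is an assumption, and the `networkSecurityConfig` check only surfaces that the app declares a custom config (the place where an app would opt in to trusting user-installed CAs, which tim's comment notes is off by default on Android 7+) without parsing that config itself.

```python
"""Added example: triaging the permissions an Android app requests against
what its claimed purpose needs. Manifests below are constructed, not taken
from any real app or from the video."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: what a Wi-Fi onboarding / captive-portal helper plausibly needs.
EXPECTED_FOR_WIFI_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.ACCESS_FINE_LOCATION",   # Wi-Fi scanning needs it on recent Android
}

# Real permission names; each maps to a capability the video attributes to the attacker.
HIGH_IMPACT = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files on shared storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing further APKs",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlays on top of other apps",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (reads and drives the UI)",
}


def requested_permissions(root) -> set:
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    names.discard(None)
    # Accessibility services are declared through the service's android:permission
    # attribute rather than <uses-permission>, so collect those too.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission"):
            names.add(svc.get(ANDROID_NS + "permission"))
    return names


def triage_manifest(manifest_xml: str, expected: set = EXPECTED_FOR_WIFI_APP) -> dict:
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(root)
    app = root.find("application")
    nsc = app.get(ANDROID_NS + "networkSecurityConfig") if app is not None else None
    high = {p: HIGH_IMPACT[p] for p in sorted(requested) if p in HIGH_IMPACT}
    unrelated = sorted(requested - expected)
    if high:
        verdict = "reject"
    elif unrelated:
        verdict = "review"
    else:
        verdict = "plausible"
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "unrelated_to_purpose": unrelated,
        "high_impact": high,
        # A custom config is where an app can opt in to trusting user-installed CAs
        # (Android 7+ trusts only system CAs by default), so its presence is worth a look.
        "custom_network_security_config": nsc,
        "verdict": verdict,
    }


# Constructed manifest resembling the "free wifi" app in the video (hypothetical package name).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freewifi.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Free Airport WiFi"
                 android:networkSecurityConfig="@xml/network_security_config">
        <service android:name=".Helper"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

# Constructed manifest of a portal helper that asks only for what it needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.portalhelper.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <application android:label="Portal Helper"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The same logic applies to the runtime permission prompts a user sees at install or first launch: a Wi-Fi helper that asks for microphone, SMS or "install unknown apps" is asking for the capabilities the video demonstrates, and declining those prompts (or not installing the app at all) removes the "full control" step regardless of which network the device is on.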
0

Just to complement the answers above.

A man in the middle attack is just forwarding the data it receives after looking at or modifying it. You can do some stuff with it, like changing some values or denying communications. Online game hacking is basically this same stuff. For example, the device sends a jump command; you can intercept it and change it for a crouch command. Notice that we did not do anything to the device itself; we just modified the data the device sent.

Now the good stuff: to get access to the device you need to locally install a program to control it, or you need to find one or multiple vulnerabilities that will let you run commands remotely. These vulnerabilities vary from device to device and are very hard to find in updated devices (zero days). Metasploit has a list of known vulnerabilities ready to use, but it's more difficult than just spoofing the Wi-Fi traffic. So a man in the middle can mess with unencrypted data, but to mess with the device you need to exploit it. If you do exploit it and get root, then you pretty much own the device and can do anything!

vakus
-3

This is definitely not overhyped. It can be done. I did the same thing recently to my test phones.

The attacks are indeed possible with the right tools, and the victim wouldn't even necessarily know.

One of the phones, I was able to dump call logs, sms messages, and contacts. I also accessed the mic for recording and both front and rear cameras for snapshots. I also sent an MP3 file to her speakers of a dog growling. I'm sharing 2 screenshots of the metasploit session helpscreen showing a few commands available to me.

[screenshot: some of the available commands]

schroeder
  • "and the victim wouldn't even necessarily know" - what did you install and what user interaction did it require? That seems to be the sticking point for people above. – schroeder Jan 20 '20 at 16:40
  • Ok, sorry. Yeah, on phone 1 I used Msfvenom to create an Android APK payload. I then copied that file to the phone's Download folder via USB. I clicked on the newly minted malicious APK file and plowed through all the virus warnings. Once installed, I had to open a reverse TCP session with meterpreter to get the access I needed. That's where I got the 2 screenshots. So, yeah, there's a lot of interaction from the victim to the attacker with that method. Phone 2 was less interactive. I put a payload in a link and disguised it as a tinyurl. All I did was click the link and noticed nothing else. – Chuck Woolson Jan 21 '20 at 03:53
  • Your phone 1 is nothing like the scenario in the question. Your phone 2 is, but you didn't go into details on that one. Can you expand on how your phone 2 test is similar to the video? – schroeder Jan 21 '20 at 07:10
  • Please provide details about this phone 2 and the link in question, because that sounds like nonsense to me. – Will Jan 21 '20 at 11:37
  • *payload in a link* - I assume this payload exploited a known or 0-day vulnerability in the phone's browser or OS to effectively do something similar and get a malicious app installed silently? – Peter Cordes Jan 22 '20 at 07:54