
April 21, 2016

Using spoofed Wi-Fi to attack mobile devices

By David Richardson

[Image: screenshot of the spoofed hotel Wi-Fi captive portal]
Does the screen above look familiar? It should. Millions of people around the world connect to public Wi-Fi networks on their mobile devices as they travel and seek their regularly scheduled Internet.
The problem is, not all networks are official. The image above is that of a fake, or spoofed, hotel Wi-Fi network; one created by Lookout for a demonstration on 60 Minutes.
Connecting to the network meant that the victim, in this case 60 Minutes’ reporter Sharyn Alfonsi, no longer had control over her data.
The attack is called a Man-in-the-Middle attack, as many in the security industry will recognize, and allows a person to intercept another person’s Internet connection and gather all of the information being transmitted across that network. This kind of attack has been around for years, impacting PC users, but today the mobile phone is just as susceptible.
Here’s how we did it:
At a high level
It all starts with a little social engineering: tricking the victim into handing over information or performing an action that the attacker intends. Given the way our data plans work in today’s world, most people are on a constant hunt for a Wi-Fi connection that will relieve them of their data usage. Knowing this desire to connect exists, an attacker can play into it by providing that very thing: a captive portal that looks just like a safe Wi-Fi connection. An attacker establishes this trust by modeling the portal (what you’re seeing in the picture above) after a familiar brand or a familiar experience.
In this case we built a captive portal that looked like the hotel Wi-Fi. It used the same name as the hotel, and led a victim to a page with the kind of connection instructions you would see when connecting to any hotel or airport Wi-Fi. Travelers would know this user experience and find comfort and trust in its familiarity. Then, they would connect.
Setting up the network
Setting up the network was actually fairly easy. We plugged a wireless router with an Internet connection into a hotel ethernet port. Then we gave the network the same name as the official hotel Wi-Fi network. That was essentially it.
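From the venue operator's side, a network that reuses the official name can be caught by comparing what is on the air against the hardware inventory. The following is an added example, not part of the original post or Lookout's tooling; the SSID, MAC addresses, scan records and function names are all constructed for illustration.

```python
# Added example: flag access points that reuse a venue's SSID but are not
# part of its hardware inventory. All names and values below are constructed.

# Venue inventory (assumed to be maintained by the network operator).
AUTHORISED = {"HotelGuest": {"a4:5e:60:00:10:01", "a4:5e:60:00:10:02"}}

# Constructed survey results, as a wireless sensor or site survey might report them.
SCAN = [
    {"ssid": "HotelGuest", "bssid": "A4:5E:60:00:10:01", "security": "WPA2", "rssi": -61},
    {"ssid": "HotelGuest", "bssid": "a4:5e:60:00:10:02", "security": "WPA2", "rssi": -70},
    {"ssid": "HotelGuest", "bssid": "02:1a:11:fa:ce:01", "security": "OPEN", "rssi": -38},
    {"ssid": "hotelguest ", "bssid": "a4:5e:60:00:10:77", "security": "WPA2", "rssi": -55},
    {"ssid": "CoffeeShop", "bssid": "3c:22:fb:00:00:09", "security": "WPA2", "rssi": -80},
]

def norm(ssid):
    """Fold case and surrounding whitespace so look-alike names still match."""
    return ssid.strip().casefold()

def find_spoofed_aps(scan, authorised):
    """Return (bssid, reasons) for each AP using a protected SSID without authorisation."""
    inventory = {norm(s): {b.lower() for b in macs} for s, macs in authorised.items()}
    # Security modes actually advertised by the authorised APs, per SSID.
    expected = {}
    for obs in scan:
        key = norm(obs["ssid"])
        if obs["bssid"].lower() in inventory.get(key, ()):
            expected.setdefault(key, set()).add(obs["security"])
    findings = []
    for obs in scan:
        key, bssid = norm(obs["ssid"]), obs["bssid"].lower()
        if key not in inventory or bssid in inventory[key]:
            continue  # not a protected SSID, or a known-good radio
        reasons = ["BSSID not in venue inventory"]
        if bssid[:8] not in {b[:8] for b in inventory[key]}:
            reasons.append("vendor prefix differs from venue hardware")
        if key in expected and obs["security"] not in expected[key]:
            reasons.append("security mode differs from authorised APs")
        if obs["ssid"] not in authorised:
            reasons.append("look-alike spelling of the SSID")
        findings.append((bssid, reasons))
    return findings

if __name__ == "__main__":
    for bssid, reasons in find_spoofed_aps(SCAN, AUTHORISED):
        print(bssid, "->", "; ".join(reasons))
```

A clean result is not proof of a clean airspace, since a BSSID can be copied along with the name; treat this as one signal alongside wired-side checks for unknown devices on guest-room ethernet ports.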
What happens when someone connects?
When Sharyn connected to our network, we were able to see any information being accessed or broadcast by her device. This included emails, the apps on her phone, communications coming to and from those apps, other messages, web traffic, and more.
Most of the captive portals you see just want you to accept the company’s Terms and Conditions or enter your hotel room number to confirm you’re staying there. However, attackers also leverage captive portals to try to phish information from a user (like their credit card information for paid Wi-Fi). In this case, we used our captive portal to trick Sharyn into trusting a certificate that allowed us to decrypt even her encrypted Internet traffic. This allowed us to pretend to be any legitimate web service, such as Gmail, by signing the legitimate email communications with our own certificate. The phone trusted our certificate and therefore decrypted the traffic as though it were legitimately signed by Gmail. In a normal MitM attack, encrypted traffic would read as gibberish to an attacker, but because the phone trusted our certificate, we were able to see all of the traffic decrypted.
Did it work?
As we were setting it up for Sharyn to connect, we got a ping that someone else had connected to our network. Turns out, one of the producers had connected without prompting — without even knowing what our Wi-Fi network was called or what it looked like. The spoof worked.
The phone has to be jailbroken or rooted, though, right?
No, the phone doesn’t need to be in an altered state. It doesn’t matter whether it’s iOS or Android. What counts is the connection and the user’s decision to connect to that network. Unfortunately, a well-made spoof is usually very convincing.
Staying Safe
When you connect to Wi-Fi, you should be wary of any action it asks you to take in order to access the Internet. A hotel asking for your room number and name is one thing, but if it’s asking you to set up networks and certificates or download anything, that’s when you can get into trouble.
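On iOS, requests to "set up networks and certificates" usually arrive as a configuration profile (.mobileconfig), which can be inspected before anyone taps Install. The following is an added example, not part of the original post; it assumes an unsigned XML profile, and the sample profile and the function name are constructed for illustration.

```python
import plistlib

# Apple payload types that change what a device trusts or which networks it joins.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.wifi.managed": "adds a Wi-Fi network configuration",
}

# Constructed, unsigned sample profile; the certificate bytes are a placeholder.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Hotel Wi-Fi Setup</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadDisplayName</key><string>Guest Network CA</string>
      <key>PayloadContent</key><data>Q09OU1RSVUNURUQ=</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>HotelGuest</string>
      <key>EncryptionType</key><string>None</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>Label</key><string>Hotel Services</string>
    </dict>
  </array>
</dict></plist>"""

def audit_profile(raw):
    """Return (payload type, display name, concern) for each risky payload."""
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            name = payload.get("PayloadDisplayName") or payload.get("SSID_STR", "")
            findings.append((ptype, name, RISKY_PAYLOADS[ptype]))
    return findings

if __name__ == "__main__":
    for ptype, name, concern in audit_profile(SAMPLE_PROFILE):
        print(f"{ptype} ({name}): {concern}")
```

A profile offered by a guest Wi-Fi portal that contains a root-certificate payload is the situation described above and should not be installed.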
Research is very important to us at Lookout. We are actively researching all types of mobile threats and are developing solutions to protect you and your business from them.
Check out the 60 Minutes video here and, if you’re interested in learning about the other demonstration in the segment, you can check that out here.


David Richardson,
Director, Product Management




Rosario says:

May 28, 2016 at 4:38 pm

1. Be aware of all your surroundings and monitoring profits 2. Find the root of the cause to avoid or avoid negative impact 11 on deck

Rosario says:

May 28, 2016 at 4:41 pm

Will not allow error to reoccur so now I'm focused on every detail

Natalia says:

May 01, 2016 at 3:33 pm

I've been using Lookout for several years now on my phones and tablets and have been very satisfied, but lately, as I have the Barclays banking app, every time I log in it shows me a message that they have noticed I am not running security software on my Android device and they strongly recommend using one. So I am a little concerned now and wonder why that is. On the other hand, I can see my Lookout is working fine; scanning regularly shows nothing is wrong.

Meghan Kelly says:

June 06, 2016 at 10:05 am

Hi Natalia, that is odd. We're looking into this. Rest assured, if you have Lookout, you are running security software on your device!

Sonja Lee Walker-Miori says:

April 27, 2016 at 11:04 am

I feel very comfortable using Lookout for several years now. It lets me know that it has scanned everything that has come through, as it does each time. I feel safer! Thanks for Lookout App. Sonja Lee

Meghan Kelly says:

April 29, 2016 at 9:44 am

So glad to hear, Sonja! Thanks for leaving a comment.