SSID Stripping: New Method for Tricking Users into Connecting to Rogue APs

The cyber threat landscape has become more complex, with new threat actors and their latest attack vectors. SSID Stripping is a new hacking technique recently uncovered by AirEye security experts, which could be abused to trick unwitting users into connecting to fraudulent wireless networks.

What is SSID Stripping?

Researchers at AirEye and Technion found that threat actors can manipulate wireless SSIDs (Service Set Identifiers) so that a network name appears legitimate, enabling wireless network impersonation. Using these "stripped" SSIDs, attackers can trick users into connecting to a rogue Wi-Fi network under their control. Users connected to such networks become susceptible to data theft, malware attacks, and device compromise.

Network names, or SSIDs, are the most common way to identify Wi-Fi networks. A user uses an SSID as a primary identification factor when looking for and connecting to a specific network. Devices have different naming conventions for their networks, also known as access points (APs).

Because the SSID is the identifier users rely on, SSID Stripping appears to be a serious security risk: it affects many networks and devices, including Windows, macOS, Ubuntu, Android, and iOS. An AP’s SSID is processed by every wireless client in the vicinity, whether or not a trust relationship exists between the client device and the AP. “This could be used by an attacker to exploit a vulnerable client implementation by including malicious payload within the SSID,” AirEye said.

Research findings

The research identified three types of “display errors” that attackers can use to alter how a network name is shown. The first involves inserting a NULL byte into the SSID, which removes the first byte from the name and causes Apple devices to display only the part of the name before the null byte. On Windows devices, the attacker can achieve the same effect with “new line” characters.

A second display error, which appears to be the most common, is caused by non-printable characters: the attacker inserts special characters into the SSID that are never visible to the user.

According to the researchers, a network name such as ‘aireye_x1cnetwork’ (where x1c represents a single byte with the hex value 0x1C) is displayed identically to ‘aireye_network’.

Another display error occurs when a certain part of the network name is pushed out of the screen’s visible area.

The researchers gave the example of an SSID such as “aireye_networknnnnnrogue”, where each “n” denotes a new-line character. To an iPhone user the network name may then be displayed as “aireye_network”, because the word “rogue” has been pushed out of the visible display. Together with type 2 errors, this can effectively mask the suffixes of rogue network names.

In simple terms, these are the three display errors:

  • Display Error 1 – The network name is displayed only as a prefix
  • Display Error 2 – The displayed name has some characters missing
  • Display Error 3 – Parts of the displayed name are outside the visible area
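As an added illustration for defenders (not code from AirEye, Technion or the Hide ’n Seek tool), the following Python audits raw SSID bytes for the three display errors and flags names that render like a trusted network even though their bytes differ. The sample SSIDs and the simplified display model are constructed for this example.

```python
import unicodedata
from typing import List, Optional

# Constructed sample SSIDs as raw bytes from a beacon frame (not from the research).
TRUSTED_SSID = b"aireye_network"
SAMPLE_SSIDS = [
    b"aireye_network",                  # legitimate network
    b"aireye_network\x00rogue",         # display error 1: NULL byte truncates the name
    b"aireye_\x1cnetwork",              # display error 2: 0x1C is non-printable
    b"aireye_network\n\n\n\n\nrogue",   # display error 3: suffix pushed off-screen
]


def naive_display_name(raw: bytes) -> str:
    """Model how a careless UI renders an SSID: stop at the first NUL, keep only
    the first line, and drop any remaining control characters."""
    text = raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")
    first_line = text.split("\n", 1)[0]
    return "".join(ch for ch in first_line if unicodedata.category(ch)[0] != "C")


def ssid_anomalies(raw: bytes) -> List[str]:
    """Label byte patterns that can make the displayed name differ from the real SSID."""
    findings = []
    if b"\x00" in raw:
        findings.append("null-byte")       # error 1: prefix-only display
    if b"\n" in raw or b"\r" in raw:
        findings.append("newline")         # error 3: text outside visible area
    text = raw.decode("utf-8", errors="replace")
    if any(unicodedata.category(ch)[0] == "C" and ch not in "\x00\r\n" for ch in text):
        findings.append("non-printable")   # error 2: characters missing from display
    return findings


def lookalike_of_trusted(raw: bytes, trusted: List[bytes]) -> Optional[bytes]:
    """Return the trusted SSID this one impersonates on screen, if any. Auto-connect
    compares raw bytes, so the risk is a user connecting manually, not auto-reconnect."""
    if raw in trusted:
        return None
    shown = naive_display_name(raw)
    return next((t for t in trusted if naive_display_name(t) == shown), None)


def audit(ssids: List[bytes], trusted: List[bytes]) -> List[dict]:
    """Report every scanned SSID with its anomalies and any trusted look-alike."""
    return [{"raw": s, "shown": naive_display_name(s), "anomalies": ssid_anomalies(s),
             "impersonates": lookalike_of_trusted(s, trusted)} for s in ssids]


if __name__ == "__main__":
    for row in audit(SAMPLE_SSIDS, [TRUSTED_SSID]):
        print(row)
```

Run against a live scan, `audit` gives a wireless admin a list of nearby SSIDs that would be indistinguishable from the corporate network on screen; the same check is a reasonable input to a WIPS or SIEM rule.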

A variety of cyberattacks can be performed using SSID Stripping, including:

  • Easily tricking the user into connecting to a rogue network by setting up a rogue Access Point (AP)
  • Incorporation of an attack into a network name without causing suspicion from the user or system admin
  • Adding malicious software to the rogue network’s devices
  • Taking advantage of compromised devices to steal sensitive information

It has been well known for many years that SSID spoofing poses a threat. An attacker may intercept a victim’s communications if they convince them to connect to their Wi-Fi network.

During attacks, the attacker typically sets up a rogue Access Point that appears similar to one normally used by the target. To prevent unwitting users from automatically reconnecting to rogue APs, operating system vendors have introduced protective features that match more than just the connection name before automatically connecting.

The user still sees a network whose name matches one they trust, but the device will not join it automatically; the user has to connect manually. Because the device compares the actual SSID byte string, not the name as rendered on screen, SSID Stripping does not bypass these automatic-connection controls.

However, the vendors do not appear to view this as a serious security threat, even though the researchers reported their findings as a vulnerability. AirEye reported the findings in July to Apple, Microsoft, Google (Android), and Canonical (Ubuntu). The vendors acknowledged the issue but said it has only “minor security implications” and that they will not roll out patches any time soon.

How to Check for SSID Stripping Vulnerability

To help organizations check whether their devices are vulnerable to SSID Stripping, AirEye has released a free Windows-based tool called Hide ’n Seek.

“The tool generates numerous network names based on the original SSID provided by the user. The user can then understand how these network names are displayed in their organization to gain a better sense of their environment’s vulnerability,” says AirEye.
