A new tool named “Snappy” developed by cybersecurity experts can assist in identifying rogue WiFi access points that aim to steal data from unwary users.
Attackers can impersonate legitimate access points already installed at stores, cafes, and shopping centers by setting up fake ones in the same locations. Once people are tricked into connecting to a malicious access point, their sensitive data travels through the attacker's equipment.
While in control of the router, threat actors can intercept and analyze the transmitted data by performing man-in-the-middle attacks.
Tom Neaves, a security researcher with Trustwave and a fan of wireless and RF technology, argues that it is simple for determined attackers to spoof the MAC addresses and SSIDs of legitimate access points on open networks.
When users return to the locations of open wireless networks they have previously connected to, their devices will automatically try to reconnect to the saved access point, unaware that they are actually connecting to a malicious device.
Snappy to the rescue
Neaves created a tool to help users determine whether the access point they are using is the same as the one they used previously (and every time), or whether it may be a fake or malicious device.
By examining Beacon Management Frames, he identified several static elements, including the vendor, BSSID, supported rates, channel, country, maximum transmit power, and others, that vary between different 802.11 wireless access points but remain constant for a particular access point over time.
The researcher reasoned that he could concatenate these elements and hash them with SHA256 to produce a unique signature for each access point, which a scanning tool could use to report matches and mismatches.
Mismatches on the signature would indicate that something has changed and the access point could be rogue, whereas matches suggest that the access point is the same and hence trustworthy.
This functionality was implemented in a Python script named Snappy, which was published on Trustwave’s GitHub repository and made freely available.
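The fingerprinting idea described above, as an added example that is not Snappy's own code: it parses the tagged elements of a raw beacon frame and hashes the ones expected to stay constant with SHA256. The selection of elements, the serialization order, the helper names and the sample frames are assumptions constructed for this illustration.

```python
import hashlib
import struct

# Information-element IDs treated as stable for one AP (assumed selection):
# 0 SSID, 1 Supported Rates, 3 DS Parameter Set (channel), 7 Country, 50 Ext. Rates, 221 Vendor
STABLE_IES = (0, 1, 3, 7, 50, 221)

def parse_beacon(frame: bytes):
    """Return (bssid, [(ie_id, value), ...]) from a raw 802.11 beacon (no radiotap, no FCS)."""
    if len(frame) < 36 or frame[0] != 0x80:   # management frame, subtype beacon
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                      # address 3 in the MAC header
    ies, pos = [], 36                         # 24-byte header + 12 fixed bytes
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + ie_len]
        if len(value) < ie_len:               # truncated element: stop, do not guess
            break
        ies.append((ie_id, value))
        pos += 2 + ie_len
    return bssid, ies

def fingerprint(frame: bytes) -> str:
    bssid, ies = parse_beacon(frame)
    h = hashlib.sha256(bssid)
    for ie_id, value in ies:
        if ie_id in STABLE_IES:
            # Prefix each element with ID and length so field boundaries stay unambiguous
            h.update(bytes([ie_id, len(value)]) + value)
    return h.hexdigest()

def build_beacon(bssid, ssid, channel, rates=b"\x82\x84\x8b\x96", country=b"GB \x01\x0d\x14", timestamp=0):
    """Constructed sample input: a minimal beacon frame for the demo."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", timestamp, 100, 0x0401)  # timestamp, interval, capabilities
    ies = [(0, ssid), (1, rates), (3, bytes([channel])), (7, country)]
    return hdr + fixed + b"".join(bytes([i, len(v)]) + v for i, v in ies)

BSSID = bytes.fromhex("02aabbccddee")   # constructed, locally administered address
known = build_beacon(BSSID, b"CafeWiFi", 6, timestamp=1000)
later = build_beacon(BSSID, b"CafeWiFi", 6, timestamp=999999)   # same AP, later beacon
clone = build_beacon(BSSID, b"CafeWiFi", 6, rates=b"\x02\x04\x0b\x16", country=b"US \x01\x0b\x1e")

if __name__ == "__main__":
    baseline = fingerprint(known)
    for name, frame in (("same AP later", later), ("clone", clone)):
        print(name, "MATCH" if fingerprint(frame) == baseline else "MISMATCH")
```

The clone copies the BSSID, SSID and channel exactly, yet its different supported rates and country element change the hash, while the changing beacon timestamp of the genuine access point does not.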
In addition to the technique for producing SHA256 hashes of wireless access points, Snappy can also identify access points made by Airbase-ng, a program that attackers employ to make phony access points in order to intercept packets sent by connected users or even to snoop on their network traffic.
As long as Python is installed, running Python scripts on laptops should be simple, but users of mobile devices will need to go the extra mile to find specialized interpreters and emulators.
Python scripts may be executed on Android phones using Pydroid, QPython, or Termux, while iOS users can use Pythonista, Carnets, or Juno.
Hopefully Trustwave will soon think about making the tool more accessible to a larger audience.