
SSID Stripping flaw lets hackers mimic real wireless access points

SSID Stripping has emerged as a significant threat because it impacts almost all software platforms, including MS Windows, macOS, Apple iOS, Ubuntu, and Android.

A team of researchers at AirEye, in collaboration with the Computer Science faculty of Technion – Israel Institute of Technology, has discovered a vulnerability that makes a network's name (its SSID, or Service Set Identifier) appear as a different name in the device's list of networks.

Simply put: unsuspecting users can be tricked into connecting to WiFi hotspots set up by hackers. This would not only expose users to data theft but also give attackers access to the personal information on their devices. That is why the vulnerability has been dubbed SSID Stripping.


The first “aireye_network” is real, while the second carries “%p%s%s%s%s%n” as a suffix that is not visible (Image: AirEye)

What Does it Do?

The vulnerability can trick unsuspecting users into connecting to a network controlled by an attacker or cybercriminal. In effect, users connect to a network other than the one they intended to join.

According to the researchers, in an SSID Stripping attack a user sees a network whose name matches one of their trusted networks. The catch is that the user must connect to the fake network manually.


At the same time, the network bypasses the device's security controls because the original SSID is contained within the string the attacker has inserted, while the user cannot see the difference on screen. As a result, the user connects to the fake AP.

“The SSID published by any AP in the proximity of a wireless client is processed by that client – regardless of whether there is any trust between the client device and the AP. Hence an attacker may attempt to include malicious payload within the SSID in an attempt to exploit a vulnerable client implementation,” researchers noted.

AirEye notified the affected platform vendors back in July, but they all regarded it as a minor security glitch and may implement patches soon.

The Three Error Scenarios

The researchers reported three types of display errors. The first forces Apple devices to display partial names by inserting a NULL byte into the SSID, while on Windows devices the same effect was achieved using newline characters.


The second type of display error is more common and relies on non-printable characters. An attacker can add special characters to the SSID without alerting the user. For instance, the attacker can make aireye_\x1cnetwork display as aireye_network, where \x1c represents a byte with the hex value 0x1c.

The third display error pushes part of the network name out of the screen's visible area. In such a scenario, an iPhone may display an SSID named aireye_networknnnnnnnnnnnrogue as aireye_network, eliminating the word rogue. This technique, together with the second type of error, can successfully hide the suffix of a rogue network's name.
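The three display errors above all come down to the same defect: the client renders the SSID's raw bytes in a way that can hide part of the name. The following Python module is an added example written for this article, not AirEye's tool or any vendor's code. It models a careless renderer (stops at NUL or newline, silently drops control characters, clips to a fixed screen width), renders the same bytes safely with every non-printable byte escaped, flags the hazards each sample carries, and reports when a rogue SSID would be mistaken for a trusted one under the naive rendering. The sample SSIDs are constructed from the article's examples; the padding case assumes ordinary spaces as the filler, and the 24-character display width is an assumed screen limit.

```python
"""SSID display-hazard checker (added example, not AirEye's or any vendor's code)."""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field

MAX_SSID_LEN = 32                       # 802.11 limit on SSID length, in bytes
TRUNCATING = {"\x00", "\n", "\r"}      # bytes that cut the name short in some pickers
PADDING_RE = re.compile(r"[ \t\u00a0\u2000-\u200b\u3000]{3,}")  # runs of blank glyphs
FORMAT_RE = re.compile(r"%[0-9.]*[psnxd]")  # printf-style directives such as %p%s%s%s%s%n


@dataclass
class SsidReport:
    raw: bytes
    naive_display: str                  # what a careless renderer would show
    safe_display: str                   # everything visible, nothing hidden
    hazards: list[str] = field(default_factory=list)


def naive_render(raw: bytes, width: int = 24) -> str:
    """Model a careless renderer: stop at NUL/newline, drop other control
    characters, clip to the screen width, and trim trailing blanks."""
    text = raw.decode("utf-8", errors="replace")
    for cut in TRUNCATING:
        text = text.split(cut, 1)[0]
    text = "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")
    return text[:width].rstrip()


def safe_render(raw: bytes) -> str:
    """Render every byte visibly: printable characters as-is, anything else
    (NUL, newline, 0x1c, non-breaking spaces, ...) as an explicit escape."""
    text = raw.decode("utf-8", errors="replace")
    out = []
    for ch in text:
        if ch.isprintable():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def analyze(raw: bytes) -> SsidReport:
    """Flag the display hazards present in one SSID, in the article's order."""
    hazards: list[str] = []
    if len(raw) > MAX_SSID_LEN:
        hazards.append("over-length")
    text = raw.decode("utf-8", errors="replace")
    if any(ch in TRUNCATING for ch in text):
        hazards.append("truncating-byte")           # first error type
    if any(unicodedata.category(ch)[0] == "C" and ch not in TRUNCATING for ch in text):
        hazards.append("non-printable")             # second error type
    if PADDING_RE.search(text):
        hazards.append("padding")                   # third error type
    if FORMAT_RE.search(text):
        hazards.append("format-directive")          # the %p%s%s%s%s%n style suffix
    return SsidReport(raw, naive_render(raw), safe_render(raw), hazards)


def looks_like(raw: bytes, trusted: list[str], width: int = 24) -> str | None:
    """Return the trusted SSID this one would be mistaken for under the naive
    renderer, or None when the bytes are identical or the rendering differs."""
    shown = naive_render(raw, width)
    for name in trusted:
        if raw != name.encode() and naive_render(name.encode(), width) == shown:
            return name
    return None


# Constructed samples modelled on the article's examples (not captured beacons).
SAMPLES = [
    b"aireye_network",                              # the genuine network
    b"aireye_network\x00rogue",                     # NUL truncation
    b"aireye_network\nrogue",                       # newline truncation
    b"aireye_\x1cnetwork",                          # invisible control byte
    b"aireye_network" + b" " * 11 + b"rogue",       # padding pushes suffix off screen
    b"aireye_network%p%s%s%s%s%n",                  # the format-string suffix
]
TRUSTED = ["aireye_network"]

if __name__ == "__main__":
    for raw in SAMPLES:
        report = analyze(raw)
        twin = looks_like(raw, TRUSTED)
        print(f"{report.naive_display!r:20} {report.safe_display!r:38} "
              f"{report.hazards} twin={twin}")
```

The point of `safe_render` is that a picker which escapes or otherwise marks every non-printable byte, and never clips a name without indicating it, leaves nothing for the attacker to hide behind; `looks_like` is the check a client or a wireless monitoring tool can run against the list of saved networks before presenting a candidate as a match.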
