This is Karma, baby, or why the attack on wireless networks, which was supposed to sink into oblivion, is still alive


Today, wireless access points surround us everywhere: in cafes, restaurants, shopping centers and on public transport. This has ceased to be anything unusual, and we calmly connect to unprotected networks or leave our devices constantly searching for familiar access points. That is why the number of attacks aimed at this segment has been growing steadily in recent years. This is not surprising, because access to user traffic opens up a huge field of action for an attacker. Today I would like to look at one of these attacks, prosaically named Karma, which was invented back in 2005 but is still relevant today.


At one time, talk about Karma was very popular in security circles, and many people have at least heard of it in passing. Those whom the topic passed by at the time may know it indirectly thanks to the well-known device called Pineapple. It was created specifically to carry out Karma and other similar attacks on wireless networks quickly and effortlessly.


A cursory look at Karma makes it clear that it is really an evil twin “on steroids”, because its core is, in essence, standing up a copy of a particular access point. However, the devil is in the details, and the details are what allow an attack created 13 years ago to remain relevant and to be used in pentests to this day.


In cross-section, or where it all comes from


How does this dinosaur differ from all the others, and why has it survived? Karma stands out because it relies not on software vulnerabilities in access points or clients but on features of the universally used 802.11 standard, or rather on features of its authentication protocol. For a complete understanding of how Karma works, the authentication process itself is described in detail below. Readers familiar with this process can safely skip this part.




To announce its presence, an access point (hereafter AP) transmits so-called Beacon frames: packets containing the AP's SSID (its identifier, the network name), the supported data rates and the type of encryption the wireless network uses.


A user's device finds wireless networks either by listening for Beacon frames from the APs around it or by sending Probe Request frames for the access points on its preferred network list: packets containing the SSID the device is looking for and the data rates the device supports. The SSID may be an empty string, which makes it a Null probe request (a request addressed to all access points regardless of SSID).


APs answer Probe Requests that contain their SSID, as well as Null probe requests, with Probe Response packets. A Probe Response contains the same data as a Beacon frame: the SSID, the supported data rates and whether encryption is used.


If the wireless network uses encryption, the user's device must be authenticated before connecting. This process occurs through Authentication frames. If the user's device has already been authenticated or the network does not require it, the device will send an Association Request to the access point, to which the AP responds with an Association Response frame. After that, the user can work in this wireless network.


It is important to note that although the standard defines how a user joins an access point, it does not define how that access point is chosen, and it says nothing about whether the base station should be authenticated or trusted by default. The solution to this problem was left to the vendors of hardware and operating system software.


Now it is clear how Karma works. An attacker within signal range (which high-gain antennas and signal amplifiers can extend) can passively monitor a single wireless channel and observe users' connection requests to all access points. He can use this information to reconstruct the victim's preferred network list. The connection requests reveal only the network names, not their encryption type. However, with nothing but the SSID of an access point, the attacker can create a copy of it with the same name and increase the likelihood that the victim connects to it, for example by amplifying the signal of his access point (the client usually connects automatically to the strongest one) or by carrying out a denial-of-service attack against the chosen AP. If the client expects the network to be encrypted, the connection will not be established, and the attacker can try the next network in his reconstructed copy of the victim's preferred network list. When he reaches a network that does not use encryption, he creates a wireless network that the victim joins immediately.
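
Seen from the defender's side, this behaviour leaves a trace: one radio answering for several unrelated network names. The Python code below is an added example, not code from the original article or from any project it mentions; it parses raw Probe Response frames and flags any BSSID seen with more distinct SSIDs than a threshold. The sample frames are constructed (no radiotap header, no FCS), and the threshold of 2 and the premise that the fake AP keeps one BSSID are assumptions of this example.

```python
import struct
from collections import defaultdict

MGMT_HDR_LEN = 24       # frame control, duration, 3 addresses, sequence control
PROBE_RESP_FIXED = 12   # timestamp (8), beacon interval (2), capability (2)
PROBE_RESP_FC = 0x50    # type 0 (management), subtype 5 (probe response)
PRIVACY_BIT = 0x0010    # capability bit set when the network uses encryption

def parse_probe_response(frame: bytes):
    """Return (bssid, ssid, encrypted), or None if not a well-formed probe response."""
    if len(frame) < MGMT_HDR_LEN + PROBE_RESP_FIXED + 2 or frame[0] != PROBE_RESP_FC:
        return None
    bssid = frame[16:22].hex(":")                      # address 3 is the BSSID
    (capability,) = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)
    pos = MGMT_HDR_LEN + PROBE_RESP_FIXED
    while pos + 2 <= len(frame):                       # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                                # truncated element
        if tag == 0:                                   # SSID element
            return bssid, value.decode("utf-8", "replace"), bool(capability & PRIVACY_BIT)
        pos += 2 + length
    return None

def suspicious_bssids(frames, max_ssids=2):
    """Flag BSSIDs that answer for more SSIDs than max_ssids (assumed threshold)."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_response(frame)
        if parsed:
            bssid, ssid, encrypted = parsed
            seen[bssid].add((ssid, encrypted))
    return {b: sorted(s) for b, s in seen.items()
            if len({ssid for ssid, _ in s}) > max_ssids}

def build_frame(bssid: str, ssid: str, privacy: bool) -> bytes:
    """Constructed sample data: a minimal probe response frame."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = bytes([PROBE_RESP_FC, 0]) + b"\x00\x00" + b"\xaa" * 6 + mac + mac + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0001 | (PRIVACY_BIT if privacy else 0))
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()

# Constructed capture: one ordinary encrypted AP, one radio answering for three open SSIDs.
SAMPLE = [build_frame("02:00:00:00:00:01", "office-wifi", True)] + [
    build_frame("02:00:00:00:00:66", name, False)
    for name in ("cafe-guest", "airport-free", "hotel-lobby")]

if __name__ == "__main__":
    for bssid, nets in suspicious_bssids(SAMPLE).items():
        print(bssid, nets)
```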


A bit about the attack from the creators of Wi-Fi Pineapple:




"Old, but not obsolete"


To date, the key problem in the standard has not been resolved, and Karma remains a real threat to users. For example, the above-mentioned WiFi Pineapple, which can be purchased freely, is now often used to test wireless networks. The creators of the project actively support it and release updates from time to time. Relatively new versions of the Pineapple were released recently: Tetra, a full-fledged router with everything you need, 4 SMA antennas and 2 GB of built-in flash memory, and Nano, a simplified version in a USB adapter form factor with 2 SMA antennas, 16 MB of ROM and a micro SD slot.



For those who would like to try Karma on this wonderful device, I would say right away that there is no point in buying early versions such as the Mark V second-hand: the manufacturer has stopped supporting them, and the likelihood that you will be able to download the necessary software through the device’s built-in store or update the device (the latest firmware for the Mark V was released in August 2015) tends to zero, to say nothing of getting it running and carrying out the attack.




After a little digging on GitHub, you can find several open-source implementations of Karma of varying quality:



Although the last two of these implementations are no longer supported, WiFi-Pumpkin and Wifiphisher are alive and continue to evolve. My Karma research started not with them but with Mana and FruityWiFi, which I spent a tremendous amount of time analyzing. I could not get them to work and abandoned the attempts. However, I plan to return to this topic in the near future and try WiFi-Pumpkin and Wifiphisher; these projects have their own small communities, so the probability of success is much higher.


The cherry on the cake, and an interesting implementation of Karma, is this small project, which implements the attack on the cheap and popular ESP8266 microcontroller. It is not a fully self-contained Karma: the user must create the Rogue AP (fake access point) himself, and there are no functions for building a preferred network list. However, neither problem is hard to solve: the ESP has resources to spare for this, and with enough motivation you can end up with a good utility.


Fighting bad karma



So what do you do with this information, and how do you protect yourself? There is absolutely no magic here; the rules for protecting against Karma are simple:


  1. Disable Wi-Fi search mode on all your devices until you need it.
  2. Do not trust familiar access points; always check whether this access point can be here at all (yes, MT_FREE, I'm talking about you).
  3. Use a VPN wherever possible and impossible.
    (Here everything works the same way as with an attacker who can listen to traffic on a network he controls: with a VPN in use, he simply cannot decrypt anything.)
  4. Create access points with encryption and give preference to them.
  5. Do not re-log in to familiar networks (most likely, this is a fake access point of the attacker).

Although target operating systems have been updated hundreds of times since Karma appeared and systems have become more secure, this attack is still alive and still threatens users. There is no reason to expect the standard to be corrected or amended in the near future, so all we can do is stick to these simple rules and keep our ears open.

