TechRepublic : A ZDNet Tech Community

Tech Sanity Check

by Jason Hiner, Editor in Chief

Study shows viral SSIDs could be creating a massive wireless botnet

A study of Wi-Fi networking at U.S. airports has revealed a viral SSID attack that is potentially infecting thousands of travelers and opening them up to data leakage on their laptops. The viral SSID attack could also be used by hackers to create a massive wireless botnet in the future.

The study, which was released this week at the Gartner Mobile and Wireless Summit in Chicago, was conducted between Jan. 30 and Feb. 8 by AirTight, a vendor of wireless intrusion prevention systems, at 11 U.S. airports and three airports in the Asia-Pacific using off-the-shelf Wi-Fi cards and standard packet tracing software.

AirTight researchers found that only 3% of users were using a VPN to encrypt their connection. The rest were sending their usernames and passwords over the air in clear text that could be easily captured by an attacker and then used to compromise the user’s data and online accounts, and even take over the machine.

Even more disturbing was the discovery of various ad-hoc (peer-to-peer) Wi-Fi networks that are propagating in a viral way to create an avenue of attack for hackers. The most common SSIDs used by these viral attacks are “Free Public Wi-Fi” and “Free Internet!” AirTight does an excellent job of explaining this attack, and how it propagates, in the following slides.

This attack is essentially exploiting the way Windows handles ad-hoc peer-to-peer wireless networking — represented by the icon of the two laptops connecting to each other in the Choose A Wireless Network screen. Once a user clicks on the fake “Free Public Wi-Fi” SSID, Windows automatically adds that SSID to its preferred networks and begins broadcasting it to other users, who connect and are then “infected” as well.

There’s no payload or tricky code involved in this attack, and it would be virtually impossible to track down the users who started these fake SSIDs. However, this exploit has created an “open source” attack vector: it is available not only to the original perpetrators but also to any attacker who can figure out what’s going on. And the worst-case scenario is that an attacker or group of attackers could use this to create a massive wireless botnet (if they haven’t already).

The AirTight study found that 10% of all the wireless users it scanned across all airports were broadcasting at least one of these viral SSIDs. In some airports, the percentage was much higher, as seen in the chart below.

Here’s a full list of the viral SSIDs that AirTight identified:

  • Free public Wi-Fi
  • Free Internet!
  • US Airways Free WiFi
  • Thrifty
  • Verizon Wi-Fi
  • Megahoc.21
  • Megahoc.v22
  • Megahoc.v24
  • hpsetup
  • WIRELESS
  • ETWireless
  • ConnectionPoint
  • Jet Blue hot spot
  • Raisinet
  • Wireless
  • WIFI
  • Wireless Canes
  • Annies
  • Ramada
  • Default

Bottom line

This study has major implications for business travelers and the IT departments that support them.

“It is ironic that the traveler passes through a phalanx of physical security only to be sitting at a gate and be vulnerable to cybercrime,” said Sri Sundaralingam, senior director of product management at AirTight. “Both network administrators and business travelers recognize the benefits of mobility and anywhere, anytime computing but it is time for all of these constituencies to recognize the risks as well and implement best practices.”

One way IT departments can handle this is by educating Windows users to never click on an ad-hoc network — the icon with the two laptops — when looking for a Wi-Fi hot spot. Another best practice is for users to connect to the corporate VPN after connecting to a public hot spot and before doing any corporate work.

The larger option for IT is to implement software to handle policy enforcement and/or a wireless intrusion prevention system (WIPS), such as the software offered by AirDefense and AirTight, the author of the study.

Those who have clicked on one of these viral SSIDs in the past need to go into their wireless networking properties in Windows and delete these fake SSIDs from their Preferred Networks to stop propagating this exploit and to avoid being attacked by someone who knows about the exploit.
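The cleanup described above can be checked across many machines. The following is an added example, not from the article or from AirTight: a Python audit of Wi-Fi profiles exported with `netsh wlan export profile`, flagging ad-hoc (IBSS) profiles and SSIDs on AirTight's list. It assumes Windows Vista or later, where that command exists; the `sample` helper and the profiles it builds are constructed for illustration.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Namespace of the WLAN profile XML written by `netsh wlan export profile`.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# SSIDs listed in the article, compared case-insensitively.
VIRAL_SSIDS = {s.lower() for s in (
    "Free public Wi-Fi", "Free Internet!", "US Airways Free WiFi", "Thrifty",
    "Verizon Wi-Fi", "Megahoc.21", "Megahoc.v22", "Megahoc.v24", "hpsetup",
    "WIRELESS", "ETWireless", "ConnectionPoint", "Jet Blue hot spot",
    "Raisinet", "Wireless", "WIFI", "Wireless Canes", "Annies", "Ramada",
    "Default")}

def audit_profile(xml_text):
    """Classify one exported profile; returns (ssid, verdict, reasons)."""
    root = ET.fromstring(xml_text)
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", default="", namespaces=NS)
    conn = root.findtext("w:connectionType", default="", namespaces=NS)
    adhoc = conn.strip().upper() == "IBSS"   # IBSS = ad-hoc, ESS = access point
    listed = ssid.strip().lower() in VIRAL_SSIDS
    reasons = []
    if adhoc:
        reasons.append("ad-hoc (IBSS) profile")
    if listed:
        reasons.append("SSID on AirTight list")
    # Generic names such as "Default" can also belong to a real access point,
    # so a name match alone is "review"; ad-hoc plus a listed name is "remove".
    verdict = "remove" if adhoc and listed else "review" if reasons else "ok"
    return ssid, verdict, reasons

def audit_dir(folder):
    """Audit every *.xml profile in a folder filled by the netsh export."""
    results = []
    for path in sorted(glob.glob(os.path.join(folder, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            results.append(audit_profile(fh.read()))
    return results

def sample(ssid, conn_type):
    """Constructed stand-in for an exported profile (hypothetical helper)."""
    return (f'<WLANProfile xmlns="{NS["w"]}"><name>{ssid}</name>'
            f'<SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>'
            f'<connectionType>{conn_type}</connectionType></WLANProfile>')

if __name__ == "__main__":
    for ssid, ctype in [("Free Public Wi-Fi", "IBSS"), ("hpsetup", "ESS"),
                        ("CorpNet", "ESS")]:
        print(audit_profile(sample(ssid, ctype)))
```

Profiles marked "remove" are the ones to delete from the saved networks; "review" entries need a person to confirm whether the network is legitimate.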

UPDATED:  Learn how to configure your Windows systems to keep them from being susceptible to this viral SSID exploit by reading the following article from Michael Kassner in TechRepublic’s Mobile & Wireless blog:

Jason Hiner is the Editor in Chief of TechRepublic. Previously, he worked as an IT Manager in the health care industry. You can find him on Twitter, LinkedIn and at JasonHiner.com. To see the gadgets and personal tech he uses, view his gdgt profile.
