This is a short presentation about access point (AP) takeover attacks. It gives a brief overview of methods and the reasons hackers may want to use these attacks, then provides some examples. A full paper on this topic is available at http://www.ericgoldman.name
AP Takeover Attacks
1. Theory and Strategies for Takeover Attacks
Presented by Eric Goldman – http://www.ericgoldman.name
2. This is an excerpt from a larger presentation which covered numerous AP exploit strategies and specific attacks. You can find more of my presentations on SlideShare and at my main website, http://www.ericgoldman.name.
Please feel free to post questions or comments about this presentation. A full academic paper on this topic is available on my website.
More papers & presentations at http://www.ericgoldman.name 2
3. AP is a gateway between wireless and wired networks; all wireless traffic passes through it
As a result, it is usually the most valuable target on the WLAN for snooping or DoS
Wireless hardware is more vulnerable than wired equivalents because it must support more protocols and features, which are relatively young and/or under development
Fun target because there are so many different ways to attack an AP
4. Gain unauthorized access to the network
◦ Attacker wants to get to the rest of the network, but breaking all security procedures is too time-consuming
Monitor traffic and steal user data
◦ Steal valuable information about users or company
Make money
◦ By controlling the AP you can insert your own ads on every page and replace other ads with your own
◦ Examples: dd-wrt + NoCatSplash or a web proxy
5. Multiple management interfaces may exist, with different security (console, web, ssh, etc.)
Setting misconfigurations, groups of settings, or improper implementation of settings
Steal login information by cracking or finding in-the-clear authentication (web, telnet)
Physical access: administration allowed without a password when directly connected, reset device
6. Affects 8 different devices, 3 versions of IOS
Vulnerability is in the Web Management Interface
When you switch from global password control to a local user list with individual passwords in the web interface, all login security is disabled
As a result, anyone can easily access the admin interface without having any login information or credentials
7. Router allows the admin password to be modified, but there is an undocumented hardcoded account there as well
Hardcoded accounts: U=super, P=5777364
Accessible from both LAN/WLAN
Traced back to hardware developer in Taiwan, 5777364 is their phone number
◦ May affect other vendors who use their hardware
◦ Was still in later firmware upgrades for Netgear
◦ Vendor solution: make a new hardcoded account
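Added example, not part of the original presentation: a defender-side audit of AP management-login records for the two weaknesses described in slides 5 and 7, namely in-the-clear management protocols and logins by accounts the administrator never provisioned (such as an undocumented built-in account). The log format, AP names, wireless subnet and account inventory are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample events; this log format is hypothetical, not any vendor's.
SAMPLE_LOG = """\
2009-04-06T09:12:01 ap01 mgmt-login proto=https user=netadmin src=10.0.0.15 result=ok
2009-04-06T09:40:44 ap01 mgmt-login proto=http user=super src=192.168.50.23 result=ok
2009-04-06T10:02:10 ap02 mgmt-login proto=telnet user=netadmin src=10.0.0.15 result=ok
2009-04-06T10:05:37 ap02 mgmt-login proto=ssh user=root src=192.168.50.77 result=fail
"""

# Assumed inventory: accounts the administrator actually created on each AP.
PROVISIONED = {"ap01": {"netadmin"}, "ap02": {"netadmin"}}
CLEARTEXT = {"http", "telnet"}  # management protocols that expose credentials
WLAN_NETS = [ipaddress.ip_network("192.168.50.0/24")]  # assumed wireless client subnet

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) mgmt-login proto=(?P<proto>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

def audit(log_text, provisioned=PROVISIONED, wlan_nets=WLAN_NETS):
    """Return (timestamp, ap, [reasons]) for every suspicious management login."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a management-login record
        ev = m.groupdict()
        reasons = []
        if ev["user"] not in provisioned.get(ev["ap"], set()):
            # An account nobody created points at a built-in or backdoor account.
            kind = "login" if ev["result"] == "ok" else "attempt"
            reasons.append(f"unprovisioned-account-{kind}")
        if ev["proto"] in CLEARTEXT:
            reasons.append("cleartext-management")
        try:
            from_wlan = any(ipaddress.ip_address(ev["src"]) in n for n in wlan_nets)
        except ValueError:
            from_wlan = False  # hostname or malformed address: cannot place it
        if from_wlan:
            reasons.append("management-from-wlan")
        if reasons:
            findings.append((ev["ts"], ev["ap"], reasons))
    return findings

if __name__ == "__main__":
    for ts, ap, reasons in audit(SAMPLE_LOG):
        print(ts, ap, ", ".join(reasons))
```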
8. APs are a more valuable target than a single client node; attack more users and resources
Wireless network equipment, especially budget consumer products, is often poorly designed and coded
Attacking an AP can cut off many users from access and can make any connectivity difficult
Taking over an AP can allow the attacker to accomplish many different objectives
9. Cisco. (2006, September 20). Cisco Security Advisory: Access Point Web-browser Interface Vulnerability. Retrieved April 6, 2009, from Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml
Hackers come up with new methods to hack Wi-Fi networks. (2008, March 21). Retrieved April 6, 2009, from Internet Security: http://www.internet-security.ca/internet-security-news-010/hackers-coming-up-with-new-ways-to-hack-wi-fi-networks.html
Knienieder, T. (2004, June 3). Netgear WG602 Wireless Access Point Default Backdoor Account Vulnerability. Retrieved April 6, 2009, from Security Focus: http://www.securityfocus.com/bid/10459/info
Mateti, P. (2005). Hacking Techniques in Wireless Networks. Retrieved April 6, 2009, from Wright State University: http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm#_Toc77524669
Megidish, G. (2008, August 17). Getting Paid For Others’ Work. Retrieved April 6, 2009, from SecuriTeam: http://blogs.securiteam.com/index.php/archives/1128
Bellardo, J., & Savage, S. (2003). 802.11 Denial-of-Service Attacks: vulnerabilities and practical solutions. San Diego, California: Department of Computer Science and Engineering, University of California at San Diego.