With the evolution of new threat actors and their latest attack vectors, the cyberthreat landscape is larger than expected. Security experts from AirEye recently uncovered a new hacking method, dubbed as SSID Stripping, which could be leveraged to trick unwitting users into connecting to fraudulent wireless networks.
What is SSID Stripping?
In a joint research with Technion, AirEye revealed that threat actors could manipulate the name of a wireless network, particularly the SSID (Service Set Identifier), to display as a legitimate network to the users. SSID Stripping enables attackers to trick users into connecting to rogue Wi-Fi networks set up by them. Users connected to these networks would become vulnerable to device compromise, malware attacks, and data thefts.
In general, Wi-Fi networks are identified based on their network name, formally known as SSID. The SSID acts as the primary identifier for a user to find and connect to a specific network. Different devices provide different network names, which are also called Access Points (APs).
The SSID Stripping method appeared to be a severe security threat, as it impacts several networks and devices running on Windows, macOS, Ubuntu, Android, and iOS. “The SSID published by any AP in the proximity of a wireless client is processed by that client – regardless of whether there is any trust between the client device and the AP. Hence an attacker may attempt to include malicious payload within the SSID in an attempt to exploit a vulnerable client implementation,” AirEye said.
The research discovered three types of “display errors” using which attackers alter/manipulate the network names. These include:
- Display Error 1 – A display of only a prefix of the actual network names
- Display Error 2 – Omissions of some characters from the display name
- Display Error 3 – Some characters are pushed outside of the visible portion of the display name
Cybercriminals can use SSID Stripping to perform various attacks, which includes:
- Creating a more effective rogue Access Point (AP), easily deceiving the user into connecting to a rogue network
- Incorporating an attack within a network name without raising suspicions from a user or system admins
- Deploying a malicious code on devices in the rogue network
- Monitoring or stealing sensitive information from the compromised devices
How to Check for SSID Stripping Vulnerability
AirEye has released a free Windows-based tool, dubbed Hide ‘n Seek, using which users and organizations can verify if they’re vulnerable to the SSID Stripping attack.
“The tool publishes numerous network names using SSID Stripping techniques, based on the original SSID that the user provides. Users can then find out how these network names are displayed on the various devices in their organization to get a sense of how vulnerable their environment is,” AirEye added.