Hackers ambush web applications through free hotspots

Hackers are playing a dangerous game of ‘piggy in the middle’ with unsuspecting users of wireless hotspots, going largely undetected and putting corporate data and back-end servers at major risk, according to Bill Robson, lead Penetration Tester for data assurance and security experts e-Sentinel.

Robson, a big fan of the free wireless access on offer at increasing numbers of outlets such as fast food restaurants and airport lounges, said Australians’ habit of looking for and grabbing free bandwidth to check email, transact online or make quick calls by Skype has provided hackers with another easy gateway to access corporate information.

“Corporate Australia already knows that wireless networking is insecure and the considerable risks it presents to them and their data,” he said.

“What they may not recognise is how we’re using our mobile phones to do business wirelessly and the significant opportunity it has given to hackers to infiltrate the gateway, place themselves between the user and the web application the user is accessing, and effectively be an unseen ‘man in the middle’.”

Robson said “man-in-the-middle” (MITM) is a particularly insidious form of attack that hackers use to bypass the protection SSL encryption usually provides for data flowing between a trusted endpoint, such as a desktop computer, and a company’s server.

“Basically at free hotspots, the hacker places themselves between the unsuspecting user of the wireless mobile phone and the web application they’re using,” he said.

“When the hacker is in place, all encrypted data the user thinks they’re sending to the web application is actually sent to the hacker. The hacker then decrypts it, reads it and/or modifies it, re-encrypts it and then sends it on to the end server.”

According to Robson, hackers can only mount MITM attacks if users ignore genuine security certificate alert windows, or if web browsers accept fake security certificates that hackers have crafted to pass the checks of the Windows Crypto API.

“Many of us are guilty of ignoring the security alert window that often pops up when a banking page or application we’re trying to access is not what it should be,” he said.

“Once we’ve continued on with our transaction, believing we’re on an authentic web application or site, the damage has already been done because the hacker is already in place, having hacked into the web application.”

Robson said that hackers had cleverly overcome the security certificate default in some browsers with the first known attack reported in December last year. “It’s now possible to force a web browser to browse a compromised SSL-protected site without the error message even popping up as a safeguard,” he said.

“The second weak point is that Windows Crypto API can be tricked into accepting fake security certificates using a Null Prefix form of attack and this mainly applies to Internet Explorer, Google Chrome and the Windows version of Safari.”

Robson said that, to their credit, the major browser makers had issued a patch for sites not generating the security alert error message, but the danger is that most users do not install patches, and a patch for the second weak point had yet to be released.
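The null-prefix weakness Robson refers to comes down to how a certificate's subject name is compared with the hostname the user typed. The following is an added C example, not code from e-Sentinel, Microsoft or any browser: the certificate subject, the hostnames and the two comparison functions are constructed here for illustration. A certificate's Common Name is carried with an explicit length, so it may legitimately contain any byte, including NUL; a check that hands that buffer to strcmp stops at the first NUL and sees only the prefix, while a length-aware check does not.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed test data, not taken from any real certificate: the subject
 * CN an attacker would request for a host under a domain they control,
 * "www.bank.example\0.attacker.example". The CA that owns the suffix may
 * issue it; a client that treats the CN as a C string sees only the prefix.
 */
static const unsigned char NULL_PREFIX_CN[] = "www.bank.example\0.attacker.example";
#define NULL_PREFIX_CN_LEN (sizeof(NULL_PREFIX_CN) - 1)   /* drop the literal's own terminator */

static const unsigned char LEGIT_CN[] = "www.bank.example";
#define LEGIT_CN_LEN (sizeof(LEGIT_CN) - 1)

/*
 * Vulnerable comparison (illustrative, not any vendor's actual code):
 * ignores the length the certificate carries and stops at the first NUL.
 */
bool cn_matches_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                              /* encoded length is discarded */
    return strcmp((const char *)cn, host) == 0;
}

/*
 * Hardened comparison: honour the encoded length and reject an embedded
 * NUL outright, since no hostname can legitimately contain one.
 * Simplified on purpose: real matching also lower-cases both sides and
 * handles wildcards and subjectAltName entries.
 */
bool cn_matches_hardened(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                          /* embedded NUL: reject */
    size_t host_len = strlen(host);
    if (cn_len != host_len)
        return false;                          /* prefix match is not a match */
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.bank.example";

    printf("null-prefix CN, vulnerable check: %s\n",
           cn_matches_vulnerable(NULL_PREFIX_CN, NULL_PREFIX_CN_LEN, host) ? "ACCEPTED" : "rejected");
    printf("null-prefix CN, hardened check:   %s\n",
           cn_matches_hardened(NULL_PREFIX_CN, NULL_PREFIX_CN_LEN, host) ? "ACCEPTED" : "rejected");
    printf("legitimate CN, hardened check:    %s\n",
           cn_matches_hardened(LEGIT_CN, LEGIT_CN_LEN, host) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The vulnerable check accepts the attacker's certificate for www.bank.example without any browser warning, which is exactly the silent interception described above; the hardened check rejects it and still accepts the genuine certificate.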

This type of vulnerability is not limited to PCs: BlackBerry devices have been shown to be vulnerable as well, with an exploitable flaw discovered only a few weeks ago.

He warned businesses that an over-reliance on SSL would not protect them against attacks launched from malicious hotspots.

“Of the hundreds of web-based apps we’ve tested, most rely solely on the protection provided by SSL encryption,” he said.

“Without other layers of security built in at the time they’re developed, MITM attacks will create significant issues for Australian companies’ information security in terms of hijacked sessions, variables protection, cross site scripting and SQL injection.”

If you have any queries or concerns about the security of your current web site or web applications or about application development, please contact us at e-Sentinel.

e-Sentinel is one of Australia’s most trusted, independent providers of information assurance and computer system validation solutions working with clients in passenger air transport, medical, pharmaceutical, manufacturing, critical infrastructure, finance, banking and gaming.

Bill Robson is e-Sentinel’s lead Penetration Tester and over the past decade has assessed the security of some of the largest corporations in the UK and Australia. His passion for information security keeps him on the leading edge of security research and trends in the connected world.

Tel 1300 368 803
Fax +61 (0)7 3319 6023
Level 20, 300 Queen Street, Brisbane QLD 4000 Australia