KARMA’s a … blast.

Dino Dai Zovi | January 18th, 2006 | Filed Under: New Findings

Ok, so I’ve just spammed DailyDave and BUGTRAQ (if you read these or have been to CanSec, I won’t be hurt if you skip reading this post) with one-year-later announcements of a project K2 and I worked on called KARMA. KARMA is a tool for assessing wireless client security (or for being a jerk in public places). KARMA has a small curses GUI that displays which networks nearby clients are probing for. KARMA has a driver patch for MadWifi that makes the card act as an AP responding as whatever network a nearby client probes for. KARMA has a framework of fake services that can capture plaintext credentials and launch client-side exploits (no exploits are included). KARMA demonstrates the risk of letting people connect laptops to corporate networks and random wireless hotspots while they are traveling.

The root of the problem is that Windows and Mac OS X keep lists of preferred wireless networks that they look for and probe for explicitly, in case those networks are hidden and not beaconing. Any network that you join is automatically added to the top of this list. So when you open your laptop in a public place, it probes for every insecure hotspot you’ve recently connected to. If someone is spoofing one of those networks, your laptop will automatically join it, obtain a DHCP lease, and so on. Software you have running may then try to check for updates, check mail, etc., opening up a large client-side attack surface. While Windows XP and OS X Tiger let you edit this list (in Mac OS X 10.3, it was a base64 blob in an XML preference file), most people don’t.

An empty preferred networks list is not even completely safe. With most 802.11b-only cards under XP, the card will also probe for randomly-generated SSIDs between rounds of scanning for preferred networks and will even associate to a network if it responds to the random probe (albeit it will only stay associated for about a minute before scanning again). Apple had a similar issue with the classic 802.11b AirPort cards, but this was fixed in the AirPort 4.2 update.
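The two behaviours described above (clients leaking their preferred-network list in directed probe requests, and a single AP answering every probe it hears) are both visible to a passive monitor, which is how a defender would spot a KARMA-style access point or audit what their own fleet is leaking. The following is an added example, not code from KARMA or from the original post; the frame tuples are a constructed, pre-decoded stand-in for what a monitor-mode capture would yield, and the heuristic (one BSSID advertising many distinct SSIDs) and the `threshold` parameter are my own assumptions.

```python
from collections import defaultdict

# Constructed sample of decoded 802.11 management frames:
# (frame_type, source_mac, bssid, ssid). MAC addresses and SSIDs are made up.
# Probe requests come from clients (bssid is the broadcast address);
# beacons and probe responses come from access points.
SAMPLE_FRAMES = [
    ("probe_req",  "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "CorpWifi"),
    ("probe_req",  "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "tmobile"),
    ("probe_req",  "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "linksys"),
    ("probe_req",  "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", ""),            # broadcast probe
    ("probe_req",  "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "a7Gx9Qp2Lz"),  # random-looking SSID
    ("beacon",     "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:01", "CoffeeShop"),
    ("probe_resp", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:01", "CoffeeShop"),
    # One BSSID answering every directed probe with a matching SSID: the KARMA pattern.
    ("probe_resp", "00:de:ad:be:ef:00", "00:de:ad:be:ef:00", "CorpWifi"),
    ("probe_resp", "00:de:ad:be:ef:00", "00:de:ad:be:ef:00", "tmobile"),
    ("probe_resp", "00:de:ad:be:ef:00", "00:de:ad:be:ef:00", "linksys"),
    ("probe_resp", "00:de:ad:be:ef:00", "00:de:ad:be:ef:00", "a7Gx9Qp2Lz"),
]


def client_probe_lists(frames):
    """Map each client MAC to the set of SSIDs it probed for by name.

    Directed probes reveal the client's preferred-network list; broadcast
    probes (empty SSID) carry no such information and are ignored.
    """
    probes = defaultdict(set)
    for ftype, src, _bssid, ssid in frames:
        if ftype == "probe_req" and ssid:
            probes[src].add(ssid)
    return dict(probes)


def ssids_per_bssid(frames):
    """Map each AP BSSID to the set of SSIDs it has advertised in beacons or probe responses."""
    advertised = defaultdict(set)
    for ftype, _src, bssid, ssid in frames:
        if ftype in ("beacon", "probe_resp") and ssid:
            advertised[bssid].add(ssid)
    return dict(advertised)


def find_karma_like_aps(frames, threshold=1):
    """Return {bssid: sorted SSIDs} for APs advertising more than `threshold` distinct SSIDs.

    Assumption: a legitimate multi-SSID deployment uses a distinct BSSID per
    SSID, so one BSSID answering with several different names is suspicious.
    """
    suspects = {}
    for bssid, ssids in ssids_per_bssid(frames).items():
        if len(ssids) > threshold:
            suspects[bssid] = sorted(ssids)
    return suspects


def clients_answered_by(frames, bssid):
    """Return client MACs whose directed probes the given BSSID answered by name."""
    answered = ssids_per_bssid(frames).get(bssid, set())
    return sorted(
        client for client, wanted in client_probe_lists(frames).items()
        if wanted & answered
    )


if __name__ == "__main__":
    for client, ssids in client_probe_lists(SAMPLE_FRAMES).items():
        print(f"client {client} leaks preferred networks: {sorted(ssids)}")
    for bssid, ssids in find_karma_like_aps(SAMPLE_FRAMES).items():
        print(f"suspect AP {bssid} answers as {ssids}; "
              f"clients at risk: {clients_answered_by(SAMPLE_FRAMES, bssid)}")
```

On a real capture the tuples would come from a monitor-mode decoder; the point of the heuristic is that a KARMA-style AP has to claim several unrelated names from one BSSID to catch every client, and that is exactly what a normal AP never does. The leaked probe list per client is the same information the curses GUI shows, which is why clearing stale entries from the preferred-network list shrinks what an attacker has to work with.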

Since the new Intel Macs have onboard Atheros chips, I can port the BSD atheros driver to IOKit and run KARMA on my mac with no extra equipment necessary. Another reason that Macs are great for security people :).

1 Comment so far

  • robert

    October 28th, 2006 10:01 am

    What’s this about a curses gui??? Karma is a great tool btw.
    I have karma-20060124 but would like to see some new stuff. There are a lot of neat things you can do with it like maybe actually setup nat for mitm …
    Just a thought. Anyway thanks for releasing a fun and cool tool.