SkyJacker: Theft from Above (Imagine RIT 2014)

Post on 19-Jan-2016


SkyJacker: Theft from Above

Imagine RIT 2014

• Service Set Identifier (SSID)
  o human readable “network name”

• Devices store past SSID connections

Wireless Basics

• Steps for connection
  o Probing
  o Authentication
  o Association

• Probing
  o active
  o passive

Wireless Basics

Wireless Basics (Probing)

• Active Directed Probe
  o client sends a probe request naming a specific SSID

AP with that SSID replies with probe response

Wireless Basics (Probing)

• Active Broadcast Probe
  o client sends a null SSID

all APs send probe response

More About Probe Requests

• Sent by devices seeking connection

• Devices will automatically connect to previously associated access points

• Requests are NOT secret
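To check what a device you own discloses, the sketch below parses probe request frames and lists the network names sent in the clear, separating directed probes from broadcast (null SSID) probes. It is an added example, not code from the slides or from SkyJacker; it assumes raw 802.11 management frames with no radiotap header, and all function names, the MAC address and the SSIDs are constructed for illustration.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24        # frame control, duration, 3 addresses, sequence control
SUBTYPE_PROBE_REQ = 4    # management frame (type 0), subtype 4
ELEM_SSID = 0            # tagged parameter ID of the SSID element

def parse_probe_request(frame: bytes):
    """Return (source_mac, kind, ssid) for a probe request, otherwise None."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQ:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = sender
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):                        # walk ID/length/value elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            return None                                 # truncated element
        if elem_id == ELEM_SSID:
            if elem_len == 0:                           # null SSID = broadcast probe
                return src, "broadcast", ""
            return src, "directed", value.decode("utf-8", errors="replace")
        pos += 2 + elem_len
    return None

def disclosed_ssids(frames):
    """Map each sender MAC to the network names it revealed in directed probes."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1] == "directed":
            seen[parsed[0]].add(parsed[2])
    return {mac: sorted(names) for mac, names in seen.items()}

def build_frame(fc0: int, src: bytes, ssid: bytes) -> bytes:
    """Construct a sample management frame (header + SSID + supported rates)."""
    header = bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return header + bytes([ELEM_SSID, len(ssid)]) + ssid + b"\x01\x04\x02\x04\x0b\x16"

# Constructed sample data: a locally administered MAC and made-up network names.
CLIENT = bytes.fromhex("020000000001")
SAMPLES = [
    build_frame(0x40, CLIENT, b"ExampleHomeNet"),   # directed probe request
    build_frame(0x40, CLIENT, b"ExampleCafeWiFi"),  # directed probe request
    build_frame(0x40, CLIENT, b""),                 # broadcast probe (null SSID)
    build_frame(0x50, CLIENT, b"ExampleHomeNet"),   # probe response, ignored
]
```

Names that show up in the `disclosed_ssids` result for your own device are candidates for removal from its saved-network list.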

Mobile Devices Probe Requests

• iPad
  o probes for last three associated APs

• iPhone
  o probe based on movement

• Android
  o probe based on movement

Why Should I Care?

• Unique SSID given in probe request
  o use www.wigle.net to determine physical location

• Rogue Access Point with same SSID
  o device will automatically connect
  o redirection of traffic/traffic injection

Enter SkyJacker

• Capture and display probe requests

• Imitate access point
  o create rogue AP
  o redirection of traffic