Beware: Hackers are lurking in public places





Within a millisecond, a hijacker can use a wireless card to break even a VPN's secure channel and reroute traffic over a different channel.

The tools of a man-in-the-middle attack

What the hijacker needs: Readily available tools

Media access control address of wireless access point: NetStumbler or Kismet

Victim's MAC address: Kismet or Ethereal

Access point's current channel: NetStumbler or Kismet

Wireless LAN's service set identifier: NetStumbler, Kismet or essid_jack

Two client wireless cards: Typical cards found at most computer stores


While waiting to fly out to your agency's field office in Denver, you decide to tap the airport's wireless hot spot and do some work before your flight.

A window pops up on your notebook PC, welcoming you and stating the hourly fee for Internet access. You enter your credit card number and start surfing.

A few weeks later, you receive a credit card bill listing $5,000 worth of items you never purchased over the Internet. How did this happen?

The culprit might have been someone at the airport sitting 10 feet from you and working at a notebook or handheld PC. He hijacked your connection with the airport's wireless network and made you a victim of a classic man-in-the-middle attack.

The Internet has many, many Web sites with countless programs dedicated to helping such people. Equipped with a notebook running any version of Linux, a CD-ROM full of strangely named software and a couple of wireless PC Cards, even a novice can identify IEEE 802.11b WiFi signals and spoof media access control addresses.

Hacker favorites among wireless PC Cards include one from Cisco Systems Inc. of San Jose, Calif., that has the widest range and one from Proxim Corp. of Sunnyvale, Calif., that is the easiest for faking MAC addresses.

A free, downloadable program called essid_jack and similar tools can detect cloaked or broadcast service set identifiers (SSIDs) of wireless access points.

Once your airport neighbor sniffed out your MAC address and SSID and the airport access point's SSID, the hacker could jump in between you and the AP with a program such as Monkey_Jack.

From his middleman connection, the hacker could steal your data, launch a denial-of-service attack or simply run up purchases on your credit card.

Not encrypted

Everything passing through his notebook would be unencrypted and vulnerable because your system thinks it is communicating securely with the access point, which also thinks it's communicating with you.

Linux-based personal digital assistants, such as Sharp Electronics Corp.'s tiny Zaurus, can now carry out wireless attacks. A hijacker who suspects he might be fingered can simply pocket his device and walk away.

The hacker has plenty of ammunition at his disposal. Free programs such as Wellenreiter can detect SSIDs, MAC addresses and even packet counts. Wellenreiter runs in the open-source Open Palmtop Integrated Environment on a Zaurus or Hewlett-Packard iPaq.

Installing Wellenreiter is complex for a novice, but the interface is simple. That's also the case with other hacker tools such as Kismet and NetStumbler.

You're vulnerable not only in public hot spots such as airports but also through your office's wireless LAN.

But no matter how scary this hacker scenario sounds, remember that for every tool designed to invade wireless connections, there are several steps you can take to protect your data and your wireless connections.
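One such step on the monitoring side, as an added example that is not part of the original article: the hijack described above re-advertises the access point's MAC address and SSID on a different channel, so a sensor can flag any access point seen on two channels at nearly the same time. The log format, sample lines and function names below are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample observations (not real captures): time_s, AP MAC, SSID, channel
SAMPLE_BEACONS = """\
0.0,00:11:22:33:44:55,AirportWiFi,6
0.1,00:11:22:33:44:55,AirportWiFi,6
0.2,66:77:88:99:AA:BB,CoffeeShop,11
5.0,00-11-22-33-44-55,AirportWiFi,1
5.1,00:11:22:33:44:55,AirportWiFi,6
5.2,00:11:22:33:44:55,AirportWiFi,1
900.0,66:77:88:99:aa:bb,CoffeeShop,3
"""

def normalize_mac(mac):
    """Lower-case, colon-separated form so differently written copies compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_beacons(text):
    """Yield (time, mac, ssid, channel) tuples from the comma-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, mac, ssid, chan = (f.strip() for f in line.split(","))
        yield float(t), normalize_mac(mac), ssid, int(chan)

def find_channel_conflicts(beacons, window_s=10.0):
    """Return {(mac, ssid): [channels]} for APs seen on >1 channel within window_s.

    A real access point may change channel now and then, so only sightings on
    different channels that fall close together in time are flagged.
    """
    seen = defaultdict(list)
    for t, mac, ssid, chan in sorted(beacons):
        seen[(mac, ssid)].append((t, chan))
    conflicts = {}
    for key, sightings in seen.items():
        for i, (t1, c1) in enumerate(sightings):
            for t2, c2 in sightings[i + 1:]:
                if t2 - t1 > window_s:
                    break  # sightings are time-ordered; later ones are further away
                if c1 != c2:
                    conflicts.setdefault(key, set()).update((c1, c2))
    return {k: sorted(v) for k, v in conflicts.items()}

if __name__ == "__main__":
    for (mac, ssid), chans in find_channel_conflicts(parse_beacons(SAMPLE_BEACONS)).items():
        print(f"ALERT {ssid} ({mac}) advertised on channels {chans}")
```

The 10-second window is an arbitrary starting point; widen it only if the sensor hops channels slowly enough to miss interleaved sightings.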
