If you have heard of FaceNiff or Firesheep, you already have an idea of how easy these apps make it to access the Facebook accounts of people on your Wi-Fi network. Now there is another app, DroidSheep, based on Firesheep, which gives access to the Facebook, Flickr, Google and other accounts of anyone logged in on your Wi-Fi network. This app can even bypass WPA security. Let me stop here and elaborate for people who did not follow what I said above.
We come across Wi-Fi networks in public places such as airports, cafes, restaurants and offices. If you have an Android tablet, you need to install DroidSheep from the Android Market, and you will find yourself accessing Facebook, Google, Flickr and YouTube accounts with just one click. Difficult to believe, but trust me, it's quite easy, thanks to open Wi-Fi networks. The purpose of this article is not to promote the use of such apps; rather, such apps should be used to find loopholes in a Wi-Fi network. We also want to create awareness of how unsafe these public Wi-Fi spots can be and how vulnerable these new devices are.
The question people must have is how one can access other people's accounts. The app works even on networks protected by the WPA and WPA2 encryption schemes by using a technique known as ARP spoofing to redirect local traffic through the attacker's device. An attacker would have to know the Wi-Fi security password, however.
In a WPA2 network, a malicious insider broadcasts fake packets (with the AP's MAC address as the transmitter's address), encrypted using the shared group key (GTK), directly to other authorized Wi-Fi clients in the network. One example of an exploit that can be launched using the GTK is the classic ARP poisoning (man-in-the-middle) attack (demonstrated at Black Hat Arsenal 2010 and DEF CON 18).
In the ARP poisoning exploit, the insider can include for instance an ARP Request message inside the GTK-encrypted packet. The ARP Request has the IP address of the actual gateway, but the MAC address of the attacker’s machine. All clients that receive this message will update their ARP table – mapping the attacker’s MAC address with the gateway’s IP address.
All "poisoned" Wi-Fi clients will send all their traffic, encrypted with their respective pairwise keys (PTKs), to the AP, but with the attacker's MAC address as the destination. The AP will decrypt the traffic and forward it to the attacker, now encrypting it using the attacker's PTK. Because all traffic reaching the attacker (from the AP) is encrypted with the attacker's PTK, the attacker can decrypt the traffic (including login credentials, emails and other sensitive data).
The attacker can then choose to forward the traffic to the actual gateway of the network, so that the victim Wi-Fi clients do not see any abnormal behavior and continue their communication.
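The poisoning described above leaves a visible trace on each client: the gateway's IP address suddenly maps to a different MAC address, usually one that already belongs to another host on the network. The following is an added example, not code from DroidSheep or from the original article, showing how a client can check for that symptom. It assumes the Linux `/proc/net/arp` text layout; the addresses are constructed sample data and the function names are hypothetical.

```python
"""Detect the ARP-table symptom of gateway poisoning from /proc/net/arp text."""

# Constructed sample data (documentation IP range, made-up MACs).
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:aa:aa:01     *        wlan0
192.0.2.23       0x1         0x2         02:00:00:bb:bb:17     *        wlan0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        wlan0
"""
POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:BB:BB:17     *        wlan0
192.0.2.23       0x1         0x2         02:00:00:bb:bb:17     *        wlan0
"""


def parse_arp_table(text):
    """Return {ip: mac} for complete entries (ATF_COM, flag bit 0x2)."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2:                         # ignore unresolved entries
            table[ip] = mac
    return table


def check_gateway(baseline, current, gateway_ip):
    """Compare a trusted baseline with the current table; return findings."""
    findings = []
    known, seen = baseline.get(gateway_ip), current.get(gateway_ip)
    if known is None or seen is None:
        return ["gateway %s missing from baseline or current table" % gateway_ip]
    if seen != known:
        findings.append("gateway %s moved from %s to %s" % (gateway_ip, known, seen))
    # A MAC answering for the gateway and for another host is the classic
    # sign that one station is claiming the gateway's IP address.
    sharers = sorted(ip for ip, mac in current.items()
                     if mac == seen and ip != gateway_ip)
    if sharers:
        findings.append("gateway MAC %s also claimed by %s" % (seen, ", ".join(sharers)))
    return findings


if __name__ == "__main__":
    base = parse_arp_table(BASELINE)
    for name, snap in (("baseline", BASELINE), ("poisoned", POISONED)):
        print(name, check_gateway(base, parse_arp_table(snap), "192.0.2.1"))
```

The baseline must be recorded on a network state you trust, and a router that legitimately answers for several IP addresses will also trigger the shared-MAC finding.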


