Exploiting Public WIFI Networks via MAC Spoofing

K7roomi
Published in InfoSec Write-ups
5 min read · Feb 28, 2024


image by https://www.cpomagazine.com/

One of the most overlooked aspects of security is public open WIFI networks, and there’s a reason for that. First, they’re easy to deploy, and most importantly, you don’t need to be a computer genius to operate one.

In this research article, we’ll take a deep dive into why WIFI networks that authorize a user’s internet connection by MAC address are inherently vulnerable, and I’d also like to share a Proof-of-Concept I made a few months back.

How Does it Work?

Let’s start with how MAC addresses and MAC address authorization work on a network, to get basic knowledge of how it operates.

To put it simply, MAC (Media Access Control) addresses are the link-layer hardware identifiers that the router or access point uses to tell devices on the network apart.

MAC authentication, on the other hand, uses the aforementioned MAC address to grant the device access to a network, or in this case, an internet connection. The most basic way of granting someone access is the router’s MAC control list, where you can allow or deny a MAC address. More advanced setups may use a RADIUS server for authentication, but the identity being checked is still the MAC address the client presents.

How Does This Apply on Public Networks?

Fig. 1: Basic MAC authentication

Public WIFI networks typically use a captive portal to do the authentication. Since it’s an open network and no password is required to connect, the captive portal is the alternative: the network only grants an internet connection once a certain action is completed (e.g. buying a product and receiving an authentication code at the counter), and it remembers that grant by the client’s MAC address.

What’s the Vulnerability?

Since authorization relies solely on MAC addresses, it can be easily spoofed by an attacker with the right information, namely a MAC address that is already authorized on the connected network. There are various ways an attacker can achieve this. In my research process, I used nmap and bettercap to gather active MAC addresses, and a tool called macchanger to change my MAC address.

Therefore using a packet sniffing tool it is quite easy to extract valid MAC addresses “off the wire”. Once you have the MAC address, as you already know, spoofing the MAC address is even easier.

(User answer from https://superuser.com/questions/19383/why-is-mac-based-authentication-insecure)

Spencer Taylor also stated

it can make them vulnerable to spoofing attacks, where an attacker impersonates a legitimate device by changing their MAC address to match one on the allowed list

(reference: https://www.linkedin.com/advice/0/what-challenges-risks-using-mac-address-authentication-wifi)

The Exploit

As stated earlier, spoofing is key to successfully executing this type of attack. An attacker can attempt to execute this attack manually, but for simplicity I’ve made a tool to automate the process of gathering, testing, and verifying the connection. The automation process is shown in the diagram below:

Fig. 2: Script Process

Note that the script does NOT work if none of the other connected devices are whitelisted on the MAC filter: it needs at least one already-authorized MAC address on the network, and merely having other devices connected is not enough.

link for the script: https://github.com/keru6k/openpwn/

I would also like to add that using the script for malicious purposes is punishable by law. Wherever you are, there are cybercrime laws that you need to abide by and should NOT violate.

Full Demo:

For the attack, I used the script provided to automate the process. However, to save time, since the network was so large that scanning takes a big chunk of my time, I used manual mode with a MAC address I already knew: that of my iPhone XS.

Before changing the MAC address, almost every website redirected back to the captive portal. Why “almost”? Because I could still visit websites like Facebook and YouTube, which was quite peculiar in this case.

Target MAC: 6e:e6:09:ff:5a:4d (do note that this MAC address was already authenticated by the network)

After changing the MAC, I tried to visit websites that were previously leading me back to the captive portal. In this case, I visited TryHackMe (https://tryhackme.com/) as a Proof of Concept.

It works!

Overall, wireless attacks like MAC spoofing can cause significant problems, especially for business owners. Here in the Philippines, some businesses employ a vendo machine that gives out a code after a coin is inserted, and that code in turn authorizes the person’s device for a WIFI connection. (more info about it here)

This is problematic because attackers, even those with little technical knowledge of how wireless networks function, can easily carry out these types of attacks and potentially cause financial damage to the business owner/s.

As of right now, there is no definitive way to prevent these types of attacks: MAC addresses are transmitted in the clear in every frame, so anyone in range can read them. One of the few things a business owner can do is monitor the network with the help of an Intrusion Detection System (IDS), though solutions like these are costly and take manpower to operate.
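What such monitoring can look for is the condition the article describes: one authorized MAC address being used by two stations at once. The detector below is an added example, not code from the article or from the openpwn project, and it does not rely on any particular IDS. It reads a constructed access-point/DHCP event log (the `<timestamp> <source> <event> key=value` format, the `ap1`/`ap2`/`dhcp` source names and the sample lines are all assumptions for this example; map your own controller and DHCP exports onto the same fields) and raises alerts when a MAC address associates on a second access point without having left the first, or when the DHCP hostname reported for a MAC address changes between leases.

```python
"""Flag signs of MAC-address reuse in AP association and DHCP lease logs.

Added example, not from the original article or the openpwn project. The log
format, source names and sample lines are constructed for this example.
"""
import re
from datetime import datetime

# Constructed log format: "<ISO timestamp> <source> <event> key=value ...".
# Sources are access points (ap1, ap2) or the DHCP server (dhcp); events are
# assoc / disassoc (from an AP) and lease (from DHCP).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<event>assoc|disassoc|lease)\s*(?P<kv>.*)$"
)

# Constructed sample: the article's target MAC joins on ap1 and leases as an
# iPhone; later a second station with the same MAC joins on ap2 and reports a
# different hostname while the first station is still associated.
SAMPLE_LOG = """\
2024-02-28T10:01:02 ap1 assoc mac=6e:e6:09:ff:5a:4d
2024-02-28T10:01:05 dhcp lease mac=6e:e6:09:ff:5a:4d ip=10.0.0.23 hostname=iPhone
2024-02-28T10:02:00 ap1 assoc mac=3c:22:fb:10:20:30
2024-02-28T10:02:03 dhcp lease mac=3c:22:fb:10:20:30 ip=10.0.0.24 hostname=laptop-01
2024-02-28T10:20:10 ap2 assoc mac=6e:e6:09:ff:5a:4d
2024-02-28T10:20:12 dhcp lease mac=6e:e6:09:ff:5a:4d ip=10.0.0.23 hostname=nb-4412
2024-02-28T10:45:00 ap1 disassoc mac=3c:22:fb:10:20:30
"""


def parse_line(line):
    """Return (timestamp, source, event, fields) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("event"), fields


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set, i.e. the address was
    not assigned by a hardware vendor. A weak signal on its own, because
    modern phones use randomized (locally administered) addresses as well."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def detect_mac_reuse(log_text):
    """Scan the log once and return a list of (severity, mac, description)."""
    alerts = []
    active = {}    # mac -> AP of the current, not yet ended, association
    identity = {}  # mac -> last DHCP hostname seen for that address
    seen = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, event, f = parsed
        mac = f.get("mac", "").lower()
        if not mac:
            continue
        if mac not in seen:
            seen.add(mac)
            if is_locally_administered(mac):
                alerts.append(("low", mac, "locally administered address (not vendor-assigned)"))
        if event == "assoc":
            prev = active.get(mac)
            if prev is not None and prev != src:
                # No disassoc was logged for the first station, yet the same
                # MAC appears on another AP: two stations may share the address.
                alerts.append(("high", mac,
                               f"{ts.isoformat()} associated on {src} while still associated on {prev}"))
            active[mac] = src
        elif event == "disassoc":
            active.pop(mac, None)
        elif event == "lease":
            host = f.get("hostname")
            prev_host = identity.get(mac)
            if host and prev_host and host != prev_host:
                # The same MAC now identifies itself differently to DHCP.
                alerts.append(("high", mac,
                               f"{ts.isoformat()} DHCP hostname changed from {prev_host!r} to {host!r}"))
            if host:
                identity[mac] = host
    return alerts


if __name__ == "__main__":
    for severity, mac, description in detect_mac_reuse(SAMPLE_LOG):
        print(f"[{severity}] {mac}: {description}")
```

On the constructed sample this yields one low alert (the article's own target MAC has the locally administered bit set, as iOS private WiFi addresses do, which is why that check is only low severity) and two high alerts for the second station. Both high-severity signals are visible to the network operator without decrypting anything, and they are exactly what an IDS rule or a scheduled script over the controller logs would key on; the operator still has to decide what to do with a hit, since the legitimate user is usually still connected.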

References

Ash. (2009, August). Why is MAC-based authentication insecure? Super User. Retrieved 2024, from https://superuser.com/questions/19383/why-is-mac-based-authentication-insecure

Taylor, S. (2023, December 22). What are the challenges and risks of using MAC address authentication for WIFI in public places? In MAC Address Authentication for WiFi: Challenges and Risks. LinkedIn. https://www.linkedin.com/advice/0/what-challenges-risks-using-mac-address-authentication-wifi
