LAS VEGAS—When I sat down on the first day of Black Hat 2016, a journalist attending the event for the first time asked what precautions I had taken. I told him I was using a burner phone, VPN service, and a borrowed laptop. He nodded, and told me he had done the same but that he thought all the paranoia was overblown.

That morning, I would have agreed with him and said it was better to be safe than pwned. But by the evening, the Pwnie Express team showed me that there were some very scary things going on in the Black Hat airspace.

The team detected a Karma attack, which entices devices to connect to a malicious Wi-Fi access point. The team also believes it found a malicious cell tower set up on premises. Black Hat certainly lives up to its reputation.

Bad Karma

Pwnie Express has been monitoring a Karma attack since early in the week. An attacker created a wireless access point that listens for requests from laptops, cell phones, or anything else. Victims' devices send out probes asking if known Wi-Fi networks are available. The devices are trying to quickly connect to networks that they've already seen before. The evil access point simply responds to each and every request with "yep, that's me!" and the victims' devices connect.

Since Pwnie first detected the evil access point, they've seen 35,000 unique devices unknowingly connect. As of Wednesday, the access point had impersonated 1,047 different Wi-Fi networks. That doesn't mean 35,000 people all thought their home networks had been mysteriously transported to Las Vegas. Devices often search for and connect to known networks without user consent, in order to ensure constant connectivity. It's very likely that the victims of this attack never knew they were connected.

The company is able to do this with its Pwn Pro sensor. The device is effectively a high-powered wireless sniffer, passively observing traffic moving through the air. The Pwnie sensors are microcomputers with antennas attached. They are capable of some nasty behavior themselves, but only for penetration testing purposes. These are the good guys, after all. To gather all the data about malicious wireless networks, the Pwnie devices don't have to use any attacks; they just listen to the information being broadcast publicly.

When it first appeared, the access point listed itself as a humble HP printer. With more and more smart printers that double as network devices, it's a benign cover for something far more devious. When the Pwnie team took a closer look at the access point, they discovered that it was using a TP-Link adapter, which is not used by HP.
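The two passive checks described above, as an added example that is not from the article or from Pwnie Express: flag a single BSSID that answers as many different networks, and flag a device whose claimed vendor does not match its radio's OUI vendor. The frames, MAC addresses, `CLAIMED` map, OUI table and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed probe responses seen by a passive sensor: (BSSID, SSID answered).
# Locally administered MACs and made-up SSIDs; not data from the article.
FRAMES = [
    ("02:11:22:00:00:01", "CoffeeShop"),
    ("02:11:22:00:00:01", "HomeNet"),
    ("02:11:22:00:00:01", "Airport_Free"),
    ("02:11:22:00:00:01", "Hotel-Guest"),
    ("02:33:44:00:00:02", "ConferenceWiFi"),
    ("02:33:44:00:00:02", "ConferenceWiFi"),
]
# Hypothetical: the vendor each device presents itself as (e.g. a printer name).
CLAIMED = {"02:11:22:00:00:01": "HP", "02:33:44:00:00:02": "ExampleNet"}
# Hypothetical OUI table; placeholder prefixes, not real IEEE assignments.
OUI_VENDOR = {"02:11:22": "TP-Link", "02:33:44": "ExampleNet"}


def karma_suspects(frames, max_ssids=2):
    """Return BSSIDs that answered as more distinct SSIDs than max_ssids."""
    seen = defaultdict(set)
    for bssid, ssid in frames:
        seen[bssid.lower()].add(ssid)
    return {b: sorted(s) for b, s in seen.items() if len(s) > max_ssids}


def vendor_mismatches(claimed, oui_vendor):
    """Return {bssid: (claimed, actual)} where the radio's OUI vendor differs."""
    out = {}
    for bssid, vendor in claimed.items():
        actual = oui_vendor.get(bssid.lower()[:8])
        if actual and actual.lower() != vendor.lower():
            out[bssid] = (vendor, actual)
    return out


if __name__ == "__main__":
    for bssid, ssids in karma_suspects(FRAMES).items():
        print(f"{bssid} answered as {len(ssids)} networks: {ssids}")
    for bssid, (claimed, actual) in vendor_mismatches(CLAIMED, OUI_VENDOR).items():
        print(f"{bssid} claims {claimed} but radio OUI maps to {actual}")
```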

If you follow security stories, you've probably heard about a man-in-the-middle attack. That's when an attacker manages to place himself between you and whatever you're trying to communicate with, usually the Internet. In the case of Wi-Fi networks, if someone has control of the access point, they can decrypt your traffic, monitor it, and then pass it along to its intended destination with you being none the wiser. When I asked the Pwnie Express researchers what kind of information the access point operator at Black Hat could be taking, I was told he or she could have whatever they wanted.

Not So Safe on Cellular

The Pwn Pro device that Pwnie Express has on premises can also monitor the cellular airspace. As of yesterday, they detected a suspicious cellular tower that could be operated by attackers. When I spoke with them, the sensor hadn't gathered enough data to make a definitive call on whether or not it was malicious. But when I asked how likely it was that this cell tower was legit, I received a cocked eyebrow and the words "at Black Hat?"

One of the most suspicious aspects of the detected cellular access point is that it's only broadcasting in the 2G range. Most modern phones operate at 3G and LTE, and only drop to 2G out of dire desperation. It's also suspicious because the encryption used to secure the 2G band has been broken for some time. When security professionals talk about attacking cellular devices, the attack almost always begins with creating a malicious 2G access point and then jamming the 3G and LTE bands in order to force nearby phones into connecting.

As of writing, there is no evidence of anyone jamming the spectrum. The Pwnie Express team suggested that the attacker may have just stood up the network to see what connects.

The Pwnie team is keeping an eye on the cellular access point. In particular, they're watching the standard deviation of its signal strength, measured over time. If it starts changing, that's an indication that the cellular access point is getting closer to or farther from the Pwnie sensor. Legitimate cell towers don't tend to move.
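A sketch of the two cellular signals discussed above, added here as an example and not taken from the article or from Pwnie Express: pick out cells seen only on 2G, then compare a rolling standard deviation of their signal strength against an initial baseline. The cell names, readings, window size and drift factor are constructed assumptions.

```python
from statistics import pstdev

# Constructed sensor readings in dBm, in time order; made up for illustration.
LOG = (
    [("cell-A", rat, r) for rat, r in zip(["LTE", "3G"] * 4, [-70, -71] * 4)]
    + [("cell-B", "2G", r) for r in (-80, -81, -80, -79, -74, -68, -61, -55)]
    + [("cell-C", "2G", r) for r in (-90, -91, -90, -89, -90, -91, -90, -90)]
)


def rolling_stdev(samples, window):
    """Population standard deviation over each full sliding window."""
    return [pstdev(samples[i:i + window])
            for i in range(len(samples) - window + 1)]


def two_g_only_cells(log, window=4, drift_factor=3.0, floor_db=1.0):
    """Map each 2G-only cell to True if its signal variability grew.

    The first window is the baseline (floored at floor_db so a very quiet
    start does not make ordinary noise look like movement). A later window
    whose deviation exceeds drift_factor times the baseline suggests the
    transmitter is moving relative to the sensor.
    """
    cells = {}
    for cell, rat, rssi in log:
        entry = cells.setdefault(cell, {"rats": set(), "rssi": []})
        entry["rats"].add(rat)
        entry["rssi"].append(rssi)

    findings = {}
    for cell, info in cells.items():
        if info["rats"] != {"2G"}:
            continue  # also seen on 3G/LTE: not the 2G-only pattern
        sd = rolling_stdev(info["rssi"], window)
        baseline = max(sd[0], floor_db) if sd else floor_db
        findings[cell] = any(s > drift_factor * baseline for s in sd[1:])
    return findings


if __name__ == "__main__":
    for cell, moving in two_g_only_cells(LOG).items():
        print(f"{cell}: 2G only, signal drift detected: {moving}")
```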

Stay Safe, My Friends

Here's the thing about getting attacked on the Web: You might not know it's happening, or that it has happened at all. The people who have connected to the evil access point at Black Hat could have lost valuable data or nothing at all. Several may have moved into range of the access point, had their devices automatically connect, and then moved out of range without sending a thing. The problem is, there's almost no way to tell.

That's why you want to take steps to safeguard your security, especially when traveling and especially when you're at or near a hacker convention. It's a good idea to reconfigure your phone to be less noisy, and not send out probes actively seeking Wi-Fi networks. And it's a very good idea to use a VPN service when connecting to Wi-Fi. When a VPN is active, all your data is encrypted before it leaves your device. Even if you're connected to an evil access point, the attacker will just see blobs of useless data.

Black Hat and DefCon are always a bit of a wild ride. Hackers and security researchers play around with these kinds of tools, but so do intelligence agents (and you know there are at least a few in Vegas this week) and actual, malicious actors. But this attack could have easily been staged at an airport or a Starbucks. You never know who might be snooping on you.
