Disrupting WiFi Networks with Mobile Devices
At this point, everyone should be pretty familiar with the “rogue AP” concept: an attacker creates an innocent enough looking WiFi access point, hopes people connect to it, and then does nasty things when they do. It’s simple to set up, hard for the average user to detect, and increasingly common.
But putting up an access point is only half the battle. How do you get victims to actually connect to a rogue AP once it’s set up? An attacker can give it a tempting name, and if it’s the only open AP in an area with nothing but encrypted networks it may have a shot, but more often than not the client machines are going to connect to whatever their appropriate network is and ignore any other APs that may have popped up. So the question is, how could one nudge an unsuspecting user off of their own WiFi network and onto another one?
One way is to simply blast the rival networks off the air.
To be very clear, calling this technique jamming is inaccurate, but that hasn’t stopped a number of developers from using the term, so we’ll just play along for the sake of consistency. To properly jam WiFi (or any other form of radio communication), you basically blast out a lot of random noise on the frequencies that particular technology uses. It’s conceptually very simple, but also a very big infraction as far as our friends at the Federal Communications Commission are concerned; so it isn’t something you’ll be doing with any consumer-level WiFi hardware.
Since jamming on the hardware level is out of the question, a number of developers have found a way to clog up WiFi communications in software. This is much more akin to a denial of service attack, where tools are used to repeatedly spam deauthentication packets at WiFi access points and clients to force them to disconnect. With the appropriate software and a powerful WiFi adapter that supports packet injection, an attacker can put a stranglehold on legitimate communications.
There are a couple of ways it can be done, but for this example we will look at wifijammer by Dan McInerney.
This tool takes the form of a single Python script, wifijammer.py, that you can grab right from GitHub. Installing it on your device is as simple as opening the terminal and running:
git clone https://github.com/DanMcInerney/wifijammer.git
Once you’ve cloned the Git repository and entered the newly created directory, you should be able to run it right away. Unfortunately, when you try to run it you’ll probably get an error about not being able to find “./dvips”.
A little digging around shows this is actually a bug in the python-pyx package that’s been floating around since at least 2012. You can get around this by simply removing the python-pyx package with “apt”, but that will also remove wifitap, which you may not want to do.
In the end, as silly as it sounds, the easiest workaround for this bug is to simply create an empty directory named “dvips” so it finds what it’s expecting:
After creating the directory (or removing python-pyx), you just need to plug in your external WiFi adapter and you’re set.
Note: In testing, it has been found that unplugging the external WiFi adapter after running wifijammer has a tendency to lock up the device. It’s suggested that you shut down the device before disconnecting the external adapter to prevent data loss.
If run with no options, wifijammer will select the strongest WiFi interface on your device that supports packet injection (your external WiFi adapter) and put it into monitor mode. It will spend a few seconds on each WiFi channel collecting data, and then, once it has a list of clients and APs, it starts rapidly going through them and firing out deauthentications.
The top of the screen will show the devices that have been deauthenticated, while the bottom of the screen will continually scroll devices that wifijammer has detected.
With a powerful external WiFi adapter, a setup like this will destabilize the WiFi networks within a fairly large radius, say a few hundred feet.
But it’s a completely non-discriminatory attack: it will try to knock out every WiFi network it sees. It may, however, be advantageous to try and jam one specific access point, or perhaps even just one client device. In other cases the broad radius attack may fail, and a more direct approach is required. For those situations, wifijammer has a number of options to tailor the attack to the situation at hand.
The advanced parameters for wifijammer let you specify things like the target’s MAC address and channel, as well as some under the hood options like how many packets to send and how long to wait between deauthentications.
A good starting point for experimentation is something like the following:
wifijammer -c <CHANNEL> -a <TARGET MAC> -p 5 -d
Aside from the obvious channel and target variables, the -p option tells wifijammer to send 5 deauthentication packets at a time, and the -d option disables sending deauthentication packets to broadcast addresses (this speeds up the attack, and many devices ignore them anyway).
In practice, tools like wifijammer can be used to disable some or all of the WiFi networks in the target area, which can lead unsuspecting users to a rogue AP under an attacker’s control. It’s important to realize that attacks like this cannot literally force a target to switch networks (they would still need to select the rogue AP in their device’s network settings), but it may give them the impetus to check for additional networks where they otherwise wouldn’t have.
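From the defender’s side, the behaviour described above (bursts of deauthentication frames fired at client/AP pairs, with or without the broadcast frames that the -d option skips) has a very recognisable signature in a monitor-mode capture: a legitimate AP rarely sends more than a handful of deauthentications to one client per second, while a flood produces dozens. The following Python detector is an added example written for this page; it is not code from the original post or from the wifijammer project. It assumes frames have already been decoded into simple records (timestamp, subtype, source, destination); the MAC addresses and the capture itself are constructed for illustration.

```python
"""Sliding-window detector for 802.11 deauthentication floods.

Added example, not part of the original post or the wifijammer project.
Input is a list of decoded frame records sorted by timestamp; the sample
capture below is constructed, with made-up MAC addresses.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_SUBTYPES = {"deauth", "disassoc"}


def deauth_flood_alerts(frames, window=1.0, threshold=8):
    """Flag (src, dst) pairs that exceed `threshold` deauth/disassoc frames
    within any `window`-second span.

    Keying on the pair rather than the source matters: the flood spoofs the
    AP's own address, so a per-source count would blame the real AP, and the
    targeted-only mode (no broadcast frames) still shows up per pair.
    Returns one (src, dst, count, first_ts) tuple per offending pair, at the
    moment it first crosses the threshold.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for f in frames:
        if f["subtype"] not in DEAUTH_SUBTYPES:
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((f["src"], f["dst"], len(q), q[0]))
    return alerts


def sample_capture():
    """Constructed capture: one legitimate deauth plus a flood against one client."""
    ap = "02:00:00:aa:bb:cc"        # constructed AP BSSID
    victim = "02:00:00:11:22:33"    # constructed client under attack
    other = "02:00:00:44:55:66"     # constructed client that is merely kicked once
    frames = [
        {"ts": 0.00, "subtype": "beacon", "src": ap, "dst": BROADCAST},
        {"ts": 0.50, "subtype": "deauth", "src": ap, "dst": other},   # normal single deauth
    ]
    # Flood: bursts of 5 frames in each direction every 0.1 s for one second,
    # mirroring the "-p 5" burst size and the client/AP pairing discussed above.
    for burst in range(10):
        for i in range(5):
            ts = round(1.0 + burst * 0.1 + i * 0.001, 4)
            frames.append({"ts": ts, "subtype": "deauth", "src": ap, "dst": victim})
            frames.append({"ts": ts, "subtype": "deauth", "src": victim, "dst": ap})
    frames.sort(key=lambda f: f["ts"])   # stable sort keeps per-timestamp order
    return frames


if __name__ == "__main__":
    for src, dst, count, first_ts in deauth_flood_alerts(sample_capture()):
        print(f"deauth flood: {src} -> {dst}, {count} frames starting at t={first_ts:.3f}s")
```

On the constructed capture the detector reports both directions of the flooded pair and stays silent about the single legitimate deauthentication. The threshold is deliberately low; in a busy enterprise environment it should be tuned against a baseline capture, and the real fix is on the protocol side: Protected Management Frames (802.11w) authenticate deauthentication and disassociation frames, so clients that negotiate them ignore the spoofed ones entirely.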
When deployed from a mobile device like the Pwn Pad or Pwn Phone, WiFi jamming attacks can be especially effective, as the source of the transmission can be brought in extremely close to the targets (such as in a coffee shop, office, or other public place) without arousing suspicion.