John Bambenek had a great post over at the ISC a few days ago about the importance of patching and mitigating against “passive exploits” (i.e. Man in the Middle attacks, KARMA, Airpwn, etc). John certainly raises some very good points, and I agree with him whole heartedly. As security professionals, we need to remain vigilant in protecting and patching against these threats.
However I’d like to disagree with a few points. I’m not of the belief that passive attacks limit the attacker to a geographic location.
Take this theoretical example: I’m an evil hacker somewhere in Europe (apologies in advance to our European readers), and I happen to compromise some defenses at some coffee shop in the Midwest USA (apologies…). Now, through the compromised coffee shop network, I’m able to configure their servers and or firewall to do my bidding, such as MiTM attacks. I’m also able to discover that the wireless APs that the coffee shop is using, have some sort of open source component to them in which I can port some of those passive attack tools too – say KARMA or Airpwn.
What about compromising the clients attached to the coffee shop wireless network directly? Compromise those hosts, upload a Virtual Machine and set up KARMA and/or Airpwn on the VM running on a victim. Now when those victims leave the coffee shop and fire up their laptop elsewhere, their geographic location has changed, and is now compromising more hosts.
Now, those examples do pose some significant technical problems: Lack of appropriate drivers and code to make those attacks work on Access Points, small, hide-able VMs with appropriate PCMCIA support, etc. But, isn’t our job to think about the future? I can see a works when, in some shape or form, all of those technological hurdles will not exist.
Let’s start thinking about these type of threats NOW, instead of reacting to them later. In a world where everything has wireless, and everything is internet connected, doesn’t the example seem reasonable? Please share your thoughts.