ABSTRACT
Carrying over 75% of last-mile mobile Internet traffic, WiFi has inevitably become an enticing target for a variety of security threats. In this work, we characterize a wide range of real-world WiFi threats at an unprecedented scale, covering 19 million WiFi access points (APs), mostly located in China, by deploying a crowdsourced security checking system on 14 million mobile devices in the wild. Leveraging the collected data, we reveal the landscape of nationwide WiFi threats for the first time. We find that the prevalence, riskiness, and breakdown of WiFi threats deviate significantly from common understanding and from prior studies. In particular, we detect attacks at around 4% of all WiFi APs, find that most WiFi attacks are driven by an underground economy, and provide strong evidence that web analytics platforms are the bottleneck of its monetization chain. Further, we provide guidance for defending against WiFi attacks at scale; some of our efforts have already had real-world impact, effectively disrupting the WiFi attack ecosystem.
Title: A Nationwide Census on WiFi Security Threats: Prevalence, Riskiness, and the Economics