Never do your banking at Starbucks: a layman's guide to ARP poisoning
Published: Tuesday, October 22, 2013
Updated: Tuesday, December 17, 2013 16:12
Identity theft. Bank scams. Botnets.
Now that I’ve got your attention, let’s talk cyber security. October is, after all, Cyber Security Awareness Month.
These days it seems no matter where you go, there’s someone else trying to steal your data. Worse, with the way data is shared across and between networks, stealing personal information has gotten easier. Computers have become so integrated into daily life that we barely think about them anymore. The future we dreamed of in the 1980s is happening now, a hundred years ahead of schedule.
Don’t believe me? When I was the age of the average UNO student (I’m old, trust me), I’d just finished my technical Air Force training and was getting ready to leave for my first assignment in Japan. I had a “sponsor,” a fellow Air Force guy over there ready to meet me when the plane landed, welcome me to the base and generally get things started before I got there.
Back then we didn’t have Facebook, Skype, or e-mail. A five-minute overseas phone call from a civilian line could easily cost $100 or more. The Internet existed, but only as a data exchange between universities and government agencies. So how did we make contact?
We wrote letters. That’s right; good old fashioned pen-and-paper. Sometimes I used a typewriter (you can still see examples of these at the Durham Museum).
Hackers were around back then as well, but their activities were mostly small-time and limited to cracking code and writing viruses. That being said, the subject of this column, ARP poisoning, is an attack that’s been well known since the earliest days of the Internet. It’s become more prominent today due to two factors.
First, the ubiquity of computer networks makes it a very lucrative attack. As I said, computers are everywhere and we use them without thinking about the risks.
Second, the widespread use of wireless technology makes the attack very easy to pull off. Software has been developed that enables attackers to poison a network with little or no effort.
But enough banter. Let’s talk tech!
Before we launch into the discussion, it’s fair to warn you that this column is going to be fairly heavy on tech. But my objective is to educate, so I’ll try to keep it real, yo.
Also, my goal is to explain how it’s done, not tell you how to do it. If you’re looking for advice on how to PWN a network, you won’t find it here.
First, a little history. Way back in the early stone ages of computers (the late 1960’s, early ‘70’s) engineers working on network development had several problems to solve. How do we get data from one computer to another over a shared, but limited, resource? A signal sent on a wire can only move in one direction at a time. So if you have multiple computers, only one can send at a time and the others have to wait.
To solve the problem they came up with a set of protocols. These you may have heard of; they’re those acronyms tech guys talk about all the time - IP (Internet Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), HTTP (Hypertext Transfer Protocol), and others. Basically, they discovered that by breaking up the data and sending it in small chunks (packets or frames) they could get dozens, or now millions, of computers to all share the same network without losing (too much) information.
One of these protocols is ARP, or Address Resolution Protocol. This is the one your computer uses to find the hardware address of the machine it has to hand each packet to on the local network. You type in “www.facebook.com,” your computer works out the numerical address behind that name (computers think in numbers, remember), and since Facebook isn’t sitting in the coffee shop with you, the packets have to go to the router first. ARP is how your computer asks “which hardware address is the router at?” and remembers the answer in its ARP table.
The router keeps an ARP table of its own, and the router’s address and hardware ID are what get stored in your computer’s ARP table.
Here’s where the attack comes in.
ARP, you see, is inherently trusting. To make a connection, your computer’s network card (NIC) first sends out a request. “Hello, I’m a computer, where’s the router?” it asks.
The router responds “Hello, I’m a router, send your signals through me!”
The two hook up, shake hands, and away we go.
Remember I said ARP is trusting? Well… an attacker can tell her laptop’s NIC to send the same “I’m the router” reply, carrying her own hardware address, and your computer won’t know the difference. So instead of sending your data through “Bob’s Free WiFi” or whatever, you’re sending it first through Trudi’s Spoofing Laptop. And she’s probably recording everything you’re doing. Did you check your email? What about Facebook?
Your bank account?
Trudi’s got your passwords and user IDs. And you’ll probably never know it’s happened.
This is called ARP poisoning, and it’s one way to set up a Man-In-The-Middle attack. It’s hard to detect and harder to defend against.
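A small Python model, added here and not part of the column, of why the attack works and how a defender notices it: an ARP cache that believes every reply, the same cache with a static entry for the router, and an arpwatch-style check that flags an IP whose hardware address changes or one hardware address claiming several IPs. Every address is a constructed sample value, and "Trudi" and "Bob" are the column's own characters.

```python
"""Toy model of ARP trust and an arpwatch-style check (added example)."""
from collections import defaultdict

# Constructed sample addresses, not taken from any real network.
ROUTER_IP = "192.168.1.1"
ROUTER_MAC = "aa:aa:aa:aa:aa:01"
PATRON_IP = "192.168.1.20"
PATRON_MAC = "bb:bb:bb:bb:bb:20"
TRUDI_MAC = "cc:cc:cc:cc:cc:99"

# Each ARP reply seen on the wireless network says "IP <ip> is at <mac>".
SAMPLE_REPLIES = [
    (ROUTER_IP, ROUTER_MAC),   # genuine reply from Bob's router
    (PATRON_IP, PATRON_MAC),   # another patron's laptop answering
    (ROUTER_IP, TRUDI_MAC),    # Trudi's forged reply: "I'm the router"
    (PATRON_IP, TRUDI_MAC),    # ...and "I'm that laptop too", to catch both directions
]

def build_cache(replies, static=None):
    """Model of a host's ARP table.

    ARP replies carry no proof of who sent them, so a normal cache simply
    overwrites an entry with whatever reply arrived last.  A static entry
    (what `arp -s` configures on most systems) is never overwritten.
    """
    static = static or {}
    cache = dict(static)
    for ip, mac in replies:
        if ip not in static:
            cache[ip] = mac          # unsolicited replies believed as-is
    return cache

def detect_poisoning(replies):
    """Two classic signs an ARP monitor looks for.

    Returns (flips, multi): flips lists (ip, old_mac, new_mac) whenever an
    IP's hardware address changes; multi maps any MAC that claims more than
    one IP to the sorted list of IPs it claimed.
    """
    last_mac = {}
    ips_by_mac = defaultdict(set)
    flips = []
    for ip, mac in replies:
        if ip in last_mac and last_mac[ip] != mac:
            flips.append((ip, last_mac[ip], mac))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return flips, multi
```

Run `build_cache(SAMPLE_REPLIES)` to see the router entry end up pointing at Trudi's address, and `detect_poisoning(SAMPLE_REPLIES)` to see both the change and the one MAC claiming two IPs flagged.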
If that worries you, it means you’re paying attention. Does this mean everyone you see with a laptop in Starbucks is a hacker stealing your data? Hardly. Most people using open WiFi are just like you - users minding their own business, just trying to check their email and share cat videos. But you need to be aware the threat is out there. It’s up to you how to respond to it.