Practical Exploitation Using A Malicious Service Set Identifier (SSID)

Presented at DerbyCon 3.0 All in the Family (2013), Sept. 27, 2013, 1 p.m. (50 minutes).

How easily we overlook a simple wireless SSID and think nothing of it or its potential risk to us. In this presentation I will be discussing the leveraging of SSIDs to inject various attacks into Wireless devices, and management consoles. The type of injection attacks discussed will include XSS, CSRF, command injection and format strings attacks. I will be discussing various malicious SSID restrictions, limitations, and potential attack success dependencies. Using live demonstrations I will show how each of these attack methods are carried out. In Conclusion I will be discussing how common this attack vector potentially is, and its overall risk factors.


Presenters:

  • Deral Heiland / percent_x as Deral Heiland
    Deral Heiland CISSP, serves as a Senior Security Engineer where he is responsible for security assessments, and consulting for corporations and government agencies. Deral is also founder of Ohio Information Security Forum a not for profit organization that focuses on information security training and education. Deral has also presented at numerous national and international security conferences including Blackhat, ShmooCon, Defcon, Securitybyte India, Hackcon Olso Norway and has also been a guest lecturer at the Airforce Institute of Technology (AFIT). Deral has been interviewed by and quoted by several media outlets and publications including Bloomberg UTV, MIT Technical Review, MSNBC and PCworld.

Links:

Similar Presentations: