“Covert Channel [Wikipedia]: a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.”
Today, as hacking techniques become more sophisticated and defenders respond with firewalls, sensors, interceptors and deep packet inspection (DPI), attackers have to be more creative in developing new methods to exfiltrate data from secured facilities.
Data exfiltration is the act of extracting and transferring information from computer systems without the authorization of their owners. In recent years, data exfiltration has increasingly relied on covert channel techniques: tunnelling over well-known protocols such as DNS and ICMP, video steganography, or side channels such as power consumption monitoring, glitch analysis and RF emissions.
All of these methods exfiltrate information or help to command and control devices remotely.
For an upcoming presentation at BSides Munich, I will be discussing another method that abuses a well-known protocol, 802.11 (Wi-Fi), by modifying its frame structure so that drivers and protocol handlers ignore or discard these malformed frames, thereby avoiding security detection or analysis of the communication.
To demonstrate these abilities, I developed a chat application (using Python Programming language in combination with Scapy packet handling library) that creates a kind of covert channel using 802.11 packets.
Using the chat is very simple: connect a monitor-mode Wi-Fi card that supports traffic injection, then enter your alias and a secret IRC room name. From this name alone, the Wi-Fi card is tuned to a specific channel, a destination MAC address is chosen, and an AES symmetric key is initialized for encrypting this virtual room.
Every user that knows this secret room name will be in the same room, being notified about the actual users in the IRC room. All the users will work also as Wi-Fi repeaters to increase the signal between nodes.
It’s also possible to send files or pictures to anyone. As many rooms as needed can be created, so you can build a small infrastructure inside a building. Internally, I am using malformed 802.11 packets that are usually silently discarded by standard Wi-Fi cards (which also improves security).
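As an added illustration (not the author's code, which this post does not publish), here is one way the step "room name determines channel, destination MAC and AES key" can be derived deterministically in Python; the hash scheme, the 2.4 GHz channel list, the salt and the iteration count are assumptions for the example:

```python
"""Derive per-room radio parameters and an AES key from a secret room name.

Assumed scheme (not the post's implementation): SHA-256 with domain
separation for channel and MAC selection, PBKDF2-HMAC-SHA256 for the key.
"""
import hashlib
from dataclasses import dataclass

CHANNELS_2G4 = list(range(1, 14))          # assumption: 2.4 GHz band, channels 1-13
PBKDF2_ITERATIONS = 200_000                # slows offline guessing of short room names
KDF_SALT = b"wifi-covert-chat-example-v1"  # constructed, fixed application salt


@dataclass(frozen=True)
class RoomParams:
    channel: int
    dst_mac: str
    aes_key: bytes


def _tagged_hash(tag: bytes, room: str) -> bytes:
    # Domain separation: one name yields independent digests per purpose.
    return hashlib.sha256(tag + b"\x00" + room.encode("utf-8")).digest()


def derive_channel(room: str) -> int:
    digest = _tagged_hash(b"channel", room)
    return CHANNELS_2G4[int.from_bytes(digest[:4], "big") % len(CHANNELS_2G4)]


def derive_dst_mac(room: str) -> str:
    raw = bytearray(_tagged_hash(b"dst-mac", room)[:6])
    # Clear the I/G bit (unicast) and set the U/L bit (locally administered)
    # so the address never collides with a vendor-assigned OUI.
    raw[0] = (raw[0] & 0xFE) | 0x02
    return ":".join(f"{b:02x}" for b in raw)


def derive_aes_key(room: str) -> bytes:
    # Room names are human-chosen and low entropy; a slow KDF raises the cost
    # of recovering the name (and hence the key) from captured frames.
    return hashlib.pbkdf2_hmac("sha256", room.encode("utf-8"), KDF_SALT,
                               PBKDF2_ITERATIONS, dklen=32)  # AES-256 key


def derive_room(room: str) -> RoomParams:
    return RoomParams(derive_channel(room), derive_dst_mac(room), derive_aes_key(room))


if __name__ == "__main__":
    p = derive_room("bsides-munich")  # constructed sample room name
    print(f"channel={p.channel} dst={p.dst_mac} key={p.aes_key.hex()}")
```

Every peer that knows the room name computes identical parameters, which is why no key exchange is needed; the same property means the room name is the only secret protecting the channel.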
For an in-depth look at how my chat application works, please join me at BSides Munich for my presentation entitled “Data exfiltration: Secret chat application using Wi-Fi covert channel.” It will take place at 14:50 local time on Monday, 3 April 2017.
About the Author: Yago F. Hansen specializes in the delivery of infrastructure and network management. During the last ten years, he has focused on wireless technologies, having successfully managed projects in the design, implementation and auditing of private and public Wi-Fi networks, covering hotspots, multi-point and point-to-point technologies, mesh and other 802.11-based technologies. Mr. Hansen is a recognized authority on IT security topics. He has successfully managed projects related to the design of Linux-based embedded IT security systems. Mr. Hansen is a frequent keynote speaker at IT security industry conferences and forums and has published extensively. He co-founded a public TV show about security and hacking in Spain, now in its fourth season. He is a well-known trainer on Wi-Fi security for government, defense and intelligence services in many countries.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.