Denial of Convenience Attack to Smartphones Using a Fake Wi-Fi Access Point
Erich Dondyk, Cliff C. Zou
University of Central Florida
A smartphone can connect to the Internet through only one broadband channel at any particular time: the cellular channel (e.g. 3G) or the Wi-Fi channel.
Users are encouraged to use the Wi-Fi channel when available because:
1) It is usually faster
2) Does not consume the user’s data plan
3) Does not consume the cellular provider’s bandwidth
The following two characteristics of the Android and iPhone Wi-Fi protocol allow for exploitation:
1) The Wi-Fi protocol automatically connects (or asks the user to connect) to open Wi-Fi APs
2) The Wi-Fi protocol never checks whether a Wi-Fi access point has a functioning Internet connection
• Could stop Internet access if the AP does not work
• Users have to know how to disable Wi-Fi to get back 3G broadband access
Currently, more than one third of all adults in the United States own a smartphone.
Many of these users are not technologically savvy enough to diagnose this type of attack and/or take corrective actions.
Mounting a successful Denial-of-Convenience (DoC) attack can be achieved with a simple hardware device.
Attack 1: Simple Passive Wi-Fi Access Point
Set up a Wi-Fi AP without an Internet connection
Implementations:
Wireless router without an Internet connection
- OR -
Laptop/smartphone configured as a Wi-Fi AP
[Diagram: fake AP, Internet]
Fake AP implementation using a Linux netbook with an external ALFA network adapter costing less than $30
The adapter has higher power (30dBm) than normal APs (20dBm): it could bury a real AP that has the same SSID!
The result of Attack 1 on an Android phone: (a) the connection status of the fake AP and (b) the smartphone does not have a working Internet connection because of its Wi-Fi connection with the fake AP.
Defense 1: Static Identifier Validation
1) Sends a challenge to a validation server
2) Receives a response from the validation server
3) Compares a key in the validation response against a key stored in the device
[Diagram: valid AP, key, Internet, validation server]
The simple validation procedure can detect the fake AP used in Attack 1
If the AP is invalid, the Wi-Fi stack shows that the fake AP has been disabled by Wi-Fi Authenticator
Attack 2: Fake Validation Response
Redirect validation challenge to a fake validation server
1) Set up a fake Wi-Fi AP
2) Set up a local fake validation server (e.g., on the same laptop/smartphone)
3) Forward all probing packets to the local validation server
[Diagram: fake AP, fake validation server, Internet]
Defense 2: Dual Channel Validation
1) Before connecting to a Wi-Fi AP, send a randomly generated validation key to the validation server through the cellular 3G network
In the Wi-Fi channel:
2) Send a challenge to the validation server
3) Receive a response from validation server
4) Compare the random key in the validation response against the key stored in the device
[Diagram: valid AP, Wi-Fi channel, cellular channel, validation server, key]
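Added example (not from the original slides): a Python simulation of Defense 1 and Defense 2 evaluated against a valid AP, the Attack 1 AP and the Attack 2 AP. The class and function names, the dictionary response format and the STATIC_KEY value are assumptions made for illustration, as is the fake server being able to reproduce the static response.

```python
import hmac
import secrets

STATIC_KEY = "constructed-static-key"  # constructed sample value, not from the page

class ValidationServer:
    """Real server: stores the key each device registers over the cellular channel."""
    def __init__(self):
        self.session_keys = {}

    def register(self, device_id, key):   # reached over cellular (3G)
        self.session_keys[device_id] = key

    def respond(self, device_id):         # reached over Wi-Fi
        return {"static": STATIC_KEY, "session": self.session_keys.get(device_id)}

class FakeValidationServer:
    """Attack 2 stand-in: replays the static key but never saw the cellular key."""
    def respond(self, device_id):
        return {"static": STATIC_KEY, "session": None}

class AccessPoint:
    """Forwards the Wi-Fi challenge to `upstream`; None models an AP with no Internet."""
    def __init__(self, upstream):
        self.upstream = upstream

    def challenge(self, device_id):
        return self.upstream.respond(device_id) if self.upstream else None

def static_validation(ap, device_id):
    """Defense 1: compare the response key with the key stored on the device."""
    resp = ap.challenge(device_id)
    return resp is not None and hmac.compare_digest(resp["static"], STATIC_KEY)

def dual_channel_validation(ap, server, device_id):
    """Defense 2: send a fresh key over cellular, expect it back over Wi-Fi."""
    key = secrets.token_hex(16)
    server.register(device_id, key)       # step 1: cellular channel
    resp = ap.challenge(device_id)        # steps 2-3: Wi-Fi channel
    session = resp["session"] if resp else None
    return session is not None and hmac.compare_digest(session, key)  # step 4

def evaluate(ap, server, device_id="phone-1"):  # (Defense 1 result, Defense 2 result)
    return static_validation(ap, device_id), dual_channel_validation(ap, server, device_id)

if __name__ == "__main__":
    real = ValidationServer()
    for name, ap in [("valid", AccessPoint(real)), ("attack 1", AccessPoint(None)), ("attack 2", AccessPoint(FakeValidationServer()))]:
        print(name, evaluate(ap, real))
```

The Attack 2 AP passes the static check but fails the dual-channel check, because the fresh key only ever travelled over the cellular channel.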
Attack 3: Selective Internet Traffic Throttling
1) Allow probing packets to reach the validation server
2) Block or throttle all other data traffic
[Diagram: Internet, fake AP, validation server]
Defense 3: Network Performance Monitoring
1) After connecting to a Wi-Fi AP, measure the performance of the connection
2) If below a predetermined threshold, transition back automatically to the cellular network
[Diagram: Internet, network metrics analyzer, valid AP]
DoC attacks are a threat against the two most popular smartphone operating systems, Android and iOS.
There are several approaches to implementing DoC attacks.
Defenses can be implemented to counteract each type of DoC attack considered.