Tuesday, February 5, 2013

What's ARP, Doc?

With more and more devices connecting to the internet nowadays, it's difficult to walk into any electronics store and NOT see a wide array of WiFi enabled devices. We got our usual suspects: phones, tablets, TVs, laptops and netbooks; followed by not so usual: WiFi refrigerators, thermostats and air conditioners. All this technology is great...until people start to take advantage of it.

Information theft was always a concern, way before the wireless days. Back then, a digital thief or a "hacker" would most likely physically gain access to a PC (or a Mainframe) and take whatever they needed. War dialing and social engineering techniques ruled. Large, wealthy corporations, those who could afford an internet connection, usually fell prey to the early hackers.

Today, things are different. A trip to a neighborhood Starbucks reveals dozens of people on their laptops, phones or tablets all happily mooching off of Starbucks' free WiFi. Millions of packets flying across the air, all full of sensitive personal information that I bet none of the people there would be willing to share with strangers. Every day, millions of people happily connect to "free" hotspots and log on to their Facebook, Google, Twitter and Amazon accounts, all while potentially exposing their personal information to a guy/gal sitting at the next table.

ARP (Address Resolution Protocol) spoofing/poisoning is probably the easiest way to spy on unsecured networks/clients. An attacker could potentially hijack browser sessions (cookies), steal passwords, redirect HTTP requests or disconnect the target from the internet altogether. While this may have a minimal impact for WiFi air conditioners, it's a big deal for an unsuspecting user sitting at their local Starbucks.

ARP is what switches (or home routers) and clients use to learn about other machines on their network. Think of ARP as a messenger delivering a note to a room full of people. Not knowing what the recipient looks like, the messenger shouts out "Who is John?" Once John replies, the messenger hands him the letter. When a computer is first introduced to a network, it sends out an ARP request asking "Hey, who is the router here?" The router then responds and communication begins. With ARP spoofing, a computer, a phone or a tablet can "pretend" to be the router, thus receiving all of the communication between it and the target.

While some commercial software firewalls monitor ARP tables, none can stop ARP spoofing/poisoning altogether. There are some ways, however, to mitigate this problem:

1. Use a VPN when connected to an unknown hotspot. VPNBook is a good, free VPN provider which can be rather fast when used with the OpenVPN client.

2. Use WifiProtector on Android devices. This is a great app because it constantly monitors the device's ARP tables and instantly alerts you if someone is trying to "be the router." Rooted devices can enable "Immunity" mode, where the device will be completely immune to further attacks without issuing any alerts. As of this writing, I did not find a comparable app for an iDevice (of course, this does not mean such an app does not exist).

3. Use static ARP tables. Let me explain. Since our mobile devices are meant to be, well, mobile, most of the entries in their ARP tables will be dynamic. Since our home router's MAC address will be different from the MAC address of the Starbucks' router, dynamic entries are necessary for proper connectivity. Even though the gateway (router) IP may be the same in both cases (ex., the MAC addresses will be completely different. A free Windows program called ARPFreezeNG binds the current router's MAC address to its IP address and makes the entry static, thus preventing any further ARP spoofing attacks. Sure, this process needs to be repeated with any new WiFi connection, but it's a small price to pay for privacy and peace of mind.
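The ARP-table monitoring described in item 2 can be sketched in a few lines. This is an added example, not part of the original post and not WifiProtector's code. It assumes the Linux `/proc/net/arp` layout; the snapshots, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

ATF_COM, ATF_PERM = 0x02, 0x04  # Linux ARP flags: resolved entry, static entry

# Constructed sample snapshots (not captured from a real network).
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
BEFORE = HEADER + (
    "192.168.1.1      0x1         0x2         02:00:00:aa:00:01     *        wlan0\n"
    "192.168.1.23     0x1         0x2         02:00:00:aa:00:17     *        wlan0\n"
    "192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0\n")
AFTER = HEADER + (
    "192.168.1.1      0x1         0x2         02:00:00:aa:00:17     *        wlan0\n"
    "192.168.1.23     0x1         0x2         02:00:00:aa:00:17     *        wlan0\n")

def parse_arp_table(text):
    """Parse /proc/net/arp text into {ip: (mac, is_static)}; skip unresolved rows."""
    table = {}
    for line in text.strip().splitlines()[1:]:   # line 0 is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM:                      # ignore incomplete entries
            # A static binding (mitigation 3) shows up with ATF_PERM set.
            table[ip] = (mac, bool(flags & ATF_PERM))
    return table

def check_gateway(baseline, current, gateway_ip):
    """Compare two parsed snapshots; return alert strings about the gateway."""
    alerts = []
    if gateway_ip not in current:
        return alerts
    mac = current[gateway_ip][0]
    old = baseline.get(gateway_ip)
    if old and old[0] != mac:                    # the "router" changed identity
        alerts.append(f"gateway {gateway_ip} changed MAC {old[0]} -> {mac}")
    owners = defaultdict(list)
    for ip, (m, _) in current.items():
        owners[m].append(ip)
    others = sorted(ip for ip in owners[mac] if ip != gateway_ip)
    if others:                                   # another host shares the gateway's MAC
        alerts.append(f"gateway MAC {mac} is also claimed by {', '.join(others)}")
    return alerts

if __name__ == "__main__":
    for alert in check_gateway(parse_arp_table(BEFORE), parse_arp_table(AFTER), "192.168.1.1"):
        print("ALERT:", alert)
```

A changed gateway MAC can also be legitimate, for example after the router is replaced, so treat an alert as a prompt to verify rather than proof.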
