Hotspotter Attack

WiFi Manager raises this alarm when it detects the Hotspotter tool.

What is Hotspotter ?

Hotspotter is a open source tool to lure the clients using Hotspot SSID to associate to it by acting as an Access point.  Hackers can carry out different kind of attacks on the WLAN using this tool.

How does this attack work ?

This is how the tool works -

• Hotspotter can work with most of the wireless cards that can be configured using iwconfig, particularly with cards based on prism2 chipset or Atheros chipset.
• Hotspotter puts the wireless card into RFMON mode. 
• Hotspotter tool maintains a list of SSID which are commonly used in Hotspots or by Access points without encryption.
• It passively monitors for probe requests from the mobile clients.  These probe requests by the mobile clients includes the details of SSID/Wireless network they are looking for.
• Hotspotter compares the SSID in the probe request with its know list of SSID.
• If it finds a match, it immediately comes out of the monitoring mode and configures the wireless card to act as a soft AP (software Access point) and sends a probe response to the request from the client advertising that an Access point with such an SSID exists.
• The mobile client assuming the Hotspotter tool to be an Access point, associates itself with the tool, thus exposing itself and the whole network to attack.
• Hotspotter also gives the attacker options to execute scripts at various stages of the above explained attack.

What can be the impact of this attack ?

Since the Hotspotter tool gives the option to run scripts at various stages of the attack, there is no limit to what the hacker can do.

What should the WLAN Administrator do ?

• First and foremost Administrators should educate the WLAN users about this hotspotter tool, the attack and the impact that it can have on the network.
• Generally the users of the WLAN can be advised not to join any unsecured network.
  
• If users are using Windows XP then it is better to have a check on the wireless network configuration, particularly as to what is configured as part of "preferred networks"  as depending on the settings the OS, if it is not able to connect to a Access point will be sending the probe requests periodically to the SSIDs in the preferred list.