Pretty Fly For A Wi-Fi – Black Hat 2012

The setup this year is a throwback to prior shows, where we have a WPA2 PSK available to all attendees on the SSID BlackHat (I know, mighty creative, isn't it?). The entire network consists of 23 mesh point AP-134s and 16 mesh portal AP-134s (wired into the hotel infrastructure), a 3600 controller, an S3500 48-P switch, AirWave, and that's about it. There is no PEAP / EAP-TLS "secure" network like we did last year, so no need for the captive portal, though we were ready with a ClearPass Guest server.

Noticeably absent as well this year is the red gaffer's tape holding the APs to the speaker stands (apparently there was a run in the local supply stores on red gaffer's tape). Instead we used white tape, which blends in nicely with the APs themselves but doesn't make as bold a statement as the red tape.

Speaking of bold, as soon as we started broadcasting the network, we immediately started tracking various events and attacks. We barely had the network running and were already getting attacked – I know, welcome back to Black Hat, right? It's 5PM on the first full day of the show, let's see how the day was:

  • 815 users associated to the network (looks like we're going to see more folks on the network than last year)
  • The top users throughout the day have been generating more than 11Gbps of total traffic (looks like they are using more data than last year too)
  • Device OS mix – iOS and Linux devices at 24.5% each, Win7 at 24%, Android at 14%, and OS X rounding out the top 5 with 13%
  • Well over 1,000 unique attacks (a little lower than last year at this time, but it's still early; anything can and probably will happen)
  • Top attacks thus far include expected attacks such as Block ACK DoS attacks, but we're also seeing a great deal more MiFi hotspots popping up, causing association errors and accounting for more suspected rogue devices
  • 280 rogue / suspected rogue devices detected
  • The most interesting SSID being broadcast – 2Fly4WiFi (I thought this was clever so I had to borrow it for the title of this blog post)
  • Most common question we got at the Aruba NOC: "Where is the PEAP / secure network?"

We had countless attendees approach us and ask for the secure PEAP / EAP-TLS network, and there were even some blog posts about it! Looks like we will definitely have to bring the secure network next year. That's a wrap for day 1. Stay tuned for the final show stats, and in the meantime check out this on-site interview: