One key property of open 802.11 networks is that they are built around a broadcast medium, where any wireless station can transmit wireless frames and can listen to all other frames transmitted on the network. This is reminiscent of the shared Ethernet segments of the 1990s.
This property makes wireless LANs susceptible to spoofing and injection attacks, which were discussed extensively in the context of wired Ethernet but effectively disappeared there with the emergence of switched Ethernet. The basic idea is that an attacker can monitor the communication between hosts on the wireless network, or between a host on the wireless network and an external party. If the communication is not properly encrypted, the attacker can learn session state through eavesdropping, and if the communication is not authenticated, he can then inject frames to one session endpoint that appear to come from the other session endpoint.
Most protocols, such as DNS, DHCP and TCP, are susceptible to this attack. In the case of DNS, the attacker can watch for outgoing DNS queries and inject responses pointing to a host under his control. For TCP the attack is similar: all the attacker needs to know is the current state of the connection in terms of sequence numbers. At connection setup, he may even completely take over the connection by injecting the proper SYN-ACK, leaving the legitimate endpoint out of sync. Injection is also possible at any later point in the connection, as long as the attacker can time injection attempts so that the injected TCP segments are accepted by the victim's network stack. The DHCP protocol can be spoofed to make a victim use an IP address and default gateway that give the attacker full control over all of the victim's traffic. However, this may be less attractive than DNS and TCP spoofing, as the attacker has to wait for the victim to refresh his DHCP lease, or else can attack only hosts that connect after the attacker has obtained access to the wifi network.
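Because the spoofer on a broadcast medium races the legitimate resolver, the victim usually sees two answers for one DNS transaction ID that disagree. The following detector, added here as an example and not code from the paper, flags such conflicting replies; the record format and the sample replies are constructed for illustration.

```python
"""Detect DNS response injection on a shared medium by spotting conflicting
replies to the same query.  A spoofed reply typically arrives a few ms before
or after the legitimate one, with the same transaction ID but different
answers.  The records below are constructed sample data, not real captures."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    ts: float        # capture timestamp in seconds
    src_ip: str      # IP address the reply claims to come from
    txid: int        # DNS transaction ID, matching the outstanding query
    qname: str       # queried name
    answers: tuple   # A records carried in the reply


def find_conflicting_replies(responses, window=2.0):
    """Return (qname, txid, first, second) for each pair of replies that share
    a transaction ID and query name but carry different answer sets within
    `window` seconds.  One reply per transaction is normal; two that disagree
    is the signature of a race-based spoof.  A retransmitted reply with the
    same answer set is not reported."""
    seen = defaultdict(list)  # (txid, qname) -> replies already observed
    alerts = []
    for r in sorted(responses, key=lambda x: x.ts):
        key = (r.txid, r.qname.lower())
        for prev in seen[key]:
            if r.ts - prev.ts <= window and set(r.answers) != set(prev.answers):
                alerts.append((r.qname, r.txid, prev, r))
        seen[key].append(r)
    return alerts


# Constructed sample: an injected reply for bank.example beats the resolver's.
SAMPLE = [
    DnsResponse(100.00, "10.0.0.1", 0x1A2B, "news.example", ("203.0.113.10",)),
    DnsResponse(100.31, "10.0.0.1", 0x3C4D, "bank.example", ("198.51.100.7",)),  # injected
    DnsResponse(100.35, "10.0.0.1", 0x3C4D, "bank.example", ("203.0.113.20",)),  # legitimate
    DnsResponse(101.00, "10.0.0.1", 0x5E6F, "cdn.example", ("203.0.113.30", "203.0.113.31")),
    DnsResponse(101.02, "10.0.0.1", 0x5E6F, "cdn.example", ("203.0.113.31", "203.0.113.30")),  # retransmit
]

if __name__ == "__main__":
    for qname, txid, first, second in find_conflicting_replies(SAMPLE):
        print(f"possible spoof: {qname} txid={txid:#06x} "
              f"first={first.answers} then={second.answers}")
```

In practice the records would be produced by a monitor-mode capture on the wireless interface, and the alert should include both source addresses so the resolver's reply can be distinguished from the injected one.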
While in the 1990s such attacks were seen as enablers for unauthorized access, in today's threat landscape they are more likely to be used for "modern" attacks such as phishing, spam and exploit injection. In the previous section we briefly discussed how injection can be used to propagate a worm through client-side vulnerabilities. In this section we focus on spoofing primarily for the case of launching phishing attacks, and discuss ways to detect and prevent them. DNS spoofing is highly attractive for phishing because, for example, the attacker may set up a mock banking website that relays manipulated requests to the real site in a man-in-the-middle fashion. We note that in this case, two-factor authentication cannot help. Similarly, TCP injection can be used to insert redirection instructions, advertisements, or spam into otherwise legitimate Web pages. Sophisticated attacks can even subvert a user's services, such as taking over a victim's Gmail account.
The use of such techniques in wifi for phishing has been documented previously. The so-called "parking lot attack" involves the attacker being in physical proximity to the target network. While this attack may be interesting in itself, we are not aware of any extensive use of this technique. One main disadvantage is that the physical proximity constraint increases the risk to the attacker, especially in environments with pervasive CCTV coverage that can be used for forensics. In the context of this paper we explore how proximity enables remotely controlled bots to be used for such activities. In this case, the attacker acquires access to a wifi-enabled host located in a wifi-rich location. In contrast to traditional Trojans, the attacker need not try to elicit information from the owner of the machine that is being exploited. Rather, the attacker may perform spoofing on any wireless network within range of the host under his control, using channel hopping and/or temporary association for the duration of the attack. The dense use of wifi in metropolitan areas makes this model quite attractive, as it may significantly amplify the attacker's capabilities.