Can you explain how clients probing for preferred networks can be exploited?
When a wireless client joins a network, it first issues a probe request management frame, which notifies access points in the area that the client wishes to join the named network. If an access point whose SSID matches responds, the client connects to that access point.
Many client wireless management systems, both those provided by wireless card vendors and those built into the operating system, maintain a list of preferred networks: networks the user has connected to in the past, and networks pre-configured by the IT department. When the client is not connected to a network, it begins probing for networks to join by looping through the preferred network list.
Unfortunately, when probing for previous networks, a client exposes information about itself and opens itself up to attack. A network listener can detect the networks being probed for. If a corporate client uses an obvious network name such as "My Fortune 500 Company", an attacker not only knows that the user likely works at that company, but also that the client system may hold sensitive data worth attacking. A network SSID carries no inherent security information: unlike the key or certificates used to encrypt the network, it is not considered private or protected information by the 802.11 protocols. However, by advertising the origin of the client system, it raises the client's attractiveness to an attacker.
Additionally, by probing for networks, the wireless management software puts the system in a state where it is ready to join the first network that responds. By providing a network with the appropriate name, an attacker can hand the client a fake address, fake networks, and even fake mail servers, just waiting for the user to try to check for new e-mail. The Karma tool uses modified wireless drivers to provide an answering network for every probe request, no matter what the SSID.
Typically, if a preferred network is defined as using encryption or strong authentication such as 802.1X, the wireless management software will not connect to networks that do not advertise those capabilities. It may be possible in some situations, by design or through bugs, for the management software to accept an unencrypted network instead. Since the preferred list typically includes all networks recently joined, unencrypted public networks such as those in coffee shops or bookstores may be requested as well.
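The same observation can be turned around for defence: an organisation can audit probe requests seen on its own premises to find clients that announce the corporate SSID or known open hotspot names in their preferred list. The following is an added example, not code from the original article or from the Karma project; the log format, the client MACs, the SSID names and the policy sets are all constructed for illustration.

```python
"""Audit captured probe requests for preferred-network leakage (defensive)."""
from collections import defaultdict

# Constructed sample of probe-request log lines: "<client_mac> <ssid|(broadcast)>".
# These records are hypothetical and do not come from any real capture.
SAMPLE_PROBES = """\
00:11:22:33:44:01 MyFortune500Corp
00:11:22:33:44:01 coffeeshop-free-wifi
00:11:22:33:44:01 (broadcast)
00:11:22:33:44:02 homenet
00:11:22:33:44:03 MyFortune500Corp
00:11:22:33:44:03 airport_free
00:11:22:33:44:03 MyFortune500Corp
"""

# Assumed policy inputs: the organisation's own SSID(s) and hotspot SSIDs
# known to be unencrypted (the ones an attacker could trivially impersonate).
CORPORATE_SSIDS = {"MyFortune500Corp"}
KNOWN_OPEN_SSIDS = {"coffeeshop-free-wifi", "airport_free"}


def parse_probes(text):
    """Return {client_mac: set(named SSIDs probed)} from the log text."""
    probes = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        mac, _, ssid = line.partition(" ")
        if ssid == "(broadcast)":
            continue  # a broadcast probe names no network, so it leaks nothing
        probes[mac.lower()].add(ssid)
    return dict(probes)


def audit(probes, corporate, known_open):
    """Flag clients whose probes reveal affiliation or an open-network habit."""
    findings = {}
    for mac, ssids in probes.items():
        issues = []
        if ssids & corporate:
            issues.append("reveals corporate affiliation")
        if ssids & known_open:
            issues.append("probes for open network (rogue-AP risk)")
        if issues:
            findings[mac] = {"issues": sorted(issues), "named_ssids": len(ssids)}
    return findings


if __name__ == "__main__":
    for mac, report in audit(parse_probes(SAMPLE_PROBES), CORPORATE_SSIDS, KNOWN_OPEN_SSIDS).items():
        print(mac, report)
```

A client that appears in the report with both issues is the case the article describes: it both names its employer and is willing to join an SSID that anyone can answer.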