[ISN] Best Buy hit by WLAN snooping

From: InfoSec News (isnat_private)
Date: Sat May 04 2002 - 22:00:44 PDT


    http://www.theinquirer.net/02050207.htm
    
    By Mike Magee, 02/05/2002 09:02:29 BST
    
    US RETAIL FIRM Best Buy was forced to close its wireless network
    yesterday after people were able to snoop on transactions by using
    easy-to-obtain software running in laptops in parking lots.
    
    Best Buy uses wireless technology to transfer data from cash tills to
    central computers in their shops, but people are easily able to grab
    packets containing all sorts of confidential data including credit
    card details by tuning into the wireless waves.
    
    One hacker on a board said that he had fired up Kismet outside a shop
    last week and bought a unit with his own credit card to see what info
    was transmitted.
    
    He said that when he searched the logs he saw SQL queries and table
    headers, including his own credit card number.
    
    He tried a number of other Best Buy stores and his software was able
    to pick up lots of other transactions from customers flying on the
    airwaves.
    
    WLANs are notoriously insecure, although safeguards can be built into
    them.
    
    Because the technology is comparatively cheap and also fast, it has
    been touted as an ideal solution for large businesses wanting to save
    money on their IT infrastructure.
    
    At this year's Intel Developer Forum, the firm was dishing out loaned
    WLAN cards to the world's foremost journalists, many of whom were
    happily typing their stories and sending their emails under the
    protective cone of a Chipzilla hotspot.
    
    We wondered if this was necessarily a good idea at the time. Top
    datacomms journalist Tony Dennis said that when Intel did a similar
    thing at last year's Developer Forum, he noticed that the system was
    inherently insecure.
    
    Oops...
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


