[ISN] Wireless, Defenseless

From: InfoSec News (isnat_private)
Date: Mon Aug 19 2002 - 05:40:58 PDT

  • Next message: InfoSec News: "[ISN] Film being made about allegedly fabricating journalist"

    By Lincoln D. Stein  
    New Architect
    September 2002
    A few days ago, I was waiting at Delta gate D13 at LaGuardia airport
    when I noticed something odd. The connect light on my wireless (IEEE
    802.11b or "Wi-Fi") card lit up, indicating that it had found an
    access point somewhere to bind to. I sat up in surprise. Some U.S.  
    airports have installed public-access wireless throughout their
    terminals, but LaGuardia isn't so forward thinking.
    Looking around, I spied the doorway of the nearby American Airlines
    Admiral's Club. As innocently as I could, I walked toward the door,
    keeping my eye on the signal power. As I moved closer, the signal
    increased. Popping up a Web browser confirmed my suspicion. Instead of
    seeing my usual home page, I was taken to a login page for a wireless
    Internet service that operates out of Starbucks, several hotel chains,
    and, yes, the American Airlines Admiral's Club. Bingo.
    I thought I would take advantage of this windfall by reading my email
    and surfing the Net. Unfortunately, the service wasn't free, and the
    subscription fee was too rich for my blood. Without purchasing the
    service, I couldn't get past the registration Web server.
    Sniffing the Net So I decided to do a little security research. I
    popped up my favorite network sniffing tool, the tcpdump application
    that's found on all Unix systems. A few seconds later, I was listening
    in on all of the wireless traffic in the Admiral's Club network.
    I detected three users on the network. One was actively reading his
    email using POP. I intercepted his incoming and outgoing messages, and
    because POP sends passwords in the clear, I also captured his login
    username and password. The second user wasn't using the Web actively,
    but his laptop was checking his office every five minutes for new
    mail. I soon had his login information as well.
    The third user was browsing the Web. I could see the address and
    content of each of the Web pages he accessed, along with all of his
    cookies and the contents of the online forms he submitted.  
    Occasionally, he connected to a secure site using SSL, and then all I
    saw was encrypted gibberish. Well, at least someone was doing their
    Because the second computer user wasn't actively working on the
    network, I borrowed his connection for a while. I noted the IP address
    of his laptop and assigned it to my own machine. Seconds later, I had
    full Internet access. Having stolen a legitimate owner's IP address,
    the registration server now thought that I was a paying customer. I
    spent the next few minutes surfing the Internet freely.  If the user
    noticed anything, he would only have thought that his Internet
    connection went down for a short period of time.
    Not Just Airports Was the ease with which I was able to hack into the
    Admiral's Club wireless network an isolated incident? Sadly, no. A few
    weeks earlier, I had done essentially the same thing while sitting in
    a public café adjacent to the National Science Foundation (NSF)
    building in Washington, D.C. Some employee had set up a wireless
    access point for mobile access to the NSF's network, but he or she
    didn't realize that this gave everyone else in the vicinity access as
    well. In this case, I didn't have to do any hacking. The network was
    wide open.
    For more examples, take a look at the article "Exploiting and
    Protecting 802.11b Wireless Networks" at Extreme Tech
    (www.extremetech.com/article/0,3396,s=1024&a=13880,00.asp). The
    authors explain how they drove through the streets of major
    metropolitan areas with sensitive antennas. In just a few days, they
    had identified hundreds of unsecured corporate networks.
    Wireless Insecurity If you're running a wireless network, there are
    some things you can do immediately that will make it harder for
    strangers to hitchhike on your network. You can activate Wireless
    Equivalent Privacy, change your network's service set identifier, and
    configure your access points to reject connections from unknown
    wireless cards. Other wireless security measures are described in "LAN
    Sharks" by Paul Sholtz (New Architect, May 2002).
    Ubiquitous public mobile networking is the manifest destiny of the
    Internet, and nothing will stand in its way. To work, the public
    mobile Internet has to be open, letting people join and drop out at
    will. This means that public wireless communication will be vulnerable
    to sniffing, so there's no longer any excuse for failing to use
    end-to-end encryption for email, Web, and login protocols.
    Encryption must become easier, more transparent, and ubiquitous. If it
    doesn't, the innocent-looking fellow with the laptop at American
    Airlines gate D13 is sure to find you, too.
    Lincoln is an M.D. and Ph.D. who designs information systems for the
    human genome project at Cold Spring Harbor Laboratory in New York, NY.
    You can contact him at lsteinat_private
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 08:23:06 PDT