http://www.newarchitectmag.com/documents/s=2445/na0902h/index.html

By Lincoln D. Stein
New Architect
September 2002

A few days ago, I was waiting at Delta gate D13 at LaGuardia airport when I noticed something odd. The connect light on my wireless (IEEE 802.11b or "Wi-Fi") card lit up, indicating that it had found an access point somewhere to bind to. I sat up in surprise. Some U.S. airports have installed public-access wireless throughout their terminals, but LaGuardia isn't so forward thinking.

Looking around, I spied the doorway of the nearby American Airlines Admiral's Club. As innocently as I could, I walked toward the door, keeping my eye on the signal power. As I moved closer, the signal increased. Popping up a Web browser confirmed my suspicion. Instead of seeing my usual home page, I was taken to a login page for a wireless Internet service that operates out of Starbucks, several hotel chains, and, yes, the American Airlines Admiral's Club. Bingo.

I thought I would take advantage of this windfall by reading my email and surfing the Net. Unfortunately, the service wasn't free, and the subscription fee was too rich for my blood. Without purchasing the service, I couldn't get past the registration Web server.

Sniffing the Net

So I decided to do a little security research. I popped up my favorite network sniffing tool, the tcpdump application that's found on all Unix systems. A few seconds later, I was listening in on all of the wireless traffic in the Admiral's Club network.

I detected three users on the network. One was actively reading his email using POP. I intercepted his incoming and outgoing messages, and because POP sends passwords in the clear, I also captured his login username and password. The second user wasn't using the Web actively, but his laptop was checking his office every five minutes for new mail. I soon had his login information as well. The third user was browsing the Web.
I could see the address and content of each of the Web pages he accessed, along with all of his cookies and the contents of the online forms he submitted. Occasionally, he connected to a secure site using SSL, and then all I saw was encrypted gibberish. Well, at least someone was doing their job.

Because the second computer user wasn't actively working on the network, I borrowed his connection for a while. I noted the IP address of his laptop and assigned it to my own machine. Seconds later, I had full Internet access. Having stolen a legitimate owner's IP address, the registration server now thought that I was a paying customer. I spent the next few minutes surfing the Internet freely. If the user noticed anything, he would only have thought that his Internet connection went down for a short period of time.

Not Just Airports

Was the ease with which I was able to hack into the Admiral's Club wireless network an isolated incident? Sadly, no. A few weeks earlier, I had done essentially the same thing while sitting in a public café adjacent to the National Science Foundation (NSF) building in Washington, D.C. Some employee had set up a wireless access point for mobile access to the NSF's network, but he or she didn't realize that this gave everyone else in the vicinity access as well. In this case, I didn't have to do any hacking. The network was wide open.

For more examples, take a look at the article "Exploiting and Protecting 802.11b Wireless Networks" at Extreme Tech (www.extremetech.com/article/0,3396,s=1024&a=13880,00.asp). The authors explain how they drove through the streets of major metropolitan areas with sensitive antennas. In just a few days, they had identified hundreds of unsecured corporate networks.

Wireless Insecurity

If you're running a wireless network, there are some things you can do immediately that will make it harder for strangers to hitchhike on your network.
You can activate Wireless Equivalent Privacy, change your network's service set identifier, and configure your access points to reject connections from unknown wireless cards. Other wireless security measures are described in "LAN Sharks" by Paul Sholtz (New Architect, May 2002).

Ubiquitous public mobile networking is the manifest destiny of the Internet, and nothing will stand in its way. To work, the public mobile Internet has to be open, letting people join and drop out at will. This means that public wireless communication will be vulnerable to sniffing, so there's no longer any excuse for failing to use end-to-end encryption for email, Web, and login protocols. Encryption must become easier, more transparent, and ubiquitous. If it doesn't, the innocent-looking fellow with the laptop at American Airlines gate D13 is sure to find you, too.

Lincoln is an M.D. and Ph.D. who designs information systems for the human genome project at Cold Spring Harbor Laboratory in New York, NY. You can contact him at lsteinat_private
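
Added example (not part of the original article): a gateway-side audit for the weakness described under "Sniffing the Net", where the registration server treated a source IP address alone as proof of a paid session. The observation tuples, the session table, and the function names are constructed for illustration; the addresses come from documentation ranges.

```python
"""Flag a registered IP address that appears behind a different wireless card."""

# Constructed gateway observations: (seconds since start, source IP, source MAC).
OBSERVATIONS = [
    (0,   "192.0.2.10", "00:00:5e:00:53:01"),
    (5,   "192.0.2.11", "00:00:5e:00:53:02"),
    (300, "192.0.2.11", "00:00:5e:00:53:02"),  # idle laptop polling for mail
    (420, "192.0.2.11", "00:00:5e:00:53:99"),  # same IP, different card
    (425, "192.0.2.10", "00:00:5e:00:53:01"),
    (430, "192.0.2.12", "00:00:5e:00:53:03"),  # never registered
]

# Sessions created at login (constructed): IP -> MAC seen when the customer paid.
PAID_SESSIONS = {
    "192.0.2.10": "00:00:5e:00:53:01",
    "192.0.2.11": "00:00:5e:00:53:02",
}


def allow_ip_only(ip, mac, sessions):
    """Weak check from the article: the source IP alone identifies a customer."""
    return ip in sessions


def allow_bound(ip, mac, sessions):
    """Stricter check: the IP must still sit behind the MAC that registered it."""
    return sessions.get(ip) == mac.lower()


def audit(observations, sessions):
    """Return traffic the IP-only check would pass but the bound check rejects."""
    alerts = []
    for ts, ip, mac in observations:
        if allow_ip_only(ip, mac, sessions) and not allow_bound(ip, mac, sessions):
            alerts.append(
                {"time": ts, "ip": ip, "expected": sessions[ip], "seen": mac}
            )
    return alerts


if __name__ == "__main__":
    for a in audit(OBSERVATIONS, PAID_SESSIONS):
        print(f"t={a['time']}s {a['ip']} registered to {a['expected']} "
              f"but seen from {a['seen']}")
```

The binding gives the operator a detection signal for a duplicated address; it does not protect the traffic itself, which is why the article's conclusion is end-to-end encryption.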