Information Security News mailing list archives

Wireless, Defenseless


From: InfoSec News <isn () c4i org>
Date: Mon, 19 Aug 2002 07:40:58 -0500 (CDT)

http://www.newarchitectmag.com/documents/s=2445/na0902h/index.html

By Lincoln D. Stein  
New Architect
September 2002

A few days ago, I was waiting at Delta gate D13 at LaGuardia airport
when I noticed something odd. The connect light on my wireless (IEEE
802.11b or "Wi-Fi") card lit up, indicating that it had found an
access point somewhere to bind to. I sat up in surprise. Some U.S.  
airports have installed public-access wireless throughout their
terminals, but LaGuardia isn't so forward thinking.

Looking around, I spied the doorway of the nearby American Airlines
Admiral's Club. As innocently as I could, I walked toward the door,
keeping my eye on the signal power. As I moved closer, the signal
increased. Popping up a Web browser confirmed my suspicion. Instead of
seeing my usual home page, I was taken to a login page for a wireless
Internet service that operates out of Starbucks, several hotel chains,
and, yes, the American Airlines Admiral's Club. Bingo.

I thought I would take advantage of this windfall by reading my email
and surfing the Net. Unfortunately, the service wasn't free, and the
subscription fee was too rich for my blood. Without purchasing the
service, I couldn't get past the registration Web server.

Sniffing the Net

So I decided to do a little security research. I
popped up my favorite network sniffing tool, the tcpdump application
that's found on all Unix systems. A few seconds later, I was listening
in on all of the wireless traffic in the Admiral's Club network.

I detected three users on the network. One was actively reading his
email using POP. I intercepted his incoming and outgoing messages, and
because POP sends passwords in the clear, I also captured his login
username and password. The second user wasn't using the Web actively,
but his laptop was checking his office every five minutes for new
mail. I soon had his login information as well.

The third user was browsing the Web. I could see the address and
content of each of the Web pages he accessed, along with all of his
cookies and the contents of the online forms he submitted.  
Occasionally, he connected to a secure site using SSL, and then all I
saw was encrypted gibberish. Well, at least someone was doing their
job.

Because the second computer user wasn't actively working on the
network, I borrowed his connection for a while. I noted the IP address
of his laptop and assigned it to my own machine. Seconds later, I had
full Internet access. Having stolen a legitimate owner's IP address,
the registration server now thought that I was a paying customer. I
spent the next few minutes surfing the Internet freely.  If the user
noticed anything, he would only have thought that his Internet
connection went down for a short period of time.

Not Just Airports

Was the ease with which I was able to hack into the
Admiral's Club wireless network an isolated incident? Sadly, no. A few
weeks earlier, I had done essentially the same thing while sitting in
a public café adjacent to the National Science Foundation (NSF)
building in Washington, D.C. Some employee had set up a wireless
access point for mobile access to the NSF's network, but he or she
didn't realize that this gave everyone else in the vicinity access as
well. In this case, I didn't have to do any hacking. The network was
wide open.

For more examples, take a look at the article "Exploiting and
Protecting 802.11b Wireless Networks" at Extreme Tech
(www.extremetech.com/article/0,3396,s=1024&a=13880,00.asp). The
authors explain how they drove through the streets of major
metropolitan areas with sensitive antennas. In just a few days, they
had identified hundreds of unsecured corporate networks.

Wireless Insecurity

If you're running a wireless network, there are
some things you can do immediately that will make it harder for
strangers to hitchhike on your network. You can activate Wireless
Equivalent Privacy, change your network's service set identifier, and
configure your access points to reject connections from unknown
wireless cards. Other wireless security measures are described in "LAN
Sharks" by Paul Sholtz (New Architect, May 2002).

Ubiquitous public mobile networking is the manifest destiny of the
Internet, and nothing will stand in its way. To work, the public
mobile Internet has to be open, letting people join and drop out at
will. This means that public wireless communication will be vulnerable
to sniffing, so there's no longer any excuse for failing to use
end-to-end encryption for email, Web, and login protocols.

Encryption must become easier, more transparent, and ubiquitous. If it
doesn't, the innocent-looking fellow with the laptop at American
Airlines gate D13 is sure to find you, too.

Lincoln is an M.D. and Ph.D. who designs information systems for the
human genome project at Cold Spring Harbor Laboratory in New York, NY.
You can contact him at lstein () cshl org.
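
Added example, not part of the original article: the column describes a
registration server that treated whoever held a paying customer's IP address
as that customer. The sketch below is a defender-side check for that
condition, flagging an IP address that changes hardware (MAC) address in a
stream of ARP sightings; the log format, addresses and function names are
constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: "<timestamp> <ip> <mac>" sightings, as an ARP monitor on
# the access network might record them. Addresses are made up for illustration.
SAMPLE_LOG = """\
2002-08-19T07:40:58 10.0.0.21 00:02:2d:00:00:01
2002-08-19T07:41:03 10.0.0.23 00:02:2d:00:00:02
2002-08-19T07:41:10 10.0.0.22 00:02:2d:00:00:03
2002-08-19T07:46:03 10.0.0.23 00:02:2d:00:00:02
2002-08-19T07:47:30 10.0.0.23 00:04:5a:00:00:99
2002-08-19T07:47:41 10.0.0.23 00:04:5a:00:00:99
2002-08-19T07:51:03 10.0.0.23 00:02:2d:00:00:02

not a sighting line
"""

def parse_sightings(text):
    """Yield (timestamp, ip, mac) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2].count(":") != 5:
            continue
        yield parts[0], parts[1], parts[2].lower()

def find_ip_takeovers(text):
    """Return one event per moment an IP address changes hardware address."""
    current = {}   # ip -> MAC that last used it
    events = []
    for ts, ip, mac in parse_sightings(text):
        previous = current.get(ip)
        if previous is not None and previous != mac:
            events.append({"time": ts, "ip": ip, "was": previous, "now": mac})
        current[ip] = mac
    return events

def contested_ips(text):
    """Map each IP claimed by more than one MAC to the set of claimants."""
    claims = defaultdict(set)
    for _, ip, mac in parse_sightings(text):
        claims[ip].add(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

if __name__ == "__main__":
    for e in find_ip_takeovers(SAMPLE_LOG):
        print(f"{e['time']} {e['ip']} moved {e['was']} -> {e['now']}")
```

A hardware address is no more a credential than an IP address is, so this
check is a tripwire rather than a fix; tying access to an encrypted,
authenticated login is in line with the column's call for end-to-end
encryption.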


