There’s a storm brewing, and although we have only seen the first rumblings, it’s gonna be a whopper! I’m talking about what I call the “WI-Fi Security Crisis”, and if you don’t know what it is, then please read on…
Ask Yourself One Or More Of These Questions:
Q: Would you let a terrorist walk in off the street and call their buddies in Iran or Afghanistan using your phone?
Q: Would you allow a pervert to use your Internet connection to download child pornography?
Q: If you are a hotel General Manager, would you knowingly allow a thief to steal the data from a guest’s computer?
EVERY DAY, this and much more happens at WI-Fi hotspots around the world, but nobody seems too concerned about it. WHY?
Some recent examples:
1. A US Military war driving team finds an access point installed on the base granting open, unencrypted, unrestricted access to the internal US Military unclassified network. The access point is accessible from a K-Mart parking lot outside the military base.
2. A six-page, full-color article in Russia’s “Hacker Magazine” describes in complete, step-by-step detail how to attack hotspots of three Moscow Marriott Hotels operated by MoscomNET.
3. In a recent prosecution of a man for possession of child pornography. His defense that “he was on an open access point so it must have been someone else” failed, and he’s now looking at doing some hard time with the other criminals.
Open, unsecured access points aren’t the only threat, but they make a great entry point. Just drive around with NetStumbler and see how many access points still have the default D-Link or Linksys SSID and even the default username and password for administrative access and you have a small sample of the scope of this problem.
Even if the hotspot has reasonable measures to protect unauthorized users from accessing the Internet, few operators bother protecting legitimate users from intra-site attacks. Once the attacker can associate with an access point — any access point — they can begin port-scanning and attacking any users… that means YOU…associated with the same access point, and most often, users associated with any access point in the entire hotspot — all without needing any connectivity through the gateway.
Unsecured, unpatched client computers are juicy targets for data thieves, or anyone wishing to implant key loggers, root kits or any other malware. Hackers can easily get access to your passwords, credit card information, and now…automation codes for your home and security systems that protect your family. Such computers are all too easily found with simple, freely downloadable scanning and analysis tools. On the Internet, stolen identities are bought and sold everyday like so much coffee.
Interestingly enough, when interviewing one of the major authentication providers in preparation for writing another article, when asked what his company was doing about security, his response was, “We don’t worry much about it, the only hackers are in Russia…”
For operators with these attitudes, the wake-up call may be coming sooner than they think. Just go to Google Video and search for WI-Fi, war driving or wireless hacking and you will find videos with step-by-step demonstrations on exactly how to do it and what tools to use.
Hotels represent a unique problem. Most hotel IT Managers are ill equipped to understand let alone respond to the dangers wireless networks present. If the hotel is relying on a third-party operator to run their hotspot, the hotel IT Manager won’t have access or control of that network and couldn’t apply additional security even if they wanted to.
This is the case in Moscow where the three Marriott hotels rely on third-party operator MoscomNET to operate their hotspots. What baffles me is why virtually nothing has been done to secure the network since August 2006, when the Hacker Magazine article was published. To this very day, from the hacker’s perspective, nothing has changed and the same vulnerabilities still exist.
One major flaw in the Marriott/MoscomNET WI-Fi system is that they are still using MAC-address-based authentication. Such systems are wonderful for ‘ease-of-use’ but a total disaster with regards to security. (MAC addresses are the simplest thing in the world to harvest and spoof.)
For example, at a popular American hotel, I borrowed a WI-Fi adapter for my notebook computer, plugged it in and had instant, free access to the WiFi network. How did that happen? Very simple… the guest who borrowed the adapter before me returned it while time still remained on his account. The MAC address from the adapter automatically authenticated me to the system — no other credentials required.
And what if I did something evil, such as setting up a P2P server pirating music? As I had never purchased an account, the previous user of the account would receive the blame. As for attackers just capturing MAC addresses out of the air and spoofing them — they are completely untraceable and can do whatever they want with complete impunity.
Who can be held responsible and accountable? Hotel General Managers? Hotspot operators? IT Managers? Authentication and roaming partners? There is plenty of blame to go around, but nobody wants to take responsibility or action. It seems the safety and security of the guest’s computer or any other security matters are of no concern.
Is the problem a technical one? Not at all! Every commercial-grade access point is easily secured with WPA or WPA-2. (Forget about WEP.) Newer commercial access points allow simultaneous dual-mode operation — where the user can choose to associate insecurely or securely. This simple measure could reduce the risk of wireless eavesdropping to near zero. Only clients whose computers were incapable of operating in the secure mode would remain vulnerable.
So why don’t hotspot operators implement even minimal security precautions? I suspect it could be because:
1. Many WI-Fi operators simply lack the knowledge, skills and experience to properly secure and monitor their networks.
Let’s face it…setting up a couple of access points to share an Internet connection isn’t rocket science — but properly securing and managing even a small system does require knowledge, skills and experience well beyond the capability of the local ‘computer guy’.
2. WI-Fi hotspot operators who are more concerned about profit than security.
Secure systems ARE harder to manage and harder to use — which is another reason commercial operators are less likely to implement even the most basic of security measures. Real security would mean implementing encryption all the way from the client to the Gateway, and secure authentication — likely implemented through a Public Key Infrastructure and digital certificates.
Of course I realize that some client systems can not support certain security mechanisms, but at least give the client the option of borrowing supporting equipment and/or notifying them of the potential hazards they could be exposed to.
As of this writing, it does not appear that WI-fi cafes, hotels, or local small business will be taking any precautions to protect their customers from any level of threat here. I can only say that if you are considering transmitting your company information over a unsecured hot spot…think twice.