Don’t let me get bored. Ever. I tend to do things I probably shouldn’t. Sometimes it’s harmless like acting a bit quirky to get a laugh or a reaction, other times I’ll just casually scan an open network looking to see whether the IT guy has a clue or not.
This is a story about one of those times. The latter of the two.
A few months ago I attended a conference at a fairly well known venue on the Gold Coast. They had a bunch of speakers talking on various topics and when one of the presenters started talking about cash-flow management my attention span went flying out the window.
Maybe I’ve been spoilt by too many truly engaging speakers, but it does seem like this is one subject matter most fail to deliver in an engaging way.
ANYWAY. I’ve got about 5 1/2 minutes before the next speaker to kill and realise that the venue offers a free guest WiFi service. “HAZZAH! This should kill a few minutes!” I think to myself.
So I sign my mobile phone onto the wireless network and quickly open up my trusty network discovery tool to see if it’ll show me anything.
Let me stop here for a second and explain a few things.
Firstly, the tools I use are publicly available in the Google Play (Android) store. They are not some special hacking or penetration testing software. You can download them too. I use Wifi Analyzer and Network Discovery. Enjoy.
Secondly, a guest wireless service should enforce a few basic security features.
- Captive Portal. A captive portal is a system which forces you to a web page to authenticate in some manner to get access to the internet. You will see one every time you visit a hotel, the Qantas Club, or wherever some form of guest WiFi service is available – free or charged.
- Client Isolation. Client isolation blocks access between devices on the wireless network. Effectively no device can see another. This stops one device from trying to ‘break into’ (or infect) another device on the network, or perform simple man-in-the-middle attacks by telling every other device on the wireless service that ‘it’ is the router.
- Restrict Access to Infrastructure. No client signed onto the wireless network should be able to see any of the businesses infrastructure other than the captive portal website and the internet itself. No access to the router, wireless access points, switches, servers, etc etc.
So with all this in mind, let’s continue…..
My network discovery comes back and there’s about 50 or 60 devices on the network. I take a closer look and realise that some of the devices are mobile devices and laptops signed onto the network, but that’s not all. I can see the network switch managing the network and a bunch of other pieces of infrastructure.
This is wrong Dave!!
If I wanted to be malicious I could have launched a simple ARP-based poisoning man-in-the-middle attack which would have tricked every device on the network to think I was the router, pushing all their internet access through my mobile phone (yes, my mobile phone!!). This in turn would have let me collect a dump of all internet access on that network and with a small amount of effort I can guarantee I would have obtained someones username and password for an email account or some system they used that wasn’t properly secured.
But I’m not a malicious person. Instead I took a bunch of screenshots of what I found and searched for the General Managers details. I found them on his current IT providers website (in the testimonial section), searched his name on LinkedIn and sent him an email outlining what I’d found. He in turn forwarded the information to his IT Guy, who then promptly fixed the problem. Or at least, that’s what he told me. I haven’t been back there to see if the problem is fixed.
I don’t want to point fingers, but I had to laugh. Shortly after I reported the security issue I noticed the IT provider had updated their website to offer “Security Audits”….
ANYWAY. This a prime example of why using free wireless services is dangerous. We talk about hackers setting up fake wireless networks, but this was the venues own service and it was completely open to the world.
In this particular instance it was a fairly prominent venue, which means there is an intrinsic expectation of ‘trust’ we give them. Trust that their infrastructure is secure. Trust that we are safe.
How long had this problem existed for? I don’t know. Since whenever the wireless service was installed or upgraded, or whenever the last technician made changes to it. Who knows.
Do I think someone could have already exploited this problem? Quite possibly.
Should the venue notify guests that their security could have been compromised? That’s a really tough call. But if we change the question to “Would I want to know if my security was potentially violated?”, I would hazard the answer would be a resounding “YES!”.
What can you do?
- Don’t just sign on to every public wireless internet service because it’s there.
- Make sure that every account on your devices uses encrypted communications.
- If you’re using older style email services like POP and IMAP, use POPS over POP, IMAPS over IMAP, SMTPS over SMTP.
- Don’t enter account details into unsecure websites (HTTP).
- Don’t sign on to a public WiFi service because it’s there. Yes I’m repeating myself. You have data on your phone!!!
And don’t just trust that every IT guy out there knows about security. If your business is in the spotlight, get an external contractor to pentest (Penetration Test) your environment regularly and make sure you’re not being lulled into a false sense of security. The ramifications of this particular issue could have been monumental.