CASE STUDY: PriorApproval
Our fictitious hacker Jake is on a cross-country roadtrip to New Orleans for Mardi Gras with his buddies Andy and Shawn. Since Jake really did not plan on doing much driving, he decided it would be a good idea to bring along his Linux-based laptop, Wi-Fi card, and Garmin GPS device. He figured occupying a little time with Kismet would not be too tough.
Driving from Ohio to Louisiana would certainly provide a good opportunity to gather some statistics about how people were implementing their 802.11 installations. Andy had plotted a route that involved driving through Kentucky, Tennessee, Mississippi, and Louisiana. By the time the guys arrived on Bourbon Street, Jake estimated he would have a few thousand access points in his Kismet logs. It would be hard to sort out the residential APs from the business APs, but Jake knew he would have fun nonetheless.
Not long after getting the rental car on the road, Jake stuck his omnidirectional antenna on the backseat window and fired up Kismet. The rest of the guys snickered along with Jake as he called out the various SSIDs that popped up on his screen. It got to the point where the boys could call out a particular store based on the SSID alone. Jake couldn't help but ask, "Does anyone need anything from Home Depot?" every time they passed a store broadcasting the SSID orange.
Antenna spotting soon became the theme after Andy saw a nice Yagi on the roof of a department store. "Why don't you let us know as soon as you see the next batch of access points so we can try to scope out the antennas?" Andy asked excitedly. After a few hundred miles of driving, the guys were practically experts at matching up SSIDs with their business owners and antennae.
By the time they reached Tennessee, Jake could not help but notice that several states had attached huge Cisco-branded Aironet antennas to highway overpasses and bridges. He tried to pay close attention to the road so when he spotted the next Aironet, he could be sure to notate the SSIDs in the area. Once he could pinpoint an antenna and match it up with an SSID, perhaps he could figure out a bit more about what exactly these large directional antennas were doing on the highway.
Shawn eventually yelled that he saw another Aironet antenna on the side of the road. Jake glanced quickly at his Kismet console and found, unsurprisingly, there was an active SSID lit up on the screen. Unfortunately, the digits 1701 did not really provide much information for him to go on. He thought it would be a good idea to grep his Kismet logs for other BSSIDs with the same vendor OUI.
"0802" BSSID: "00:40:96:2A:54:75"
"0802" BSSID: "00:40:96:30:5D:8A"
"1212" BSSID: "00:40:96:56:CE:08"
"1701" BSSID: "00:40:96:30:5E:81"
"1701" BSSID: "00:40:96:32:D6:2B"
"1702" BSSID: "00:40:96:30:8E:4D"
"1702" BSSID: "00:40:96:5A:AB:4D"
"1959" BSSID: "00:40:96:53:7D:82"
"1959" BSSID: "00:40:96:5B:7A:96"
"4001" BSSID: "00:40:96:56:42:89"
Much to his surprise, they had apparently driven by ten or so of these networks with the weird four-digit SSIDs. He couldn't recall passing ten giant antennas along the side of the road, but then again, he was not looking too hard prior to the last hour or so. He noticed that several access points with the SSID of tsunami had the same OUI as his mystery APs. Having set up a few Cisco networks, Jake knew that tsunami was used as a default setting on older Aironet devices.
After driving for a few more hours, Andy exclaimed, "Dude, what the heck is that?" He pointed at what appeared to be a standard streetlamp pole with some kind of weird-looking radar detectors pointed down the highway.
Next to the device was the same Aironet antenna that they had seen on the overpasses earlier in the day. Several meters up the road was a small sign that said, "PriorApproval please follow in-cab signals."
Puzzled, Jake replied, "I have no clue, but we need to figure out what that antenna is pointing at!" About a mile down the road was a trucking weigh station and attached to it was the other Aironet antenna at what appeared to be the receiving end of the 802.11 network the boys had spotted.
The guys really did not know what to make of the small shack-like structure, odd radar gun-looking equipment, and large antennas. Shawn pointed out a sheriff's vehicle parked outside the building with the Aironet gear on it as he teased Andy about getting a speeding ticket from this fancy contraption that they had just passed. In the meantime, Jake decided it would be a good idea to go through the Kismet logs in a more thorough fashion to see what he could figure out.
He quickly noticed that in almost all cases these mystery access points had the beacon info field set to either airo_ws or airo_icn. Without a hitch, he began grepping for other networks with the same beacon data. Once he got the grep results, things started becoming a little clearer:
"scales" BSSID: "00:40:96:56:D1:87"
"scales" BSSID: "00:40:96:56:D4:82"
"scales" BSSID: "00:40:96:56:D7:39"
"scales" BSSID: "00:40:96:57:04:D7"
"laplaceeb" BSSID: "00:40:96:30:C6:C9"
"laplaceeb" BSSID: "00:40:96:34:5B:FA"
In each of the subsequent states that they drove through, they came across more of the same thing: huge Aironet antennas, little shack-like structures, and odd-looking radar detectors. By this point, Jake had figured out that the facilities using this equipment were trucking weigh stations. He had no idea what was going on over the Wi-Fi networks these stations were using, but he had a feeling that whatever it was should probably be done over some sort of encrypted link.
Much to his dismay, Jake discovered that none of these trucking-scale implementations were using WEP encryption. After poking around in his Kismet logs, Jake identified several strings from each of the various stations that they had passed. Since there was no encryption, the data was simply flying around in the air in cleartext. Jake assumed that the strings he saw were some sort of challenge-response system:
s04022016334230000009999000217071000000000000000
s04022016334530000009999000217071000000000000000
s04022016335730000009999000217071000000000000000
s04022016340030000009999000217071000000000000000
s04022016340130000009999000217071000000000000000
s04022020501230000009999000220117000000000000000
s04022020501830000009999000220117000000000000000
s04022020502130000009999000220117000000000000000
s04022020502430000009999000220117000000000000000
s04022020502630000009999000220117000000000000000
s04022020503030000009999000220117000000000000000
s04022020505030000009999000220117000000000000000
At this point, Jake decided he should keep track of everything he saw from the truck scales, and he would attempt to notify whoever used the equipment to make sure they knew they were broadcasting in the clear. Obviously, this would have to come after the Mardi Gras trip, so for the time being, he would keep passively sniffing and enjoy the rest of the ride to New Orleans.
It really blew Jake's mind how many people blatantly broadcast information in the clear. During the rest of the trip, he saw everything from eBay auctions to parking-lot cameras transmitting data over unencrypted wireless networks:
"HTTP/1.1 302 Found Date: Sat, 21 Feb 2004 00:12:22 GMT Server: Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/1.6.91mdk) mod_ssl/2.0.47 OpenSSL/0.9.7a Accept-Ranges: bytes Location: "
"<a href="http://musicstore.real.com/music_store/album?al"
"<TD COLSPAN="3"><CENTER><font size="-1" face="Arial"><A href="http://cgi1.ebay.com/aw-cgi/ebayisapi.dll?myebaylogin">my eBay</A> | <A href="http://pages.ebay.com/sitemap.html">site Map</A> <BR>"
"230 Anonymous user logged in."
"PORT 64,215,45,196,73,159"
"STOR cam1@192.168.0.123.tmp"
"PASS 12345"
"230 User NewOrleans logged in."
"200 Type set to I."
"200 PORT command successful."
"150 Opening BINARY mode data connection for 64.xx.xx.210.tmp."
"226 Transfer complete."
"RNFR 64.xx.xx.210.tmp"
"350 File or directory exists, ready for destination name."
"RNTO Cam5.jpg"
Jake even saw snippets from someone checking their email. He simply could not believe that people explicitly trust unencrypted wireless networks.
"+OK You have 0 messages totaling 0 octets from /home/xxxxxx/mail/xxxxxnola.com/info/inbox (full load)"
"+OK 0 0"
"+OK Bye!"
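The FTP and POP3 fragments above are exactly what a monitoring script watching your own wireless segment should flag: protocols that carry credentials in the clear, and internal addresses leaking into the air. The script below is an added example, not code from the page. It classifies captured strings by protocol, tags USER/PASS commands, decodes the address inside an FTP PORT command, and reports any RFC 1918 address the session reveals. The sample strings are constructed placeholders modelled on the page's fragments; the hostnames, user names and passwords are not real.

```python
"""Flag credential and address leakage in strings recovered from an
unencrypted link. Added example, not from the page; sample data is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed fragments modelled on the page's FTP/POP3/HTTP captures.
CAPTURED = [
    "HTTP/1.1 302 Found",
    "230 Anonymous user logged in.",
    "PORT 10,0,0,5,73,159",            # FTP active-mode address, h1,h2,h3,h4,p1,p2
    "STOR cam1@192.168.0.123.tmp",
    "PASS 12345",
    "USER cameraupload",
    "230 User NewOrleans logged in.",
    "+OK You have 0 messages totaling 0 octets from /home/example/mail/inbox (full load)",
    "+OK Bye!",
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FTP_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
FTP_VERBS = re.compile(r"^(\d{3} |USER |PASS |PORT |STOR |RETR |RNFR |RNTO |TYPE )")


def protocol_of(line):
    """Crude protocol classification from the first token of a captured string."""
    if line.startswith(("HTTP/", "GET ", "POST ")):
        return "HTTP"
    if line.startswith(("+OK", "-ERR")):
        return "POP3"
    if FTP_VERBS.match(line):
        return "FTP"
    return "unknown"


def is_rfc1918(addr):
    """True when the dotted quad falls in one of the private ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def findings(line):
    """Return the list of issue tags raised by a single captured line."""
    issues = []
    proto = protocol_of(line)
    if proto != "unknown":
        issues.append("cleartext-" + proto.lower())
    if re.match(r"^(USER|PASS) ", line):
        issues.append("credential-in-clear")
    addrs = IPV4.findall(line)
    m = FTP_PORT.match(line)
    if m:  # rebuild the dotted address from the PORT command's first four fields
        addrs.append(".".join(m.group(i) for i in range(1, 5)))
    issues.extend("internal-address:" + a for a in addrs if is_rfc1918(a))
    return issues


def report(lines):
    """Aggregate counts over a capture; internal addresses are counted once each."""
    counts = Counter()
    addresses = set()
    for line in lines:
        for tag in findings(line):
            if tag.startswith("internal-address:"):
                addresses.add(tag.split(":", 1)[1])
            else:
                counts[tag] += 1
    counts["internal-addresses"] = len(addresses)
    return dict(counts)


if __name__ == "__main__":
    for line in CAPTURED:
        print(f"{line!r:60} -> {findings(line)}")
    print(report(CAPTURED))
```

On a real deployment the same logic would sit behind a packet capture and a TCP stream reassembler; the point of the example is the classification, which is the part a defender tunes. Any positive hit for credential-in-clear on a link you operate is a finding in its own right, regardless of how long the link has been in service.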
After a long weekend of debauchery on Bourbon Street, Jake, Andy, and Shawn drove back home as Jake's laptop once again sniffed the whole way. The final stats from the trip showed that the guys had passed by approximately 1784 unique access points. It turned out that only 33.3 percent were WEP encrypted (594 total) and the other 66.7 percent were not (1190 total). Regardless of how many other folks were not using encryption, Jake thought it would be a good idea to give the weigh stations a call and suggest that they switch their infrastructure to WEP-based (or even better, WPA-based) encryption.
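Jake's three log-analysis steps (grepping for the 00:40:96 vendor OUI, grepping for the airo_ws/airo_icn beacon info strings, and the final WEP-versus-open tally) can be done in one pass over a survey log. The script below is an added example, not the page's or Kismet's own code. It reads a constructed, simplified SSID;BSSID;beacon_info;encryption layout, because real Kismet export formats differ by version and you would adapt parse_log() to yours; the sample MAC addresses and SSIDs are illustrative, and it also flags networks still on the tsunami default SSID the page mentions.

```python
"""Audit a Wi-Fi survey log: vendor OUI matches, beacon info matches, default
SSIDs, and an encryption tally. Added example; log format is constructed."""
from collections import Counter

CISCO_AIRONET_OUI = "00:40:96"           # OUI prefix quoted on the page
AIRONET_INFO_FIELDS = {"airo_ws", "airo_icn"}
DEFAULT_SSIDS = {"tsunami"}              # old Aironet default SSID

# Constructed sample survey (simplified layout, not Kismet's real export).
SAMPLE_LOG = """\
# ssid;bssid;beacon_info;encryption
0802;00:40:96:2A:54:75;airo_ws;None
1701;00:40:96:30:5E:81;airo_icn;None
tsunami;00:40:96:AA:BB:CC;;None
scales;00:40:96:56:D1:87;airo_ws;None
orange;00:0C:41:11:22:33;;None
homenet;00:0F:66:44:55:66;;WEP
corpnet;00:1B:2F:77:88:99;;WPA
"""


def parse_log(text):
    """Parse the simplified format into a list of dicts, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, info, enc = line.split(";")
        records.append({"ssid": ssid, "bssid": bssid.upper(), "info": info, "enc": enc})
    return records


def oui(bssid):
    """First three octets of a MAC, e.g. '00:40:96'."""
    return bssid.upper()[:8]


def networks_by_oui(records, prefix):
    """Same result as grepping the log for one vendor OUI."""
    return [r for r in records if oui(r["bssid"]) == prefix.upper()]


def networks_by_beacon_info(records, wanted):
    """Same result as grepping for the beacon info strings."""
    return [r for r in records if r["info"] in wanted]


def default_ssid_networks(records, defaults=DEFAULT_SSIDS):
    """Networks still on a vendor default SSID; usually other defaults remain too."""
    return [r for r in records if r["ssid"].lower() in defaults]


def encryption_stats(records):
    """Tally by encryption type. WEP is counted as 'encrypted' only to mirror the
    page's 2004-era survey; for a current audit treat WEP as open."""
    counts = Counter(r["enc"] for r in records)
    total = len(records)
    unencrypted = counts.get("None", 0)
    return {
        "total": total,
        "encrypted": total - unencrypted,
        "unencrypted": unencrypted,
        "by_type": dict(counts),
        "pct_unencrypted": round(100.0 * unencrypted / total, 1) if total else 0.0,
    }


def audit(text):
    """Run all four checks over a survey log and return their results."""
    recs = parse_log(text)
    return {
        "aironet": [r["ssid"] for r in networks_by_oui(recs, CISCO_AIRONET_OUI)],
        "aironet_info": [r["ssid"] for r in networks_by_beacon_info(recs, AIRONET_INFO_FIELDS)],
        "default_ssid": [r["ssid"] for r in default_ssid_networks(recs)],
        "stats": encryption_stats(recs),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The OUI and beacon-info filters are what let Jake tie anonymous four-digit SSIDs back to one vendor and one deployment; run against your own survey they answer the inverse question, which of your sites are visible as a pattern to anyone driving past.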
Recalling the sign that said something about following in-cab signals, Jake decided to scour the web for information on PriorApproval technology. After a short period of time, he ran across a boatload of info on what he and the other guys saw when they were on the road. The website for PriorApproval stated that it was an automatic vehicle identification system that allows participating transponder-equipped commercial vehicles to bypass designated weigh stations. Cleared vehicles do not have to stop at the weigh station, and they can continue on at highway speeds.
Again, Jake thought this was something that ought to be secured. He poked around the site for a while and eventually found the contact information for the engineers who built the system. He called the standard support line and asked how to report a security issue, and he was eventually given the contact info of a manager on the engineering team. Jake took a moment to explain to the manager that the system as it currently stood leaked internal IP addresses from the PriorApproval network and that it transmitted data in cleartext. Because he was talking to someone who helped design the system, he also inquired about what exactly was going on at these little stations on the side of the highways.
Jake was told that basically "several computers are connected to a modem bank that communicates with a central database system." The wireless network was apparently used to identify the vehicles that were passing by and subsequently authorize them to pass or request them to pull into the weigh station. Once again, Jake voiced his opinion about the usage of an unencrypted network; however, he was abruptly cut off with a comment that pretty much preached security through obscurity. The general response was that PriorApproval was "not concerned with intrusions on the network simply because it had been in place for over 10 years and they had not yet had a problem with it." Having done his due diligence, Jake simply hung up the phone and shook his head at what he observed as general stupidity.
Jake often wonders to himself, whenever he passes various weigh stations in different states, "What were those guys thinking? Did they honestly think it was going to be okay to use cleartext networks forever?" He really hoped that eventually the people who implemented this system would wake up. Unfortunately, for the moment, Jake felt as if he had little impact on the folks who designed PriorApproval. At the very least, he did make an attempt at educating PriorApproval's staff; they, however, were not interested in learning.