It’s Friday afternoon and you’re sitting at the airport waiting to catch that flight home. Though your flight is scheduled for takeoff in less than 20 minutes, you can’t help but notice the lack of an airplane to board out of the terminal window. Casually, an airline employee, who just 10 minutes earlier had told you the flight was running on time, picks up the microphone: “Attention passengers of flight 220 from Houston to San Diego. We have just received word that the in-bound flight from (insert random faraway city here) was unable to depart due to a mechanical problem. They are attempting to repair the plane and once repairs are complete, we expect to be on our way. Once we have more information, we will be able to give you a new time of expected departure. However, as of right now, it will be at least a 2 to 3 hour delay.”
One might think that this kind of announcement is an exaggeration, but I swear to you that I have lived it. What amused me most was that just 10 minutes earlier, I was being told my flight would be on time, while in reality the plane I was to be crammed into was two hours away sitting on the tarmac being repaired.
Really, I simply hate to travel. In fact, I currently have a running joke with my wife when I arrive at the airport and call her. She now answers the phone “So how long is the delay this time?”
Yep, the glamorous life on the road. And so what do you do when you have just been informed you will be spending more time in the airport than you spend in any given week with your kids? You open the laptop, of course, and see if you can get on the Internet. Ah yes, before the Internet and wireless, I truly do not know how people, or I, survived airport layovers.
But now, you simply pop open the case, boot up and, sure enough, you get a wireless signal. In fact, you get two or three wireless signals. Anyone who uses wireless has been in this situation. You look at the names and click the one that seems most likely to give public access. In this case, you see one named “Unlimited Access.”
You proceed to open your browser and see if you got lucky. Is it free, or are you going to be stuck having to pay? The browser starts to come up and instead of hitting your default home page, it prompts with “Welcome to $1.99 Internet Access. Unlimited Access for just $1.99.” Though the idea of having to pay for Internet is disappointing, you have to admit that a buck ninety-nine is not that bad. You enter your credit card information and within a minute you’re on the Internet. It’s great to be in America!
A couple of months later, you’re at home with that hellish layover long faded from your memory. You open your credit card bill and your pulse races as you are unable to recognize the numbers that are listed under total amount due. Instead of owing just a few hundred dollars, your credit card is now maxed out with thousands of dollars’ worth of charges. You look at your spouse trying to figure out if she had been on a spending binge that she forgot to mention. As you read through the bill, reality sets in when you realize you are the victim of credit card fraud. Of course, how it happened may or may not ever be resolved.
So, What Happened?
That $1.99 wireless was nothing more than a malicious laptop that was set up for the purpose of stealing credit card information. Several months ago, this idea came to me while I was at the airport. I realized as I typed my credit card information into the web page that I really had no idea what company I was giving information to. So I decided to see just how easy it was to pull off such a scam.
Back at the office I loaded the free Squid proxy onto a laptop. I modified the code to support a web page that prompted a user for first and last name, credit card number, expiration date, the CVV security code on the card and billing address. I then purchased a high-powered wireless access point with a high-powered antenna.
My first tests were designed to see just how many credit cards I could capture with such a device. The trick for success was to make sure that I set up only where there was already pay wireless access available. So most airports were good, but I also realized that places like Starbucks could be a gold mine, not to mention less risk and easier access.
How I Did It
At the airport, I would bring my equipment with me as carry-on luggage. Now, please keep in mind that the idea that you need a ticket to get beyond the security checkpoint is really just silly. Anyone can print an e-ticket from a computer and place any date and time they like on it. If you have an old e-ticket and a photocopier, you can modify the date to whatever day you feel like hanging around the airport. Once past the security checkpoint, you wander around to an area where flights have been delayed. This is generally not difficult to find.
You plug in your laptop and your wireless access point and turn everything on. The wireless device can be kept in your briefcase and the antenna sits on top of it very inconspicuously. When your laptop comes up, you connect to the legitimate pay service. Again, the cost ranges anywhere from $10 up, but if you were truly doing this for malicious purposes, this minor fee is worth it. Once logged in, you enable the Squid proxy server. Keep in mind the wireless access device has already been set up to provide DHCP, which the users connecting to your service will need in order to get an address and route their traffic through your laptop. Now, all that is left to do is sit back and wait for the connections to begin.
I found that the trick was in the name of the wireless device. When there were several to choose from, I needed to make sure that people would choose mine over one of the others. That is why the “Unlimited Internet Access” name was such a good one. As people looked through the list, they would see several and might even try others, but only mine was for the low price of $1.99.
During my tests at airports, each for about 3 hours, I would get anywhere from 10 to 60 accounts. Now obviously, I did not keep the information and only stored the first 4 digits of the credit card number, which would indicate what kind of card had been used. The purpose of the test was to see if there really was a risk and if this type of attack could be successful.
As I mentioned earlier, I also visited other locations such as Starbucks. This was where I found far more action and far less risk. I could simply park my car next to the Starbucks, power up all my gear in the car and then just sit around. No one ever noticed that I was sitting in a running car, as I would just read a book while waiting. In many cases, I would go in and purchase something just so it seemed less unusual for a guy to be sitting in the parking lot. Since Starbucks charges for its wireless access, it was simple to pick up everyone through my account. People would bring up their wireless, see the hotspot option and then see mine. Unless they already had a pre-paid plan with the hotspot, they would always choose mine. During these tests, I found that I would get a minimum of 20 accounts during a three-hour period. In addition to these locations, I also targeted hotels and had very similar results. In every case, I was able to get credit card numbers, and in every case I was not detected.
After my first few tests I started thinking about all of the other information that was there to be obtained. Keep in mind that every user that utilized my “service” was passing everything they did through my computer. This means that anything they sent, I could log. Email, for example, was there for the taking. So I modified my code to start logging all communications. Though this took a large amount of disk space, it became clear how much information could be obtained. I saw emails that ranged from personal letters to corporate emails discussing the upcoming termination of employees. To be fair, I did warn every single user that connected to my service that I was going to do this.
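To make concrete what the operator of such a proxy can log, here is an added example; it is not the author’s Squid modification or any code from the original article. It parses a constructed set of client flows as a proxy in the middle would see them: the plaintext HTTP POST from the $1.99 signup page, a POP3 mail login, and an HTTPS session through an explicit proxy. Card numbers are Luhn-checked and reduced to their leading four digits (the only part the author kept), and the issuer is classified from that prefix. The hostnames, form field names, ports and flows are all assumptions made for the example.

```python
"""What a hotspot operator sees in the clear. Added illustration, not the
article's code: the captive-page form, a POP3 login, and an HTTPS CONNECT.
Only the leading four digits of any card number are retained."""
import re
from urllib.parse import parse_qs

# Constructed sample flows as (destination port, payload) seen by the proxy.
SAMPLE_FLOWS = [
    # 1. The $1.99 signup form, submitted over plain HTTP to the captive page.
    (80, "POST /signup HTTP/1.1\r\nHost: portal.example\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "first=Jane&last=Doe&card=4111111111111111&exp=0912&cvv=123&zip=92101"),
    # 2. A second visitor who mistyped the card number: the Luhn check fails.
    (80, "POST /signup HTTP/1.1\r\nHost: portal.example\r\n\r\n"
         "first=Bob&last=Roe&card=4111111111111112&exp=1111&cvv=999"),
    # 3. A POP3 mail check: username and password travel unencrypted.
    (110, "USER jane.doe\r\nPASS hunter2\r\nSTAT\r\n"),
    # 4. HTTPS via an explicit proxy: only the CONNECT target is visible.
    (8080, "CONNECT mail.example.com:443 HTTP/1.1\r\n"
           "Host: mail.example.com:443\r\n\r\n"),
]

# Leading digits -> brand; common ranges, enough to classify a prefix.
ISSUER_PREFIXES = [
    (("34", "37"), "American Express"),
    (("6011", "65"), "Discover"),
    (("51", "52", "53", "54", "55"), "MasterCard"),
    (("4",), "Visa"),
]
PAN_RE = re.compile(r"\d{13,19}")  # primary account number length range


def luhn_ok(number: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer(number: str) -> str:
    for prefixes, brand in ISSUER_PREFIXES:
        if number.startswith(prefixes):
            return brand
    return "unknown"


def parse_http_request(payload: str):
    """Split an HTTP request into (method, target, form fields); None if malformed."""
    head, _, body = payload.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2:
        return None
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return parts[0], parts[1], fields


def parse_pop3(payload: str) -> dict:
    creds = {}
    for line in payload.split("\r\n"):
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("USER", "PASS"):
            creds[verb.lower()] = arg
    return creds


def log_flow(port: int, payload: str):
    """Reduce one flow to the record an operator could keep, or None."""
    if port == 110:
        c = parse_pop3(payload)
        if "user" in c and "pass" in c:
            return {"kind": "pop3", "user": c["user"], "password": c["pass"]}
        return None
    parsed = parse_http_request(payload)
    if parsed is None:
        return None
    method, target, fields = parsed
    if method == "CONNECT":
        # TLS tunnel: the proxy learns the destination host and nothing else.
        return {"kind": "tls", "host": target.rsplit(":", 1)[0], "content": "opaque"}
    if method == "POST":
        for value in fields.values():
            if PAN_RE.fullmatch(value):
                name = f"{fields.get('first', '')} {fields.get('last', '')}".strip()
                return {"kind": "card", "name": name, "prefix": value[:4],
                        "issuer": issuer(value), "luhn_ok": luhn_ok(value),
                        "cvv_seen": "cvv" in fields}
    return None


def capture_log(flows):
    return [r for r in (log_flow(p, d) for p, d in flows) if r is not None]


if __name__ == "__main__":
    for record in capture_log(SAMPLE_FLOWS):
        print(record)
```

The same parser run over your own outbound traffic is a quick way to find what a hostile hotspot would get from you: anything it can pull a record from (the form fields, the POP3 login) is worth moving behind TLS, and the CONNECT entry shows how little survives when the session is encrypted end to end.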
As with most services, there is always a license agreement. In the agreement, generally the organization is making sure they cannot be sued for anything. I too had a license agreement on the signup page. With my agreement, I also included a short statement explaining that everything users sent through this connection was being logged and monitored. Of course, I buried this information deep in the license agreement with the understanding that no one ever reads the agreement. In addition, I also had a statement that said the credit card submitted would never be charged and that this was simply an experiment. I even went so far as to say that if they were reading this, they should go to a specific link and they could bypass the credit card portion entirely. Of course, not a single person ever went to that link.
At one point, I even included an ActiveX control that the user was told to load onto their computer in order to use the service. The control did nothing other than load onto their system, but it demonstrated how many computers I could have compromised with malicious software. I did similar tests with executable software that the user was instructed to download and install. Like the ActiveX control, the executable did nothing but run an install program. Once it completed, it made a single web connection to a waiting web page that let me know it was installed. Every single user that made the connection to my “service” installed the software.
Beware of Wireless Risks
Organizations all over the world have hired us to train them and help them understand the risks associated with all levels of the Internet. When I began these tests, I truly had no idea just how easy it would be to pull off. By the time I was done, I was convinced that when using wireless connections, you are at major risk.
Though I did not get into it during this article, I also just offered free service in order to capture data. Much like the paid service, I had immediate results. People need to understand that wireless access can be extremely convenient, but there are major security risks that can be involved. Most people have only looked at the security risks of offering a wireless access point, however few think about the risks of using public access points.
Unfortunately, there are no simple solutions. Anyone can mimic a legitimate wireless service provider, so even if the name listed is something you trust -- such as T-Mobile -- it doesn’t guarantee that is who they are. In addition, even if the site is free, the information you are passing during that session could be logged. Encrypted communication is key during these sessions. If you use standard POP to receive your email, which sends your username and password unencrypted, you might think twice before opening your mail tool. If you’re not sure about POP, contact your system administrator. Though I don’t think there is a good solution for this today, I want to make sure that people are aware that these risks exist. This time it was simply me running a test; the next time the person might have different intentions.
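The name-mimicking point above has a partial client-side check. Here is an added example (my own illustration, not the author’s code or a vendor tool) that compares a laptop’s scan list against a pinned profile of networks the user has joined before: the access point MAC (BSSID) seen on earlier visits and whether the network was encrypted. A familiar name that now appears from a new BSSID, shows up twice at once, or has dropped its encryption is flagged rather than auto-joined, and an unknown open network is never trusted with payment details. The network names, BSSIDs and signal levels are constructed for the example.

```python
"""Rogue-hotspot check against a pinned network profile. Added illustration,
not code from the article. Flags a known SSID seen from a new BSSID, an SSID
appearing twice, an encryption downgrade, and any unknown open network."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str       # access point MAC as reported by the scan
    encrypted: bool  # WPA/WPA2 vs. open
    signal_dbm: int


# Pinned profile of networks this laptop has joined before (constructed).
KNOWN_NETWORKS = {
    "T-Mobile HotSpot": {"bssids": {"00:0c:41:aa:bb:01"}, "encrypted": False},
    "CorpWiFi":         {"bssids": {"00:1a:2b:cc:dd:02"}, "encrypted": True},
}

# Constructed scan list for a terminal where a rogue access point is running.
SCAN = [
    ScanEntry("T-Mobile HotSpot", "00:0c:41:aa:bb:01", False, -62),  # the real one
    ScanEntry("T-Mobile HotSpot", "00:11:22:33:44:55", False, -41),  # same name, new MAC, louder
    ScanEntry("Unlimited Access", "00:11:22:33:44:56", False, -39),  # lure name, open, never seen
    ScanEntry("CorpWiFi",         "00:1a:2b:cc:dd:02", False, -70),  # known MAC but now open
]


def assess(scan, known):
    """Return {bssid: sorted flags}; an empty list means the entry matches the profile."""
    by_ssid = {}
    for entry in scan:
        by_ssid.setdefault(entry.ssid, []).append(entry)

    verdicts = {}
    for entry in scan:
        flags = []
        if len(by_ssid[entry.ssid]) > 1:
            # Two radios announcing one name: cannot tell the real one by name alone.
            flags.append("duplicate-ssid")
        profile = known.get(entry.ssid)
        if profile is None:
            if not entry.encrypted:
                flags.append("open-unknown")
        else:
            if entry.bssid not in profile["bssids"]:
                flags.append("unknown-bssid")
            if profile["encrypted"] and not entry.encrypted:
                flags.append("encryption-downgrade")
        verdicts[entry.bssid] = sorted(flags)
    return verdicts


def choose_network(scan, known):
    """Strongest entry with no flags, or None when nothing should be auto-joined."""
    verdicts = assess(scan, known)
    clean = [e for e in scan if not verdicts[e.bssid]]
    return max(clean, key=lambda e: e.signal_dbm) if clean else None


if __name__ == "__main__":
    for bssid, flags in assess(SCAN, KNOWN_NETWORKS).items():
        print(bssid, flags or "ok")
    print("auto-join:", choose_network(SCAN, KNOWN_NETWORKS))
```

Two caveats a practitioner should keep in mind. A BSSID is as easy to forge as an SSID, so this only catches impersonators who did not bother to copy the real access point’s MAC, and multiple access points legitimately share one SSID in larger venues, so "duplicate-ssid" is a prompt to stop and look, not proof of an attack. That is exactly why the article’s conclusion stands: the name and even the MAC can lie, and only end-to-end encryption of the session protects what you send.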
About the Author
Jim Stickley is the CTO of TraceSecurity, Inc. (www.traceSecurity.com), a provider of enterprise-class vulnerability management solutions and security assessments. He can be reached at jstickley@tracesecurity.com.