
Security issues identified with some hotel Wi-Fi

Comments

  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    Having listened to this, the gentleman concerned talks about being able to access login names, passwords, credit card details, etc

    Surely if, for example, I'm accessing my Paypal account - which was one of the services mentioned - the https encryption on the Paypal website would protect my user data, regardless of the encryption level on the public wifi network?


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    Hasn't this been known for the last 10 years? It's part of the way WiFi works, I assumed most people would know this.


  • Registered Users, Registered Users 2 Posts: 8,671 ✭✭✭GarIT


    gizmo555 wrote: »
    Having listened to this, the gentleman concerned talks about being able to access login names, passwords, credit card details, etc

    Surely if, for example, I'm accessing my Paypal account - which was one of the services mentioned - the https encryption on the Paypal website would protect my user data, regardless of the encryption level on the public wifi network?

    Nope, once you're on a public network a smart hacker could get everything. You need to be using a VPN at minimum on a public network.


  • Closed Accounts Posts: 987 ✭✭✭The Glass Key


    GarIT wrote: »
    Nope, once you're on a public network a smart hacker could get everything. You need to be using a VPN at minimum on a public network.

    I've not gone into it in great detail but in the case of paypal and other connections where ssl was used the client being attacked could spot what was happening because they wouldn't see the https in the URL bar before they logged in.

    I know that's not the best protection but some people would spot it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    GarIT wrote: »
    Nope, once you're on a public network a smart hacker could get everything. You need to be using a VPN at minimum on a public network.

    If content is encrypted, a smart hacker cannot forge a trusted certificate. So unless the user is using software to ignore invalid certificates, there should be no need to worry about encrypted content.


  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    If content is encrypted, a smart hacker cannot forge a trusted certificate. So unless the user is using software to ignore invalid certificates, there should be no need to worry about encrypted content.

    This is what I would have expected - was the threat described greatly overstated, or am I missing something else?

    To me, it seems like the biggest risk would be if you're logging into websites or services which don't use encryption and the passwords for those are also used for other accounts. For example, Boards's login page isn't encrypted.


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    gizmo555 wrote: »
    This is what I would have expected - was the threat described greatly overstated, or am I missing something else?

    At the end of the piece on RTE the guy said 70% of all traffic in hotels is probably being watched if it's not encrypted. It's almost as if he put an asterisk on his sentence and said the encrypted bit as an afterthought. I think that was the only time the word encrypted was mentioned during the piece.

    If you have a valid SSL certificate I don't know how bank details / credit card numbers could have been lifted by this company. Is this stuff not illegal to do? They said they did some hotels from the car park. That's kind of implying they had nobody's permission.
    If they managed to get users' credit card numbers and banking information what did they do with it? Are they storing it, did they delete it straight away? I'm pretty sure there are laws about this. It doesn't matter if it's easy to grab. It doesn't mean you can do it.


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    gizmo555 wrote: »
    To me, it seems like the biggest risk would be if you're logging into websites or services which don't use encryption and the passwords for those are also used for other accounts. For example, Boards's login page isn't encrypted.

    Boards login page is encrypted for me.

    https://www.boards.ie/auth/login

    Actually, you don't want to reuse passwords for important sites anyway. There have been several instances over the last year where sites have been hacked and the passwords were exposed to the public.


  • Closed Accounts Posts: 56 ✭✭theedude27


    Although not mentioned in the RTE News report obviously, I would assume that they used some sort of robust packet sniffing tool in order to capture all the sensitive data in the same way that a keylogger would capture data on a local machine. Am I correct in saying that?

    Yes there are Data Protection laws in Ireland but I don't know what the Commissioner's stance on unauthorised penetration testing and war-driving (what they were doing outside the hotel) is!! Will be interesting to see what Billy Hawkes has to say on the matter, especially about the capturing of all the sensitive data and whether it has been stored or disposed of (in a secure manner).

    Coming from an information security background myself and constantly having to remind staff of the dangers of using unencrypted devices in unsecured locations, I initially scoffed at the report when I saw it this morning but actually this is something positive for the public because if they are willing to listen and try to understand the type of threats (to privacy and data) that are out there, they will be reminded of these threats every time they go to do something that involves inputting personal data aka online banking, posting to facebook, twittering, using weak passwords etc and hopefully it will make them more vigilant and avoid them resorting to silly rants on the aforementioned sites and boards.ie of course :D


  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    timetogo wrote: »
    Boards login page is encrypted for me.

    https://www.boards.ie/auth/login

    The home page, which includes a login dialogue box, doesn't appear to be:

    http://www.boards.ie/

    timetogo wrote: »
    Actually, you don't want to reuse passwords for important sites anyway. There have been several instances over the last year where sites have been hacked and the passwords were exposed to the public.

    You're right of course, but as we know, a great many people do.

    theedude27 wrote: »
    Although not mentioned in the RTE News report obviously, I would assume that they used some sort of robust packet sniffing tool in order to capture all the sensitive data in the same way that a keylogger would capture data on a local machine. Am I correct in saying that?

    Sorry, can you clarify how this would work on, say, an encrypted connection to my Paypal account? What kind of robust packet sniffing tool could break the encryption?

    theedude27 wrote: »
    . . I don't know what the Commissioner's stance on unauthorised penetration testing and war-driving (what they were doing outside the hotel) is!! Will be interesting to see what Billy Hawkes has to say on the matter . . .

    A spokesman for his office was quoted briefly in the RTÉ report and they seemed pretty relaxed about it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    timetogo wrote: »
    Boards login page is encrypted for me.

    https://www.boards.ie/auth/login

    Actually, you don't want to reuse passwords for important sites anyway. There have been several instances over the last year where sites have been hacked and the passwords were exposed to the public.

    Login page itself is encrypted, but after login, you immediately fall back to good old http to facilitate cookie stealing, which I guess can be as dangerous. Having either the password or the session cookie exposes the user's account, so in my opinion, both should be protected. I have been able to sniff out boards.ie cookie sessions on my local LAN at home and inject cookies into my browser on a different setup and be authenticated as the original user simply using their cookies. But this is valid for any website using session cookies and http. Boards.ie should give the option to use ssl, let alone forcing it. It would create a considerable extra load on their servers though.

    If you force it to use https for normal browsing:
    https://www.boards.ie/vbulletin/forumdisplay.php?f=24

    Your browser should block non-encrypted content if you are accessing the page over https, otherwise it's possible to still steal cookies. And as it seems, boards.ie serves some static content only over http. Look at the https link above with a recent version of Firefox or Chrome, and even Internet Explorer! to see what I mean. Older versions of these browsers still loaded the non-encrypted content but gave a warning. Now they won't load the content.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I think a more interesting threat to public wifi spots that require login code or paid authentication:

    https://github.com/poliva/random-scripts/blob/master/wifi/hotspot-bypass.sh
    https://github.com/poliva/random-scripts/blob/master/wifi/hotspot-bypass-android.sh

    Works on many guest wifi's places I tried.


  • Registered Users, Registered Users 2 Posts: 20,847 ✭✭✭✭cormie


    I think a more interesting threat to public wifi spots that require login code or paid authentication:

    https://github.com/poliva/random-scripts/blob/master/wifi/hotspot-bypass.sh
    https://github.com/poliva/random-scripts/blob/master/wifi/hotspot-bypass-android.sh

    Works on many guest wifi's places I tried.

    What are them links for? What do you do with them? Pretty scary stuff out there, especially after watching this: http://www.youtube.com/watch?v=lA4R84xfLOQ


  • Registered Users, Registered Users 2 Posts: 697 ✭✭✭mambo


    It's reasonably well known (though not by the general public) that regular HTTP traffic on open wi-fi networks can be easily intercepted and sessions hijacked, etc.

    It's strange the guy would go on Morning Ireland, etc. claiming they could easily access, say, people's online banking information, but go into no more specific detail of what was available or how it could be accessed, and not publish any details on their website.

    I'm sure the banks would want to know if their SSL encryption was being broken!

    Far be it from me to claim they were exaggerating what's possible in order to get more publicity for themselves. :cool:


  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    mambo wrote: »
    It's strange the guy would go on Morning Ireland, etc. claiming they could easily access, say, people's online banking information, but go into no more specific detail of what was available . . .

    He went into a lot of very specific detail - quoting directly from the interview: "user names, passwords, login details, credit card info, online bank details including Paypal logins and passwords, email addresses and passwords . . ."

    What I'm struggling to understand and where the detail was lacking is how this is possible if the websites concerned were using bog standard encryption.


  • Registered Users, Registered Users 2 Posts: 2,757 ✭✭✭MyPeopleDrankTheSoup


    it's just crap for publicity. they can't break SSL. the guy who wrote it is Tom O'C who used to be with databackup.ie
    https://twitter.com/databackup/status/410712172470087680

    http://databackup.ie/

    I respect the hustle to get in all the media today but it looks pretty poor on the part of our national broadcaster making it a main news story. And the Irish Times, the so called paper of record.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    gizmo555 wrote: »
    The home page, which includes a login dialogue box, doesn't appear to be: http://www.boards.ie/

    The homepage isn't but the login form on the homepage has an action which will post the user data over https/ssl so effectively is for login purposes.

    But yes, then falls back to http. Perhaps not the end of the world if your boards account gets hacked or a session is temporarily stolen.


  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    gizmo555 wrote: »
    What I'm struggling to understand and where the detail was lacking is how this is possible if the websites concerned were using bog standard encryption.

    This Indo story gives a little more information about what they say they did - does this make sense?

    It said that most public wifi networks share a single internet provider, or IP, subnet and this gives potential hackers the ability to pretend that their laptop or mobile device is the gateway on that subnet. It is known as a Man in the Middle Attack.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh



    The company seems to be tweeting a lot about ssl / https, and man-in-the-middle attacks. He's also been saying that they will publish/blog about some of the detail/findings.

    I think it would be really interesting if they were to release at least some detail of the technical exploits used to better inform as to what they actually found wrong.


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    I want to find out who their PR company are, they've done a great job with this non-story.


  • Registered Users, Registered Users 2 Posts: 2 mrdarrenm


    AnCatDubh wrote: »
    The company seems to be tweeting a lot about ssl / https, and man-in-the-middle attacks. He's also been saying that they will publish/blog about some of the detail/findings.

    I think it would be really interesting if they were to release at least some detail of the technical exploits used to better inform as to what they actually found wrong.

    They don't need to 'break' ssl, just to do the man in the middle and some other trickery. Look up a tool called sslstrip, it can allow you to do this very easily and the site will have an explanation by a guy called Moxie Marlinspike who wrote it. Basically the attacking machine initiates the ssl connection. Because it is one way SSL (no client side certs) this is fine as the server won't have verification of correct user, only vice versa.

    So the html which is encrypted by this valid ssl session is passed from the man in the middle attacker back to victim in cleartext html. There won't be an ssl lock icon for the end user but most people won't notice. Credentials are captured in the middle before being passed in to the attacker's valid ssl connection. Don't know if I'm explaining well, could do with a diagram. Anyway, this is more than likely what they did.

    There's also other attacks like dns cache poisoning. Few options really. I haven't seen the story but sounds like nothing new about hotels; same as cafes, airport, anywhere. Unless there's more to it than it sounds.


  • Registered Users, Registered Users 2 Posts: 7,157 ✭✭✭srsly78


    SSLstrip literally just replaces https with http. It won't work on stuff that forcibly requires https.

    The man in the middle attack on ssl is also detected, and results in a big "this certificate cannot be trusted" warning. If you see this (I see it a lot in work), that's because your corporate/dodgy network is likely doing it. If you don't see it in work, then either A: they have preloaded trusted company/dodgy certs on your box or B: they aren't snooping on you.

    All these SSL "vulnerabilities" are overly alarmist, and some are even "working as designed" (as happens when your corporate box has the mitm certs preloaded). As others have said, if SSL was really hacked it would be big news.
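
Added example (not part of any post in this thread): a Python check, from the site owner's side, for the conditions the posts above describe: a password form served on a plain-HTTP page, a session cookie without the Secure flag, a missing Strict-Transport-Security header, and HTTP subresources on an HTTPS page. The host names, cookie name and responses are constructed for illustration.

```python
"""Audit one captured HTTP response for stripping and cookie-exposure risks."""
import re
from html.parser import HTMLParser
from http.cookies import SimpleCookie


class _PageScan(HTMLParser):
    """Collects password fields and plain-HTTP subresource URLs from HTML."""

    def __init__(self):
        super().__init__()
        self.has_password_field = False
        self.http_subresources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True
        url = None
        if tag in ("script", "img", "iframe"):
            url = attrs.get("src")
        elif tag == "link" and (attrs.get("rel") or "").lower() == "stylesheet":
            url = attrs.get("href")
        if url and url.lower().startswith("http://"):
            self.http_subresources.append(url)


def audit_response(url, headers, body=""):
    """Return a sorted list of finding codes.

    headers is a list of (name, value) tuples so repeated Set-Cookie
    lines are preserved.
    """
    findings = set()
    is_https = url.lower().startswith("https://")
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    if not is_https:
        # Content delivered over HTTP can be read and rewritten in transit.
        findings.add("served-over-http")
    else:
        # Browsers only honour HSTS received over HTTPS; max-age=0 disables it.
        hsts = by_name.get("strict-transport-security", [])
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I) if hsts else None
        if not m or int(m.group(1)) == 0:
            findings.add("no-hsts")

    # A cookie without Secure is sent on any later http:// request to the site.
    for line in by_name.get("set-cookie", []):
        cookie = SimpleCookie()
        cookie.load(line)
        for key, morsel in cookie.items():
            if not morsel["secure"]:
                findings.add(f"cookie-not-secure:{key}")

    scan = _PageScan()
    scan.feed(body)
    # An HTTPS form action does not help if the page holding the form
    # arrived over HTTP: the action can be rewritten before the user sees it.
    if scan.has_password_field and not is_https:
        findings.add("password-form-on-http-page")
    if is_https and scan.http_subresources:
        findings.add("mixed-content")
    return sorted(findings)


# Constructed responses (not captured from any real site).
HTTP_HOME = (
    "http://forum.example/",
    [("Content-Type", "text/html"),
     ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly")],
    '<form action="https://forum.example/login" method="post">'
    '<input type="text" name="user"><input type="password" name="pw"></form>',
)
HTTPS_MIXED = (
    "https://forum.example/threads",
    [("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly")],
    '<img src="http://static.forum.example/logo.png">',
)
HTTPS_HARDENED = (
    "https://forum.example/threads",
    [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
     ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly")],
    '<img src="https://static.forum.example/logo.png">'
    '<input type="password" name="pw">',
)

if __name__ == "__main__":
    for sample in (HTTP_HOME, HTTPS_MIXED, HTTPS_HARDENED):
        print(sample[0], audit_response(*sample))
```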


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    mrdarrenm wrote: »
    Unless there's more to it than it sounds.

    I'd say it's a press release by a newish company to drum up business. They'll probably get some business out of it.
    The real story is how they got it onto RTE Radio in a prime time slot. Can you pay RTE for that type of coverage? The interviewer was really milking the "can see bank account and credit card details".
    There wasn't one mention of anybody paying attention to their HTTPS logo on every browser (Chrome even throws me up a big red screen when it doesn't like the security settings).


  • Registered Users, Registered Users 2 Posts: 697 ✭✭✭mambo


    They should have submitted their claims for some sort of peer review before going to the media with them. And the media ought to be sceptical about claims like this if they haven't been peer reviewed to some extent, and the people making the claims haven't published fuller details for those who understand this sort of thing to go over with a fine tooth comb.

    Still waiting to see any fine detail from the company making these claims. All very vague and sensationalistic so far! The longer this goes on, the more it looks like they are just hyping up the dangers to get some free publicity.

    There's the makings of a story here if some security-aware blogger would like to run with it.


  • Closed Accounts Posts: 39,022 ✭✭✭✭Permabear


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 697 ✭✭✭mambo


    Well said. Also where does that "70%" claim come from? It all reminds me of the famous sexed up WMD "dodgy dossier" a bit.


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭Stuxnet


    Time I taught my 5 year old how to use WireShark !


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Just listened to this now.
    mambo wrote: »
    It's strange the guy would go on Morning Ireland, etc. claiming they could easily access, say, people's online banking information

    Yeah, he was asked a very specific question on online banking and implied that he had no bother accessing it.

    Bollox.


  • Registered Users, Registered Users 2 Posts: 1,186 ✭✭✭davej


    At least someone in the media is questioning it:

    Hotel wifi issue is nothing to shout about

    davej


  • Registered Users, Registered Users 2 Posts: 9,568 ✭✭✭DublinWriter


    mrdarrenm wrote: »
    They don't need to 'break' ssl, just to do the man in the middle and some other trickery.

    I can't see that working in a situation where a user is using a wireless connection already provided by the hotel. The DNS server will be assigned to the client when they get their dynamic IP address via DHCP.

    Unless the hacker is posing as a 'free network' where users join, thinking that it belongs to the hotel/cafe, and when they go to, say 'www.aib.ie' the hacker has configured their own Wifi Network and DNS server to issue them with the IP address of their 'man-in-the-middle' network service.


  • Registered Users, Registered Users 2 Posts: 7,157 ✭✭✭srsly78


    davej wrote: »
    At least someone in the media is questioning it:

    Hotel wifi issue is nothing to shout about

    davej

    Wow someone just got pwned by the Irish Times, don't see that too often.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    I can't see that working in a situation where a user is using a wireless connection already provided by the hotel. The DNS server will be assigned to the client when they get their dynamic IP address via DHCP.

    That's pretty irrelevant if it's a MiTM situation as DNS requests are sent in plaintext so can easily be modified en route.

    Naturally though this will still be obvious to aware users due to the lack of SSL or fake cert, but unfortunately it's something that most users are still clueless about and as previously mentioned the article didn't even point out even this pretty simple way to mitigate against it.


  • Registered Users, Registered Users 2 Posts: 1,299 ✭✭✭moc moc a moc


    mambo wrote: »
    Well said. Also where does that "70%" claim come from? It all reminds me of the famous sexed up WMD "dodgy dossier" a bit.

    It's absolute ****e. Pure (overblown) conjecture.

    Lads, this guy is a CEO, not a techie. Take all he's said so far with a pinch of salt. I'm not saying there isn't a danger, but it's not quite as scandalous as this guy is pumping it up to be.

    The DNS server will be assigned to the client when they get their dynamic IP address via DHCP.

    ARP spoofing is trivial. DHCP interception isn't difficult either, for that matter.
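
Added example (not part of any post in this thread): a Python detection sketch for the gateway impersonation discussed above, comparing two snapshots of a Linux client's neighbour table (`ip neigh show` output) and flagging a changed gateway MAC or a gateway MAC that another host on the subnet also uses. The addresses and table contents are constructed.

```python
"""Flag signs of gateway impersonation in `ip neigh show` snapshots."""
import re

# Matches resolved entries such as:
#   192.0.2.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
# Unresolved entries (FAILED / INCOMPLETE) carry no lladdr and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b"
)


def parse_neigh(text):
    """Parse `ip neigh show` output into {ip: mac}."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def check_gateway(baseline, current, gateway_ip):
    """Compare two {ip: mac} tables and return a list of alert strings."""
    alerts = []
    before = baseline.get(gateway_ip)
    now = current.get(gateway_ip)
    if now is None:
        return ["gateway-unresolved"]
    # The gateway's hardware address should not change during a session.
    if before and now != before:
        alerts.append(f"gateway-mac-changed:{before}->{now}")
    # One MAC answering for the gateway and for another IP on the subnet
    # is what a host impersonating the gateway looks like from a client.
    twins = sorted(ip for ip, mac in current.items()
                   if mac == now and ip != gateway_ip)
    if twins:
        alerts.append("gateway-mac-shared-with:" + ",".join(twins))
    return alerts


# Constructed snapshots (RFC 5737 addresses, locally administered MACs).
BASELINE = """\
192.0.2.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.0.2.57 dev wlan0 lladdr 02:00:00:00:00:57 STALE
192.0.2.80 dev wlan0  FAILED
"""
SPOOFED = """\
192.0.2.1 dev wlan0 lladdr 02:00:00:00:00:57 REACHABLE
192.0.2.57 dev wlan0 lladdr 02:00:00:00:00:57 REACHABLE
"""

if __name__ == "__main__":
    base = parse_neigh(BASELINE)
    print(check_gateway(base, base, "192.0.2.1"))
    print(check_gateway(base, parse_neigh(SPOOFED), "192.0.2.1"))
```

A baseline taken after joining an untrusted network may already be poisoned, so the shared-MAC check is the one that still helps when no trusted baseline exists.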


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    A ridiculous non story that's got so much attention - the PR company worked wonders, fair play to them!

    Without them releasing detailed information - which I doubt they will - there's two possibilities.

    1) They sniffed the network for packets (completely trivial task that anyone can do in a few seconds), looked at the packets, people logged into non SSL sites using the same credentials they use for SSL sites. Boom, these guys got Facebook passwords - It's a crafty way of wording it - they didn't steal Facebook passwords, people just reuse passwords themselves (amazes me when people use the same passwords on silly sites as they do for email/Facebook, but I suppose this is the security world we live in)

    2) Anything else they did is illegal, anything more advanced or any compromises of any end user computers - which I do doubt they did.

    Very grey area to be doing stuff without any authorisation like this, I certainly wouldn't be advertising myself doing it, ethically questionable as well.


  • Registered Users, Registered Users 2 Posts: 165 ✭✭dun79


    It's very easy to do on any wireless network that you're connected to. All you need is an android and an app called dSploit


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    timmywex wrote: »
    A ridiculous non story that's got so much attention - the PR company worked wonders, fair play to them!

    Without them releasing detailed information - which I doubt they will - there's two possibilities.

    1) They sniffed the network for packets (completely trivial task that anyone can do in a few seconds), looked at the packets, people logged into non SSL sites using the same credentials they use for SSL sites. Boom, these guys got Facebook passwords - It's a crafty way of wording it - they didn't steal Facebook passwords, people just reuse passwords themselves (amazes me when people use the same passwords on silly sites as they do for email/Facebook, but I suppose this is the security world we live in)

    2) Anything else they did is illegal, anything more advanced or any compromises of any end user computers - which I do doubt they did.

    Very grey area to be doing stuff without any authorisation like this, I certainly wouldn't be advertising myself doing it, ethically questionable as well.

    Sorry to quote you here, but I just want to go one step further with your point:

    If they were hacking on to one of my clients' hotels, fine, happy day. The hotel's guests are informed that they are connecting to internet via an open public WiFi network when they get the wifi login details from reception, therefore to be aware of any consequence as a result of that.
    BUT, hacking on to hotel WiFi, stealing the end user's information, holding it on their laptop as plain text and/or encrypted for an unknown period of time (maybe today as well) and contact the hotel to inform them about the illegality... that will generate a visit to Hotel's Solicitor and bring them in Court!

    That's my one byte reply to this action... and... still can't understand why they went public!


  • Registered Users, Registered Users 2 Posts: 1,034 ✭✭✭dalta5billion


    That's my one byte reply to this action...
    k


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    Hi,

    Just had an argument with someone here, few days ago.
    I don't want to attract attention or even less, I don't have the resources and marketing material available that the company have...

    What is the difference between "testing" the network sitting outside the hotel's WIFI/LAN as a white hat hacker AND sitting inside the hotel's network, as a guest wearing a hat !??

    I mean, I guess it is the same level of security inside or outside, except that inside you're giving access to the hotel's WiFi (and as far as I know some routers do not have WiFi isolation)

    Looking forward to your consideration.

    Regards


  • Registered Users, Registered Users 2 Posts: 10,967 ✭✭✭✭28064212


    AND sitting inside the hotel's network, as a guest wearing a hat !??
    Chances are, as a guest, you've signed a contract with conditions, one of which probably details what you are allowed do on their network

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    28064212 wrote: »
    Chances are, as a guest, you've signed a contract with conditions, one of which probably details what you are allowed do on their network

    The only "contract" I am aware of, in order to avail of free internet access over the hotel guest WiFi (with the key provided by staff) is ... to pay for the coffee ! :)

    Been in few hotels myself and the WiFi key is located inside the Welcome Pack, in the room ! I can use it or not.
    And I'm not even sure that they are obliged to keep a traffic log for the WiFi guests !!


  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    And I'm not even sure that they are obliged to keep a traffic log for the WiFi guests !!

    In theory, they are obliged under the Communication (Retention of Data) Act 2011 to do so and to make information available to the Gardai, Revenue or Defence Forces on receipt of a valid request from a duly authorised officer.

    In practice, I doubt if the vast majority of pubs, hotels, etc which offer WiFi are even aware of this requirement.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Does anyone know if the punters in the OP ever came out with the details of their exploit?


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    I can't comment on the company's updates...we are in same business and without all the technical data is very hard to pronounce a conclusion.

    Been to a training session some time ago and we've talked about this situation. There were a person that highly took part of the company rationale of the attack that I wanted to ask if he works for it.

    I'm surprised that no hotels published anything related to the, I call it, "attack" OR techies working for hotels haven't reacted positive or negative to this test.
    I guess...the techies giving IT support to those hotels may be fired by now and replaced by the "company" staff ? :)


    And to keep it positive and constructive, let's give some free advice to the hotels and challenge the company tests.
    Based on industry standards, legislation and your experience... what is in your opinion, the most realistic secure setup, configuration and running, from business, IT and financial aspects of a hotel wireless network, covering LAN / WAN / WiFi !?

    A typical hotel in the City, surrounded by other public / private buildings, streets and individuals.
    Standard internet access, public IP address.
    With and without the shared wifi key provided by staff at reception.
    Protection against for an unknown typical user with a laptop doing daily routine, reading news, emails and maybe VPN in to office network.
    Other type of user is with any type of mobile devices.

    The "testing user" could be a white hat or a black hat, so we can discuss both types of protection and attacks.

    Scenario could be done on existing WiFi networks running on a standard, no-name company and adding "wish list" of functions to the network devices.
    Or, scenario on a brand new spanky WiFi network, open budget.

    All opinions will be taken as they are, free of charge and on public based with no liabilities attracted...

    The winner, a free coffee in one of the hotels.

    Let's have fun...


  • Registered Users, Registered Users 2 Posts: 1,689 ✭✭✭JimmyCrackCorn


    I have a "friend", he on any stays in a hotels makes a point not to pay exorbitant charges for internets.

    So much so the friend took the paranoid leap of mac address spoofing/cloning etc to ensure he looked like a cable box.

    One day bob copied and pasted the wrong mac address from an nmap sweep. It happened to be a central router and knocked out half the hotels internets...

    But my friend often on business travels see the following.

    -Sql injection in login screens for wifi/admin panels
    -Corporate network and public wifi are the same network.
    -No isolation of clients
    -RDP/VNC servers
    -The cable multiplexers are often Ip based and streams can be grabbed.
    -Loads of un-patched machines XP/NT


    That's not even the client attacks which have been both known and solutions proposed for many years ago....

    I and I'll ask bob but I'm sure he still hasn't seen a hotel use EAP/RADIUS authentication...

