Security issues identified with some hotel Wi-Fi

davej

At least someone in the media is questioning it:

Hotel wifi issue is nothing to shout about

davej

DublinWriter

mrdarrenm wrote: »

They don't need to 'break' ssl, just to do the man in the middle and some other trickery.

I can't see that working in a situation where a user is using a wireless connection already provided by the hotel. The DNS server will be assigned to the client when get their dynamic IP address via DHCP.

Unless the hacker is posing as a 'free network' where users join, thinking that it belongs to the hotel/cafe, and when they go to, say 'www.aib.ie' the hacker has configured their own Wifi Network and DNS server to issue them with the IP address of their 'man-in-the-middle' network service.

srsly78

davej wrote: »

At least someone in the media is questioning it:

Hotel wifi issue is nothing to shout about

davej

Wow someone just got pwned by the Irish Times, don't see that too often.

Blowfish

DublinWriter wrote: »

I can't see that working in a situation where a user is using a wireless connection already provided by the hotel. The DNS server will be assigned to the client when get their dynamic IP address via DHCP.

That's pretty irrelevant if it's a MiTM situation as DNS requests are sent in plaintext so can easily be modified on route.

Naturally though this will still be obvious to aware users due to the lack of SSL or fake cert, but unfortunately it's something that most users are still clueless about and as previously mentioned the article didn't even point out even this pretty simple way to mitigate against it.

moc moc a moc

mambo wrote: »

Well said. Also where does that "70%" claim come from? It all reminds me of the famous sexed up WMD "dodgy dossier" a bit.

It's absolute ****e. Pure (overblown) conjecture.

Lads, this guy is a CEO, not a techie. Take all he's said so far with a pinch of salt. I'm not saying there isn't a danger, but it's not quite as scandalous as this guy is pumping it up to be.

DublinWriter wrote: »

The DNS server will be assigned to the client when get their dynamic IP address via DHCP.

ARP spoofing is trivial. DHCP interception isn't difficult either, for that matter.

timmywex

A ridiculous non story that's got so much attention - the PR company worked wonders, fair play to them!

Without them releasing detailed information - which i doubt they will there's two possibilities.

1) They sniffed the network for packets (completely trivial task that anyone can do in a few seconds), looked at the packets, people logged into non SSL sites using the same credentials they use for SSL sites. Boom, these guys got Facebook passwords - It's a crafty way of wording it - they didn't steal facebook passwords, people just reuse passwords themselves (amazes me when people use the same passwords on silly sites as they do for email/facebook, but i suppose this is the security world we live in)

2) Anything else they did is illegal, anything more advanced or any compromises of any end user computers - which i do doubt they did.

Very grey area to be doing stuff without any authorisation like this, I certainly wouldn't be advertising myself doing it, ethically questionable as well.

dun79

It's very easy to do on any wireless network that your connected to. All you need is an android and an app called dSploit

Ctrl Alt Del

timmywex wrote: »

A ridiculous non story that's got so much attention - the PR company worked wonders, fair play to them!

Without them releasing detailed information - which i doubt they will there's two possibilities.

1) They sniffed the network for packets (completely trivial task that anyone can do in a few seconds), looked at the packets, people logged into non SSL sites using the same credentials they use for SSL sites. Boom, these guys got Facebook passwords - It's a crafty way of wording it - they didn't steal facebook passwords, people just reuse passwords themselves (amazes me when people use the same passwords on silly sites as they do for email/facebook, but i suppose this is the security world we live in)

2) Anything else they did is illegal, anything more advanced or any compromises of any end user computers - which i do doubt they did.

Very grey area to be doing stuff without any authorisation like this, I certainly wouldn't be advertising myself doing it, ethically questionable as well.

Sorry to quote you here,but i just want to go one step further with your point:

If they were hacking on to one of my client' hotels fine,happy day.The hotel's guests are informed that they are connecting to internet via a open public WiFi network when they get the wifi login details from reception,therefore to be aware of any consequence as a result of that.
BUT,hacking on to hotel WiFi,stealing the end user's information ,holding it on their laptop as plain text and /or encrypted for an unknown period of time (maybe today as well) and contact the hotel to inform them about the illegality...that will generate a visit to Hotel's Solicitor and bring them in Court !

That's my one byte reply to this action...and...still can't understand why they went public !

dalta5billion

Ctrl Alt Del wrote: »

That's my one byte reply to this action...

k

Ctrl Alt Del

Hi,

Just had an argument with someone here, few days ago.
I don't want to attract attention or even less, i don't have the resources and marketing material available that the company have...

What is the difference between "testing" the network sitting outside the hotel's WIFI/LAN as a white hat hacker AND sitting inside the hotel's network, as a guest wearing a hat !??

I mean, i guess it is the same level of security inside or outside, except that inside you're giving access to the hotel's WiFI (and as far as I know some routers do not have WiFI isolation)

Looking forward to your consideration.

Regards

28064212

Ctrl Alt Del wrote: »

AND sitting inside the hotel's network, as a guest wearing a hat !??

Chances are, as a guest, you've signed a contract with conditions, one of which probably details what you are allowed do on their network

Ctrl Alt Del

28064212 wrote: »

Chances are, as a guest, you've signed a contract with conditions, one of which probably details what you are allowed do on their network

The only "contract" I am aware of, in order to avail of free internet access over the hotel guest WiFi (with the key provided by staff) is ... to pay for the coffee !

Been in few hotels myself and the WiFi key is located inside the Welcome Pack, in the room ! I can use it or not.
And i'm not even sure that they are obliged to keep a traffic log for the WiFi guests !!

gizmo555

Ctrl Alt Del wrote: »

And i'm not even sure that they are obliged to keep a traffic log for the WiFi guests !!

In theory, they are obliged under the Communication (Retention of Data) Act 2011 to do so and to make information available to the Gardai, Revenue or Defence Forces on receipt of a valid request from a duly authorised officer.

In practice, I doubt if the vast majority of pubs, hotels, etc which offer WiFi are even aware of this requirement.

Khannie

Does anyone know if the punters in the OP ever came out with the details of their exploit?

Ctrl Alt Del

I can't comment on the company's updates...we are in same business and without all the technical data is very hard to pronounce a conclusion.

Been to a training session some time ago and we've talked about this situation. There were a person that highly took part of the company rationale of the attack that I wanted to ask if he works for it.

I'm surprised that no hotels published anything related to the i call it "attack" OR techies working for hotels haven't reacted positive or negative to this test.
I guess...the techies giving IT support to those hotels may be fired by now and replaced by the "company" staff ?


And to keep it positive and constructive, let's give some free advice to the hotels and challenge the company tests .
Based on industry standards, legislation and your experience... what is in your opinion, the most realistic secure setup, configuration and running ,from business, IT and financial aspects of a hotel wireless network, covering LAN / WAN / WiFi !?

A typical hotel in the City, surrounded by other public / private buildings, streets and individuals.
Standard internet access, public IP address.
With and without the shared wifi key provided by staff at reception.
Protection against for an unknown typical user with a laptop doing daily routine, reading news, emails and maybe VPN in to office network.
Other type of user is with any type of mobile devices.

The "testing user" could be a white hat or a black hat, so we can discuss both types of protection and attacks.

Scenario could be done on existing WiFi networks running on a standard, no-name company and adding "wish list" of functions to the network devices.
Or, scenario on a brand new spanky WiFi network, open budget.

All opinions will be taken as they are, free of charge and on public based with no liabilities attracted...

The winner, a free coffee in one of the hotels.

Let's have fun...

JimmyCrackCorn

I have a "friend", he on any stays in a hotels makes a point not to pay exorbitant charges for internets.

So much so the friend took the paranoid leap of mac address spoofing/cloning etc to ensure he looked like a cable box.

One day bob copied and pasted the wrong mac address from an nmap sweep. It happened to be a central router and knocked out half the hotels internets...

But my friend often on business travels see the following.

-Sql injection in login screens for wifi/admin panels
-Corporate network and public wifi are the same network.
-No isolation of clients
-RDP/VNC servers
-The cable multiplexers are often Ip based and streams can be grabbed.
-Loads of un-patched machines XP/NT


That's not even the client attacks which have been both known and solutions proposed for many years ago....

I and ill ask bob but im sure he still haven't seen a hotel use Eap/Radius authentication...