
How to Take Over a Train Station 356

ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."

  • by LiquidCoooled ( 634315 ) on Sunday February 06, 2005 @08:55PM (#11593152) Homepage Journal
    Here [google.co.uk] :)
  • ...icle: "Unless something is done to force accountability for wireless devices, perhaps by recording ethernet MAC addresses (which are unique and hard-coded to a physical piece of hardware)" ... uh, no they aren't. Most devices allow you to change your MAC with impunity. Others can be hacked to do so, by tweaking their firmware. MAC addresses meant something back in the day when they were hard to change (it's never been impossible) but those days are long gone.
  • Re:who did you tell? (Score:5, Informative)

    by mtrisk ( 770081 ) on Sunday February 06, 2005 @09:01PM (#11593193) Journal
    RTFA. He tried to contact the administrators, and was given the cold shoulder. They even suggested reporting himself to "abuse".
  • Plain Text (Score:1, Informative)

    by Anonymous Coward on Sunday February 06, 2005 @09:03PM (#11593203)
    White Paper

    South Station
    Aaron Greenspan
    Date: January 31, 2005
    Topic Area: Security
    http://www.thinkcomputer.com

    What is truly worrisome is what might happen if similar security issues with wireless routers really began to affect our businesses, financial institutions and our physical infrastructure: the basic framework of our society.

    Wireless internet access has become a pervasive phenomenon in America's cities today, and there are many reasons why that is a good thing. Almost anywhere you go, whether it is a small coffee shop, or a car dealership, or an airport, or even the middle of a sidewalk, there's a good chance you'll be able to find a wireless signal, obtain an IP address, and start using the internet.

    As I'm writing this paper from my chair near the corner of my office in Boston's Financial District, there are six wireless networks available for my laptop computer to sign onto, two of which require no encryption whatsoever. None of them belong to my company or myself personally. One of them does belong to a company I know to be nearby, and should I choose to sign onto its network, I have full access to files on their Windows NT and Macintosh servers. Sometimes, I take this action without my even knowing it; for some reason, even though I've asked it not to, Microsoft Windows XP occasionally opts for the best wireless connection instead of my wired ethernet cable, which is faster. When this occurs, I am able to browse the internet using the nearby company's DSL line (for which they are presumably footing the bill), but I usually cannot tell the difference.

    It has already been well-documented that wireless routers intended for home use are often insecure due to the fact that hapless customers tend to leave their default settings as they are. This usually means that you can sign into any home router with relatively obvious authentication information, such as the username "admin" and the password "admin." This is not always the case, of course. Depending on the manufacturer and model, the password might throw you off (some use "1234"), but it is never very hard to figure out. If for some reason you cannot guess it, a simple search on the internet for "default router passwords" will reveal a default password for every router you ever might want to know about. These pages sometimes follow the basic syntax for authentication information, which involves the username, followed by a colon, and then the password. Decoding the information is not difficult. All that's left to do for the visitor of such a page is match up the model number on the router with the one on his or her screen.

    The damage that can be done in this fashion is usually underestimated, for hacking often assumes the form of a chain reaction, as you will see in this paper. In other words, each time a hacker finds a password, it only makes it easier to find the next one. Once a hacker knows the password for a router, firewalls can be shut down. When those are down, ports are open, and viruses can infiltrate networks easily. Viruses often bring with them "malware:" spyware, keystroke loggers, data loss, and a plethora of other technical problems. Based on observations at Think, almost all Windows-based desktop computers in use today are afflicted by at least one of the aforementioned problems. An incredible amount of the spam we receive in our inboxes comes from our next-door neighbors, who do not even know that they are sending it. Misconfigured routers are somewhere along the beginning of the chain.

    It is worrisome to think what might happen if these kinds of security issues really began to affect our businesses, financial institutions and our physical infrastructure: the basic framework of our society. It is worrisome only because it is already happening.

    South Station is a major transportation hub in downtown Boston, Massachusetts. It serves thousands of passengers and commuters each day, who travel by rail on A
  • accountability? (Score:4, Informative)

    by l2718 ( 514756 ) on Sunday February 06, 2005 @09:07PM (#11593229)

    Very good article. However, one of the author's ideas for improving security doesn't actually hold water. The problem is to verify the identity of people being assigned dynamic IP addresses on a wireless network. He proposes

    "... to force accountability, ... by recording MAC addresses (which are unique and hard-coded to a physical piece of hardware)"

    Actually, most network cards allow you to set the MAC address by software if the factory one isn't good for you. For example, this is needed for drop-in-replacement functionality.

  • by Anonymous Coward on Sunday February 06, 2005 @09:14PM (#11593263)
    This fella just cracked the "wireless" router put in place for patrons; he didn't break into the train station's systems. The title should be changed. Also, his writeup is well, boring (and obvious), like I found a wireless router in a similar state about a year ago in a coffee house. Unlike him, I didn't poke around, I reported the issue directly, called the programmers involved and got them a bit admonished.
  • by molo ( 94384 ) on Sunday February 06, 2005 @09:18PM (#11593274) Journal
    BTW, for windows, there is a great tool called MacShift [washington.edu] that will allow you to randomize your MAC address. Just make a shortcut and run it before you connect to any wireless network, and you'll have a different one each time. No tracing there.

    -molo
  • Re:who did you tell? (Score:3, Informative)

    by Saeed al-Sahaf ( 665390 ) on Sunday February 06, 2005 @09:22PM (#11593297) Homepage
    Well, it does say he tried to contact Cincinnati Bell, but it says nothing about GuestBOX or the train people.
  • Re:accountability? (Score:5, Informative)

    by l2718 ( 514756 ) on Sunday February 06, 2005 @09:22PM (#11593299)
    By the way, instructions on how to change your MAC address on various operating systems may be found in the wikipedia [wikipedia.org].
  • by Anonymous Coward on Sunday February 06, 2005 @10:19PM (#11593549)
    Actually, it's a computerized flip chart. If you walk out onto the train platforms, they have TV screens displaying the same information, which are synchronized with Back Bay Station. (North Station also has TV screens, but they use a totally different system. Go figure.)

    That said, your point is right, and it's too bad, if not entirely unexpected, that this guy has too much of an ego. Of course, it would also help if timothy read articles before posting.
  • Re:Fork bombs (Score:2, Informative)

    by Silent_Fire ( 703527 ) on Sunday February 06, 2005 @10:36PM (#11593627)
    Most systems now limit the number of processes and threads on a per-user basis, meaning that your fork bomb eats up your space, but won't bring the entire system down.
  • by Black Acid ( 219707 ) on Sunday February 06, 2005 @11:19PM (#11593817)
    Your MAC address is (well SHOULD be) "unique and hard-coded to a physical piece of hardware". It is physically tied to your NIC, and you can not change it. What you can do however is change how it is represented in software, so that the other party never sees your actual physical MAC address, but the idea that you can actually change your MAC address is just plain wrong. Feel free to try, change the MAC, then switch the NIC to another machine and see if it retains the original or altered address.
    Of course, it all depends on the NIC, but I was able to flash my Orinoco wireless card's firmware, successfully changing its MAC address. My address was retained under Linux and Windows, so I assume it was physically changed. (I also was able to upgrade the Orinoco from Silver to Gold encryption, US to Japan frequencies, and change the serial number). It's true that most people who change the MAC really only change it in software, but it's definitely possible to change it in hardware as well. Not that there is any reason to...
  • by timeOday ( 582209 ) on Monday February 07, 2005 @12:28AM (#11594016)
    They wouldn't let just anybody in the control room at Paddington station in London, would they?
    This is irrelevant. Nobody took over a train station; the story title is a lie. All they did was circumvent the payment system for wifi internet access and avoid paying an hourly fee for internet access. The fact that this was at a train station has nothing to do with the story, except making it read better.
  • by Jack Greenbaum ( 7020 ) on Monday February 07, 2005 @01:22AM (#11594248) Homepage Journal
    The end of the article suggests that recording MAC addresses is a way to track users on the internet, the author implies they cannot be forged. Hah! Ethernet and wifi devices have to store their MAC address somewhere, and that somewhere when power is on is in a register that is almost always writable by a device driver. Furthermore, since MAC addresses only stay on the physical subnet, there is no way to identify the MAC address from the other side of a router.

    The only way to really track people is by using a transport protocol with authentication. Somehow I don't think the world is ever going to agree on one.

    -- Jack
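
Added example (not part of any comment in this thread, and not code from the article): several comments point out that a logged MAC address is only what the client chose to send. This Python sketch audits a constructed hotspot lease log for the signals a defender can actually get from such a log; the record layout, hostnames and addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of hotspot lease records:
# (time, MAC as logged, client-supplied hostname). Not real data.
SAMPLE_LEASES = [
    ("20:55", "00:11:22:33:44:55", "laptop-a"),
    ("21:10", "02-1F-3C-AA-BB-01", "laptop-b"),
    ("21:40", "de:ad:be:ef:00:01", "laptop-b"),
    ("22:05", "0011.2233.4455", "laptop-c"),
    ("22:30", "01:00:5e:00:00:fb", "odd-client"),
]

def normalize_mac(text):
    """Accept colon, hyphen or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Read the two flag bits in the first octet of an IEEE 802 address."""
    first = int(normalize_mac(mac)[:2], 16)
    if first & 0x01:
        return "group"      # I/G bit: multicast/broadcast, never a valid source
    if first & 0x02:
        return "local"      # U/L bit: assigned by software, not by the vendor
    return "universal"      # looks vendor-assigned; a cloned address does too

def audit(leases):
    """Return sorted (subject, reason) findings for a list of lease records."""
    findings = set()
    macs_by_host, hosts_by_mac = defaultdict(set), defaultdict(set)
    for _time, raw, host in leases:
        mac = normalize_mac(raw)
        kind = classify(mac)
        if kind != "universal":
            findings.add((mac, f"{kind} address"))
        macs_by_host[host].add(mac)
        hosts_by_mac[mac].add(host)
    for host, macs in macs_by_host.items():
        if len(macs) > 1:
            findings.add((host, "hostname seen with several MACs"))
    for mac, hosts in hosts_by_mac.items():
        if len(hosts) > 1:
            findings.add((mac, "MAC seen with several hostnames"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, reason in audit(SAMPLE_LEASES):
        print(f"{subject}: {reason}")
```

An address set in software to a vendor-style value is classified as universal and raises no finding on its own, which is the limit of MAC logging as an accountability measure.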

  • by Otto ( 17870 ) on Monday February 07, 2005 @02:23AM (#11594445) Homepage Journal
    And his evidence for this is, what? His own personal opinion?

    While I agree with you on the fact that he's just speculating at that point, nevertheless a possibility exists for this sort of thing to happen.

    Simple example: I went wardriving through town once. I found a lot of connections of course, but basically I just set the sniffer up on the laptop and drove around slowly. Later, when I got home, I checked out what I had found, and using timestamps I figured out where the different access points I had found were (I lacked a GPS then).

    One of the ones I found was a drugstore. I looked at the raw trace and saw some really odd plaintext there. So I went back and left the laptop in the car while I went in and bought some stuff and took a look around.

    What I found:
    - Their cash registers were all wirelessly linked to some system in the back. When you scanned an item, the barcode was read, transmitted to the machine in the back, which looked up the price and spat it back to the register. Credit card authorization was handled the same way. All this was plaintext, as I looked at the data and found my credit card number as well as barcodes from the items I purchased in there. Didn't understand the formatting, but it wasn't too difficult to see my name and credit card number stand out like a shining beacon.
    - Some kind of prescription transactions were wireless as well. While I didn't get a lot of data of this sort, there were packets containing various drug names, in plaintext, being sent over the air. I'd bet money that insurance information as well as whoever bought the prescription would have eventually gone out in the clear too.

    The point being that security was basically non-existent for something you have a reasonable expectation of being private. I mean, when you design a wireless network to handle credit transactions, you'd think some form of encryption would be pretty frickin' obvious, right? Let alone tossing somebody's prescription info out onto the airwaves.

    So while he didn't state you could change the lights and has no idea if you can actually fuck with the trains, the point I think he was trying to make is that clearly security is not at the forefront of the minds of a lot of people for this sort of thing. Admittedly, my drugstore example happened a couple years back, and may have been fixed by now, but this sort of thing happens because people don't think about it being an issue. It's that part that needs to be fixed. Whether any given example can actually be compromised in a serious way is not the point.
  • Not wireless (Score:5, Informative)

    by cgenman ( 325138 ) on Monday February 07, 2005 @02:56AM (#11594547) Homepage
    Actually this is some very basic HTML hacking. He went to their service, which re-directs all new people to their home page. He directory surfed around the web server, and found a few dozen other sites, as well as the company's home page. He tried some very basic password combinations, (like test:test), and got control over some active sites. These sites included customer information and credit card databases.

    So really, the site that served images from an unobfuscated directory allowed the person to know what to look for, the directory was fully listed in a way that directories shouldn't. The passwords were very, very insecure. This had nothing to do with wireless security, but rather web services security, and basic things for security that people don't do.

    The passwords in the article, BTW, no longer function. At least, not from my remote machine. Anyone reading this from South Station wish to see if the passwords still work on-network?

  • by Anonymous Coward on Monday February 07, 2005 @07:47AM (#11595323)
    Actually this is true only for DecNET Phase IV. The current version is DecNET Phase V and it does not change MAC addresses at all, except if Phase IV compatibility mode is enabled.
  • by aborchers ( 471342 ) on Monday February 07, 2005 @09:15AM (#11595615) Homepage Journal
    Why is that modded redundant? The guy has a point, and I can't see it made elsewhere, so how can it be redundant?


    I believe the moderator's assumption is that people reading the thread are familiar with Slashdot memes and mythology, and is pointing out that this post could have been autogenerated down to the "pound him in the pass" prison cliche. A post doesn't have to be in the same thread to be redundant, as witnessed by thousands of "in Soviet Russia" posts...

    On the other hand, both of us justly deserve to be moderated off-topic for having this exchange. :-)
  • Re:Illegal access (Score:2, Informative)

    by oasisbob ( 460665 ) on Monday February 07, 2005 @10:23AM (#11596007)
    It's like the people who abused the ATMs in New York after 9/11. When they made the first withdrawal and saw that their balance didn't decline, they should have called the bank and reported it. Nothing gave them the right to keep making withdrawals. If I leave my door unlocked, it may make me an idiot, but it doesn't give some dude the right to come in to my house, and take something and walk out the door, even if you come right back in and put it back.

    More information on post 9/11 ATM Withdrawals [latefinal.com]
    Press Release from the DA's office [manhattanda.org]

    Fairly interesting story -- one that I hadn't heard before.
  • by Anonymous Coward on Monday February 07, 2005 @10:24AM (#11596013)
    Many parts of this article are simply lies and show that the author does not even understand the principles of wireless networking and the fact that everyone is responsible for his own network but he thinks he can write about it. This is ridiculous and another example of an idiot who has no clue spreading FUD and scaring people in order to make a few bucks. This is very irresponsible and counterproductive to the work of thousands of volunteers who are donating their time and equipment to build urgently needed open community wireless networks.
  • by sjf ( 3790 ) on Monday February 07, 2005 @11:16AM (#11596450)
    Excellent piece. Anyone who bothered to RTF(boring,pedantic,condescending)A would quickly see that the headline is a complete fiction. All the author did was exploit a hole in a for-pay Public Access WiFi network. No opportunity to route trains onto otherwise occupied platforms. No threat to a "major transportation hub."

    Just some guy doing trivial guesswork to get free wireless access...that happens to be at Boston's South Station

    Was writing the article his post-priori justification for the service theft?
  • by coreymichaelbarr ( 818343 ) on Monday February 07, 2005 @06:21PM (#11601381)
    In some places, especially smaller businesses, it is the secretary or office manager that also handles the IT. Usually that means buying computers from Dell when the time comes, or calling the outside IT vendor to troubleshoot the e-mail. But not always -- I work in a highrise building and I would be the one to either work with a vendor to set up a Wifi hotspot in the building, or to do it myself. Either way, I would have to use my limited knowledge to either do it or to double-check the work of the vendors.

    How did I end up with this? Well, it's simply because as the office manager guy, I happen to know more about computers than the people that know more about the plumbing/HVAC/etc. in the building. That doesn't automatically make me an expert. And even if I outsourced it to a vendor, it doesn't mean they'd deliver a solution where I could verify its security via obscure exploits that I don't know how to use.
