
How to Take Over a Train Station

ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."

  • by Rosco P. Coltrane ( 209368 ) on Sunday February 06, 2005 @08:58PM (#11593172)
    He may as well tell us before the funny-looking folks in the white Crown Vics parked in his street come to invite him for a friendly chat...
  • guestBox (Score:5, Interesting)

    by Fudge.Org ( 7036 ) on Sunday February 06, 2005 @09:16PM (#11593268) Homepage Journal
    Ok.

    Well, this is the product:

    guestBOX [guestboxuser.com]

    And... this is the company:

    Atlantis Technology Corporation [atlantistech.com]

    So, all that research... and it never occurred to you to contact the vendor? Granted, maybe these are so plentiful some re-seller or VAR put it in there... but you didn't make mention of that line of thinking (or was this not the whole PDF?) so.... sorry, that's just sounding a little on the lame side.

    Now, if they scoffed or blew you off at that point, okay maybe... but still. You knew the company from just looking at it. Did you try to contact them? I think that would be more telling than surfing through open Indexing on a web server like a kid curl'ing porn images.

  • by Technetium Web ( 758174 ) on Sunday February 06, 2005 @09:25PM (#11593311) Homepage
    Great comment! This is how I view the world
  • Re:who did you tell? (Score:4, Interesting)

    by captnitro ( 160231 ) on Sunday February 06, 2005 @09:43PM (#11593386)

    For those who don't get the joke, look here [mit.edu].

    Let me tell you the story
    Of a man named Charlie
    On a tragic and fateful day
    He put ten cents in his pocket,
    Kissed his wife and family
    Went to ride on the MTA

    Charlie handed in his dime
    At the Kendall Square Station
    And he changed for Jamaica Plain
    When he got there the conductor told him,
    "One more nickel."
    Charlie could not get off that train.

    Did he ever return,
    No he never returned
    And his fate is still unlearn'd
    He may ride forever
    'neath the streets of Boston
    He's the man who never returned.

    Now all night long
    Charlie rides through the tunnels
    Saying, "What will become of me?"
    Crying "How can I afford to see
    My sister in Chelsea
    Or my cousin in Roxbury?"

    Charlie's wife goes down
    To the Scollay Square station
    Every day at quarter past two
    And through the open window
    She hands Charlie a sandwich
    As the train comes rumblin' through.

    As his train rolled on
    underneath Greater Boston
    Charlie looked around and sighed:
    "Well, I'm sore and disgusted
    And I'm absolutely busted;
    I guess this is my last long ride."
    {this entire verse was replaced by a banjo solo}

    Now you citizens of Boston,
    Don't you think it's a scandal
    That the people have to pay and pay
    Vote for Walter A. O'Brien
    Fight the fare increase!
    And fight the fare increase
    Vote for George O'Brien!
    Get poor Charlie off the MTA.

    Chorus.

    The song is so catchy, it's a shame the guy didn't get elected. Or maybe not, or we'd have elections with theme songs. Wait, we do. [jibjab.com] Crap.

  • Re:Not just wireless (Score:5, Interesting)

    by utlemming ( 654269 ) on Sunday February 06, 2005 @09:47PM (#11593414) Homepage
    With a Laptop, and Knoppix and a tad bit of skill (or some really good scripts) you can really have some illicit fun. Knoppix makes it a whole lot harder to find forensic evidence in case you're caught. All you have to do is drop out the battery and then all the evidence is wiped away (save some circumstantial evidence in the form of a Knoppix CD, and a rebooting computer). If you have the scripts stored in a remote location, i.e. FTP, then you're in for business. Since you don't have any of the stuff stored on disk, and the MAC is so easily changed, it can be pretty tough to prove -- they would have to essentially follow you and collect evidence on the signal you're sending out. As a previous post said, a good administrator will allow open access that is routed through a proxy server to authenticate. But then you still have problems with keeping the authentication. All I can say is that I hope that I never have to maintain a wireless network and make sure that it is secure. The headache of maintaining a 5 person WPA "protected" WiFi is enough of a headache to make my life difficult enough.

    I just got a Wireless router the other day. What my roommates couldn't understand is why I locked down the router so hard. They were amazed that I had to put the WPA key on all the computers, and why I also did MAC and IP filtering. They just couldn't understand. Although it is not totally secure, hopefully it is enough to keep the dorks out and at the same time allow for wireless inconvenience. The last thing that I want to worry about is some dork running around with a laptop and deciding that my internet is his internet and then doing something stupid.

  • Re:guestBox (Score:3, Interesting)

    by philkerr ( 180450 ) on Sunday February 06, 2005 @09:53PM (#11593439) Homepage
    and it never occurred to you to contact the vendor?

    Whilst I can't speak for the article author, sometimes it doesn't matter even if you do.

    Just after the Google Exposes Web Surveillance Cams [slashdot.org] story a while back I came across a camera in an Airport that was wide open pointing at an area that in the UK would have you almost shot for filming.

    I emailed both the airport and TSA to let them know about the security lapse, *nothing was done*. Apart from the auto 'Thanks, we'll be back in touch' form email I heard nothing back.

    Sometimes you need to take these lapses to other outlets to make the point that a lot of times the people in charge of physical security have absolutely no clue about digital security.

    So, sometimes the best way to expose this cluelessness is to make it open.

  • Fake journalism (Score:0, Interesting)

    by Anonymous Coward on Sunday February 06, 2005 @10:55PM (#11593714)
    This guy claims that he tried to report the problem, but was fearful of the company's legal department "coming down on him". Why was he fearful? Does he believe he did something illegal? Did he do more than what he said? Did he misuse this configuration error?

    Did he have no fear of the legal consequences when he published his paper without notifying the company?

    This is not journalism, nor is it a childish prank. Is this guy doing some real damage just so he can have his 15 minutes of Slashdot fame?

    It's one thing to find a problem and report it to both authorities and soon after publish his findings. It's another to sit on the issue and publish it without properly notifying authorities.

    It's another thing to find a problem and sit on it for a day or two.

    It's another thing to misuse it for a while until you're busted.

    Did someone get scared, and then report it to try to cover ass with a claim of "journalism"???
  • by bluGill ( 862 ) on Sunday February 06, 2005 @11:12PM (#11593796)

    The old DecNet required that all ethernet cards have the ability to change their mac address. Part of the protocol, and you couldn't connect to DecNet unless you had the right mac address. (which was changed as part of the network protocol, you normally didn't change this manually)

    Just in case a customer ever tries to use their chipset with DecNet, nearly all cards allow software to change the mac address. Since all current chips have the ability, when designing a modification to the old chip it is easier to leave that ability in than take it out.

    I don't know if anyone in the world still runs DecNet, but it isn't a chance network vendors are willing to take.

  • Hmm (Score:5, Interesting)

    by patryn20 ( 812091 ) on Sunday February 06, 2005 @11:19PM (#11593815)

    Well, it is nice that this guy actually bothered to write this up, but he seems to simply be using a lot of common mistakes and guesswork. On top of that, his knowledge of some basic concepts in hardware administration and business processes is somewhat lacking.

    First, MAC addresses are not unique. There is no universal table of MAC's that hardware manufacturers report to. I have installed ethernet cards from the SAME manufacturer that have had the SAME MAC address while setting up machines for a client.

    Second, many of these errors are not necessarily the programmers' fault. They are more than likely the responsibility of management being cheap and forcing programmers to do the jobs of multiple people. IT is separate from software development. The fact that the network and server are insecure is the IT department/person's fault. In small companies this may be the same person, but in most large corporations that is not the case. Directory listing and permissions are generally the responsibility of the server administrator.

    Now, the username issues are definitely scary. Leaving test accounts open with simple passwords is just plain stupid. The company I develop software for has over fifty million dollars worth of data on their servers. We also store credit card info for clients, etc. If we used common passwords like that, we would be fired. The admin would go through the database, see the passwords, and report them to our supervisor. Say goodbye! Not to mention, test accounts on production servers are bad practice anyway. If you are making any money, you are extremely stupid not to have a separate development environment.

    In my opinion, these problems seem to be more management and implementation problems, and not so much development problems as the author seems to suggest. They are still real problems though. That customer listing one for the phone company really scares me. ::shiver:: I hope SBC in Texas doesn't have problems like that.

  • by pedantic bore ( 740196 ) on Sunday February 06, 2005 @11:37PM (#11593879)
    On the internet, nobody knows you're a dog...

    A quick Google turns up an interesting story from his undergraduate days [thecrimson.com] at Harvard, when he ran a web site that required that users use the same password on his web site as on their university accounts. Tsk, tsk.

  • by MMaestro ( 585010 ) on Monday February 07, 2005 @01:24AM (#11594259)
    Not a huge Fortune 500 computer company. Why WOULD you need an IT department for a train station? Sure if you're talking about Grand Central Station or some huge hub similar, but for most who cares? Most train stations have to skimp on seating, lighting, cleaning (trains in the U.S. are a pathetic sight compared to European or Japanese counterparts) and other much more important aspects than hiring an IT professional to run a computer network that's probably smaller than one most /. readers have.
  • by binarybum ( 468664 ) on Monday February 07, 2005 @02:11AM (#11594396) Homepage
    It's like walking up and jimmying a perfectly good lock.


    huh? since when is L:P admin:admin or South:Station or wifi:wifi considered a perfectly good lock? If you believe that, I have an origami based home-security system I would like to sell you.

    This is a relatively formal security report - and I certainly feel that I have a right to know that a major wifi network that I might pay to use (with my CC# mind you) is compromised severely in security. Kudos for the publicity - he also mentions that he attempted private contact before writing this paper. Publishing this makes the perpetrator (South Station for acting under the pretension of providing a secure network) and potential victims (customers) very aware of the need to reconfigure the network.
    75 out of 100 people that might have discovered this trick would have left it as "hey cool, free wifi access for me and my buds," another 20 or so out of 100 would have done much worse (we're talkin' goatse on the homepage).
    At worst this was a subtle brag of "L33tness", at best a noble public security gesture.

    and hey, if you lose your job at guestBox over this - I hear Diebold is looking for a few good men...

  • by WinterpegCanuck ( 731998 ) on Monday February 07, 2005 @03:15AM (#11594598)
    "Who do you think installs this stuff, the CEO, a secretary perhaps, maybe the cleaners?"

    Unfortunately, yes. At the downtown offices of one of the clients I support, one of the corner office managers set up an out-of-the-box secured Linksys so he would not have to plug in his ethernet to his laptop. It wasn't until two weeks later that I discovered the device while troubleshooting connectivity issues. Since he plugged it directly to the ethernet port in his office and the switches in this location (it is only a small satellite office) do not discern based on MAC addresses, our corporate network was exposed to all the downtown neighbours, including the local Chamber of Commerce. If I had not stumbled on it by chance, I would not have known the exposure until it was too late.

    The biggest security hole in networks sits between the keyboards and chairs.

  • by Kris_J ( 10111 ) * on Monday February 07, 2005 @03:50AM (#11594714) Homepage Journal
    Gee, let's see, I would expect a train station to have an IT department because I've worked in one. I did a three month project with "Westrail", the government department that manages the trains in Western Australia. There's a big central organisation with a big IT department and staff go out to the various stations (easy to get to, just hop on the train) to do IT stuff. Do you really think an individual station is an isolated company?
  • by biglig2 ( 89374 ) on Monday February 07, 2005 @05:50AM (#11595032) Homepage Journal
    Sorry, but this is incredible piffle.

    I don't expect my doctor to know everything about the human body, but I'd expect him to have a certain degree of basic competence. If he asks me to remind him which is the leg and which is the arm, I'm out of there.

    Connecting a wifi network in a public place to the machine you do your credit card authentication to is incredibly stupid, even without leaving default passwords in place.

    BTW, do we know that it is the IT department that put this in, and not someone plugging an unofficial wifi point under their desk? I've seen people do that before.
