OWI - Yet Another Anonymous Point Of Attack

Fri, 04 Jul 2008 09:35:41 GMT

About a month ago I traveled by train for a pre-sales meeting with a prospective customer. The trip was about two hours long, which would usually mean that it'd be boring. In this case it was different though: I was surprised to find free OWI (Onboard Wireless Internet) on the train!

Simply connect to the available open (no encryption) wireless access point and you will be redirected to a login portal, aka captive portal, just like at any hotspot you find at coffee shops such as Starbucks. However, I was very pleased to find out that users could log in as a guest, which means that all passengers could go online without paying any additional fee!

Just to make things clear, going online as a guest was a legitimate form of access provided, as opposed to bypassing the security of the captive portal. _NO_ illegal cracking (i.e.: SQL injection without permission) was done whatsoever!

Kudos to the train company that provides the service! The connection wasn't super fast, but fast enough to be able to check my email, read the news, update my RSS feeds, chat with my buddies, etc ... It was quite reliable though, which is a big plus as I hate being disconnected while I'm on-line (it reminds me of the old days of dial-up Internet access).

A bit of enumeration 101 led me to learn that:

  • I was connected to Sweden via a VPN link (mentioned in the whois records of the NATed IP address, which you can obtain on many sites)
  • The service provider is a Swedish company called Icomera AB
  • The data is transferred wirelessly via 3G and satellite connections
  • All the train coaches are connected to each other in an Onboard Wireless Network (OWN) which is based on Wi-Fi

From a security point of view, this technology adds another "anonymous" point of attack to the already-large list. I say "anonymous" (within quotation marks) because there is no such thing as truly anonymous connectivity. However, one thing is true: if the bad guy knows what he is doing, it becomes infeasible to track the point of attack and the attacker's identity, i.e.: it's not worth starting an investigation if the committed crime didn't lead to a serious profit loss.

Off the top of my head, these are some anonymous points of attack that come to mind:

  • unprotected (i.e.: no encryption) or crackable (i.e.: WEP) wireless access points: these could belong either to a home internet user or to a company
  • public hotspots where guest access is allowed on purpose, i.e.: hotspots at airports which do not require you to purchase time when going online, so there is no need to provide personal details and credit card details to register a user account
  • prepaid SIM cards: in many places like Europe it's possible to buy pre-paid SIM cards without providing any personal identification. When combined with buying a mobile/cellphone from a second-hand shop it becomes even harder to trace the identity of the attacker (but NOT the location, as it can be triangulated within the cellular network)
  • misconfigured proxies (HTTP and SOCKS): they would allow anyone to connect via them without username or password. Although some proxies give away the attacker's IP address within HTTP headers (i.e.: X-Forwarded-For), there are plenty of sites that check for proxy-added headers that give away the original source IP address
  • compromised hosts: we are all familiar with crackers bouncing their connections via compromised hosts (commonly owned via drive-by download attacks and browser exploits)
  • backdoor/exposed dial-in modems: yes, this is very old school (i.e.: wardialing), but there is still some room for exploitation out there. By the way, Wargames 2 (the Dead Code) sucks really bad! (no joke)

Although there are tons of ways for attackers to hide their location and identity, somehow I find OWI scarier than most of them. It's scary because the attacker is always on the move, which might make tracking his location more difficult due to time correlation issues when comparing logs: the portal's session log and the victim's log run on different clocks, and the train has moved on by the time anyone compares them.
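One way a defender would approach the time-correlation problem described above, as an added example that is not part of the original post: it assumes a constructed captive-portal session log (client MAC, coach access point, session start and end on the portal's own clock) and a clock offset measured from one event visible in both the portal's log and a trusted reference.

```python
# Added example (not from the original post): correlating a victim-side attack
# timestamp with a captive-portal session log whose clock is not in sync.
from datetime import datetime, timedelta, timezone

# Constructed sample portal log: (client MAC, coach AP, session start, session end),
# timestamps on the portal's own clock (nominally UTC, but possibly skewed).
PORTAL_SESSIONS = [
    ("00:11:22:33:44:01", "coach-A", "2008-06-03T10:02:11", "2008-06-03T11:40:05"),
    ("00:11:22:33:44:02", "coach-C", "2008-06-03T10:15:40", "2008-06-03T10:31:02"),
    ("00:11:22:33:44:03", "coach-B", "2008-06-03T10:29:50", "2008-06-03T11:05:00"),
    ("00:11:22:33:44:04", "coach-A", "2008-06-03T11:10:00", "2008-06-03T11:55:00"),
]


def parse_ts(ts):
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def estimate_offset(portal_ts, reference_ts):
    """Seconds the portal clock runs ahead of a trusted reference, measured from
    one event recorded in both logs (e.g. a portal health check hitting a server
    whose clock is NTP-synced)."""
    return (parse_ts(portal_ts) - parse_ts(reference_ts)).total_seconds()


def candidate_sessions(attack_ts, sessions, offset_s=0.0, uncertainty_s=0.0):
    """Sessions that could have been active when the victim logged the attack.

    attack_ts      -- attack time from the victim's NTP-synced log (UTC)
    offset_s       -- portal clock minus true time (from estimate_offset)
    uncertainty_s  -- half-width of the window covering residual drift
    """
    # Move the victim-side time into the portal's clock domain before comparing.
    t_portal = parse_ts(attack_ts) + timedelta(seconds=offset_s)
    lo = t_portal - timedelta(seconds=uncertainty_s)
    hi = t_portal + timedelta(seconds=uncertainty_s)
    hits = []
    for mac, ap, start, end in sessions:
        if parse_ts(start) <= hi and parse_ts(end) >= lo:  # interval overlap
            hits.append((mac, ap))
    return hits


if __name__ == "__main__":
    skew = estimate_offset("2008-06-03T09:00:00", "2008-06-03T08:58:00")  # portal is 120 s fast
    print("naive:", candidate_sessions("2008-06-03T10:30:00", PORTAL_SESSIONS))
    print("skew-aware:", candidate_sessions("2008-06-03T10:30:00", PORTAL_SESSIONS, skew))
    print("with drift window:", candidate_sessions("2008-06-03T10:30:00", PORTAL_SESSIONS, skew, 90))
```

The naive comparison wrongly keeps the coach-C session that had already ended; applying the measured skew removes it, and a drift window reintroduces it only as a lower-confidence candidate.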

I know what you're thinking: how is this different from the attacker using a stolen 3G Internet card? After all, using a 3G card would also allow the attacker to be constantly changing his geographical location (i.e.: by being inside a moving vehicle). Well, that's a good point. However, in the case of using OWI the attacker doesn't need to steal any equipment.

If you think that being on a fast train won't make tracking the location of the bad guy hard enough when a break-in occurs, how about doing it on a plane at 800 kmph? Yes, that's right: free Onboard Wireless Internet, aka in-flight wireless internet access, will most likely become very common in the future, which adds another anonymous point of attack to our list. Oh dear, remote Internet break-ins from planes, that's gonna be fun!

On --> Onboard Wireless Internet.

Where --> 1. You have open access points.
      --> 2. You connect and your browser redirects to a login page.

If --> 1. Use something like airodump-ng, and search for MAC clients associated to the access point.
   --> 2. Select one of the MACs and clone it to your interface.
   --> 3. Try a DHCP client.
   --> 4. If there is no DHCP, just try to sniff something and set up the right IP config.

Then --> This may grant you access??

Indeed all these anonymous attack points will become an issue. Hotels that offer free WiFi to clients are also just as good. I am staying at a nice hotel in Brussels (there is a NATO conference btw right now) with a nice open and free WiFi that can even be accessed by the guests of the next-door competition hotel. If something ever happens, the farthest it can be traced would be to say the hotel, train, plane, etc. The level of granularity that the free provider uses from then on (being able to distinguish that the specific connection belongs to the passenger in place X or Y or to the hotel guest in room 333) will not help much either, as we come to the same situation as a home open wireless network. A paradise of anonymity for the new school ever-travelling hacker.

Security-through-identity doesn't work. Even if you could remove all anonymous access you would do more harm than good. Journalism needs anonymity, for example. And anonymous access on planes? C'mon, you need fake passports to get on anonymously, and if it gets tracked to the plane there is no way to escape.

I don't think this is that much of an issue. Most of these open hot-spots only allow http/https/smtps/imap/im traffic. I know http/https are more than enough for a lot of attacks, but even if you identify the source of an attack through these protocols you might just end up seeing a TOR exit node, so I can't imagine why this is such a serious issue. At least for OWI you might have some actual data to tie to the attacker: credit card purchase of train tickets or, even better, a flight passenger list. Frankly the only alternative to this issue, as far as I can see, is a total lack of anonymity, and I don't find that very comforting.

You left out that the train's login portal actually tells you to log in as "guest". It did the last time I was on the train from KingsCross to Peterborough. You're right the implementation is from a Swedish firm, but you're missing out on talking about the routing in depth (network mapping skills) and their interesting proxy provider. What about the GPS?

Sandro Gauci
I see it differently. The speed at which the attacker is traveling doesn't really matter. I think that if the attacker is on a train or a plane, then the destination is a known and static one. Once he or she is off the plane or train, that's where he/she can be caught by the local police / mafia / whatever. Of course, unless the attacker hijacks the plane or train. But we're not talking about terrorist plots here.. I hope :)

Adrian 'pagvac' Pastor
@bluebirch: who needs a fake passport when you're on a plane with more than 500 passengers? The question is: which passenger committed the crime? That's the challenge. But then again, I'm not saying it's impossible to catch the bad guy on the plane. Your point is more than valid. @Marchiner: this is pagvac, notice the author at the bottom :). I'm aware of MAC cloning for using commercial APs for free. Once you log in with a registered account that has Internet time, the system simply identifies you based on your MAC address, which can be cloned both on Win and *nix. The only problem with MAC cloning for free Internet access is that you don't want to clone the MAC address of a user that is currently online as it corrupts the network traffic. So ideally you want to collect a list of MAC addresses of users who have online access, and only clone a given MAC address while its respective user is NOT online. I've also researched alternative ways (different from MAC cloning) to get free Internet at hotels, which I presented at a Defcon meeting in London. Perhaps I should upload the slides to GNUCITIZEN!

I agree with Adrian. It becomes significantly harder to track the real location where an attack is launched from. If the attacker is not sloppy and has some basic knowledge regarding IT (some of them don't) then s/he can hide her/his tracks to the extent that it is no longer feasible to launch a pursuit. Think of FON.

Hi Adrian, sorry for calling you... "pdp".. credits for "pagvac". "Pdp" is a nice guy, but no credits for him now! I just saw the mistake minutes after posting... But so... Let's come back to the topic... "I've also researched alternative ways (different MAC cloning) to get free Internet at hotels which I presented at a Defcon meeting in London. Perhaps I should upload the slides to GNUCITIZEN!" Please... post your presentation.. if possible! I live too far away from London, so it's hard to watch these things. Thank god... Internet exists! :D Continue .... This week I had a conversation with some people that represent companies like "3com" and deploy corporate wireless. So... something like: Wireless Switch + 802.1x + radius... and blah blah blah! Someone there said something about changes in XP SP3 and Win Vista, where 802.1x will come before layer 2... but I don't know if this is true.. I didn't research anything about it yet. But I will do soon. If this is right, "MAC cloning is out" I believe. Do you know something about it, "pagvac" not "pdp"? :D

I'm not sure I see much difference from any other wireless hotspot. I don't think I've ever used one that would have been able to find me had I been nearby and doing something naughty. And even if I felt like someone may be watching, I can just up and move. And I have yet to see or even hear of any wireless/hotspot implementation that has resident geeks or IT at hand enough to do anything about whatever I do. I don't see this as much different from how things were in 2003, but I admit that as access becomes more ubiquitous and free, the capability to track malicious activity to a physical person becomes a more apparent challenge.

Why should anonymity be a bad thing? It's a bit like the standard argument: if you have nothing to hide you should not fear the new anti-privacy laws and procedures. There can be many reasons to be anonymous without being a hacker, cracker or terrorist.