
Stop Throwing Your Private Info at Strangers

02/17/10

06:32:18 pm, by Chad Sullivan, 758 words
Categories: General Security


On a recent flight, I was standing outside the gate waiting to board when a worker approached me offering free in-flight WiFi. This got me thinking about all of the conversations I have had over the years with various CxOs and Directors regarding wireless security and data leakage. In many cases, organizations have done a fairly good job of securing their wireless infrastructure, but quite often the PCs are allowed to connect to any network they want. In fact, it can be difficult to stop a computer from detecting and auto-connecting to a WiFi network, particularly one that broadcasts its SSID and uses no authentication or encryption, as in coffee shops, restaurants, hotels, and yes, airplanes.

Now, let's think about airplanes and WiFi. Users, especially on business commuter routes, often carry a laptop, a cell phone, and other devices such as PSP game systems. All of these devices may be WiFi enabled and in many cases auto-connect to the in-flight WiFi network. This typically occurs without the user's knowledge. Users may not even realize they are connected, they may opt to connect and use the service, or they may connect, review the terms and cost of service, and close the browser while leaving the WiFi connection up. The question we need to ask ourselves is what is leaking. Remember, unencrypted WiFi is basically a hub: sniffing (packet capture), MiTM attacks, directed hacking, spoofing, etc. are all very easily done in this scenario.

So, what may be leaking? Let's consider a few items:

  • User name and password for a web service (Twitter, financial accounts, shopping sites, etc.)
  • Credit card or other data if it is sent unsecured or a MiTM attack is occurring
  • FTP, Telnet, VNC, etc. sessions
  • DNS/WINS/HTTP/POP/etc. requests for internal corporate services and applications that are not reachable from the plane
  • Passwords in clear-text transmissions (often the same password and account are used everywhere, so once obtained they can be leveraged for access to secure sites)
  • Not to mention that the system is online and exposed to other, potentially malicious, systems

In a recent data capture file (pcap) provided to me from a flight taken in the US, several items were gleaned. Some of the info is easily visible using a tool like tcpdump and/or Wireshark to interpret the capture and filter the results. Additionally, Wireshark's ability to Follow a TCP Stream can quickly reassemble HTTP, Telnet, etc. sessions for easy reading. Beyond those tools, you can also use something like Chaosreader (a freely downloadable Perl script) to perform file carving on the pcap file. This script is capable of carving the pcap into smaller session-based data, including the ability to extract and present images, telnet sessions, VNC sessions via replay, etc. to the user. Think of the potential impact this could have on your corporate security.
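To make that analysis step concrete, here is an added example (not from the original post, and not Wireshark's or Chaosreader's code): a small Python audit script that parses a pcap, reassembles each client-to-server TCP flow the way Follow TCP Stream does, and reports flows on cleartext-authentication ports that carried USER/PASS, recording only that a password was observed rather than its value. The capture it builds is constructed; the 10.0.0.5/192.0.2.x addresses and the jim.doe/cu2 account names are placeholders standing in for the post's scrubbed POP3 and FTP logins.

```python
import struct
from collections import defaultdict

CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}  # USER/PASS sent in the clear
def tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) per IPv4/TCP frame of an Ethernet pcap (minimal parser)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    e = "<" if magic == 0xA1B2C3D4 else ">"          # pcap files may be written in either byte order
    off = 24                                         # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(e + "IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                 # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, sport, dst, dport, frame[14 + ihl + (frame[26 + ihl] >> 4) * 4:]
def find_cleartext_credentials(pcap):
    """Concatenate client->server data per flow (capture order, like Follow TCP Stream) and flag USER/PASS."""
    flows = defaultdict(bytes)
    for src, sport, dst, dport, data in tcp_payloads(pcap):
        if dport in CLEARTEXT_AUTH_PORTS and data:
            flows[(src, sport, dst, dport)] += data
    findings = []
    for (src, sport, dst, dport), data in flows.items():
        user, pw_seen = None, False
        for line in data.decode("latin-1").splitlines():
            verb, _, arg = line.strip().partition(" ")
            user = arg if verb.upper() == "USER" else user
            pw_seen = pw_seen or verb.upper() == "PASS"   # record that a password passed, never its value
        if user or pw_seen:
            findings.append({"proto": CLEARTEXT_AUTH_PORTS[dport], "client": f"{src}:{sport}",
                             "server": f"{dst}:{dport}", "user": user, "password_seen": pw_seen})
    return findings
def _frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
def build_sample_pcap():
    """Constructed pcap mimicking the post's scrubbed POP3 and FTP logins, plus one TLS flow to ignore."""
    frames = [_frame("10.0.0.5", 2093, "192.0.2.10", 110, b"USER jim.doe@example.com\r\n"),
              _frame("10.0.0.5", 2093, "192.0.2.10", 110, b"PASS hunter2\r\n"),
              _frame("10.0.0.5", 2128, "192.0.2.20", 21, b"USER cu2\r\nPASS s3cret\r\n"),
              _frame("10.0.0.5", 4000, "192.0.2.30", 443, b"\x16\x03\x01\x00\x05")]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)       # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Run it over a capture from one of your own laptops on an open hotspot (for a real file, pass `open(path, "rb").read()` to `find_cleartext_credentials`) to see which accounts would have been exposed; the TLS flow on port 443 is deliberately skipped.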

This is really no different from what is possible at any other hotspot, except that business travelers can be targeted via common commuter flights and routes. Something to think about. As a conclusion to this blog entry, I will provide the following 'scrubbed' data obtained from the capture file:

pop3: <IP1S_REMOVED:2093 -> IP1D_REMOVED:110
+OK <REMOVED@p3pop01-02.prod.phx3.gdg>
USER jim.LASTNAME@REMOVED.com
+OK
PASS yuOBSCUREDa7
+OK

ftp: IP1S_REMOVED:2128 -> IP1D_REMOVED:21
220 spftp/1.0.0000 Server [IP_REMOVED]
USER cuOBSCURED2
331 Password required for USER.
PASS AlOBSCUREDO
230 User cuOBSCURED2 logged in.
200 TYPE set to I.
PASV
227 Entering Passive Mode.

pop3: IP2S_REMOVED:55015 -> IP2D_REMOVED:110
+OK Dovecot ready.
USER rOBSCUREDa
+OK
PASS rOBSCUREDs
+OK Logged in.
+OK 15905 octets
<SNIP>
From: Stephanie [mailto:REMOVED]
Sent: DATE/TIME
To: 'Kris'; REMOVED
Subject: FW: REMOVED DBA: INNOVATIVE OFF OBSCURED

Please provide below

Stephanie REMOVED
Office Manager
COMPANY REMOVED
PHONE REMOVED
stephanie@REMOVED.COM

_____ 

From: REMOVED, Marc [mailto:REMOVED]
Sent: DATE/TIME

Hi,

I need

1)2 YEARS FINANCIALS TO INCLUDE INCOME STATEMENTS, CASH
FLOWS, AND BALANCE SHEET OR 2 YEARS TAX RETURNS       
2)3 MONTHS MOST RECENT PROCESSING STATEMENTS          

Thanks

REMOVED

Credit Officer
_____ 

http: IP1S_REMOVED:2411 -> IP1D_REMOVED:25

From: "Jim REMOVED" <REMOVED>
To: <isabel.REMOVED>
<SNIP>
Isabel,
The 4 users are now setup.  There user names are
firstname.lastname and their passwords are REMOVED

Please let me know if you have any questions.

Thank you,

Jim REMOVED
COMPANY REMOVED
PHONE REMOVED

-----Original Message-----
yes please

Isabel REMOVED
Customs Compliance Mgr

From: "Jim REMOVED" <REMOVED>
To: <isabel.REMOVED>
Subject:  REMOVED Access

Isabel,
For the users you would like access to REMOVED, do you want
them to view reports as well?

Thank you,

Jim REMOVED

©2010 by Priveon, Inc.