Monday, September 15th, 2008
Dark Reading recently had an interesting article related to the security of Hotel networks; you can find the article I’m talking about here.
As I read the article… I couldn’t help but smile… the article made it seem like Hotels have horribly insecure networks! The truth is, THEY DO…along with airports, coffee shops, bookstores and pretty much ANY PLACE that offers up connectivity!
Some people fail to understand that when you join ANY network, you’re trusting that everyone on the network is playing nicely. Many of the protocols that enable our network connectivity WERE NOT DESIGNED TO SECURELY SUPPORT THE SCENARIOS WE DEMAND TODAY. Take, for example, Address Resolution Protocol (ARP). ARP is the one protocol that really makes me paranoid. The details of how ARP works and how it can be used to do evil are way beyond the scope of this post, but you can find some good information here, here, and here.
The ARP abuses I’m most interested in are ARP Poisoning attacks. These attacks basically allow me to Man-in-the-Middle (MITM) network connections, typically from a victim’s machine to their gateway. Now ARP poisoning attacks have one MAJOR drawback (from an attacker’s standpoint): they typically require the victim to be on the same network as the attacker (in layman’s terms). Ask yourself this question… why would I ever join an un-trusted network and possibly subject myself to such attacks?
Surprisingly, people join un-trusted networks all the time. If you’ve ever associated to a wireless access point at a coffee shop, hotel, bookstore, or an airport… you’ve joined an un-trusted network… IT’S THAT SIMPLE. Just because the SSID and the welcome page have a familiar name/logo that you trust, THAT DOESN’T MEAN THAT YOU CAN TRUST EVERYONE ELSE CONNECTED TO THAT NETWORK, and if you can’t trust everyone connected to the network, then you’ve got yourself an un-trusted network. Now, MITM on “secure” connections (SSL aka HTTPS) usually causes a warning to appear (every major browser has this protection mechanism in place), and while I haven’t seen any studies on click-through rate, I would guess that it’s pretty high.
Airports are a PRIME target for MITM, as they are typically filled with people using the available wireless access points to do business. Many of these people are not technically savvy and more importantly, THEY ARE IN A HURRY, which brings them to push past warning message after warning message in order to “get this out before my plane leaves!” If someone wanted to harvest a TON of sensitive information (creds to banking accounts, usernames, passwords, emails… everything you can possibly imagine), all they would have to do is connect to the airport wireless network, ARP poison every host they see… and let the creds roll in. It’s that simple… trust me… I’ve seen it firsthand… I can guarantee that you’ll have someone’s creds within 5 minutes…
Security pros will argue, “you can use a VPN” and they are right. If you are a corporate user, you shouldn’t even THINK about sending anything through an external, un-trusted network unless it’s through the VPN… but what about the home user? What about mom and pop, traveling on vacation… where is their VPN? Judging from the success of these attacks, even if a stern warning is presented, many users just ignore the warnings and continue on their merry way. Scores of software packages will silently ignore certificate warnings, happily passing information on to a suspect host. Besides, those warnings are only displayed when encryption is in play, so the unsuspecting user who is browsing their webmail over HTTP gets their session stolen without warning. It’s truly amazing how noisy our computers have become, spitting out all sorts of info… trusting that everyone else on the network is playing nicely.
Let’s say you understand the risks of MITM and you have to email something out before your plane leaves. You attempt to connect to your VPN server and you see a certificate warning. You suspect that someone may have an MITM against you using ARP Poisoning… what can you do to protect yourself and still get the email out?
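One way to check that suspicion from your own machine, as an added example that is not from the original post: it parses the text output of arp -a (Linux, macOS or Windows layout) and flags a gateway entry whose MAC is shared with another host or differs from one you recorded earlier. The function names, addresses and sample caches are constructed for illustration.

```python
import re

# IPv4 address, then a MAC with ':' (Linux/macOS) or '-' (Windows) separators.
ENTRY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\D.*?"
                   r"\b((?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})\b")
IGNORED = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"}  # broadcast / empty

def normalize_mac(mac):
    # macOS drops leading zeros (0:1c:...), so pad every octet.
    return ":".join(p.zfill(2) for p in re.split("[:-]", mac.lower()))

def parse_arp_table(text):
    """Return {ip: mac} from the text of an ARP cache listing (`arp -a`)."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m and normalize_mac(m.group(2)) not in IGNORED:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def poisoning_signs(table, gateway_ip, known_gateway_mac=None):
    """List reasons to distrust the cached entry for the gateway."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return ["no ARP entry for gateway %s" % gateway_ip]
    signs = []
    # A poisoned cache maps the gateway IP to another host's MAC, so that
    # MAC usually shows up a second time next to the host's own IP.
    twins = sorted(ip for ip, mac in table.items()
                   if mac == gw_mac and ip != gateway_ip)
    if twins:
        signs.append("gateway MAC %s also used by %s" % (gw_mac, ", ".join(twins)))
    # Assumption: the caller noted the gateway MAC at an earlier, trusted time.
    if known_gateway_mac and normalize_mac(known_gateway_mac) != gw_mac:
        signs.append("gateway MAC changed to %s" % gw_mac)
    return signs

# Constructed sample caches, not captured from a real network.
CLEAN = ("? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0\n"
         "? (192.168.1.42) at 66:77:88:99:aa:bb [ether] on wlan0\n")
POISONED = ("? (192.168.1.1) at 66:77:88:99:aa:bb [ether] on wlan0\n"
            "? (192.168.1.42) at 66:77:88:99:AA:BB [ether] on wlan0\n"
            "? (192.168.1.7) at <incomplete> on wlan0\n")

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, poisoning_signs(parse_arp_table(text), "192.168.1.1",
                                    "00:11:22:33:44:55"))
```

A shared MAC is a reason to look closer rather than proof, since one device can legitimately answer for several IP addresses.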