Hacking the Friendly Skies ShmooCon - Jan 2006 Simple Nomad nomad mobile research centre
Hello… • SN is with NMRC • SN is with Vernier Networks • SN is jaded and bitter
Disclaimer: Why Not To Do This • Legalities • We have a bad enough reputation anyway
Agenda • Background • Attacking • Collected data • Conclusion • The Future • BTW, Bluetooth is not really covered, and is its own unholy monster
How This Started • Weather delays • Cancelled flights • Layovers • Gadgets and toys • Idle hands
There Is No In-Flight HotSpot • Why are SSIDs called linksys, dlink, tmobile, hpsetup, 2wire etc showing up where they are clearly not? • Can I talk to these devices? • Can I attack these devices?
Airline Background • 10,000 foot rule on using approved electronics • No approved electronic devices during takeoff/landing for one simple reason – to keep your row clear in the event of an emergency • This is the same reason you have to stow your tray tables and put your seat back in its full upright position
Second Warning • Don’t do this shit • If you must, do it in the terminal • During delays, there is more opportunity
Contributing Factors • Laptops with built-in WiFi • Excellent Windows wireless integration • Connectivity friendliness of Windows in general
IPv4 Link-Local Addresses • RFC 3927 – “Dynamic Configuration of IPv4 Link-Local Addresses” • If DHCP fails to provide an IP address, interfaces with Link-Local configurations will auto-assign an address in the 169.254.0.0/16 range • Link-Local is on by default on all interfaces on all Windows platforms, including wireless interfaces
Microsoft Implementation of RFC 3927 • Example here is XP • Start -> Connect To -> Show all connections • Right click on wireless connection • Internet Protocol (TCP/IP) -> Properties • Two things to look for (and they are the default) • General -> Obtain an IP address automatically is checked • Alternate Configuration -> Automatic private IP address is checked • These two together help spell disaster • Details of Microsoft’s implementation under the covers are in RFC 3927 in appendix A.4
The Magically Appearing SSID • User boots up laptop • Wireless is enabled • Ethernet is disconnected, a (short) timeout occurs • Wireless is enabled, tries to find “default” SSID • Default SSID is not found, no DHCP server answers, Link-Local is used • IP address is assigned from 169.254.0.0/16 range per RFC 3330, this is APIPA (Automatic Private IP Address) • Built-in laptop becomes an ad-hoc network using “default” SSID • PC now says it is “tmobile” or “linksys” or “dlink”, and broadcasts its SSID as such • How?
Magically Appearing Networks • Users boot up laptops • The first one up becomes the potential “SSID leader” • As additional laptops come up and can’t find their default (re: last) SSID to connect to, they may or may not connect • Windows stores all SSIDs you have connected to in Registry • If you have the SSID leader’s beaconing SSID in your Registry, you could connect • Even if you don’t, if only one SSID around, you could also connect • Wee, automagic little clusterfuck of targetry goodness • Multiple SSID leaders can emerge, hours of attack fun!
Warning From RFC 3927 • From RFC 3927, section 5, paragraph 3: NOTE: There are certain kinds of local links, such as wireless LANs, that provide no physical security. Because of the existence of these links it would be very unwise for an implementer to assume that when a device is communicating only on the local link it can dispense with normal security precautions. Failure to implement appropriate security measures could expose users to considerable risks.
Authors of RFC 3927 Oops! Network Working Group S. Cheshire Request for Comments: 3927 Apple Computer Category: Standards Track B. Aboba Microsoft Corporation E. Guttman Sun Microsystems March 2005
Attack Time • Attach to that “tmobile” Ad-hoc Peer-to-Peer network • If Windows, make sure YOU have Alternate Configuration hard-wired to a 169.254.0.0/16 address • If Unix, assign yourself a 169.254.0.0/16 address • Get victim laptop’s IP address • ARP for it, sniff (it is Windows, it will eventually chat NetBIOS to you), etc • Ping it, you may have to set up a default route on Unix • Nmap, Nessus, dsniff, Cain & Abel, Metasploit Framework, etc etc • ()wnage, biatch
Attack Time on Short Flights • Configure a DHCP server on your laptop • Attach to that “tmobile” Ad-hoc Peer-to-Peer network • Give victim his laptop’s IP address • APIPA/Link-Local systems will periodically check for a DHCP server • Nmap, Nessus, dsniff, Cain & Abel, Metasploit Framework, etc etc • Quicker ()wnage, biatch
Attack Time Using KARMA • Run KARMA on your laptop • KARMA answers all SSID requests saying “yes, I really am that SSID you’re looking for” • Conceivably every laptop on the plane (or terminal, or commuter train) could be compromised • Thorough ()wnage KARMA by Dino and K2 - http://www.theta44.org/karma/
Don’t Forget To Sniff • SMB traffic including cached creds etc
Evil Fake AP • Do “recon” with laptop, PDA etc in terminal waiting for flight • Determine most popular SSID • Set up fake AP with that SSID • Offer up a DNS server • Resolve EVERYTHING to your address • Hello LM/NTLM hashes
Add Honeypot Technology • Sniff for probes to IMAP/POP3 • Remember, you DNS server will say you are that server • Run Honeypot mail server • Accept (and log) every user and password
Idle Hands • Change background image • Find pr0n on target, make that the background image • You’re backdoored the system, literally • Launch MP3s with Parental Advisory lyrics • Rap, death metal, industrial (make a political statement) • Launch when cluebag goes to the lavatory for maximum effect • Launch MP3 real loud that says, “wow this porn is hot!” and then launch hot .avi, .mpg, or .wmv • Launch MP3 that says, “how much for a lavatory quickie, bitch?” during the drink service • Install a server and serve up pr0n to the rest of the aircraft • Repeat earlier bullet item on multiple machines • Cover your tracks! Upload your tools, attack other machines, then attack your own machine (plausible deniability)
Atlanta, GA Midweek • Largest city in the region, lots of businesses • Weather delay, sat on tarmac in DFW ½ mile from terminal for 1 hour while thunderstorm passed • MD80 aircraft, half full flight, 8 laptops out and running • 2 ad-hoc networks • 3 live targets, 2 Windows XP, 1 Windows 2000 • Windows XP fully patched with firewalling • Windows 2000 vulnerable to MS05-039
Charlotte, NC Midweek • Heavy banking/insurance town • Weather delay, target-rich environment in Charlotte (dozens of ad-hoc networks) at the gate before flight • MD80 aircraft, full flight, 12 laptops out and running • 5(!) ad-hoc networks • 5 live targets, 2 Windows XP, 1 Windows 2003, 2 Windows 2000 • Only Windows 2003 fully patched with firewall • Rest vulnerable to MS05-017 and/or MS05-039
ToorCon 7 Return Flight, Monday Morning • In terminal, very few laptops out (it was fucking 6am), only 1 ad-hoc network named tmobile • 757 aircraft, full flight, 22 laptops out and running • 1 ad-hoc network formed named 249143 • 2 additional nodes had attached to it (apparently clueless they had done so) • 3 live targets - 2 Windows XP, 1 Windows 2000 • Windows 2000 vulnerable to MS05-039 • Dlink technician (no I am not making this up, overheard him talking) • Windows XP Pro, vulnerable to MS05-017 • Windows XP at SP1, vulnerable to MS05-017 • This guy was across the aisle, VP of a physical security company, w00t!
SJC - DFW, Tuesday Afternoon • In terminal, 5 laptops out, 3 ad-hoc networks, 1 named linksys • MD80 aircraft, half-full flight, 14 laptops out and running • 4 ad-hoc networks named MSFTWAN, GoldenTree, Fly Aloha, and orange • Orange had WEP turned on (?) • 4 live targets – 2 Windows XP Pro, 2 Windows 2000 • Windows XP Pro firewalled, probably SP2 (orange), fingerprinted using visual reconnaissance • Windows XP SP0 or SP1, patched up but 2 open shares (one had pr0n) • Both Windows 2000 vulnerable to MS05-039 • 1 Windows 2000 had a web server running • MSFTWAN? Certainly not….
Best Target Locations • Airline 31337 Flyx0r clubs, but this is regular laptop-to-laptop hacking • Business commuter flights • Early Monday flights are best • Major business hauls • Eg LGA – DCA, EWR – BOS, ORD – LAX, HOU – ATL especially in and out of high tech areas • Get a seat near front part of coach • Road warriors request these seats in advance to get off the plane quicker • Aircraft with limited power outlets usually have outlets there • Better able to visually shoulder-surf during recon phase, helps with OS detection • Flights with lower passenger loads will have road warriers in First Class due to upgrades
Contributing Factors • Bad weather/delays means increased laptop usage in terminal • Rain dance or l33t weather-controlling satellite ownage can help you • Certain airports have no wireless • Charlotte, NC for example • Virtually all non-WEP/WPA SSIDs are ad-hoc
Why This Happens • Configuration for talking to infrastructure, no problems • Once you can’t find infrastructure linksys or tmobile, you will attach to ad-hoc versions if available • From this point on you will auto-assign an ad-hoc network with that SSID • It is a configuration “virus”, currently operating in the wild
What’s Bad • Alternate Configuration on wireless • Turn off your wireless, bad monkey, no banana • It should be off unless really needed • Works wherever sheeple laptop users gather and there is no wireless (hotels and convention centers without available wireless, commuter trains, etc)
What’s Good • Easy workarounds • Turn off your wireless connection when not in use (duh) • Set your wireless to only talk to infrastructure networks (advanced settings) • Personal firewalls will help, and on XP SP1 or later make sure the firewall is on • WEP on an adhoc network is possible • Per the Microsoft Security Response Center, patches will be included in the next service pack releases to prevent the auto-advertising of adhoc networks • In spite of lame nature of attack (and it is pretty lame), Microsoft took it seriously
Quick WiFi Detection for Passengers and Flight Crews • Digital Hotspotter (<$100) will detect signal strength, show SSID, encryption or not, and channel • Kensington WiFi Finder Plus (<$30) will detect the presence of WiFi and Bluetooth
FCC vs. FAA • FCC says cell phone/wifi is ready for use on planes • FAA has still not approved the technology • Without push from the airlines, the FAA is unlikely to budge soon • AA, United, and Delta were ready to start the push for pico cell-based cellular service on airplanes in 2001 • Unfortunately 9/11 happened and they all lost money, and the technology is very expensive • Watch the cellphone usage issue for planes (1/5 the cost to implement), wifi will follow • Last “cellular interference” study to concluded in 2006
Flying With Big Brother • DHS and DOJ both want the ban on cellphone/wifi on planes to remain in effect • If implemented, DHS and DOJ want the ability to monitor ALL traffic • Prevent cabin-to-cabin/air-to-ground/air-to-air terrorist coordination • This added measure would increase the cost of implementing the infrastructure immensely
Inflight Broadband Basics • Available now on limited flights • Non-US carriers • Overseas flights only • Typically private class C for passengers • Uses a combination of satellites and 5 ground locations to move packets back and forth • Approximately $30 USD for unlimited usage during a 6+ hour flight
Inflight Broadband Adopters • Three Vendors • Connexion, Tenzing (SMS, email only), and Sky Way • Various airlines are involved • British Airways • Japan Airlines • Lufthansa • SAS • Singapore Airlines • Nippon Airways • Southeast Airlines • Executive Charter
Inflight Broadband Issues • Expensive to implement (roughly $400k per plane) • US-based airlines are not buying it • Currently little to no security implemented • Security solutions cost extra, and the airlines aren’t buying it • Disputable legality of in-flight air-to-air or air-to-ground hacking • Attacker in 15A, victim in 17D – mid-Pacific/Atlantic and who is to blame? • You are over international waters, no clear jurisdiction • Think “cruise ship enters international waters, the casino now legally opens” • Does this apply to laptop-to-laptop hacking mid-flight?
Additional Inflight Issues • Windows CE 2003 and Boeing Aircraft • As we speak Boeing is disabling Bluetooth, which was enabled by default • No I am not kidding, Windows CE • WTF!? Bluetooth??!? Windows CE!!?! • Can you say “backdoor” so ground personnel can land a hijacked plane via AutoLand and/or RoboLander? • Imagine a terrorist with a Bluetooth gun aimed at a plane after take-off • Imagine an instruction of “please go to -2000 feet in 15 minutes kthxbye” • BTW have a safe flight home from ShmooCon!
Thanks to NMRC folks for feedback Photo session by Duy Nguyen and Amy Lee Muir Art Manipulation by Weasel NMRC Fetish Model – Bethany FIN, Biatchez Images © 2005, 2006 NMRC www.nmrc.org