Hacking the friendly skies
Download
1 / 45

Hacking the Friendly Skies - PowerPoint PPT Presentation


  • 252 Views
  • Updated On :

Hacking the Friendly Skies. ShmooCon - Jan 2006 Simple Nomad n omad m obile r esearch c entre. Hello…. SN is with NMRC SN is with Vernier Networks SN is jaded and bitter. Disclaimer: Why Not T o Do This. Legalities We have a bad enough reputation anyway. Agenda. Background

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Hacking the Friendly Skies' - Angelica


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Hacking the friendly skies l.jpg
Hacking the Friendly Skies

ShmooCon - Jan 2006

Simple Nomad

nomad mobile research centre


Hello l.jpg
Hello…

  • SN is with NMRC

  • SN is with Vernier Networks

  • SN is jaded and bitter


Disclaimer why not t o do this l.jpg
Disclaimer: Why Not To Do This

  • Legalities

  • We have a bad enough reputation anyway


Agenda l.jpg
Agenda

  • Background

  • Attacking

  • Collected data

  • Conclusion

  • The Future

  • BTW, Bluetooth is not really covered, and is its own unholy monster



How this started l.jpg
How This Started

  • Weather delays

  • Cancelled flights

  • Layovers

  • Gadgets and toys

  • Idle hands


There is no in flight hotspot l.jpg
There Is No In-Flight HotSpot

  • Why are SSIDs called linksys, dlink, tmobile, hpsetup, 2wire etc showing up where they are clearly not?

  • Can I talk to these devices?

  • Can I attack these devices?


Airline background l.jpg
Airline Background

  • 10,000 foot rule on using approved electronics

  • No approved electronic devices during takeoff/landing for one simple reason – to keep your row clear in the event of an emergency

  • This is the same reason you have to stow your tray tables and put your seat back in its full upright position



Second warning l.jpg
Second Warning

  • Don’t do this shit

  • If you must, do it in the terminal

    • During delays, there is more opportunity


Contributing factors l.jpg
Contributing Factors

  • Laptops with built-in WiFi

  • Excellent Windows wireless integration

  • Connectivity friendliness of Windows in general


Ipv4 link local addresses l.jpg
IPv4 Link-Local Addresses

  • RFC 3927 – “Dynamic Configuration of IPv4 Link-Local Addresses”

  • If DHCP fails to provide an IP address, interfaces with Link-Local configurations will auto-assign an address in the 169.254.0.0/16 range

  • Link-Local is on by default on all interfaces on all Windows platforms, including wireless interfaces


Microsoft implementation of rfc 3927 l.jpg
Microsoft Implementation of RFC 3927

  • Example here is XP

  • Start -> Connect To -> Show all connections

  • Right click on wireless connection

  • Internet Protocol (TCP/IP) -> Properties

  • Two things to look for (and they are the default)

    • General -> Obtain an IP address automatically is checked

    • Alternate Configuration -> Automatic private IP address is checked

  • These two together help spell disaster

  • Details of Microsoft’s implementation under the covers are in RFC 3927 in appendix A.4


The magically appearing ssid l.jpg
The Magically Appearing SSID

  • User boots up laptop

  • Wireless is enabled

  • Ethernet is disconnected, a (short) timeout occurs

  • Wireless is enabled, tries to find “default” SSID

  • Default SSID is not found, no DHCP server answers, Link-Local is used

  • IP address is assigned from 169.254.0.0/16 range per RFC 3330, this is APIPA (Automatic Private IP Address)

  • Built-in laptop becomes an ad-hoc network using “default” SSID

  • PC now says it is “tmobile” or “linksys” or “dlink”, and broadcasts its SSID as such

  • How?


Magically appearing networks l.jpg
Magically Appearing Networks

  • Users boot up laptops

  • The first one up becomes the potential “SSID leader”

  • As additional laptops come up and can’t find their default (re: last) SSID to connect to, they may or may not connect

  • Windows stores all SSIDs you have connected to in Registry

  • If you have the SSID leader’s beaconing SSID in your Registry, you could connect

  • Even if you don’t, if only one SSID around, you could also connect

  • Wee, automagic little clusterfuck of targetry goodness

  • Multiple SSID leaders can emerge, hours of attack fun!


Warning from rfc 3927 l.jpg
Warning From RFC 3927

  • From RFC 3927, section 5, paragraph 3:

NOTE: There are certain kinds of local links, such as wireless LANs, that provide no physical security. Because of the existence of these links it would be very unwise for an implementer to assume that when a device is communicating only on the local link it can dispense with normal security precautions. Failure to implement appropriate security measures could expose users to considerable risks.


Authors of rfc 3927 l.jpg
Authors of RFC 3927

Oops!

Network Working Group S. Cheshire

Request for Comments: 3927 Apple Computer

Category: Standards Track B. Aboba

Microsoft Corporation

E. Guttman

Sun Microsystems

March 2005


Attack time l.jpg
Attack Time

  • Attach to that “tmobile” Ad-hoc Peer-to-Peer network

  • If Windows, make sure YOU have Alternate Configuration hard-wired to a 169.254.0.0/16 address

  • If Unix, assign yourself a 169.254.0.0/16 address

  • Get victim laptop’s IP address

    • ARP for it, sniff (it is Windows, it will eventually chat NetBIOS to you), etc

  • Ping it, you may have to set up a default route on Unix

  • Nmap, Nessus, dsniff, Cain & Abel, Metasploit Framework, etc etc

  • ()wnage, biatch


Attack time on short flights l.jpg
Attack Time on Short Flights

  • Configure a DHCP server on your laptop

  • Attach to that “tmobile” Ad-hoc Peer-to-Peer network

  • Give victim his laptop’s IP address

    • APIPA/Link-Local systems will periodically check for a DHCP server

  • Nmap, Nessus, dsniff, Cain & Abel, Metasploit Framework, etc etc

  • Quicker ()wnage, biatch


Attack time using karma l.jpg
Attack Time Using KARMA

  • Run KARMA on your laptop

  • KARMA answers all SSID requests saying “yes, I really am that SSID you’re looking for”

  • Conceivably every laptop on the plane (or terminal, or commuter train) could be compromised

  • Thorough ()wnage

    KARMA by Dino and K2 - http://www.theta44.org/karma/


Don t forget to sniff l.jpg
Don’t Forget To Sniff

  • SMB traffic including cached creds etc


Evil fake ap l.jpg
Evil Fake AP

  • Do “recon” with laptop, PDA etc in terminal waiting for flight

  • Determine most popular SSID

  • Set up fake AP with that SSID

  • Offer up a DNS server

  • Resolve EVERYTHING to your address

  • Hello LM/NTLM hashes


Add honeypot technology l.jpg
Add Honeypot Technology

  • Sniff for probes to IMAP/POP3

    • Remember, you DNS server will say you are that server

  • Run Honeypot mail server

  • Accept (and log) every user and password


Idle hands l.jpg
Idle Hands

  • Change background image

  • Find pr0n on target, make that the background image

    • You’re backdoored the system, literally

  • Launch MP3s with Parental Advisory lyrics

    • Rap, death metal, industrial (make a political statement)

    • Launch when cluebag goes to the lavatory for maximum effect

  • Launch MP3 real loud that says, “wow this porn is hot!” and then launch hot .avi, .mpg, or .wmv

  • Launch MP3 that says, “how much for a lavatory quickie, bitch?” during the drink service

  • Install a server and serve up pr0n to the rest of the aircraft

    • Repeat earlier bullet item on multiple machines

  • Cover your tracks! Upload your tools, attack other machines, then attack your own machine (plausible deniability)



Atlanta ga midweek l.jpg
Atlanta, GA Midweek

  • Largest city in the region, lots of businesses

  • Weather delay, sat on tarmac in DFW ½ mile from terminal for 1 hour while thunderstorm passed

  • MD80 aircraft, half full flight, 8 laptops out and running

  • 2 ad-hoc networks

  • 3 live targets, 2 Windows XP, 1 Windows 2000

    • Windows XP fully patched with firewalling

    • Windows 2000 vulnerable to MS05-039


Charlotte nc midweek l.jpg
Charlotte, NC Midweek

  • Heavy banking/insurance town

  • Weather delay, target-rich environment in Charlotte (dozens of ad-hoc networks) at the gate before flight

  • MD80 aircraft, full flight, 12 laptops out and running

  • 5(!) ad-hoc networks

  • 5 live targets, 2 Windows XP, 1 Windows 2003, 2 Windows 2000

    • Only Windows 2003 fully patched with firewall

    • Rest vulnerable to MS05-017 and/or MS05-039


Toorcon 7 return flight monday morning l.jpg
ToorCon 7 Return Flight, Monday Morning

  • In terminal, very few laptops out (it was fucking 6am), only 1 ad-hoc network named tmobile

  • 757 aircraft, full flight, 22 laptops out and running

  • 1 ad-hoc network formed named 249143

  • 2 additional nodes had attached to it (apparently clueless they had done so)

  • 3 live targets - 2 Windows XP, 1 Windows 2000

    • Windows 2000 vulnerable to MS05-039

      • Dlink technician (no I am not making this up, overheard him talking)

    • Windows XP Pro, vulnerable to MS05-017

    • Windows XP at SP1, vulnerable to MS05-017

      • This guy was across the aisle, VP of a physical security company, w00t!


Sjc dfw tuesday afternoon l.jpg
SJC - DFW, Tuesday Afternoon

  • In terminal, 5 laptops out, 3 ad-hoc networks, 1 named linksys

  • MD80 aircraft, half-full flight, 14 laptops out and running

  • 4 ad-hoc networks named MSFTWAN, GoldenTree, Fly Aloha, and orange

  • Orange had WEP turned on (?)

  • 4 live targets – 2 Windows XP Pro, 2 Windows 2000

    • Windows XP Pro firewalled, probably SP2 (orange), fingerprinted using visual reconnaissance

    • Windows XP SP0 or SP1, patched up but 2 open shares (one had pr0n)

    • Both Windows 2000 vulnerable to MS05-039

    • 1 Windows 2000 had a web server running

  • MSFTWAN? Certainly not….


Best target locations l.jpg
Best Target Locations

  • Airline 31337 Flyx0r clubs, but this is regular laptop-to-laptop hacking

  • Business commuter flights

    • Early Monday flights are best

    • Major business hauls

      • Eg LGA – DCA, EWR – BOS, ORD – LAX, HOU – ATL especially in and out of high tech areas

    • Get a seat near front part of coach

      • Road warriors request these seats in advance to get off the plane quicker

      • Aircraft with limited power outlets usually have outlets there

      • Better able to visually shoulder-surf during recon phase, helps with OS detection

      • Flights with lower passenger loads will have road warriers in First Class due to upgrades


Contributing factors31 l.jpg
Contributing Factors

  • Bad weather/delays means increased laptop usage in terminal

    • Rain dance or l33t weather-controlling satellite ownage can help you

  • Certain airports have no wireless

    • Charlotte, NC for example

    • Virtually all non-WEP/WPA SSIDs are ad-hoc



Why this happens l.jpg
Why This Happens

  • Configuration for talking to infrastructure, no problems

  • Once you can’t find infrastructure linksys or tmobile, you will attach to ad-hoc versions if available

  • From this point on you will auto-assign an ad-hoc network with that SSID

    • It is a configuration “virus”, currently operating in the wild


What s bad l.jpg
What’s Bad

  • Alternate Configuration on wireless

    • Turn off your wireless, bad monkey, no banana

    • It should be off unless really needed

  • Works wherever sheeple laptop users gather and there is no wireless (hotels and convention centers without available wireless, commuter trains, etc)


What s good l.jpg
What’s Good

  • Easy workarounds

    • Turn off your wireless connection when not in use (duh)

    • Set your wireless to only talk to infrastructure networks (advanced settings)

    • Personal firewalls will help, and on XP SP1 or later make sure the firewall is on

    • WEP on an adhoc network is possible

  • Per the Microsoft Security Response Center, patches will be included in the next service pack releases to prevent the auto-advertising of adhoc networks

    • In spite of lame nature of attack (and it is pretty lame), Microsoft took it seriously


Quick wifi detection for passengers and flight crews l.jpg
Quick WiFi Detection for Passengers and Flight Crews

  • Digital Hotspotter (<$100) will detect signal strength, show SSID, encryption or not, and channel

  • Kensington WiFi Finder Plus (<$30) will detect the presence of WiFi and Bluetooth



Fcc vs faa l.jpg
FCC vs. FAA

  • FCC says cell phone/wifi is ready for use on planes

  • FAA has still not approved the technology

  • Without push from the airlines, the FAA is unlikely to budge soon

  • AA, United, and Delta were ready to start the push for pico cell-based cellular service on airplanes in 2001

    • Unfortunately 9/11 happened and they all lost money, and the technology is very expensive

  • Watch the cellphone usage issue for planes (1/5 the cost to implement), wifi will follow

  • Last “cellular interference” study to concluded in 2006


Flying with big brother l.jpg
Flying With Big Brother

  • DHS and DOJ both want the ban on cellphone/wifi on planes to remain in effect

  • If implemented, DHS and DOJ want the ability to monitor ALL traffic

    • Prevent cabin-to-cabin/air-to-ground/air-to-air terrorist coordination

  • This added measure would increase the cost of implementing the infrastructure immensely


Inflight broadband basics l.jpg
Inflight Broadband Basics

  • Available now on limited flights

    • Non-US carriers

    • Overseas flights only

  • Typically private class C for passengers

  • Uses a combination of satellites and 5 ground locations to move packets back and forth

  • Approximately $30 USD for unlimited usage during a 6+ hour flight


Inflight broadband adopters l.jpg
Inflight Broadband Adopters

  • Three Vendors

    • Connexion, Tenzing (SMS, email only), and Sky Way

  • Various airlines are involved

    • British Airways

    • Japan Airlines

    • Lufthansa

    • SAS

    • Singapore Airlines

    • Nippon Airways

    • Southeast Airlines

    • Executive Charter


Inflight broadband issues l.jpg
Inflight Broadband Issues

  • Expensive to implement (roughly $400k per plane)

    • US-based airlines are not buying it

  • Currently little to no security implemented

    • Security solutions cost extra, and the airlines aren’t buying it

  • Disputable legality of in-flight air-to-air or air-to-ground hacking

    • Attacker in 15A, victim in 17D – mid-Pacific/Atlantic and who is to blame?

    • You are over international waters, no clear jurisdiction

    • Think “cruise ship enters international waters, the casino now legally opens”

    • Does this apply to laptop-to-laptop hacking mid-flight?


Additional inflight issues l.jpg
Additional Inflight Issues

  • Windows CE 2003 and Boeing Aircraft

    • As we speak Boeing is disabling Bluetooth, which was enabled by default

    • No I am not kidding, Windows CE

  • WTF!? Bluetooth??!? Windows CE!!?!

    • Can you say “backdoor” so ground personnel can land a hijacked plane via AutoLand and/or RoboLander?

  • Imagine a terrorist with a Bluetooth gun aimed at a plane after take-off

  • Imagine an instruction of “please go to -2000 feet in 15 minutes kthxbye”

  • BTW have a safe flight home from ShmooCon!



Fin biatchez l.jpg

Thanks to NMRC folks for feedback

Photo session by Duy Nguyen and Amy Lee Muir

Art Manipulation by Weasel

NMRC Fetish Model – Bethany

FIN, Biatchez

Images © 2005, 2006 NMRC www.nmrc.org