Wednesday, February 21, 2007

Auditing Wi-Fi Areas.

I've always been curious about the kind of security applied in “Hot Spots” or “Wi-Fi Areas”. These are places where you can access the Internet on pre-paid time. I'm not even going to talk about securing the client's activities and data or providing any kind of anonymity. I was really keen on finding out what means such providers have deployed to make sure no unauthorized personnel has access (aka people who haven't paid for their time). So today was my lucky day. While waiting for a flight at Athens International Airport I had the chance to test their Wireless Internet Access Service. Apparently they don't use any kind of encryption on their Access Points. That means anyone can connect to it and receive an IP Address through DHCP (Dynamic Host Configuration Protocol). That's good, right? These guys want even the least tech-savvy user to be their client. As soon as you try to access your first web site (I'm guessing they offer HTTP only), you are redirected (through a transparent proxy) to a login screen and asked for a PIN, which can be found on the back of pre-paid cards. When you enter a valid PIN, (I'm guessing) your IP and/or MAC Address are recorded and their firewall lets you out (or their proxy fetches stuff for you, or something like that). So, that's how it works.
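To make the guessed mechanism concrete, here is a small model of such a portal, added as an example and not code from the airport's system: the gate redirects unauthorized HTTP to a login page, a valid PIN records the client's (IP, MAC) pair, and that pair is what the firewall later checks. Since the firewall only ever sees (IP, MAC), the example also shows the kind of check a gateway operator could layer on top: the DHCP hostname a client announces, logged beside its MAC, and a flag whenever one MAC presents two different identities within a short window. The portal URL, PINs, hostnames and log events are all constructed.

```python
"""Captive-portal authorization model plus a gateway-side identity-conflict check.
Added example; the airport's real system is unknown. Hostnames, PINs and the
DHCP events below are constructed, and the portal URL is a placeholder."""
from collections import defaultdict

LOGIN_URL = "http://portal.example/login"  # assumed login page address


class CaptivePortal:
    """Gate as the post describes it: unauthorized HTTP is redirected to the
    login page; a valid pre-paid PIN records the client's (ip, mac) pair and
    the firewall then lets that pair through."""

    def __init__(self, valid_pins):
        self.unused_pins = set(valid_pins)
        self.authorized = {}  # (ip, mac) -> pin that unlocked it

    def handle_http(self, ip, mac, url):
        """Transparent-proxy decision for one request."""
        if (ip, mac) in self.authorized:
            return ("PASS", url)
        return ("REDIRECT", LOGIN_URL)

    def redeem_pin(self, ip, mac, pin):
        """Accept a PIN once; on success the (ip, mac) pair is allowed out."""
        if pin not in self.unused_pins:
            return False
        self.unused_pins.remove(pin)
        self.authorized[(ip, mac)] = pin
        return True


def find_identity_conflicts(events, window=900):
    """Flag a MAC that shows up with a different (ip, hostname) identity within
    `window` seconds of a previous sighting. The firewall keys on (ip, mac) only,
    so the DHCP hostname is extra evidence that two machines share one MAC.
    events: iterable of (time_s, mac, ip, hostname) taken from a DHCP lease log."""
    last_seen = defaultdict(dict)  # mac -> {(ip, hostname): last time seen}
    conflicts = []
    for t, mac, ip, host in events:
        ident = (ip, host)
        for other, t0 in last_seen[mac].items():
            if other != ident and t - t0 <= window:
                conflicts.append((mac, other, ident))
        last_seen[mac][ident] = t
    return conflicts


# Constructed DHCP-lease events: (time_s, mac, ip, hostname)
EVENTS = [
    (0, "00:11:22:33:44:55", "10.0.0.10", "alices-laptop"),
    (30, "00:11:22:33:44:56", "10.0.0.11", "bobs-phone"),
    (600, "00:11:22:33:44:55", "10.0.0.10", "alices-laptop"),
    (620, "00:11:22:33:44:55", "10.0.0.10", "other-host"),  # same MAC, new name
]


def demo():
    """Walk one client through the gate and run the conflict check on the log."""
    portal = CaptivePortal({"1234-5678-90"})  # constructed PIN
    ip, mac = "10.0.0.10", "00:11:22:33:44:55"
    before = portal.handle_http(ip, mac, "http://example.com/")[0]
    redeemed = portal.redeem_pin(ip, mac, "1234-5678-90")
    after = portal.handle_http(ip, mac, "http://example.com/")[0]
    return {
        "before_pin": before,       # "REDIRECT"
        "pin_accepted": redeemed,   # True
        "after_pin": after,         # "PASS"
        "conflicts": find_identity_conflicts(EVENTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The gate itself cannot tell two devices apart once they present the same (IP, MAC) pair, which is exactly the gap the post describes; the conflict check does not close that gap, but it gives the operator a log line to act on, and encryption on the Access Point (WPA at the time of writing) would remove the problem at its source.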

Let's say I am a bad guy, well not a bad guy – just a guy who doesn't want to pay. I would go and sit next to a guy who is already surfing and sniff the unencrypted air to easily discover the legit user's IP and MAC Addresses. (Of course I could also sniff sensitive information such as his passwords or e-mails, but that's another story.) After that I would configure my own wireless card to use the exact same information (hence masquerading myself as the legit user) and I'm in! That's it! I wouldn't even have to try to find holes in their firewall or crack their infrastructure or brute force PINs. Pretty easy, huh? Well, it is.

Then I tried to understand why. First of all, their administrator has applied no access control mechanisms to the Access Point because that would require a significant trade-off. It would require every user to know how to configure his wireless device to conform with those security systems (e.g. MAC Filtering, Hidden ESSID, WEP, WPA). This could scare away potential customers who just don't get along with computers very well, and the CEOs don't want that. So no “frustrating” security measures.

OK, so a lot of people can get it for free. We know it and they know it. Although at first it may seem that a bandwidth piggyback is so cool and lets you surf for free, it actually works in their favor. How?

First of all, including the piggybackers, more people will appear to be using their Wi-Fi Areas. And, as we all know, people tend to imitate other people's behavior. So if you have a wireless-capable device and see other people using such a service, you will also feel the urge to use it. So there you have it: indirect advertisement! Moreover, people able to perform such a stunt will be so proud of themselves that they will tell their friends about it. And when their friends try to do it for themselves they may fail, but they were expecting Internet Access on the spot, so it is very likely they will actually pay for the service after all. Extending that, there will be a time when the original hacker won't be able to find victims to take advantage of, but going online from the airport may already have become a habit for him or something he relies on, so even he may purchase credits for the service. Also, if you come to think about it, the providers aren't losing that much. Most users (even unauthorized ones) are there to catch a flight, so under normal circumstances that won't take more than a couple of hours. It's not like they are stealing bandwidth for days or so.

To sum up, what is advertised and offered is Internet Access to counteract those long waiting hours, or to allow one urgent e-mail to be sent or a short chat to be conducted. In other words it addresses the need for communication, something people are always willing to pay (a lot) for. The specifics of this, who pays for it, who doesn't, how secure and reliable it is, are not considered (although they should be) important by either the provider or the majority of users, so everyone is happy at the end of the day.