Transcript PPT - DC214
Hacking the Friendly Skies
DC214 - April 2006
Simple Nomad
nomad mobile research centre
Hello…
• SN is with NMRC
• SN is with Vernier Networks
• SN is jaded and bitter
Disclaimer: Why Not To Do This
• Legalities
• We have a bad enough reputation anyway
Agenda
•
•
•
•
•
•
Background
Attacking
Collected data
Conclusion
Additional In-flight Fun
The Future
Background
How This Started
•
•
•
•
•
Weather delays
Cancelled flights
Layovers
Gadgets and toys
Idle hands
There Is No In-Flight HotSpot
• Why are SSIDs called linksys, dlink, tmobile,
hpsetup, 2wire etc showing up where they are
clearly not?
• Can I talk to these devices?
• Can I attack these devices?
Airline Background
• 10,000 foot rule on using approved electronics
• No approved electronic devices during
takeoff/landing for one simple reason – to keep
your row clear in the event of an emergency
• This is the same reason you have to stow your
tray tables and put your seat back in its full
upright position
Attacking
Second Warning
• Don’t do this shit
• If you must, do it in the terminal
– During delays, there is more opportunity
Contributing Factors
• Laptops with built-in WiFi
• Excellent Windows wireless integration
• Connectivity friendliness of Windows in general
IPv4 Link-Local Addresses
• RFC 3927 – “Dynamic Configuration of IPv4
Link-Local Addresses”
• If DHCP fails to provide an IP address, interfaces
with Link-Local configurations will auto-assign an
address in the 169.254.0.0/16 range
• Link-Local is on by default on all interfaces on all
Windows platforms, including wireless interfaces
Microsoft Implementation of
RFC 3927
•
•
•
•
•
Example here is XP
Start -> Connect To -> Show all connections
Right click on wireless connection
Internet Protocol (TCP/IP) -> Properties
Two things to look for (and they are the default)
– General -> Obtain an IP address automatically is checked
– Alternate Configuration -> Automatic private IP address is
checked
• These two together help spell disaster
• Details of Microsoft’s implementation under the covers
are in RFC 3927 in appendix A.4
The Magically Appearing SSID
•
•
•
•
•
•
•
•
•
User boots up laptop
Wireless is enabled
Ethernet is disconnected, a (short) timeout occurs
Wireless is enabled, tries to find “default” SSID
Default SSID is not found, no DHCP server answers, Link-Local
is used
IP address is assigned from 169.254.0.0/16 range per RFC 3330,
this is APIPA (Automatic Private IP Address)
Built-in laptop becomes an ad-hoc network using “default” SSID
PC now says it is “tmobile” or “linksys” or “dlink”, and broadcasts
its SSID as such
How?
Magically Appearing Networks
• Users boot up laptops
• The first one up becomes the potential “SSID leader”
• As additional laptops come up and can’t find their
default (re: last) SSID to connect to, they may or may
not connect
• Windows stores all SSIDs you have connected to in
Registry
• If you have the SSID leader’s beaconing SSID in your
Registry, you could connect
• Even if you don’t, if only one SSID around, you could
also connect
• Wee, automagic little clusterfuck of targetry goodness
• Multiple SSID leaders can emerge, hours of attack fun!
Warning From RFC 3927
• From RFC 3927, section 5, paragraph 3:
NOTE: There are certain kinds of local links, such as
wireless LANs, that provide no physical security. Because
of the existence of these links it would be very unwise for
an implementer to assume that when a device is
communicating only on the local link it can dispense with
normal security precautions. Failure to implement
appropriate security measures could expose users to
considerable risks.
Authors of RFC 3927
Network Working Group
Request for Comments: 3927
Category: Standards Track
S. Cheshire
Apple Computer
B. Aboba
Microsoft Corporation
E. Guttman
Sun Microsystems
March 2005
Oops!
Attack Time
• Attach to that “tmobile” Ad-hoc Peer-to-Peer network
• If Windows, make sure YOU have Alternate Configuration
hard-wired to a 169.254.0.0/16 address
• If Unix, assign yourself a 169.254.0.0/16 address
• Get victim laptop’s IP address
– ARP for it, sniff (it is Windows, it will eventually chat NetBIOS to
you), etc
• Ping it, you may have to set up a default route on Unix
• Nmap, Nessus, dsniff, Cain & Abel, Metasploit
Framework, etc etc
• ()wnage, biatch
Attack Time on Short Flights
• Configure a DHCP server on your laptop
• Attach to that “tmobile” Ad-hoc Peer-to-Peer
network
• Give victim his laptop’s IP address
– APIPA/Link-Local systems will periodically check for a
DHCP server
• Nmap, Nessus, dsniff, Cain & Abel, Metasploit
Framework, etc etc
• Quicker ()wnage, biatch
Attack Time Using KARMA
• Run KARMA on your laptop
• KARMA answers all SSID requests saying “yes, I
really am that SSID you’re looking for”
• Conceivably every laptop on the plane (or
terminal, or commuter train) could be
compromised
• Thorough ()wnage
KARMA by Dino and K2 http://www.theta44.org/karma/
Don’t Forget To Sniff
• SMB traffic including cached creds etc
Evil Fake AP
• Do “recon” with laptop, PDA etc in terminal
waiting for flight
• Determine most popular SSID
• Set up fake AP with that SSID
• Offer up a DNS server
• Resolve EVERYTHING to your address
• Hello LM/NTLM hashes
Add Honeypot Technology
• Sniff for probes to IMAP/POP3
– Remember, you DNS server will say you are that
server
• Run Honeypot mail server
• Accept (and log) every user and password
Idle Hands
• Change background image
• Find pr0n on target, make that the background image
– You’re backdoored the system, literally
• Launch MP3s with Parental Advisory lyrics
– Rap, death metal, industrial (make a political statement)
– Launch when cluebag goes to the lavatory for maximum effect
• Launch MP3 real loud that says, “wow this porn is hot!” and then
launch hot .avi, .mpg, or .wmv
• Launch MP3 that says, “how much for a lavatory quickie, bitch?”
during the drink service
• Install a server and serve up pr0n to the rest of the aircraft
– Repeat earlier bullet item on multiple machines
• Cover your tracks! Upload your tools, attack other machines, then
attack your own machine (plausible deniability)
Collected Data
Atlanta, GA Midweek
• Largest city in the region, lots of businesses
• Weather delay, sat on tarmac in DFW ½ mile from
terminal for 1 hour while thunderstorm passed
• MD80 aircraft, half full flight, 8 laptops out and running
• 2 ad-hoc networks
• 3 live targets, 2 Windows XP, 1 Windows 2000
– Windows XP fully patched with firewalling
– Windows 2000 vulnerable to MS05-039
Charlotte, NC Midweek
• Heavy banking/insurance town
• Weather delay, target-rich environment in Charlotte
(dozens of ad-hoc networks) at the gate before flight
• MD80 aircraft, full flight, 12 laptops out and running
• 5(!) ad-hoc networks
• 5 live targets, 2 Windows XP, 1 Windows 2003, 2
Windows 2000
– Only Windows 2003 fully patched with firewall
– Rest vulnerable to MS05-017 and/or MS05-039
ToorCon 7 Return Flight,
Monday Morning
• In terminal, very few laptops out (it was fucking 6am),
only 1 ad-hoc network named tmobile
• 757 aircraft, full flight, 22 laptops out and running
• 1 ad-hoc network formed named 249143
• 2 additional nodes had attached to it (apparently clueless
they had done so)
• 3 live targets - 2 Windows XP, 1 Windows 2000
– Windows 2000 vulnerable to MS05-039
• Dlink technician (no I am not making this up, overheard him talking)
– Windows XP Pro, vulnerable to MS05-017
– Windows XP at SP1, vulnerable to MS05-017
• This guy was across the aisle, VP of a physical security company,
w00t!
SJC - DFW, Tuesday Afternoon
• In terminal, 5 laptops out, 3 ad-hoc networks, 1 named
linksys
• MD80 aircraft, half-full flight, 14 laptops out and running
• 4 ad-hoc networks named MSFTWAN, GoldenTree, Fly
Aloha, and orange
• Orange had WEP turned on (?)
• 4 live targets – 2 Windows XP Pro, 2 Windows 2000
– Windows XP Pro firewalled, probably SP2 (orange), fingerprinted
using visual reconnaissance
– Windows XP SP0 or SP1, patched up but 2 open shares (one
had pr0n)
– Both Windows 2000 vulnerable to MS05-039
– 1 Windows 2000 had a web server running
• MSFTWAN? Certainly not….
Best Target Locations
• Airline 31337 Flyx0r clubs, but this is regular laptop-tolaptop hacking
• Business commuter flights
– Early Monday flights are best
– Major business hauls
• Eg LGA – DCA, EWR – BOS, ORD – LAX, HOU – ATL especially in
and out of high tech areas
– Get a seat near front part of coach
• Road warriors request these seats in advance to get off the plane
quicker
• Aircraft with limited power outlets usually have outlets there
• Better able to visually shoulder-surf during recon phase, helps with
OS detection
• Flights with lower passenger loads will have road warriers in First
Class due to upgrades
Contributing Factors
• Bad weather/delays means increased laptop
usage in terminal
– Rain dance or l33t weather-controlling satellite
ownage can help you
• Certain airports have no wireless
– Charlotte, NC for example
– Virtually all non-WEP/WPA SSIDs are ad-hoc
Conclusions
Why This Happens
• Configuration for talking to infrastructure, no problems
• Once you can’t find infrastructure linksys or tmobile, you
will attach to ad-hoc versions if available
• From this point on you will auto-assign an ad-hoc
network with that SSID
– It is a configuration “virus”, currently operating in the wild
What’s Bad
• Alternate Configuration on wireless
– Turn off your wireless, bad monkey, no banana
– It should be off unless really needed
• Works wherever sheeple laptop users gather and there is
no wireless (hotels and convention centers without
available wireless, commuter trains, etc)
What’s Good
• Easy workarounds
– Turn off your wireless connection when not in use (duh)
– Set your wireless to only talk to infrastructure networks
(advanced settings)
– Personal firewalls will help, and on XP SP1 or later make sure the
firewall is on
– WEP on an adhoc network is possible
• Per the Microsoft Security Response Center, patches will
be included in the next service pack releases to prevent
the auto-advertising of adhoc networks
– In spite of lame nature of attack (and it is pretty lame), Microsoft
took it seriously
Quick WiFi Detection for
Passengers and Flight Crews
• Digital Hotspotter (<$100) will detect signal
strength, show SSID, encryption or not, and
channel
• Kensington WiFi Finder Plus (<$30) will detect
the presence of WiFi and Bluetooth
Additional In-Flight Fun
In-Flight Phones
• Verizon Airfone (formerly GTE Airfone)
– On most major airlines (not AA though)
– Hours of dialing random 3-digit numbers to
see where you get to
– 14.4k modem
– Expensive to use
• With a Verizon Wireless account, it is $10 a month
plus $0.10 a minute, otherwise $0.69 a minute
In-Flight Internet
• JetConnect
– A part of Verizon Airphone
– Seen on Delta, US Airways, United,
Continental, a few others
– Features include IM and email
– Use your own IM service and “tunnel” access
for SSH etc
The Future
FCC vs. FAA
• FCC says cell phone/wifi is ready for use on planes
• FAA has still not approved the technology
• Without push from the airlines, the FAA is unlikely to
budge soon
• AA, United, and Delta were ready to start the push for
pico cell-based cellular service on airplanes in 2001
– Unfortunately 9/11 happened and they all lost money, and the
technology is very expensive
• Watch the cellphone usage issue for planes (1/5 the cost
to implement), wifi will follow
• Last “cellular interference” study to be concluded in 2006
Flying With Big Brother
• DHS and DOJ both want the ban on cellphone/wifi on
planes to remain in effect
• If implemented, DHS and DOJ want the ability to monitor
ALL traffic
– Prevent cabin-to-cabin/air-to-ground/air-to-air terrorist
coordination
• This added measure would increase the cost of
implementing the infrastructure immensely
Inflight Broadband Basics
• Available now on limited flights
– Non-US carriers
– Overseas flights only
• Typically private class C for passengers
• Uses a combination of satellites and 5 ground locations
to move packets back and forth
• Approximately $30 USD for unlimited usage during a 6+
hour flight
Inflight Broadband Adopters
• Three Vendors
– Connexion, Tenzing (SMS, email only), and Sky Way
• Various airlines are involved
–
–
–
–
–
–
–
–
British Airways
Japan Airlines
Lufthansa
SAS
Singapore Airlines
Nippon Airways
Southeast Airlines
Executive Charter
Inflight Broadband Issues
• Expensive to implement (roughly $400k per plane)
– US-based airlines are not buying it
• Currently little to no security implemented
– Security solutions cost extra, and the airlines aren’t buying it
• Disputable legality of in-flight air-to-air or air-to-ground
hacking
– Attacker in 15A, victim in 17D – mid-Pacific/Atlantic and who is to
blame?
– You are over international waters, no clear jurisdiction
– Think “cruise ship enters international waters, the casino now
legally opens”
– Does this apply to laptop-to-laptop hacking mid-flight?
Additional Inflight Issues
• Windows CE 2003 and Boeing Aircraft
– As we speak Boeing is disabling Bluetooth, which was enabled
by default
– No I am not kidding, Windows CE
• WTF!? Bluetooth??!? Windows CE!!?!
– Can you say “backdoor” so ground personnel can land a hijacked
plane via AutoLand and/or RoboLander?
• Imagine a terrorist with a Bluetooth gun aimed at a plane
after take-off
• Imagine an instruction of “please go to -2000 feet in 15
minutes kthxbye”
• Have a safe next flight!
Thanks
FIN, Biatchez
Thanks to NMRC folks for feedback
Photo session by Duy Nguyen and Amy
Lee Muir
Art Manipulation by Weasel
NMRC Fetish Model – Bethany
Images © 2005, 2006
NMRC www.nmrc.org