Two Wheeled Wi-Fi Sniffing Robot

paulnuyu writes "ZDNet/MSN has an article about a robot that detects Wi-Fi vulnerabilities and intrusions. The two wheeled robot made by the Shmoo Group cruised around the DefCon convention in Vegas last Sunday, picking up telnet and POP passwords. Though still a prototype, the shipping version is projected to have autonomous steering capabilities."

Telnet and POP?

[mjmalone]

Currently, Holman said, the robot can sniff out passwords sent through protocols such as Telnet and POP

If anyone is still using plaintext to send passwords over their lan they are insane. I know there are a lot of stupid admins out there, but getting ssl and ssh installed should be a priority. Before you try and secure your wireless network segment you need to begin using secure protocols.

Re:Telnet and POP?

[lavorgeous]

I agree -- most non-geeks shouldn't have to worry about such things (and likely don't even know that they might need to).

But DefCon isn't an average-joe situation -- I'm amazed that the attendees at a conference like DefCon wouldn't know better than to wander around a conference filled with other geeks surfing/mailing/etc over WiFi without at least using SSH.

Bait, and false sense of security

[SuperBanana]

If anyone is still using plaintext to send passwords over their lan they are insane.

Did it occur to anyone that maybe those passwords were bait? No better way to catch a scriptkiddie than to make him think he's hit a goldmine. He runs home, logs into that honeypot, and the cops are on his doorstep the next day. Do not pass go, do not collect $200, 'd00d'.

I know there are a lot of stupid admins out there, but getting ssl and ssh installed should be a priority. Before you try and secure your wireless network segment you need to begin using secure protocols.

Just a sidenote, but POP itself isn't insecure auth-wise, and neither is telnet. POP3 supports APOP, which uses CRAM-MD5 to encode the password, and is rather secure. Telnet is installed on most linux systems now with kerberos support.

There's nothing particularly secure about SSL or SSH either- unless you've spent several hundred dollars on a cert(for SSL) signed by one of the major CAs, or you have your system with you, and you trust that cert. Walking up to a workstation and logging in to your webmail over https from your home box, when you see that "is this cert ok?" you really have no idea.

It's a little better for SSH- smart SSH users have a printout of their system's fingerprint so they can quickly compare the two, before clicking "yes"...but too many people just blindly click "Yes", and that's your greatest risk right there. Not to mention, that copy of putty on that innocent looking windows box could be trojaned by the last conference guest to use it...etc. etc.

Ultimately, the most secure method is having your own hardware that by mere physical availability can't be tampered with very easily. Your system already knows what SSH fingerprints to trust, it already knows what SSL certs are cool, there's no real danger of keylogging...oh, and you can set up a full-blown VPN connection so nobody can even tell what you're doing.

huh??

[iamhassi]

wireless networks aren't carpets that need constant cleaning: they don't develop vulnerabilities over time. It's either secure or it's not. Once the network is secure you don't need to keep checking if the network is secure, so what's the point of a robot that constantly checks wireless security?

Laptops change that

[billstewart]

Sure, access points don't just pop up, and if they've been secured, they'll probably stay secure. And desktop computers are relatively stable. But people get new laptops all the time, and add WiFi cards to existing laptops (especially when they're adding wifi to their home networks), and laptops get their settings messed up all the time.