Slashdot Mirror

← Back to Stories (view on slashdot.org)

How to Take Over a Train Station

Posted by timothy on from the just-add-colons dept.

ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."

7 of 356 comments (clear)

  1. Google HTML version available :) by LiquidCoooled · · Score: 5, Informative

    Here :)

    --
    liqbase :: faster than paper
  2. There is one silly error in an otherwise great art by drinkypoo · · Score: 5, Informative

    ...icle: "Unless something is done to force accountability for wireless devices, perhaps by recording ethernet MAC addresses (which are unique and hard-coded to a physical piece of hardware)" ... uh, no they aren't. Most devices allow you to change your MAC with impunity. Others can be hacked to do so, by tweaking their firmware. MAC addresses meant something back in the day when they were hard to change (it's never been impossible) but those days are long gone.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Re:There is one silly error in an otherwise great by molo · · Score: 5, Informative

    BTW, for windows, there is a great tool called MacShift that will allow you to randomize your MAC address. Just make a shortcut and run it before you connect to any wireless network, and you'll have a different one each time. No tracing there.

    -molo

    --
    Using your sig line to advertise for friends is lame.
  4. Re:accountability? by l2718 · · Score: 5, Informative

    By the way, instructions on how to change your MAC address on various operating systems may be found in the wikipedia .

  5. Re:There is one silly error in an otherwise great by Black+Acid · · Score: 5, Informative
    Your MAC address is (well SHOULD be) "unique and hard-coded to a physical piece of hardware". It is physically tied to your NIC, and you can not change it. What you can do however is change how it is represented in software, so that the other party never sees your actual physical MAC address, but the idea that you can actually change your MAC address is just plain wrong. Feel free to try, change the MAC, then switch the NIC to another machine and see if it retains the original or altered address.
    Of course, it all depends on the NIC, but I was able to flash my Orinoco wireless card's firmware, successfully changing its MAC address. My address was retained under Linux and Windows, so I assume it was physically changed. (I also was able to upgrade the Orinoco from Silver to Gold encryption, US to Japan frequencies, and change the serial number). Its true that most people who change the MAC really only change it in software, but its definitely possible to change it in hardware as well. Not that there is any reason to...
    --
    Tired of free ipod spam sigs? Opt ou
  6. Re:That's a stupid question by timeOday · · Score: 5, Informative
    They wouldn't let just anybody in the control room at Paddington station in London, would they?
    This is irrelevant. Nobody took over a train station; the story title is a lie. All they did was circumvent the payment system for wifi internet access and avoid paying an hourly fee for internet access. The fact that this was at a train station has nothing to do with the story, except making it read better.
  7. Not wireless by cgenman · · Score: 5, Informative

    Actually this is some very basic HTML hacking. He went to their service, which re-directs all new people to their home page. He directory surfed around the web server, and found a few dozen other sites, as well as the company's home page. He tried some very basic password combinations, (like test:test), and got control over some active sites. These sites included customer information and credit card databases.

    So really, the site that served images from an unobfuscated directory allowed the person to know what to look for, the directory was fully listed in a way that directories shouldn't. The passwords were very, very insecure. This had nothing to do with wireless security, but rather web services security, and basic things for security that people don't do.

    The passwords in the article, BTW, no longer function. At least, not form my remote machine. Anyone reading this from South Station wish to see if the passwords still work on-network?

    --
    The ______ Agenda