How to Take Over a Train Station

ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."

That's a stupid question

[Rosco+P.+Coltrane]

Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems?

Well, would you expect railroad company employees to be any smarter about computer things than your average Joe Blow surfing the innurnet down the street?

I'd be more surprised to find open hubs around, say, Linksys buildings. But then again, only slightly more surprised, mind you.

Re:That's a stupid question

[Kris_J]

WTF? I would expect the IT Department of any given company to be smarter about computer things than your average Joe Blow. Who do think installs this stuff, the CEO, a secretary perhaps, maybe the cleaners?

Re:That's a stupid question

[imogthe]

So would I. And I would expect a policeman to know the law to the lette and a doctor to know everything there is to know about the human body. I would expect the meter maids to never get a parking ticket and a chef to always make fantastic food.
But guess what? All these people are like you and me. Yes, better educated within their particular field but still as fallible(?) as any other person. A cop on the beat will not know about IP law. A doctor will have specialised in a particular field of medicine. Anyone could misjudge the meter and the guy with the hot dog stand could serve you food that will kill you.
Until recently I (kind of) had all these expectations. That changed when I started my education as a network engineer and looked into doing practice work with the university IT department. Know what? They are just regular guys. They go for a pint after work on a friday. They do normal stuff all the time and they are not ubermensch as we like to think. Not all companies can afford to employ the cream of the crop in all departments. After all, a company's main purpose is to MAKE MONEY. Everything else comes second. This includes the computers and IT infrastructure. If 10Mb ethernet can do, it will have to do and if an unsecure wi-fi access point can do, I suppose it will have to do too.

I suppose my point is that you may not be too far off saying the cleaners were involved in the IT rollout. In the real world we all wear many hats, some better fitting than others.

Re:That's a stupid question

[Kris_J]

Great logic there. "Expert X isn't perfect, therefore they're no better than the average idiot." This is just bizzare.

Re:wireless is insecure?

[krisp]

Nah, this shouldn't be news anyway. When you can get control of the arrival/departure boards and track switch control from your laptop on the wireless, then it will be news. Until then, the title is misleading!

What a waste of bandwidth

This person merely tried common tricks to expose the network settings. Here's a summary:

1.) Try the default login/password combination and make some educated guesses.

2.) Look at the source code of web pages.

3.) Don't be an idiot admin and leave your system wider than your momma.

Not just wireless

[fred911]

Sure wifi allowed access to the start page, but the same weakness (lam0r administration) would show up on lets say a wired public terminal. Wifi just makes criminal actions so much harder to catch.

Such strange attitudes

[QuantumG]

I've always found the mentality of computer security experts quite strange. It must be the effect of unix. For those who never had the experience of using a "user" account on a unix box as their sole source of computation, let me explain. Basically you're required to log into the machine. After that you can do anything you want. The unix kernel will ensure that no user can affect any other user unless that user permits it. It's this attitude of "anything that is not denied by the kernel is permitted" that I really don't get.

At first this wasn't entirely the case. Consider, for example, copying all the files from /usr/bin to your home directory 1000 times. Back in the old days that would be enough to fill up the harddrive which would quickly stop other people from using the system. You could affect other people, the kernel didn't stop you, so it must be allowed right! Well no. You're wasting resources and being an asshole. But rather than put a sign on the wall that said "please don't waste disk space" someone decided this was a "security" issue and implemented disk quotas into the kernel. Now you can't affect other users by using up all the disk space.

Consider the "fork bomb" issue. For those who don't know, this is just like using up all the harddrive space, except instead of disk you're wasting memory. A fork bomb will quickly bring an older unix machine to its knees, and back in the days when I had the joy of sharing a unix lab with other students, a fork bomb would go off at least twice a day. Why? Cause if the kernel permitted it, it must be ok right? Now there's protections in most kernels just to detect a fork bomb and stop it.

Such a strange way of thinking. Thankfully most unix users do not try to apply this attitude to the real world. If there were to see the police or the government as some kind of kernel they might be surprised to find that they could kick over granny in the street or go ballistic with an automatic weapon. The police didn't stop me, it must be ok, right?

Just to bring this long post back on topic: just because you can take over the wireless internet of a train station, doesn't mean you should do it. It doesn't mean that it is permitted. There doesn't need to be a failsafe kernel monitoring and stopping every undesirable action that you can possibly perform. We can live with people being able to break the rules. It's called freedom.

Re:Such strange attitudes

[gehrehmee]

You're missing the point.

It's not about pranks.It's not a question of what the reviewer should and shouldn't do.

It's a question of what he could do, and therefore what someone with malicious intent could do. Expecting people's actions to just natually blend into the common good is great and all, but it's simply not going to happen. There's a reason for police there's a reason for locks on doors, there's a reason for computer security, and there's a reason I don't leave my lunch out when my cat is in the room. Somebody's going to take advantage, and I'm going to get screwed.

Re:Such strange attitudes

[OG]

I find it strange that you find it strange. In the reality I inhabit, there are people all over the place who are ready to take advantage of a situation because they see fit. Not everyone has the same set of ethics you do, and it's only smart to try to protect yourself and your property. Some scientists even theorize that nature keeps a certain number of those people around to help maintain a balance. You may be ready for a utopian world, but most other people on our planet aren't.

Re:Such strange attitudes

[putaro]

The author raised good points - not only is the system insecurity a problem for the owners but also, in all likelihood, it is a problem for all of the users because if you use the system the way you're supposed to and pay with your credit card the database for the credit card is probably accessible.

Every type of security involves a series of compromises between risk and effort. Most businesses keep their cash in a cash register with someone watching it, not in an open box next to the door.

The result of people being able to "break the rules" in computer security is not freedom but chaos. Viruses, malware and spyware are all the result of other people being able to break YOUR rules in YOUR computer (well, I assume you have a rule against people doing naughty things on your machine).

Being able to break "laws" is what freedom and responsibility are about. Having mechanical enforcement of all of our laws would be called a police state. Having locks on your doors is not.

Re:Such strange attitudes

[AJWM]

Do you lock your front door? Leave your keys in the ignition? If you really don't understand the attitude, and are not merely saying that for the sake of a post, then you don't lock your front door and you do leave your car keys in the ignition (without locking the car doors).

It is certainly not permitted for random strangers to enter your house or drive your car, so why worry about locks? Leaving doors unlocked and car keys in the ignition is much more convenient.

I suspect you understand this attitude far more than you pretend. And no, the attitude of most users is not that you can do these things if it isn't physically prevented -- just as most people are basically honest and won't trespass or steal your car. It's the few assholes you have to be on guard against. Recall the price of freedom.

Re:Such strange attitudes

[StikyPad]

It's not about pranks.It's not a question of what the reviewer should and shouldn't do...There's a reason for police there's a reason for locks on doors, there's a reason for computer security, and there's a reason I don't leave my lunch out when my cat is in the room.

It's all about what you should and shouldn't do.

Understand something: Police aren't around (at least in the US) to PREVENT crime, they're there to respond after the fact. Locks don't prevent theft; they merely deter the casual person from entering a space, or making off with a bike, or a laptop, etc. Anyone who's determined to do something can usually find a way to do it.

You might be surprised to learn that most physical security isn't really about preventing unathorized access, it's about deterring people from trying. Security guards aren't some super-vigilant breed of human that can focus their attention on every detail of a situation for extended periods of time. They might be looking around with a suspicious expression (if they're really gung-ho, and not reading a magazine), but they're almost definately thinking about something unrelated.

So why do we expect better from software that's been written by people? If someone wants to gain access to a system, they will. It's all about posturing and setting up an interface with a "secure feel," just like the security gate at a building. Sure, you don't just leave the gate open and let the guard leave the station unattended, but there comes a point where you're expending more resources by keeping a facility secure than you stand to lose by having the facility compromised.

I'm not trying to make excuses for wanton disregard of basic practices.. there's no point in having a gate if you have no fence after all. But to expect any security to be bullet-proof is being unrealistic.

Re:Security Risk

[LurkerXXX]

Psst. Read the article. It has zero to do with WPA or encryption. It has to do with bad programing, bad passwords, and general bad administration.

Re:wireless is insecure?

[Colven]

I don't know, I think it's news. I create very similar sites, so hearing about things like this is extremely helpful to my practices. And it could serve as a wake-up call to others who might be slacking.

And, if their web site is that insecure, what makes you think their other systems (electronic and other) aren't similarly flawed?

Regardless, what I would really like to hear is the behind the scenes stories from all companies involved.

Tread carefully!

[bogaboga]

Tread carefully my friend! You are in the US, where frivolous law suites can be filed anytime, against anyone.

You will be caught and be fined heavily! Just ask the other teenager how fun sitting in court was. This is not to mention damage to your entire professional life (I assume it exists).

Slashdotters here might encourge you, but remember that you will be sitting in the dock alone. In other words, you will be answer for YOU. Now before I get modded down, I be to remind whoever might read this that what I am saying is FACT.

Of Astroturf and Grandstanding

[SuperBanana]

Ignoring the grandstanding title and the fact that the author astroturfed his own "article" and site, here's a quote:

A more farfetched, but very real possibility, is that computers or workers at airports and train stations also use these same networks to make everything tick. If that is the case, it might be possible for an intelligent high school student to start changing train timetables or rerouting baggage.

And his evidence for this is, what? His own personal opinion? He's been watching Hackers too much if he thinks the schedule board at South Station is networked; it's a -flip- chart (seriously, stick around for 5-10 minutes, and watch it update itself). I'd be amazed if it had anything better than a dedicated thinnet connection to an ancient PC. It's not like some kid with mad h@x0r skills is going to go bippity-boop and put up "TRAIN TO FUCKVILLE 4:20". No. That happens in Hollywood, where people "launch the genetic algorithmic viral defenses!". It does not happen in the real world.

There are a lot of cheap shots and snide remarks aimed at "The Guvmint", "The Man", etc. This guy sounds like he's about 19, not to mention he's just admitted to logging into places he knew he didn't belong AND changing settings (he changed the back, but still...) Sounds like a great federal inditement to me.

Some googling shows he's in his very early 20's(graduated from Harvard in 2004 in "3 years", which means he's maybe 21 now), runs some consulting company. Sounds like he's just out to promote his business like every other story submitter these days...

Re:who did you tell?

[ScrewMaster]

And why the hell should he have? This isn't his problem, or his network. I think he was being generous and responsible trying to inform any of the interested parties. And besides, given the FBI and Office of Homeland Security's utterly irrational (and often ignorant) stances on this sort of thing he would probably have found himself up on terrorist charges for what was basically a Good Samaritan action. He took a risk even trying to inform the phone company about the issue, because it's often easier to just call the FBI and shift the blame onto the individual making the report. "It wasn't us, our network is secure, he must be some kind of genius hacker like you see in the movies." And that is ridiculous, but actually fairly common.

Imagine you're an admin and somebody reports that you left the entire network wide open, that at least thirty different businesses' private customer data is in a compromisable position, all due to your incompetence. What are you going to do? Admit it? Hardly ... if your boss doesn't know about it you'll fix it quietly, especially if you have no way to tell if anything was taken. On the other hand, if upper management comes down on you, you'll try to deflect the issue to preserve your job. Besides, if the FBI wanted to play this smart, they'd have a truly anonymous hotline where these kinds of things could be reported, and then the FBI (who, after all, can do pretty much whatever it wants to nowadays) could verify the report and notify the organization responsible. Trust me: that would make that train company sit up and take notice in a way J. Random Hacker's report never would. It's gonna happen, people are going to fool around with those nifty new WiFi toys and the vast majority won't do anything to anyone. Criminalizing them isn't going to help. But it will destroy lives that really don't deserve it (if you don't believe me, ask anyone who has taken a journey through the United States Justice System. It's a different world that you're used to, innocent until proven guilty is a distant concept to those people, and even if you are ultimately proven innocent you don't come out the same person.)

The fault lies with the admin of the network, and if you ignore smart users that try to help, you deserve what happens when a real criminal comes along, downloads and sells all your customers' credit card info and then trashes your network.

Fact is, laws against what this man did are useless ... worse than useless because crooks (the bulk of whom aren't even in the U.S.) are unconcerned about them, and the honest types who happen to spot something while sitting around bored in a train station will be afraid to report it.

Re:wireless is insecure?

[Talinom]

And it could serve as a wake-up call to others who might be slacking.

I wish I could believe that.

What will probably happen is they get hacked and any problems that arise will be considered a terrorist act. The company will get all sorts of sympathy from the unknowing public while the perp goes to federal "pound him in the ass" prison and owes $4 Billion in damages. The CEOs of the company will denounce the act, get fat bonuses, jump ship, and might even throw a quarter at the problem on their way out the door.

But I feel that last part is overly optimistic.

mmmkay...

[Infinityis]

You know what I find creepy...not so much what this guy did, but if you look at all the posts proclaiming "This guy is a felon, lock him up" it's almost ALL done by Anonymous Cowards. Makes me wonder who all is doing it. Might just be one guy posting over and over and over, or it could be some hired hands trying to make a statement.

Either way, I'd like to see a followup to this at some point stating what happens with the guy next:

"Does he really get arrested, or is he hired on by wireless network providers? Stay tuned to find out!"