How to Take Over a Train Station
ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."
News at 11.
Here :)
liqbase
Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems?
Well, would you expect railroad company employees to be any smarter about computer things than your average Joe Blow surfing the innurnet down the street?
I'd be more surprised to find open hubs around, say, Linksys buildings. But then again, only slightly more surprised, mind you.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Should you not tell anyone and get free wireless for life, or just goatse everyone?
Please remain where you are. The Department of Homeland Security has already pinpointed your location, and agents will be arriving shortly. Resistance is futile.
Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
Summary: here's documentation of my illegal access to a system, please prosecute me, thanks.
no more running for trains - use your ipaq as a remote control for your very own train set.
and close the doors when you are all the way through
next stop: home
...icle: "Unless something is done to force accountability for wireless devices, perhaps by recording ethernet MAC addresses (which are unique and hard-coded to a physical piece of hardware)" ... uh, no they aren't. Most devices allow you to change your MAC with impunity. Others can be hacked to do so, by tweaking their firmware. MAC addresses meant something back in the day when they were hard to change (it's never been impossible) but those days are long gone.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
RTFA. He tried to contact the administrators, and was given the cold shoulder. They even suggested reporting himself to "abuse".
Without a proper flamewar, Anonymous was undecided on what shell to run.
I recommend telling Charlie. With internet access he could start a Dot Com and finally earn that nickel he's been needing.
All your trains are belong to us!
This person merely tried common tricks to expose the network settings. Here's a summary:
1.) Try the default login/password combination and make some educated guesses.
2.) Look at the source code of web pages.
3.) Don't be an idiot admin and leave your system wider than your momma.
Sure wifi allowed access to the start page, but the same weakness (lam0r administration) would show up on, let's say, a wired public terminal. Wifi just makes criminal actions so much harder to catch.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
When you can play with the real thing?
Very good article. However, one of the author's ideas for improving security doesn't actually hold water. The problem is to verify the identity of people being assigned dynamic IP addresses on a wireless network. He proposes
"... to force accountability,"
Actually, most network cards allow you to set the MAC address by software if the factory one isn't good for you. For example, this is needed for drop-in-replacement functionality.
He's doomed. If he or his wife can't figure out that she should bring him the nickel instead of a sandwich as the train goes by, he deserves to be stuck down there.
Besides, the election's over anyway. I don't think Riley won.
Java: the bastard demon spawn of C++ and Ada
Did you refund your friend's tickets?
Cloned foods give the statement "We had that last week!" a whole new meaning.
Unless you are a journalist. With the Patriot Act, you are not allowed to expose weaknesses like this in such an irresponsible fashion.
This fella just cracked the "wireless" router put in place for patrons; he didn't break into the train station's systems. The title should be changed. Also, his writeup is, well, boring (and obvious); like, I found a wireless router in a similar state about a year ago in a coffee house. Unlike him, I didn't poke around, I reported the issue directly, called the programmers involved and got them a bit admonished.
At first this wasn't entirely the case. Consider, for example, copying all the files from /usr/bin to your home directory 1000 times. Back in the old days that would be enough to fill up the hard drive, which would quickly stop other people from using the system. You could affect other people, the kernel didn't stop you, so it must be allowed, right! Well, no. You're wasting resources and being an asshole. But rather than put a sign on the wall that said "please don't waste disk space" someone decided this was a "security" issue and implemented disk quotas in the kernel. Now you can't affect other users by using up all the disk space.
Consider the "fork bomb" issue. For those who don't know, this is just like using up all the hard drive space, except instead of disk you're wasting memory. A fork bomb will quickly bring an older unix machine to its knees, and back in the days when I had the joy of sharing a unix lab with other students, a fork bomb would go off at least twice a day. Why? 'Cause if the kernel permitted it, it must be ok, right? Now there are protections in most kernels just to detect a fork bomb and stop it.
Such a strange way of thinking. Thankfully most unix users do not try to apply this attitude to the real world. If they were to see the police or the government as some kind of kernel they might be surprised to find that they could kick over granny in the street or go ballistic with an automatic weapon. The police didn't stop me, it must be ok, right?
Just to bring this long post back on topic: just because you can take over the wireless internet of a train station, doesn't mean you should do it. It doesn't mean that it is permitted. There doesn't need to be a failsafe kernel monitoring and stopping every undesirable action that you can possibly perform. We can live with people being able to break the rules. It's called freedom.
How we know is more important than what we know.
Well, this is the product:
guestBOX
And... this is the company:
Atlantis Technology Corporation
So, all that research... and it never occurred to you to contact the vendor? Granted, maybe these are so plentiful some re-seller or VAR put it in there... but you didn't make mention of that line of thinking (or was this not the whole PDF?) so.... sorry, that's just sounding a little on the lame side.
Now, if they scoffed or blew you off at that point, okay maybe... but still. You knew the company from just looking at it. Did you try to contact them? I think that would be more telling than surfing through open Indexing on a web server like a kid curl'ing porn images.
http://fudge.org
BTW, for windows, there is a great tool called MacShift that will allow you to randomize your MAC address. Just make a shortcut and run it before you connect to any wireless network, and you'll have a different one each time. No tracing there.
-molo
Using your sig line to advertise for friends is lame.
Psst. Read the article. It has zero to do with WPA or encryption. It has to do with bad programing, bad passwords, and general bad administration.
Using this, set their access to $-100 (Negative 100) per hour, so that you get money every hour instead of having to pay it. This will surely attract business to the station.
-Palal
Well, it does say he tried to contact Cincinnati Bell, but it says nothing about GuestBOX or the train people.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Sounds like a fun time. Pity I'm stuck wardriving in Redmond.
For those who don't get the joke, look here.
Let me tell you the story
Of a man named Charlie
On a tragic and fateful day
He put ten cents in his pocket,
Kissed his wife and family
Went to ride on the MTA
Charlie handed in his dime
At the Kendall Square Station
And he changed for Jamaica Plain
When he got there the conductor told him,
"One more nickel."
Charlie could not get off that train.
Did he ever return,
No he never returned
And his fate is still unlearn'd
He may ride forever
'neath the streets of Boston
He's the man who never returned.
Now all night long
Charlie rides through the tunnels
Saying, "What will become of me?
Crying "How can I afford to see
My sister in Chelsea
Or my cousin in Roxbury?"
Charlie's wife goes down
To the Scollay Square station
Every day at quarter past two
And through the open window
She hands Charlie a sandwich
As the train comes rumblin' through.
As his train rolled on
underneath Greater Boston
Charlie looked around and sighed:
"Well, I'm sore and disgusted
And I'm absolutely busted;
I guess this is my last long ride."
{this entire verse was replaced by a banjo solo}
Now you citizens of Boston,
Don't you think it's a scandal
That the people have to pay and pay
Vote for Walter A. O'Brien
Fight the fare increase!
And fight the fare increase
Vote for George O'Brien!
Get poor Charlie off the MTA.
Chorus.
The song is so catchy, it's a shame the guy didn't get elected. Or maybe not, or we'd have elections with theme songs. Wait, we do. Crap.
Maybe somebody shouldn't link to stories using document standards that commonly kill all other processes while a single page loads and throws up a splash screen, that could have easily been put into HTML and not have this problem.
Artist will always make art.
You will be caught and be fined heavily! Just ask the other teenager how fun sitting in court was. This is not to mention damage to your entire professional life (I assume it exists).
Slashdotters here might encourage you, but remember that you will be sitting in the dock alone. In other words, you will be answering for YOU. Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT.
You've swallowed the Patriot Act and OHS' line all the way, haven't you? There are such laws ... but that doesn't make them right, just or reasonable, nor does it make the story's poster a terrorist or a vandal or anything else. He's really more akin to a passerby that noticed that you had left your premises wide open, and tried to tell you about it. He apparently tried to report the security failure to the responsible parties but was brushed off. So now they are doubly responsible for having the failure in the first place, and then failing to do anything about it when informed.
By your rather low standard of evidence, it seems, if I accidentally accessed my neighbor's unsecured wireless LAN I should be cuffed and sent to jail? Please. Let's leave the totalitarian laws for the totalitarian nations of the world, and put responsibility where it is due. And apparently he didn't pick the lock
... there was no lock. There may be some expectation of privacy on the part of the wireless LAN's owners ... or there may not. So let's everybody lock our own doors, secure our own LANs, and keep the handcuffs for actual crooks.
The higher the technology, the sharper that two-edged sword.
While the use of default router passwords is of course stupid, it's important to think about what exactly this situation really is.
What the author of this white paper really accessed is the admin interface of a wireless internet service provider. With this access, he/she could steal internet service or allow others to do so, or even obtain personal customer data, including credit card information, and use it for his/her own gain. While these are of course Bad Things, they really come nowhere close to constituting a national security risk. An inconvenience and a violation of state and federal law, yes, but a national security risk, no.
What would change things is if it were actually possible to access _train station_ systems through the wireless network. However, these systems are not configured this way. The wireless access is provided by a 3rd party provider that handles only pay-for-service internet access. Anything related to station services or railway control would be handled by its own separate network. The author of this white paper says nothing to indicate that it is possible to do anything that would touch train station operations or that would be of any use to terrorists in an attack on the "very important" nearby buildings.
Sounds like a whole lot of nothingness to me...
Ignoring the grandstanding title and the fact that the author astroturfed his own "article" and site, here's a quote:
A more farfetched, but very real possibility, is that computers or workers at airports and train stations also use these same networks to make everything tick. If that is the case, it might be possible for an intelligent high school student to start changing train timetables or rerouting baggage.
And his evidence for this is, what? His own personal opinion? He's been watching Hackers too much if he thinks the schedule board at South Station is networked; it's a -flip- chart (seriously, stick around for 5-10 minutes, and watch it update itself). I'd be amazed if it had anything better than a dedicated thinnet connection to an ancient PC. It's not like some kid with mad h@x0r skills is going to go bippity-boop and put up "TRAIN TO FUCKVILLE 4:20". No. That happens in Hollywood, where people "launch the genetic algorithmic viral defenses!". It does not happen in the real world.
There are a lot of cheap shots and snide remarks aimed at "The Guvmint", "The Man", etc. This guy sounds like he's about 19, not to mention he's just admitted to logging into places he knew he didn't belong AND changing settings (he changed them back, but still...). Sounds like a great federal indictment to me.
Some googling shows he's in his very early 20's(graduated from Harvard in 2004 in "3 years", which means he's maybe 21 now), runs some consulting company. Sounds like he's just out to promote his business like every other story submitter these days...
funny...xpdf doesn't do that on my box. Which kernel version are you running?
And why the hell should he have? This isn't his problem, or his network. I think he was being generous and responsible trying to inform any of the interested parties. And besides, given the FBI and Office of Homeland Security's utterly irrational (and often ignorant) stances on this sort of thing he would probably have found himself up on terrorist charges for what was basically a Good Samaritan action. He took a risk even trying to inform the phone company about the issue, because it's often easier to just call the FBI and shift the blame onto the individual making the report. "It wasn't us, our network is secure, he must be some kind of genius hacker like you see in the movies." And that is ridiculous, but actually fairly common.
Imagine you're an admin and somebody reports that you left the entire network wide open, that at least thirty different businesses' private customer data is in a compromisable position, all due to your incompetence. What are you going to do? Admit it? Hardly
... if your boss doesn't know about it you'll fix it quietly, especially if you have no way to tell if anything was taken. On the other hand, if upper management comes down on you, you'll try to deflect the issue to preserve your job. Besides, if the FBI wanted to play this smart, they'd have a truly anonymous hotline where these kinds of things could be reported, and then the FBI (who, after all, can do pretty much whatever it wants to nowadays) could verify the report and notify the organization responsible. Trust me: that would make that train company sit up and take notice in a way J. Random Hacker's report never would. It's gonna happen, people are going to fool around with those nifty new WiFi toys and the vast majority won't do anything to anyone. Criminalizing them isn't going to help. But it will destroy lives that really don't deserve it (if you don't believe me, ask anyone who has taken a journey through the United States Justice System. It's a different world than you're used to, innocent until proven guilty is a distant concept to those people, and even if you are ultimately proven innocent you don't come out the same person.)
The fault lies with the admin of the network, and if you ignore smart users that try to help, you deserve what happens when a real criminal comes along, downloads and sells all your customers' credit card info and then trashes your network.
Fact is, laws against what this man did are useless
... worse than useless because crooks (the bulk of whom aren't even in the U.S.) are unconcerned about them, and the honest types who happen to spot something while sitting around bored in a train station will be afraid to report it.
The higher the technology, the sharper that two-edged sword.
No, he contacted Cincinnati Bell, the ISP, because it was their programming error that caused the problem, so he says. In any event, you must live in a rather more totalitarian nation than the U.S. to make comments like that. So, we're going to lock up people who were trying to help because they're smart enough that they might someday do something bad? Or, perhaps, because they did it in a "bragging sort of way" which you personally might find offensive? Not that you know that was the case, anyway. Hell, a lot of the H1B's coming in from India should probably also be thrown in the hoosegow: some of them are damned smart and they, also, might do something bad, someday. Guilty until proven innocent, dispensing with due process ... please. We have enough of that already.
The higher the technology, the sharper that two-edged sword.
Most systems now limit the number of processes and threads on a per-user basis, meaning that your fork bomb eats up your space, but won't bring the entire system down.
The old DecNet required that all ethernet cards have the ability to change their MAC address. Part of the protocol, and you couldn't connect to DecNet unless you had the right MAC address (which was changed as part of the network protocol; you normally didn't change this manually).
Just in case a customer ever tries to use their chipset with DecNet, nearly all cards allow software to change the MAC address. Since all current chips have the ability, when designing a modification to the old chip it is easier to leave that ability in than take it out.
I don't know if anyone in the world still runs DecNet, but it isn't a chance network vendors are willing to take.
You know what I find creepy...not so much what this guy did, but if you look at all the posts proclaiming "This guy is a felon, lock him up" it's almost ALL done by Anonymous Cowards. Makes me wonder who all is doing it. Might just be one guy posting over and over and over, or it could be some hired hands trying to make a statement.
Either way, I'd like to see a followup to this at some point stating what happens with the guy next:
"Does he really get arrested, or is he hired on by wireless network providers? Stay tuned to find out!"
Well, it is nice that this guy actually bothered to write this up, but he seems to simply be using a lot of common mistakes and guesswork. On top of that, his knowledge of some basic concepts in hardware administration and business processes is somewhat lacking.
First, MAC addresses are not unique. There is no universal table of MACs that hardware manufacturers report to. I have installed ethernet cards from the SAME manufacturer that have had the SAME MAC address while setting up machines for a client.
Second, many of these errors are not necessarily the programmers' fault. They are more than likely the responsibility of management being cheap and forcing programmers to do the jobs of multiple people. IT is separate from software development. The fact that the network and server are insecure is the IT department/person's fault. In small companies this may be the same person, but in most large corporations that is not the case. Directory listing and permissions are generally the responsibility of the server administrator.
Now, the username issues are definitely scary. Leaving test accounts open with simple passwords is just plain stupid. The company I develop software for has over fifty million dollars worth of data on their servers. We also store credit card info for clients, etc. If we used common passwords like that, we would be fired. The admin would go through the database, see the passwords, and report them to our supervisor. Say goodbye! Not to mention, test accounts on production servers are bad practice anyway. If you are making any money, you are extremely stupid not to have a separate development environment.
In my opinion, these problems seem to be more management and implementation problems, and not so much development problems as the author seems to suggest. They are still real problems though. That customer listing one for the phone company really scares me. ::shiver:: I hope SBC in Texas doesn't have problems like that.
Tired of free ipod spam sigs? Opt ou
Dear Department of Homeland Security,
It has recently come to our attention that you are using methods of pinpointing locations of individuals that may infringe on our "Latitude/Longitude" techniques (Patent Pending).
You are hereby ordered to cease & desist all location activity until you have properly licensed our intellectual property rights.
Yours Truly, -Microsoft Legal Team
When I was a kid, I was able to figure out the locks at North Station in Boston. For those of you who don't know, North Station is the other major train station in Boston.
Back in the 60's, when the world was a little bit more innocent, I was able to fit a master key to all of the locks in North Station, which was also Boston Garden (the arena for the Boston Celtics and the Boston Bruins).
I never used the key; in fact I threw it away once I made it. It was only a proof in concept.
The only things I make are my wearable art (http://www.allyn.com/ and http://www.clearplastic.com/)
Locksmithing is no longer fun with all of the security paranoia. I buy my own locks to play with. The only fun thing I do in North Station anymore is to prance around in a leather jock strap and a clear plastic raincoat.
Cleara
The only way to really track people is by using a transport protocol with authentication. Somehow I don't think the world is ever going to agree on one.
-- Jack
Not a huge Fortune 500 computer company. Why WOULD you need an IT department for a train station? Sure, if you're talking about Grand Central Station or some huge hub similar, but for most, who cares? Most train stations have to skimp on seating, lighting, cleaning (trains in the U.S. are a pathetic sight compared to European or Japanese counterparts) and other much more important aspects over hiring an IT professional to run a computer network that's probably smaller than one most /. readers have.
Three Microsoft engineers and three Apple employees are traveling by train to a computer conference. At the station, the three Microsoft engineers each buy tickets and watch as the three Apple employees buy only a single ticket.
"How are three people going to travel on only one ticket?" asks a Microsoft engineer.
"Watch and you'll see," answers the Apple employee. They all board the train. The Microsoft engineers take their respective seats, but all three Apple employees cram into a restroom and close the door behind them. Shortly after the train has departed, the conductor comes around collecting tickets. He knocks on the restroom door and says, "Ticket, please."
The door opens just a crack and a single arm emerges with a ticket in hand. The conductor takes the ticket and moves on.
The Microsoft engineers saw this and agreed it was quite a clever idea. So after the conference, the Microsoft engineers decide to do the same on the return trip and save some money.
When they get to the station, they buy a single ticket for the return trip. To their astonishment, the Apple employees don't buy any ticket, at all.
"How are you going to travel without a ticket?" asks one perplexed Microsoft engineer.
"Watch and you'll see," answers an Apple employee.
When they board the train the three Microsoft engineers cram into a restroom and the three Apple employees cram into another one nearby. The train departs.
Shortly afterward, one of the Apple employees leaves his restroom and walks over to the restroom where the Microsoft engineers are hiding. He knocks on the door and says, "Ticket, please..."
It's like walking up and jimmying a perfectly good lock.
huh? since when is L:P admin:admin or South:Station or wifi:wifi considered a perfectly good lock? If you believe that, I have an origami based home-security system I would like to sell you.
This is a relatively formal security report - and I certainly feel that I have a right to know that a major wifi network that I might pay to use (with my CC# mind you) is severely compromised in security. Kudos for the publicity - he also mentions that he attempted private contact before writing this paper. Publishing this makes the perpetrator (South Station, for acting under the pretension of providing a secure network) and potential victims (customers) very aware of the need to reconfigure the network.
75 out of 100 people that might have discovered this trick would have left it as "hey cool, free wifi access for me and my buds," another 20 or so out of 100 would have done much worse (we're talkin' goatse on the homepage).
At worst this was a subtle brag of "L33tness", at best a noble public security gesture.
and hey, if you lose your job at guestBox over this - I hear Diebold is looking for a few good men...
The fact that he did this at a train station is totally irrelevant
Well, it does make it easier for someone to leave the scene of the crime. :)
I'm not violating a Patriot Act provision regarding giving assistance in committing crimes by suggesting people could use a TRAIN to leave the TRAIN STATION to avoid getting caught, right? ;)
Just because it CAN be done, doesn't mean it should!
And his evidence for this is, what? His own personal opinion?
While I agree with you on the fact that he's just speculating at that point, nevertheless a possibility exists for this sort of thing to happen.
Simple example: I went wardriving through town once. I found a lot of connections of course, but basically I just set the sniffer up on the laptop and drove around slowly. Later, when I got home, I checked out what I had found, and using timestamps I figured out where the different access points I had found were (I lacked a GPS then).
One of the ones I found was a drugstore. I looked at the raw trace and saw some really odd plaintext there. So I went back and left the laptop in the car while I went in and bought some stuff and took a look around.
What I found:
- Their cash registers were all wirelessly linked to some system in the back. When you scanned an item, the barcode was read, transmitted to the machine in the back, which looked up the price and spat it back to the register. Credit card authorization was handled the same way. All this was plaintext, as I looked at the data and found my credit card number as well as barcodes from the items I purchased in there. Didn't understand the formatting, but it wasn't too difficult to see my name and credit card number stand out like a shining beacon.
- Some kind of prescription transactions were wireless as well. While I didn't get a lot of data of this sort, there were packets containing various drug names, in plaintext, being sent over the air. I'd bet money that insurance information as well as whoever bought the prescription would have eventually gone out in the clear too.
The point being that security was basically non-existent for something you have a reasonable expectation of being private. I mean, when you design a wireless network to handle credit transactions, you'd think some form of encryption would be pretty frickin' obvious, right? Let alone tossing somebody's prescription info out onto the airwaves.
So while he didn't state you could change the lights and has no idea if you can actually fuck with the trains, the point I think he was trying to make is that clearly security is not at the forefront of the minds of a lot of people for this sort of thing. Admittedly, my drugstore example happened a couple years back, and may have been fixed by now, but this sort of thing happens because people don't think about it being an issue. It's that part that needs to be fixed. Whether any given example can actually be compromised in a serious way is not the point.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
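The drugstore post above describes spotting a card number and name in plaintext register traffic. As an added example (not the poster's code, and not from any real register or vendor), here is the kind of check a defender can run over captured payloads to confirm that cardholder data is crossing the air unencrypted: it finds digit runs that pass the Luhn check and reports them masked, so the finding itself does not copy the PAN. The payload lines and their field names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample payloads standing in for plaintext register traffic.
# The "REG/PAN/EXP" layout is an assumption for this example, not a real format.
SAMPLE_PAYLOADS = [
    b"REG07 SALE ITEM=012345678905 QTY=1 PRICE=4.99",            # 12-digit barcode, not a PAN
    b"REG07 AUTH NAME=J DOE PAN=4111111111111111 EXP=0930 AMT=12.48",
    b"REG03 AUTH NAME=A SMITH PAN=5500000000000004 EXP=1127 AMT=37.10",
    b"REG03 ERR REF=1234567890123456 MSG=timeout",               # 16 digits, fails Luhn
    b"RX TXN DRUG=AMOXICILLIN QTY=30 PATIENT=12345",
]

# A PAN is 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the match from starting or ending inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in text, separators stripped."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits, the usual truncated-PAN display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payloads(payloads) -> List[Tuple[int, str]]:
    """Return (payload index, masked PAN) for each payload carrying a plaintext PAN."""
    findings = []
    for idx, raw in enumerate(payloads):
        text = raw.decode("ascii", errors="replace")
        for pan in find_pans(text):
            findings.append((idx, mask(pan)))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {idx}: plaintext PAN {masked}")
```

The barcode and the failed-Luhn reference number are deliberately included so the scan shows it does not fire on every long digit run.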
Actually this is some very basic HTML hacking. He went to their service, which re-directs all new people to their home page. He directory surfed around the web server, and found a few dozen other sites, as well as the company's home page. He tried some very basic password combinations, (like test:test), and got control over some active sites. These sites included customer information and credit card databases.
So really, the site that served images from an unobfuscated directory allowed the person to know what to look for, the directory was fully listed in a way that directories shouldn't. The passwords were very, very insecure. This had nothing to do with wireless security, but rather web services security, and basic things for security that people don't do.
The passwords in the article, BTW, no longer function. At least, not from my remote machine. Anyone reading this from South Station wish to see if the passwords still work on-network?
The ______ Agenda
Excellent piece. Anyone who bothered to RTF(boring,pedantic,condescending)A would quickly see that the headline is a complete fiction. All the author did was exploit a hole in a for-pay Public Access WiFi network. No opportunity to route trains onto otherwise occupied platforms. No threat to a "major transportation hub."
Just some guy doing trivial guesswork to get free wireless access...that happens to be at Boston's South Station
Was writing the article his post-priori justification for the service theft?