Slashdot Mirror


How to Take Over a Train Station

ThinkComp writes "Everyone knows that home wireless networks are insecure, but who would expect a major transportation hub to be vulnerable to the same problems? Well, waiting for my friend's train at South Station in Boston, MA, I happened to notice that it was possible to take control of the entire station's wireless network, including its home page and authorization method (free wireless, anyone?)--and those of thirty other businesses throughout Massachusetts, thanks to a few coding errors on the part of the wireless company with which South Station contracted."

23 of 356 comments

  1. wireless is insecure? by Anonymous Coward · · Score: 5, Funny

    News at 11.

    1. Re:wireless is insecure? by krisp · · Score: 5, Insightful

      Nah, this shouldn't be news anyway. When you can get control of the arrival/departure boards and track switch control from your laptop on the wireless, then it will be news. Until then, the title is misleading!

    2. Re:wireless is insecure? by Colven · · Score: 5, Insightful

      I don't know, I think it's news. I create very similar sites, so hearing about things like this is extremely helpful to my practices. And it could serve as a wake-up call to others who might be slacking.

      And, if their web site is that insecure, what makes you think their other systems (electronic and other) aren't similarly flawed?

      Regardless, what I would really like to hear is the behind the scenes stories from all companies involved.

      --
      expletives welcomed
    3. Re:wireless is insecure? by Talinom · · Score: 5, Insightful

      And it could serve as a wake-up call to others who might be slacking.

      I wish I could believe that.

      What will probably happen is they get hacked and any problems that arise will be considered a terrorist act. The company will get all sorts of sympathy from the unknowing public while the perp goes to federal "pound him in the ass" prison and owes $4 Billion in damages. The CEOs of the company will denounce the act, get fat bonuses, jump ship, and might even throw a quarter at the problem on their way out the door.

      But I feel that last part is overly optimistic.

      --
      "Giving money and power to governments is like giving whiskey and car keys to teenage boys." - P.J. O'Rourke
  2. Google HTML version available :) by LiquidCoooled · · Score: 5, Informative

    Here :)

    --
    liqbase :: faster than paper
  3. Illegal access by bloo9298 · · Score: 5, Funny

    Summary: here's documentation of my illegal access to a system, please prosecute me, thanks.

  4. hold that thought by silid · · Score: 5, Funny

    no more running for trains - use your ipaq as a remote control for your very own train set.
    and close the doors when you are all the way through

    next stop: home

  5. There is one silly error in an otherwise great art by drinkypoo · · Score: 5, Informative

    ...icle: "Unless something is done to force accountability for wireless devices, perhaps by recording ethernet MAC addresses (which are unique and hard-coded to a physical piece of hardware)" ... uh, no they aren't. Most devices allow you to change your MAC with impunity. Others can be hacked to do so, by tweaking their firmware. MAC addresses meant something back in the day when they were hard to change (it's never been impossible) but those days are long gone.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. Re:who did you tell? by AndyL · · Score: 5, Funny

    I recommend telling Charlie. With internet access he could start a Dot Com and finally earn that nickel he's been needing.

  7. obligatory reply by Anonymous Coward · · Score: 5, Funny

    All your trains are belong to us!

  8. What a waste of bandwidth by Anonymous Coward · · Score: 5, Insightful

    This person merely tried common tricks to expose the network settings. Here's a summary:

    1.) Try the default login/password combination and make some educated guesses.

    2.) Look at the source code of web pages.

    3.) Don't be an idiot admin and leave your system wider than your momma.

  9. Why play with HO scale? by vudufixit · · Score: 5, Funny

    When you can play with the real thing?

  10. Well? by NoseBag · · Score: 5, Funny

    Did you refund your friend's tickets?

    --
    Cloned foods give the statement "We had that last week!" a whole new meaning.
  11. Such strange attitudes by QuantumG · · Score: 5, Insightful
    I've always found the mentality of computer security experts quite strange. It must be the effect of unix. For those who never had the experience of using a "user" account on a unix box as their sole source of computation, let me explain. Basically you're required to log into the machine. After that you can do anything you want. The unix kernel will ensure that no user can affect any other user unless that user permits it. It's this attitude of "anything that is not denied by the kernel is permitted" that I really don't get.

    At first this wasn't entirely the case. Consider, for example, copying all the files from /usr/bin to your home directory 1000 times. Back in the old days that would be enough to fill up the harddrive which would quickly stop other people from using the system. You could affect other people, the kernel didn't stop you, so it must be allowed right! Well no. You're wasting resources and being an asshole. But rather than put a sign on the wall that said "please don't waste disk space" someone decided this was a "security" issue and implemented disk quotas into the kernel. Now you can't affect other users by using up all the disk space.

    Consider the "fork bomb" issue. For those who don't know, this is just like using up all the harddrive space, except instead of disk you're wasting memory. A fork bomb will quickly bring an older unix machine to its knees, and back in the days when I had the joy of sharing a unix lab with other students, a fork bomb would go off at least twice a day. Why? Cause if the kernel permitted it, it must be ok right? Now there's protections in most kernels just to detect a fork bomb and stop it.

    Such a strange way of thinking. Thankfully most unix users do not try to apply this attitude to the real world. If they were to see the police or the government as some kind of kernel they might be surprised to find that they could kick over granny in the street or go ballistic with an automatic weapon. The police didn't stop me, it must be ok, right?

    Just to bring this long post back on topic: just because you can take over the wireless internet of a train station, doesn't mean you should do it. It doesn't mean that it is permitted. There doesn't need to be a failsafe kernel monitoring and stopping every undesirable action that you can possibly perform. We can live with people being able to break the rules. It's called freedom.

    --
    How we know is more important than what we know.
  12. Re:There is one silly error in an otherwise great by molo · · Score: 5, Informative

    BTW, for windows, there is a great tool called MacShift that will allow you to randomize your MAC address. Just make a shortcut and run it before you connect to any wireless network, and you'll have a different one each time. No tracing there.

    -molo

    --
    Using your sig line to advertise for friends is lame.
  13. Re:accountability? by l2718 · · Score: 5, Informative

    By the way, instructions on how to change your MAC address on various operating systems may be found in the wikipedia.

  14. Re:Not just wireless by utlemming · · Score: 5, Interesting
    With a Laptop, and Knoppix and a tad bit of skill (or some really good scripts) you can really have some illicit fun. Knoppix makes it a whole lot harder to find forensic evidence in case you're caught. All you have to do is drop out the battery and then all the evidence is wiped away (save some circumstantial evidence in the form of a Knoppix cd, and a rebooting computer). If you have the scripts stored in a remote location, ie ftp, then you're in for business. Since you don't have any of the stuff stored on disk, and the MAC is so easily changed, it can be pretty tough to prove -- they would have to essentially follow you and collect evidence on the signal you're sending out. As a previous post said, a good administrator will allow open access that is routed through a proxy server to authenticate. But then you still have problems with keeping the authentication. All I can say is that I hope that I never have to maintain a wireless network and make sure that it is secure. The headache of maintaining a 5 person WPA "protected" WiFi is enough of a headache to make my life difficult enough.

    I just got a Wireless router the other day. What my room mates couldn't understand is why I locked down the router so hard. They were amazed that I had to put the WPA key on all the computers, and why I also did MAC and IP filtering. They just couldn't understand. Although it is not totally secure, hopefully it is enough to keep the dorks out and at the same time allow for wireless inconvenience. The last thing that I want to worry about is some dork running around with a laptop and deciding that my internet is his internet and then doing something stupid.

    --
    The views expressed are mine own and do not express the views of my employer.
  15. Of Astroturf and Grandstanding by SuperBanana · · Score: 5, Insightful

    Ignoring the grandstanding title and the fact that the author astroturfed his own "article" and site, here's a quote:

    A more farfetched, but very real possibility, is that computers or workers at airports and train stations also use these same networks to make everything tick. If that is the case, it might be possible for an intelligent high school student to start changing train timetables or rerouting baggage.

    And his evidence for this is, what? His own personal opinion? He's been watching Hackers too much if he thinks the schedule board at South Station is networked; it's a -flip- chart (seriously, stick around for 5-10 minutes, and watch it update itself). I'd be amazed if it had anything better than a dedicated thinnet connection to an ancient PC. It's not like some kid with mad h@x0r skills is going to go bippity-boop and put up "TRAIN TO FUCKVILLE 4:20". No. That happens in Hollywood, where people "launch the genetic algorithmic viral defenses!". It does not happen in the real world.

    There are a lot of cheap shots and snide remarks aimed at "The Guvmint", "The Man", etc. This guy sounds like he's about 19, not to mention he's just admitted to logging into places he knew he didn't belong AND changing settings (he changed them back, but still...) Sounds like a great federal indictment to me.

    Some googling shows he's in his very early 20's (graduated from Harvard in 2004 in "3 years", which means he's maybe 21 now), runs some consulting company. Sounds like he's just out to promote his business like every other story submitter these days...

  16. Hmm by patryn20 · · Score: 5, Interesting

    Well, it is nice that this guy actually bothered to write this up, but he seems to simply be using a lot of common mistakes and guesswork. On top of that, his knowledge of some basic concepts in hardware administration and business processes is somewhat lacking.

    First, MAC addresses are not unique. There is no universal table of MAC's that hardware manufacturers report to. I have installed ethernet cards from the SAME manufacturer that have had the SAME MAC address while setting up machines for a client.

    Second, many of these errors are not necessarily the programmers' fault. They are more than likely the responsibility of management being cheap and forcing programmers to do the jobs of multiple people. IT is separate from software development. The fact that the network and server are insecure is the IT department/person's fault. In small companies this may be the same person, but in most large corporations that is not the case. Directory listing and permissions are generally the responsibility of the server administrator.

    Now, the username issues are definitely scary. Leaving test accounts open with simple passwords is just plain stupid. The company I develop software for has over fifty million dollars worth of data on their servers. We also store credit card info for clients, etc. If we used common passwords like that, we would be fired. The admin would go through the database, see the passwords, and report them to our supervisor. Say goodbye! Not to mention, test accounts on production servers are bad practice anyway. If you are making any money, you are extremely stupid not to have a separate development environment.

    In my opinion, these problems seem to be more management and implementation problems, and not so much development problems as the author seems to suggest. They are still real problems though. That customer listing one for the phone company really scares me. ::shiver:: I hope SBC in Texas doesn't have problems like that.

  17. Re:There is one silly error in an otherwise great by Black+Acid · · Score: 5, Informative
    Your MAC address is (well SHOULD be) "unique and hard-coded to a physical piece of hardware". It is physically tied to your NIC, and you can not change it. What you can do however is change how it is represented in software, so that the other party never sees your actual physical MAC address, but the idea that you can actually change your MAC address is just plain wrong. Feel free to try, change the MAC, then switch the NIC to another machine and see if it retains the original or altered address.
    Of course, it all depends on the NIC, but I was able to flash my Orinoco wireless card's firmware, successfully changing its MAC address. My address was retained under Linux and Windows, so I assume it was physically changed. (I also was able to upgrade the Orinoco from Silver to Gold encryption, US to Japan frequencies, and change the serial number). It's true that most people who change the MAC really only change it in software, but it's definitely possible to change it in hardware as well. Not that there is any reason to...
  18. No they aren't by JumperCable · · Score: 5, Funny

    Dear Department of Homeland Security,
    We have recently come to our attention that you are using methods of pinpointing locations of individuals that may infringe on our "Latitude/Longetude" techniques (Patent Pending).

    You are hereby ordered to cease & desist all location activity until you have properly licensed our intellectual property rights.

    Yours Truly, -Microsoft Legal Team

  19. Re:That's a stupid question by timeOday · · Score: 5, Informative
    They wouldn't let just anybody in the control room at Paddington station in London, would they?
    This is irrelevant. Nobody took over a train station; the story title is a lie. All they did was circumvent the payment system for wifi internet access and avoid paying an hourly fee for internet access. The fact that this was at a train station has nothing to do with the story, except making it read better.
  20. Not wireless by cgenman · · Score: 5, Informative

    Actually this is some very basic HTML hacking. He went to their service, which re-directs all new people to their home page. He directory surfed around the web server, and found a few dozen other sites, as well as the company's home page. He tried some very basic password combinations, (like test:test), and got control over some active sites. These sites included customer information and credit card databases.

    So really, the site that served images from an unobfuscated directory allowed the person to know what to look for, the directory was fully listed in a way that directories shouldn't. The passwords were very, very insecure. This had nothing to do with wireless security, but rather web services security, and basic things for security that people don't do.

    The passwords in the article, BTW, no longer function. At least, not from my remote machine. Anyone reading this from South Station wish to see if the passwords still work on-network?
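
Added example (not part of any comment above or of the original article): several comments point to leftover test accounts with guessable passwords such as test:test. An administrator can audit their own account store for these before anyone else finds them. The account records, salts, word list and function names below are constructed for illustration and assume salted PBKDF2-SHA256 hashes.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # assumed work factor for this constructed store

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(username: str, password: str, salt: bytes) -> dict:
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt)}

# Constructed sample data standing in for a real account table.
SAMPLE_ACCOUNTS = [
    make_account("test", "test", b"salt-0001"),
    make_account("admin", "password", b"salt-0002"),
    make_account("jsmith", "c0rrect-horse-battery", b"salt-0003"),
    make_account("demo", "Demo", b"salt-0004"),
]

COMMON = ["test", "password", "admin", "demo", "guest", "changeme", "123456"]
TEST_NAMES = {"test", "demo", "guest", "temp"}

def audit(accounts, common=COMMON):
    """Return [(username, [reasons])] for accounts that need attention."""
    findings = []
    for acct in accounts:
        name = acct["username"]
        reasons = []
        if name.lower() in TEST_NAMES:
            reasons.append("test-style account name")
        # Try username variants first, then the common list (deduplicated).
        candidates = dict.fromkeys(
            [name, name.lower(), name.capitalize(), *common])
        for guess in candidates:
            digest = hash_password(guess, acct["salt"])
            if hmac.compare_digest(digest, acct["hash"]):
                if guess.lower() == name.lower():
                    reasons.append("password equals username")
                else:
                    reasons.append("password on common list")
                break
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for user, why in audit(SAMPLE_ACCOUNTS):
        print(f"{user}: {', '.join(why)}")
```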