Brandt Krueger

Freelance Technical Meeting and Event Production, Education, Speaking, and Consulting. Geek Dad, Husband

Consultant, Meeting and Event Technology
Owner, Event Technology Consulting
Instructor, Event Leadership Institute
Cohost, #EventIcons - Where the icons of the event industry meet


Serious Vulnerability Discovered in Popular Hotel/Venue WiFi Router

It doesn't have a sexy name like HeartBleed, RowHammer, or even POODLE, but security company Cylance announced last week that it had discovered an incredibly serious vulnerability in the ANTLabs InnGate Internet gateway device. If you’re a frequent traveler, as many event professionals are, chances are you’ve been connected to one of these devices. They’re popular with hotels, convention centers, and other places where temporary internet access is offered, chiefly because they offer the ability to tie the billing for that access to a specific room number or account. Other features of the device include express checkout and viewing of guest folio charges.

Photo: ANTLabs

The vulnerability, which offers a “complete compromise of the vulnerable system” is apparently trivial to exploit, allowing relatively unsophisticated attackers to gather any and all plain text communication sent through the device, including unencrypted websites (no locky-lock on the web address, no https), and virtually all email sent through email applications such as Outlook. More advanced attackers would have “seemingly no limit to what they could do” including potentially intercepting even HTTPS encrypted web pages (like banks or Gmail), stealing usernames and passwords, adding malware to software downloads, or much, much worse.

Put simply, when we’re connected to a hotel or venue WiFi, literally every bit of information we send and receive is going through their infrastructure. What happens when that infrastructure can be compromised at its very basic levels? Anything an attacker wants.

More than just sniffing your Internet

This particular exploit isn’t just limited to hotel guests’ Internet browsing, however. One of the selling points of the InnGate is that it can connect to a location’s PMS (Property Management System). A PMS can contain a tremendous amount of data including guest bookings and information, on-property sales, sales and marketing information, even HR and payroll, depending on the system. What’s even scarier is that a PMS can in turn connect to other systems, such as “central reservation systems and revenue or yield management systems, front office, back office, point of sale, door-locking, housekeeping optimization, pay-TV, energy management, payment card authorization and channel management systems.” (Source: Wikipedia) Likewise, according to Cylance, if that PMS controls multiple locations, the attackers “could potentially leverage that access to infect the other branches of an organization.”

Scared the bejeebers out of you? It probably should. This one was pretty bad. Over 270 instances of this particular device were publicly accessible, and exploitable, via the Internet. The hotels and venues involved ran the gamut, and were not restricted to any brand, star rating, or price, and were spread out all over the world. They also ranged from “places we’ve never heard of to places that cost more per night than most apartments cost to rent for a month”, according to Cylance.

One can’t read about this exploit and not think back to a few months ago when Kaspersky revealed that high-end business travelers had been targeted for years by a group that it dubbed DarkHotel. There was plenty of evidence that the group had state-level tools at their disposal, but this new exploit has some wondering if perhaps it’s been much easier to target and attack hotel guests than anyone previously thought.

The good news is that ANTLabs immediately leapt into action as soon as the vulnerability was reported to them, getting a patch ready and releasing it in just over a month. Cylance noted that it’s “not often that vulnerability reporting goes smoothly and ultimately resulted in a timely patch from the vendor.” Cylance is also working to notify the hotels and venues that it identified as being vulnerable.

So what do we do?

I’ve been telling people for some time now that the vast majority of hotel WiFi networks are not secured properly, referring to the fact that the network itself doesn’t have a password. Sadly, I had no idea that this level of attack was even possible. When you can infiltrate a gateway device this deeply, it’s pretty scary. There are a few things we can all do to help make the bad guys’ jobs more difficult, though:

Hotels and Venues:

  • Make sure your network devices are checked regularly to see if there are any updates available, and if you use ANTLabs InnGates, FOR THE LOVE OF GOD GO MAKE SURE THEY GET UPDATED RIGHT FLIPPING NOW.
  • Secure your WiFi routers with a password. Yes it wouldn’t have helped in this case, but that doesn’t mean you shouldn’t do it. And you should.
  • Of course, you could also make WiFi free, in which case a lot of this integration with PMSs would no longer be necessary, and things would be, more or less, just as secure as our personal and business WiFi routers. Or at least less of a target. Just sayin'.

Individual guests:

  • Don’t do anything on public/hotel/venue WiFi that you wouldn’t want the ENTIRE WORLD to know. While HTTPS connections to banks, Gmail, and other encrypted sites should be safe, this exploit shows that might not necessarily be the case. While we all have to use these networks from time to time, try to restrict your traffic to as few sites as possible, and to avoid anything relating to financial data, company secrets, or other, er… sites… that you might not… er… want folks to find out you visit.
  • If at all possible, when on these networks, use a VPN. A VPN is a Virtual Private Network, and it acts like a secure, encrypted tunnel for your Internet access. The reason this type of vulnerability works is because it’s intercepting your traffic right there in the hotel as you surf around the net. With a VPN, your data goes through the encrypted data tunnel to your office, or other location, before it goes out onto the Internet- so all the venue WiFi sees is noise.

Stay safe out there people…

References:
Cylance - http://blog.cylance.com/spear-team-cve-2015-0932
DarkHotel - http://www.wired.com/2014/11/darkhotel-malware/
Wikipedia PMS - http://en.wikipedia.org/wiki/Property_management_system
ANTLabs InnGate - http://www.antlabs.com/index.php?option=com_content&view=article&id=69&Itemid=88
ANTLabs InnGate Patch - http://www.antlabs.com/index.php?option=com_content&view=article&id=195:rsync-remote-file-system-access-vulnerability-cve-2015-0932&catid=54:advisories&Itemid=133

Special thanks to Steve Gibson for reporting on this on his Security Now netcast:
http://twit.tv/show/security-now/501

Enable On-Screen Android Navigation Buttons on the Galaxy S3 (Requires Root)

On Screen Navigation on S3

***UPDATE*** If you're using the latest builds of CyanogenMod, you don't need to do this! Just go to Settings, Buttons, and check the "Enable on-screen nav bar" box. Et voila!

OK, this is one that's fun to try.  You'll either:

  1. Love it -or-
  2. Hate it

I know it might seem redundant with the hardware softkeys on the Galaxy S3, but I really like this mod and it's one of the first things I do after flashing a new ROM.  The S3 has plenty of screen real estate to handle it, and I find it a much faster way of navigating around the phone, with faster access to app switching and Google Now.  Also, frequently while trying to reach down to the "Back" hardware button with my left hand, the phone feels like it's going to shoot out of my hand like a bar of soap.

To enable the on-screen navigation buttons:

Use a file explorer (like Root Explorer) to navigate to

/system/build.prop

and open the file with a text editor.  Add the line

qemu.hw.mainkeys=0

at the end of the file.  Save and close.  Reboot.  Done

That's it!

Be advised, there are a few apps that don't behave well with the keys, such as the camera.  For some reason (probably because it's a stock app) instead of resizing, it partially covers up some of the controls.  Still completely usable though.

For extra credit, you might try one of these other mods...

Disable the softkeys: Navigate to

/system/usr/keylayout/sec_touchkey.kl

and open the file with a text editor. You will see a giant list of key numbers and what they do.  Try to find these...

key 172    HOME
key 158    BACK
key 139    MENU

Add a # before any key you don't want to use anymore.  Save and reboot.

Thanks to jastonas over on XDA for the post!

Prevent the "HOME" key from waking your phone up: Personally, I like to keep the softkeys engaged.  I do still use them from time to time, such as when you can't find the freaking "MENU" key on a poorly designed app.  But, in a completely made up statistic, I have found that accidental pocket-engagement of the "HOME" key is responsible for 80% of battery loss.

Navigate to

/system/usr/keylayout/sec_keys.kl

and open the file with a text editor. You will see this...

key 115    VOLUME_UP      WAKE
key 114    VOLUME_DOWN    WAKE
key 172    HOME           WAKE
key 116    POWER          WAKE

Just delete the word "WAKE" from the "HOME" key (or more if you like, but be careful you still need a way to wake your phone!!!).  Save and reboot.

Thanks to Eric over on Galaxy S3 Forums for the post!
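Both keylayout edits above can also be scripted against a copy of the file pulled off the phone. This is an added example, not code from the original post or from either forum thread; the function names are made up for illustration, and the sample text is constructed from the entries quoted above. The second function refuses to strip WAKE from every key, which is the "you still need a way to wake your phone" case.

```python
import re

# Key layout line: key <scancode> <NAME> [FLAGS...]; lines starting with # are comments.
KEY_LINE = re.compile(r"^([ \t]*)key[ \t]+(\d+)[ \t]+(\S+)(.*)$")

# Constructed samples: the entries quoted in the post, one per line.
SEC_TOUCHKEY = "key 172    HOME\nkey 158    BACK\nkey 139    MENU\n"
SEC_KEYS = (
    "key 115    VOLUME_UP           WAKE\n"
    "key 114    VOLUME_DOWN     WAKE\n"
    "key 172    HOME                     WAKE\n"
    "key 116    POWER                   WAKE\n"
)


def disable_keys(text, names):
    """Comment out every 'key' line whose key name is in `names`."""
    out = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        out.append("# " + line if m and m.group(3) in names else line)
    return "\n".join(out) + "\n"


def remove_wake(text, names):
    """Strip WAKE from the named keys; refuse if no key would still wake the phone."""
    out, still_waking = [], []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            indent, code, name, rest = m.groups()
            flags = rest.split()
            if name in names and "WAKE" in flags:
                flags.remove("WAKE")
                line = f"{indent}key {code}    {name}" + "".join("    " + f for f in flags)
            if "WAKE" in flags:
                still_waking.append(name)
        out.append(line)
    if not still_waking:
        raise ValueError("no key would keep WAKE, so nothing could wake the phone")
    return "\n".join(out) + "\n", still_waking


if __name__ == "__main__":
    print(disable_keys(SEC_TOUCHKEY, {"MENU"}), end="")
    new_text, waking = remove_wake(SEC_KEYS, {"HOME"})
    print(new_text, end="")
    print("still wake the phone:", ", ".join(waking))
```
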

That's all there is to it!  So now that the S4 is coming out, is anyone getting antsy to trade in their S3?  Personally over a year in I'm still happy as a clam...

WiFi Security Alert- "WiFi Protected Setup" Security Flaw

The Dlink DIR 601 Wireless Router: One of the millions of routers with WiFi Protected Setup

This is a legitimate and serious security alert regarding WiFi access.  Apartment-dwellers, businesses in strip malls, hotels, and convention centers all should be advised.  Basically if your WiFi signal reaches to a point where someone could park for a while (less than 24 hours), you are likely vulnerable to having someone hack into your WiFi network, even if it is secured.  This could be, for example, an apartment next door, a lounge in your building, a nearby parking lot, or a car parked on the street if your signal reaches that far.

As usual, making things simple makes them less secure. There is a convenient "feature" of almost all WiFi access points built in the last few years that allows you to connect a device to your network (such as a Windows 7 computer, a cell phone, a printer, etc.) by pressing a button or clicking a dialog box and then entering a short 8 digit pin stamped on a label on the WiFi device.  This is known as "WiFi Protected Setup".

It turns out that the pin can be cracked and give a hacker access to your network in less than 24 hours (sometimes only a couple of hours) of brute force attacking because of a really stupid way that the password is sent/received between the two devices.  Once unencrypted access to your network is gained, the attacker can (at best) use your internet connection and (at worst) sit quietly and watch all of your internet traffic.

If you're comfortable configuring your wireless router, poke around in the settings and look for something called "WiFi protected setup".

THIS IS ENABLED BY DEFAULT.  If you uncheck this "feature" you should be protected from this type of attack until your manufacturer can push out an update.  Check your WiFi router's manufacturer's website frequently over the next couple months to look for an update for your device.
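After unchecking the setting, it is worth confirming from a nearby laptop that the router has actually stopped advertising WPS. The following is an added example, not part of the original post: it reads the text printed by a Linux "iw dev <interface> scan" and reports only on the network names you list as your own. The scan text, addresses and network names are constructed, and the field labels it searches for are an assumption about your version of iw.

```python
import re

# Constructed sample, laid out like "iw dev <interface> scan" output (tab-indented).
SAMPLE_SCAN = (
    "BSS 02:00:00:aa:bb:01(on wlan0)\n"
    "\tfreq: 2437\n"
    "\tSSID: HomeNet\n"
    "\tWPS:\t * Version: 1.0\n"
    "\t\t * Wi-Fi Protected Setup State: 2 (Configured)\n"
    "\t\t * AP setup locked: 0x01\n"
    "BSS 02:00:00:aa:bb:02(on wlan0)\n"
    "\tfreq: 5180\n"
    "\tSSID: HomeNet-5G\n"
    "\tRSN:\t * Version: 1\n"
    "BSS 02:00:00:aa:bb:03(on wlan0)\n"
    "\tfreq: 2412\n"
    "\tSSID: SomeoneElse\n"
    "\tWPS:\t * Version: 1.0\n"
    "\t\t * Wi-Fi Protected Setup State: 2 (Configured)\n"
)


def audit_wps(scan_text, my_ssids):
    """Return {bssid: (ssid, status)} for access points whose SSID is in my_ssids.

    status is "off" when no WPS element is advertised, "on (locked)" when the
    access point reports its WPS setup as locked, and "on" otherwise.
    """
    results = {}
    # Each access point's record starts with a "BSS <address>" line.
    for block in re.split(r"(?m)^BSS ", scan_text)[1:]:
        bssid = block[:17]
        m = re.search(r"(?m)^[ \t]*SSID: (.*)$", block)
        ssid = m.group(1).strip() if m else ""
        if ssid not in my_ssids:
            continue  # only report on networks we administer
        if not re.search(r"(?m)^[ \t]*WPS:", block):
            status = "off"
        elif "AP setup locked: 0x01" in block:
            status = "on (locked)"
        else:
            status = "on"
        results[bssid] = (ssid, status)
    return results


if __name__ == "__main__":
    for bssid, (ssid, status) in audit_wps(SAMPLE_SCAN, {"HomeNet", "HomeNet-5G"}).items():
        print(f"{ssid:12} {bssid}  WPS {status}")
```

Any access point of yours that still shows "on" after the setting was unchecked needs a second look at its configuration or a firmware update.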

If you want to learn about this in great detail, I highly recommend this podcast, Security Now! with Steve Gibson and Leo Laporte:

http://twit.tv/show/security-now/335

For more general info, just search for "wifi protected setup flaw" on your search engine of choice.

Please feel free to pass this on to anyone you may know with WiFi access points in their home or office.