Hacking the Friendly Skies DC214 - April 2006 Simple Nomad nomad mobile research centre.

Presentation transcript:

Hacking the Friendly Skies DC214 - April 2006 Simple Nomad nomad mobile research centre

Hello… SN is with NMRC SN is with Vernier Networks SN is jaded and bitter

Disclaimer: Why Not To Do This Legalities We have a bad enough reputation anyway

Agenda Background Attacking Collected data Conclusion Additional In-flight Fun The Future

Background

How This Started Weather delays Cancelled flights Layovers Gadgets and toys Idle hands

There Is No In-Flight HotSpot Why are SSIDs called linksys, dlink, tmobile, hpsetup, 2wire etc showing up where they are clearly not? Can I talk to these devices? Can I attack these devices?

Airline Background 10,000 foot rule on using approved electronics No approved electronic devices during takeoff/landing for one simple reason – to keep your row clear in the event of an emergency This is the same reason you have to stow your tray tables and put your seat back in its full upright position

Attacking

Second Warning Don’t do this shit If you must, do it in the terminal –During delays, there is more opportunity

Contributing Factors Laptops with built-in WiFi Excellent Windows wireless integration Connectivity friendliness of Windows in general

IPv4 Link-Local Addresses RFC 3927 – “Dynamic Configuration of IPv4 Link-Local Addresses” If DHCP fails to provide an IP address, interfaces with Link-Local configurations will auto-assign an address in the 169.254.0.0/16 range Link-Local is on by default on all interfaces on all Windows platforms, including wireless interfaces

Microsoft Implementation of RFC 3927 Example here is XP Start -> Connect To -> Show all connections Right click on wireless connection Internet Protocol (TCP/IP) -> Properties Two things to look for (and they are the default) –General -> Obtain an IP address automatically is checked –Alternate Configuration -> Automatic private IP address is checked These two together help spell disaster Details of Microsoft’s implementation under the covers are in RFC 3927 in appendix A.4

The Magically Appearing SSID User boots up laptop Wireless is enabled Ethernet is disconnected, a (short) timeout occurs Wireless is enabled, tries to find “default” SSID Default SSID is not found, no DHCP server answers, Link-Local is used IP address is assigned from 169.254.0.0/16 range per RFC 3330, this is APIPA (Automatic Private IP Address) Built-in laptop becomes an ad-hoc network using “default” SSID PC now says it is “tmobile” or “linksys” or “dlink”, and broadcasts its SSID as such How?

Magically Appearing Networks Users boot up laptops The first one up becomes the potential “SSID leader” As additional laptops come up and can’t find their default (re: last) SSID to connect to, they may or may not connect Windows stores all SSIDs you have connected to in Registry If you have the SSID leader’s beaconing SSID in your Registry, you could connect Even if you don’t, if only one SSID around, you could also connect Wee, automagic little clusterfuck of targetry goodness Multiple SSID leaders can emerge, hours of attack fun!

Warning From RFC 3927 From RFC 3927, section 5, paragraph 3: NOTE: There are certain kinds of local links, such as wireless LANs, that provide no physical security. Because of the existence of these links it would be very unwise for an implementer to assume that when a device is communicating only on the local link it can dispense with normal security precautions. Failure to implement appropriate security measures could expose users to considerable risks.

Authors of RFC 3927 Oops! Network Working Group S. Cheshire Request for Comments: 3927 Apple Computer Category: Standards Track B. Aboba Microsoft Corporation E. Guttman Sun Microsystems March 2005

Attack Time Attach to that “tmobile” Ad-hoc Peer-to-Peer network If Windows, make sure YOU have Alternate Configuration hard-wired to a /16 address If Unix, assign yourself a /16 address Get victim laptop’s IP address –ARP for it, sniff (it is Windows, it will eventually chat NetBIOS to you), etc Ping it, you may have to set up a default route on Unix Nmap, Nessus, dsniff, Cain & Abel, Metasploit Framework, etc etc ()wnage, biatch

Attack Time on Short Flights Configure a DHCP server on your laptop Attach to that “tmobile” Ad-hoc Peer-to-Peer network Give victim his laptop’s IP address –APIPA/Link-Local systems will periodically check for a DHCP server Nmap, Nessus, dsniff, Cain & Abel, Metasploit Framework, etc etc Quicker ()wnage, biatch

Attack Time Using KARMA Run KARMA on your laptop KARMA answers all SSID requests saying “yes, I really am that SSID you’re looking for” Conceivably every laptop on the plane (or terminal, or commuter train) could be compromised Thorough ()wnage KARMA by Dino and K2 -

Don’t Forget To Sniff SMB traffic including cached creds etc

Evil Fake AP Do “recon” with laptop, PDA etc in terminal waiting for flight Determine most popular SSID Set up fake AP with that SSID Offer up a DNS server Resolve EVERYTHING to your address Hello LM/NTLM hashes

Add Honeypot Technology Sniff for probes to IMAP/POP3 –Remember, your DNS server will say you are that server Run Honeypot mail server Accept (and log) every user and password
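A client-side check for the DNS trick on the two slides above, as an added example that is not from the slides: it asks the resolver for random names under the reserved .invalid TLD, which an honest resolver never answers, and reports which real hostnames land on the same catch-all address. The function name, the stand-in resolvers and the addresses are constructed for illustration.

```python
import secrets
import socket


def audit_dns(hostnames, resolve=socket.gethostbyname, probes=3):
    """Detect a resolver that answers for everything and list affected names."""

    def lookup(name):
        try:
            return resolve(name)
        except OSError:  # socket.gaierror (NXDOMAIN, timeout) is an OSError
            return None

    # .invalid is reserved by RFC 2606/6761, so any answer here is fabricated.
    sink = set()
    for _ in range(probes):
        addr = lookup(f"{secrets.token_hex(8)}.invalid")
        if addr is not None:
            sink.add(addr)
    # Real services that land on the catch-all address are being impersonated.
    redirected = [h for h in hostnames if lookup(h) in sink]
    return {"catch_all": bool(sink), "sink": sorted(sink), "redirected": redirected}


# Constructed stand-ins for a resolver, so the example runs offline.
def hostile_resolver(name):
    return "169.254.66.6"  # every name maps to one link-local peer


def honest_resolver(name):
    table = {"mail.example.com": "192.0.2.10"}  # documentation address
    if name not in table:
        raise socket.gaierror("name not known")
    return table[name]


if __name__ == "__main__":
    print(audit_dns(["mail.example.com"], hostile_resolver))
    print(audit_dns(["mail.example.com"], honest_resolver))
```

Called with no `resolve` argument it uses the system resolver. Some hotel and ISP resolvers also rewrite failed lookups, so treat a hit as a reason to verify the server's TLS certificate before any credential is sent.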

Idle Hands Change background image Find pr0n on target, make that the background image –You’ve backdoored the system, literally Launch MP3s with Parental Advisory lyrics –Rap, death metal, industrial (make a political statement) –Launch when cluebag goes to the lavatory for maximum effect Launch MP3 real loud that says, “wow this porn is hot!” and then launch hot.avi, .mpg, or .wmv Launch MP3 that says, “how much for a lavatory quickie, bitch?” during the drink service Install a server and serve up pr0n to the rest of the aircraft –Repeat earlier bullet item on multiple machines Cover your tracks! Upload your tools, attack other machines, then attack your own machine (plausible deniability)

Collected Data

Atlanta, GA Midweek Largest city in the region, lots of businesses Weather delay, sat on tarmac in DFW ½ mile from terminal for 1 hour while thunderstorm passed MD80 aircraft, half full flight, 8 laptops out and running 2 ad-hoc networks 3 live targets, 2 Windows XP, 1 Windows 2000 –Windows XP fully patched with firewalling –Windows 2000 vulnerable to MS05-039

Charlotte, NC Midweek Heavy banking/insurance town Weather delay, target-rich environment in Charlotte (dozens of ad-hoc networks) at the gate before flight MD80 aircraft, full flight, 12 laptops out and running 5(!) ad-hoc networks 5 live targets, 2 Windows XP, 1 Windows 2003, 2 Windows 2000 –Only Windows 2003 fully patched with firewall –Rest vulnerable to MS and/or MS05-039

ToorCon 7 Return Flight, Monday Morning In terminal, very few laptops out (it was fucking 6am), only 1 ad-hoc network named tmobile 757 aircraft, full flight, 22 laptops out and running 1 ad-hoc network formed named additional nodes had attached to it (apparently clueless they had done so) 3 live targets - 2 Windows XP, 1 Windows 2000 –Windows 2000 vulnerable to MS Dlink technician (no I am not making this up, overheard him talking) –Windows XP Pro, vulnerable to MS –Windows XP at SP1, vulnerable to MS This guy was across the aisle, VP of a physical security company, w00t!

SJC - DFW, Tuesday Afternoon In terminal, 5 laptops out, 3 ad-hoc networks, 1 named linksys MD80 aircraft, half-full flight, 14 laptops out and running 4 ad-hoc networks named MSFTWAN, GoldenTree, Fly Aloha, and orange Orange had WEP turned on (?) 4 live targets – 2 Windows XP Pro, 2 Windows 2000 –Windows XP Pro firewalled, probably SP2 (orange), fingerprinted using visual reconnaissance –Windows XP SP0 or SP1, patched up but 2 open shares (one had pr0n) –Both Windows 2000 vulnerable to MS –1 Windows 2000 had a web server running MSFTWAN? Certainly not….

Best Target Locations Airline Flyx0r clubs, but this is regular laptop-to-laptop hacking Business commuter flights –Early Monday flights are best –Major business hauls Eg LGA – DCA, EWR – BOS, ORD – LAX, HOU – ATL especially in and out of high tech areas –Get a seat near front part of coach Road warriors request these seats in advance to get off the plane quicker Aircraft with limited power outlets usually have outlets there Better able to visually shoulder-surf during recon phase, helps with OS detection Flights with lower passenger loads will have road warriors in First Class due to upgrades

Contributing Factors Bad weather/delays means increased laptop usage in terminal –Rain dance or l33t weather-controlling satellite ownage can help you Certain airports have no wireless –Charlotte, NC for example –Virtually all non-WEP/WPA SSIDs are ad-hoc

Conclusions

Why This Happens Configuration for talking to infrastructure, no problems Once you can’t find infrastructure linksys or tmobile, you will attach to ad-hoc versions if available From this point on you will auto-assign an ad-hoc network with that SSID –It is a configuration “virus”, currently operating in the wild

What’s Bad Alternate Configuration on wireless –Turn off your wireless, bad monkey, no banana –It should be off unless really needed Works wherever sheeple laptop users gather and there is no wireless (hotels and convention centers without available wireless, commuter trains, etc)

What’s Good Easy workarounds –Turn off your wireless connection when not in use (duh) –Set your wireless to only talk to infrastructure networks (advanced settings) –Personal firewalls will help, and on XP SP1 or later make sure the firewall is on –WEP on an adhoc network is possible Per the Microsoft Security Response Center, patches will be included in the next service pack releases to prevent the auto-advertising of adhoc networks –In spite of lame nature of attack (and it is pretty lame), Microsoft took it seriously

Quick WiFi Detection for Passengers and Flight Crews Digital Hotspotter (<$100) will detect signal strength, show SSID, encryption or not, and channel Kensington WiFi Finder Plus (<$30) will detect the presence of WiFi and Bluetooth
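A software counterpart to the handheld detectors, given here as an added example that is not part of the original slides: it reads the capability field of raw 802.11 beacon frames to separate ad-hoc (IBSS) laptops from real access points, and flags ad-hoc beacons that use one of the SSIDs named in the talk. The sample frames are constructed and the function names are illustrative; frames are assumed to start at the 802.11 header, with no radiotap header or FCS.

```python
import struct

# SSIDs the slides list as appearing where no access point exists.
WELL_KNOWN_SSIDS = {"linksys", "dlink", "tmobile", "hpsetup", "2wire"}

# Capability Information bits in the beacon's fixed parameters.
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010


def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon or probe response."""
    if len(frame) < 36:  # 24-byte header + 12 bytes of fixed parameters
        raise ValueError("too short for a beacon")
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):  # management: probe response, beacon
        raise ValueError("not a beacon or probe response")
    (capability,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = "", 36
    while pos + 2 <= len(frame):  # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            break  # truncated element: stop rather than misread
        if tag == 0:  # SSID element
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + length
    mode = ("ad-hoc" if capability & CAP_IBSS
            else "infrastructure" if capability & CAP_ESS else "unknown")
    return {
        "ssid": ssid,
        "bssid": frame[16:22].hex(":"),
        "mode": mode,
        "encrypted": bool(capability & CAP_PRIVACY),
        # A peer laptop beaconing a name users expect from an access point.
        "lookalike": mode == "ad-hoc" and ssid.lower() in WELL_KNOWN_SSIDS,
    }


def build_beacon(ssid: str, capability: int, bssid: bytes) -> bytes:
    """Build a minimal beacon for the demo (constructed data, not a capture)."""
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval, caps
    name = ssid.encode()
    return header + fixed + bytes([0, len(name)]) + name + bytes([3, 1, 6])


SAMPLE_FRAMES = [  # constructed sample input
    build_beacon("tmobile", CAP_IBSS, bytes.fromhex("02aabbccdd01")),
    build_beacon("linksys", CAP_ESS, bytes.fromhex("001122334455")),
    build_beacon("orange", CAP_IBSS | CAP_PRIVACY, bytes.fromhex("02aabbccdd02")),
]


def lookalikes(frames):
    """Return the SSIDs of ad-hoc beacons that use a well-known AP name."""
    return [b["ssid"] for b in map(parse_beacon, frames) if b["lookalike"]]


if __name__ == "__main__":
    print(lookalikes(SAMPLE_FRAMES))
```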

Additional In-Flight Fun

In-Flight Phones Verizon Airfone (formerly GTE Airfone) –On most major airlines (not AA though) –Hours of dialing random 3-digit numbers to see where you get to –14.4k modem –Expensive to use With a Verizon Wireless account, it is $10 a month plus $0.10 a minute, otherwise $0.69 a minute

In-Flight Internet JetConnect –A part of Verizon Airfone –Seen on Delta, US Airways, United, Continental, a few others –Features include IM and –Use your own IM service and “tunnel” access for SSH etc

The Future

FCC vs. FAA FCC says cell phone/wifi is ready for use on planes FAA has still not approved the technology Without push from the airlines, the FAA is unlikely to budge soon AA, United, and Delta were ready to start the push for pico cell-based cellular service on airplanes in 2001 –Unfortunately 9/11 happened and they all lost money, and the technology is very expensive Watch the cellphone usage issue for planes (1/5 the cost to implement), wifi will follow Last “cellular interference” study to be concluded in 2006

Flying With Big Brother DHS and DOJ both want the ban on cellphone/wifi on planes to remain in effect If implemented, DHS and DOJ want the ability to monitor ALL traffic –Prevent cabin-to-cabin/air-to-ground/air-to-air terrorist coordination This added measure would increase the cost of implementing the infrastructure immensely

Inflight Broadband Basics Available now on limited flights –Non-US carriers –Overseas flights only Typically private class C for passengers Uses a combination of satellites and 5 ground locations to move packets back and forth Approximately $30 USD for unlimited usage during a 6+ hour flight

Inflight Broadband Adopters Three Vendors –Connexion, Tenzing (SMS, only), and Sky Way Various airlines are involved –British Airways –Japan Airlines –Lufthansa –SAS –Singapore Airlines –Nippon Airways –Southeast Airlines –Executive Charter

Inflight Broadband Issues Expensive to implement (roughly $400k per plane) –US-based airlines are not buying it Currently little to no security implemented –Security solutions cost extra, and the airlines aren’t buying it Disputable legality of in-flight air-to-air or air-to-ground hacking –Attacker in 15A, victim in 17D – mid-Pacific/Atlantic and who is to blame? –You are over international waters, no clear jurisdiction –Think “cruise ship enters international waters, the casino now legally opens” –Does this apply to laptop-to-laptop hacking mid-flight?

Additional Inflight Issues Windows CE 2003 and Boeing Aircraft –As we speak Boeing is disabling Bluetooth, which was enabled by default –No I am not kidding, Windows CE WTF!? Bluetooth??!? Windows CE!!?! –Can you say “backdoor” so ground personnel can land a hijacked plane via AutoLand and/or RoboLander? Imagine a terrorist with a Bluetooth gun aimed at a plane after take-off Imagine an instruction of “please go to feet in 15 minutes kthxbye” Have a safe next flight!

Thanks

FIN, Biatchez Images © 2005, 2006 NMRC Thanks to NMRC folks for feedback Photo session by Duy Nguyen and Amy Lee Muir Art Manipulation by Weasel NMRC Fetish Model – Bethany