Wireless insecurity

Our flight home from SANE 2006 was delayed for nearly two hours. Of course. So we had ample time in Schiphol airport to do nothing.

There was good wireless coverage by Attingo, but of course you had to pay to go anywhere on that network. I did have a look however, and found that you could ping everyone else on the network and the IPs were all public in the 212.123.203/24 range. I ran tcpdump for just over 8 minutes. The harvest was only a single POP3 password, which was less than I had anticipated:

15:41:56.576060 IP 212.123.203.XXX.2944 > XXX.XXX.XXX.XXX.110: P 34:50(16) ack 57 win 17464
    0x0000:  0050 e801 73b8 0015 0005 c9c5 0800 4500  .P..s.........E.
    0x0010:  0038 e983 4000 8006 4c70 d47b cb7b 448e  .8..@...Lp.{.{D.
    0x0020:  e046 0b80 006e c19c aab8 f24b 4815 5018  .F...n.....KH.P.
    0x0030:  4438 4e72 0000 5041 5353 20XX XXXX XXXX  D8Nr..PASS.XXXXX
    0x0040:  XXXX XXXX XXXX 0d0a                      XXXXXX..

The X'es mark and mask the spots of interest.

I could deduce a lot more from that capture about this person: name, hotmail address, another address that the person sent mail to, language etc., and of course the POP3 account name and password (which was really weak at that). It's a good starting point to compromise this person's workplace and/or identity.
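As an added illustration (not code from the original post), here is a small audit script for exactly this situation: it parses the tcpdump -X layout shown above, strips the Ethernet/IPv4/TCP headers, and reports whenever a POP3, IMAP or FTP USER/PASS command crossed the wire in cleartext, without ever returning the credential itself. The sample packet, its addresses and the function names are constructed for the example.

```python
import re

CLEARTEXT_AUTH_PORTS = {110: "POP3", 143: "IMAP", 21: "FTP"}   # cleartext login protocols to flag
CRED_RE = re.compile(r"^(USER|PASS) \S+", re.IGNORECASE)
HEX_LINE_RE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+([0-9a-f]{2,4}(?: [0-9a-f]{2,4})*)(?:\s{2,}|\s*$)")

# Constructed sample in the same tcpdump -X layout as the capture in the post: one client-to-server
# POP3 segment carrying "PASS s3cret123\r\n" (RFC 5737 addresses; the IP checksum is not recomputed).
SAMPLE_DUMP = """\
15:41:56.576060 IP 192.0.2.10.2944 > 198.51.100.5.110: P 34:50(16) ack 57 win 17464
    0x0000:  0050 e801 73b8 0015 0005 c9c5 0800 4500  .P..s.........E.
    0x0010:  0038 e983 4000 8006 4c70 c000 020a c633  .8..@...Lp.....3
    0x0020:  6405 0b80 006e c19c aab8 f24b 4815 5018  d....n.....KH.P.
    0x0030:  4438 4e72 0000 5041 5353 2073 3363 7265  D8Nr..PASS.s3cre
    0x0040:  7431 3233 0d0a                           t123..
"""

def tcp_payload(hex_lines):
    """Reassemble the frame from the hex columns; return (dst_port, payload) or (None, None) if not IPv4/TCP."""
    raw = bytearray()
    for line in hex_lines:
        m = HEX_LINE_RE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    if len(raw) < 34 or raw[12:14] != b"\x08\x00" or raw[23] != 6:   # EtherType IPv4, IP proto TCP
        return None, None
    tcp = 14 + (raw[14] & 0x0F) * 4             # IHL gives the IPv4 header length
    if len(raw) < tcp + 20:
        return None, None
    dport = int.from_bytes(raw[tcp + 2:tcp + 4], "big")
    data_off = (raw[tcp + 12] >> 4) * 4         # TCP data offset (header length in bytes)
    return dport, bytes(raw[tcp + data_off:])

def find_cleartext_logins(dump):
    """Return (timestamp, protocol, command) per USER/PASS sent in the clear; the secret is never returned."""
    hits, packets = [], []
    for line in dump.splitlines():
        if line and not line[0].isspace():      # a summary line starts a new packet
            packets.append((line, []))
        elif packets and line.strip():
            packets[-1][1].append(line)
    for summary, hex_lines in packets:
        dport, payload = tcp_payload(hex_lines)
        if dport in CLEARTEXT_AUTH_PORTS and payload:
            for cmd in payload.decode("ascii", "replace").split("\r\n"):
                if CRED_RE.match(cmd):
                    hits.append((summary.split()[0], CLEARTEXT_AUTH_PORTS[dport], cmd.split()[0].upper()))
    return hits
```

Run against a real `tcpdump -X -n` dump of your own uplink; any hit means a client on that machine is still authenticating without TLS or a VPN.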

It's really bad, and I'm pretty sure most business people that use the wireless access at airports don't realize that it really isn't enough to just encrypt HTTP traffic, they need encryption on everything. Use a VPN or something, then at least the most dangerous part—the public wireless part—of the route will be encrypted. And it's the thankless task of sysadmins to set this up for management everywhere. Private users are left out in the cold by vendors, and they generally don't have the necessary understanding or a sysadmin to help them.

Having spent quite some time in the last few days on the wireless network at SANE 2006 with nearly completely unfiltered public IPs (both IPv4 and IPv6) via DHCP—where people definitely sniff traffic—I've been pretty paranoid about always using encryption of some sort as soon as it wasn't just simple web-surfing without logins. It was satisfying to see that I really didn't need to modify my behavior: I encrypt all logins over the net, including both sending and receiving mail via gmail. Everyone should do it that way. I could have used VPN too, but that was unnecessary in my case, and it's also not the right solution.

Everything sent over the network in cleartext should be assumed sniffed by someone. But you know that already.

End of public service announcement.