Wireless internet hotspots are a bit of an obsession for me at the moment, since almost everywhere I go, my iBook goes too. I've got into the habit of bringing the iBook out whenever I sit down in a café or pub or whatever, just in case there's an access point somewhere nearby.

Access points seem to be big business. Or, rather, they seem to be hopelessly small revenue streams controlled by big businesses, and I never actually see anyone using them. It must be true, because tcpdump tells me so.

This is highly annoying. The network is there, but I can't use it. Not unless I pay for it, and I'm not going to bloody well pay for it. Firstly, they charge far too much, and I've already paid for my internet access thank you very much. Admittedly that little bit of cable is at home, and I didn't bring the cable modem with me. The point still stands: I'm not going to pay for access twice.

Secondly, and I feel this is the most important point, the charging models are all wrong. I'd even go as far as to say 'insane'. Take this Starbucks T-Mobile hot spot, for example. For an hour's access, they'll charge me £5.50. That, my friends, is insane. Firstly, it's an insane amount of money for an hour of access, with of course no quality of service guarantees. Particularly if you consider how absolutely minimal the actual cost of providing this service is. Secondly, I see few enough access points to know that if I happen to buy a day's worth of internet access from one of these providers, I'm basically going to have to stay in the same place all day. I know of one other T-Mobile hotspot in the city, and that's also a Starbucks. I'm not going to spend all day in Starbucks, damnit. The same applies for every other access provider, just with slightly different café names.

The only time that anyone gets it 'right', IMHO, is the Jolly Judge, where they happen to have broadband for their own purposes, and have opened up the network for free to customers or anyone walking by. The access is free, the beer cheap, and the atmosphere friendly and comfortable. Offer me that, Starbucks, and I might come in here more often.

But a random thought crossed my mind the other day while I was pondering the security of WEP and the signup methods for these services.

If you've never been through the process, you probably don't know what's involved in signing up for wireless access with a hotspot provider, so I'll go over it briefly.

The first thing to note is that the network always runs 'open': there is no access restriction on joining and no encryption, so Random Joe User can associate with the network and begin signing himself up over it. When he starts his web browser, the access provider redirects http requests for any address to its own signup server (a captive portal), and Joe then signs up by entering his credit card details over https.

Since it's an open network, Random J03 H4xxx0r can snoop on any network activity using a packet sniffer. Of course, this doesn't let them steal your credit card number, because that information is encrypted: it's transferred via https. No opportunity for stealing credit card details there, at least not by passively sniffing.

But a thoroughly evil thought crossed my mind. There's at least one other way to steal credit card numbers using wi-fi. Almost completely untraceable, and I'm surprised nobody's tried this before. Or rather, that I haven't heard of anyone trying it before.

Many 802.11 cards and drivers can run in master (access point) mode and broadcast a network of their own. Setting up the basic IT infrastructure for one of these wireless network access providers isn't at all challenging; a simple packet-filter redirect rule is all that's needed to do the redirect-to-signup-server trick. The practical upshot is that it's remarkably easy to pretend to be the signup server for a wireless access service. Hell, my iBook could do it easily...

Ingredients:

  1. One laptop with 802.11 interface
  2. Web server such as Apache (or IIS if you're unfortunate enough to be running Windows)
  3. packet filtering software (BSD's ipfw, for example...)
  4. Complete dumps of the web pages for the signup process of a respected hotspot access provider.
  5. Just enough script-kiddie-fu to log credit card numbers from the signup form post. The catch is the certificate: the fake server can't present a certificate for the provider's domain that the victim's browser trusts, so either the form has to go over plain http or the browser will throw up a certificate warning. The padlock and the certificate behind it are the only things that distinguish this from the real thing.

Method (without going into too much detail... I don't want people actually trying this):

  1. Set up the wireless interface in master mode as an open network, with an SSID similar to the one your hotspot provider uses.
  2. Set up ipfw to redirect (fwd) any port-80 traffic arriving on the wireless interface to your own machine's web server.
  3. Set up your default page to look like the signup server.
  4. Set up your credit-card-logging script to respond with something reassuring like 'The network is currently suffering technical problems. Your credit card has not been charged.'
  5. Wedge the laptop open so it doesn't sleep, and leave it running in your rucksack.
  6. Go for coffee, preferably somewhere busy, full of yuppies, and without wireless access of its own, so there's no genuine network competing with yours.
  7. Profit!
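The client-side counterpart to step 1 is the only check a café user can do without the provider's help: look at what is actually being broadcast around them. The following is an added example, not part of the original write-up, that runs a lookalike-SSID check over a constructed scan listing. The provider SSID 'tmobile', the vendor prefix 00:0c:41 treated as the provider's 'known' OUI, and every BSSID and channel in the listing are assumptions made up for the illustration.

```python
from difflib import SequenceMatcher
from typing import NamedTuple


class Network(NamedTuple):
    ssid: str
    bssid: str
    channel: int
    is_open: bool


# Constructed scan listing, roughly what a scan tool prints in a busy café.
# Every SSID, BSSID and channel here is made up for the example.
SCAN = [
    Network("tmobile", "00:0c:41:aa:bb:01", 6, True),   # provider AP, assumed genuine
    Network("tmobile", "00:0c:41:aa:bb:02", 11, True),  # second AP of the same provider
    Network("t-mobile", "00:30:65:12:34:56", 1, True),  # punctuation variant of the name
    Network("JollyJudge", "00:02:2d:77:88:99", 6, True),
    Network("tmobi1e", "00:30:65:ab:cd:ef", 6, True),   # digit 1 standing in for the letter l
    Network("tmobile", "00:30:65:de:ad:00", 6, True),   # exact SSID, unfamiliar vendor prefix
    Network("homenet", "00:11:22:33:44:55", 3, False),
]

# Characters that are routinely swapped to make a name look the same at a glance.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": "", " ": ""})


def normalise(ssid):
    """Lower-case the SSID, drop separators and fold look-alike digits onto letters."""
    return ssid.lower().translate(_FOLD)


def similarity(a, b):
    """Similarity in [0, 1] between two SSIDs after normalisation."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def oui(bssid):
    """First three octets of a MAC/BSSID, i.e. the vendor prefix."""
    return bssid.lower()[:8]


def suspicious_networks(scan, known_ssid, known_ouis, threshold=0.8):
    """Return (network, reason) pairs for every access point that resembles the
    provider's SSID but either spells it differently or is beaconed from a BSSID
    whose vendor prefix the provider is not known to use.  BSSIDs are settable in
    software, so the second test only catches the lazy version of the attack."""
    findings = []
    for net in scan:
        score = similarity(net.ssid, known_ssid)
        if score < threshold:
            continue
        if net.ssid != known_ssid:
            findings.append((net, "lookalike SSID (similarity %.2f to %r)" % (score, known_ssid)))
        elif oui(net.bssid) not in known_ouis:
            findings.append((net, "exact SSID from unfamiliar vendor prefix " + oui(net.bssid)))
    return findings


if __name__ == "__main__":
    for net, reason in suspicious_networks(SCAN, "tmobile", {"00:0c:41"}):
        print("%-12s %s ch%-2d  %s" % (net.ssid, net.bssid, net.channel, reason))
```

Run as-is it flags the three planted entries: the two misspellings and the exact-name AP with the wrong vendor prefix. The vendor-prefix test is deliberately the weaker of the two, since the BSSID is just a MAC address and can be set to anything, which is the same point the traceability paragraph below makes from the attacker's side.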

Obviously, this is evil and illegal, but that doesn't usually stop people. Particularly when it's completely untraceable. The only way it could be traced over the network is if someone happens to log your MAC address and someone else knows who that MAC address belongs to, and a MAC address can be changed in software anyway. What's left is the old-fashioned trail: being physically in the café, and whatever happens when the card numbers are eventually used.

Makes you think, doesn't it?
