Re: wireless woes in the triangle and beyond!

[Mark Rowe <mark () whatnot demon co uk>]

The Best Buy POS vulnerabilities reminded me of something I looked at in
the UK about five years ago. It was a retail application that used a
wireless system to perform credit authorisation requests. 

> From memory it was an APACS systems that used a wireless X.25 network
(Paknet). From what I could see the application sent all the card data
in the clear to the radio PAD (modem). Unfortunately this was deemed out
of scope of the review and it was just raised as an area for further
investigation. I never had chance to investigate this further :(

Has anybody else looked at this or does anyone know anymore about the
system?

In article <Pine.GSO.4.43.0205282136480.12563-100000 () tundra winternet co
m>, Ron DuFresne <dufresne () winternet com> writes
>                   There Are No More Secrets
>
>                       Ron DuFresne <c> 2002
>
> A few weeks ago Best Buy was embarrassed throughout the country with the
> finding that it was using POS <point of sales> cash registers that worked
> with wireless technology to cash various customers out when making
> purchases.  What was so humiliating for them was the discovery that these
> POS systems had been installed and implimented without any sense of
> security.  There was no encryption enabled with these devices so they
> transmitted customer information via the airwaves to anyone that wished to
> capture it with the various techniques many people are now employing to
> "map" wireless networks and security issues.  This customer information
> included credit card information.  Nasty hackers could indeed use this
> information for various fradulent activities.  This breach of customer
> privacy was deemed serious enough when it became highly visualized via the
> vuln-dev mailing list, maintained by Blue Boar, off securityfocus.com.
> The flurry of correspondence on this list resulted in the media picking up
> the information and running with it also.
>
> http://www.msnbc.com/news/746380.asp
>
> This ended up by prompting Best Buy to make changes to the cashiering
> systems as was noted in their response to one of the lists posters that
> apparently made direct contact with Best Buy management:
>
>
>
> Thank you for contacting Best Buy's corporate headquarters
> with your concerns.  Regarding this issue, Best Buy has
> deactivated our temporary wireless cash registers that
> transmit information via LAN connections.
> These registers are not Best Buy's main register terminals
> and represent a small percentage of the transactions
> processed within our stores.  Please be assured that
> customer privacy is of the utmost importance to Best Buy and
> we will further investigate this matter.
>
> We do appreciate your taking the time to share your concerns
> with us.
>
> Respectfully,
> Alex Reynolds
> Contact Center Escalations
> Best Buy Enterprise Customer Care
>
>
>
> Now, it had been suggested in the vuln-dev mailing list that Best Buy was
> a single example, and just the tip of the iceberg, as anyone looking into
> the issues of wireless implimentations and issues via their own sniffing
> and the various wireless mapping projects accross the US have laid bare.
>
>
> http://sysinfo.com/wire1.html
>
>
> The above paper cites some wireless mapping work in the NC Research
> Triangle Park area by local resident Alan Clegg, with direct links to his
> mapping efforts.  Recently Mr. Clegg contacted this author via e-mail
> concerning another thread in the firewalls security mailing list hosted by
> gnac.net, on another wireless related topic, to let us know that in the
> RTP area, he had mapped both Petsmart and CVS Pharmacies using wireless
> technolgies without any encryption enabled.  Whih starts to expose more of
> the proposed iceberg syndrome to light.  Granted, WEP, Wired Equivalent
> Privacy, is not the best, it can be broken, but, it takes far more effort
> then clear text flowing through the airwaves avialable to anyone with a
> few hundred dollars worth of equipment to pick it up like one might grab
> police calls with a scanner.  If wireless is going to be used, it should
> at least function in the most secure manner avaailable, anything less
> demonstrates not only a lack of understanding, but, in cases like these a
> complete failure of corporate institutions to take even minimal care with
> the private information of their customers.  Petsmart, following along the
> heels of the embarassment and humiliation of Best buy in letting credit
> card information flow freely into the airwaves is bad enough, but, CVS
> Pharmacies, soon to be tasked with HIPPA <Health Insurance Portability
> and Accountability Act> compliance early next Spring demonstrates at the
> best careless indifference to those they are serving.  The Standards for
> Privacy of Individually Identifiable Health Information are designed to
> help guarantee privacy and confidentiality of patient medical and
> insurance information.  Those who miss the deadline for compliance face
> steep fines and Federal criminal penalties.  The glaring exposure of
> customer information by companies and health related organizations like
> CVS Pharmacies is a glaring deficiency and total disregard of very
> sensitive customer information.  And yet the iceberg of such negligence
> in wireless rollouts is still but a shadow of the issue of private and
> finacial information leakage many are suffering already, without much
> awareness of the fact.
>
>
> http://www.symbol.com/news/pressreleases/pr_foodndrug_cvs.html
>
>
> The various vendors marketing wireless toys are not blameless either.  In
> fact a large burden of the blame for leakage of information and the
> vulnerable systems being pushed into place by companies like Best Buy and
> Petsmart, as well as CVS and others relates to how they distribute their
> wares.  They do so with the most insecure "plug and pray" configurations
> possible, most often with documentation about how to try and secure these
> toys burried deep in their distribution media.  Until vedors take some
> sense of responsibility and force their customers to shoot themselves in
> the foot, rather then pushing out products that are configured in a manner
> whence their customers are shot in the head from the point of
> installation, we will continue to have some very exploitable setups by the
> less clued network folks these vendors are making their money from.
>
>
>
> Additionally see, note the terms 'opt' when they document configuration
> issues at the site, as well as targeted customer categories listed, then
> wonder where *your* private information might be leaking from:
>
>
> http://www.symbol.com/products/wireless/wireless_sp24_11mbps.html
>
>
> ...
> AP 41X1 Access Point Series
>
> It's known as the intelligent access point. Built beyond defined
> standards, the AP 41X1 integrates features only possible from
> the wireless engineering experts at Symbol. Advanced algorithms
> prioritize data, voice and multimedia transmission for uninterrupted,
> quality service. An embedded HTTP server allows administrators to use any
> Web browser to monitor performance, change configuration, and run
> diagnostics on any AP 41X1 from anywhere on the network. Antenna options
> provide maximum range and throughput to support application
> requirements with coverage up to 300 ft./90 m indoors and 1500 ft./460 m
> outdoors and will support up to 256 clients as well as Simple Network
> Management Protocol (SNMP).
>
> ...
> WEP Encryption for High-Speed Security Wired Equivalent Privacy (WEP)
> encryption combined with access control lists and domain identification
> features provide powerful user authentication and data encryption and
> decryption capabilities for data security. Wireless clients may also
> opt to use 128-bit encryption keys and the RC4 algorithm to further
> encrypt the wireless portion of data transmission.
> ...
>
>
>                   Retail
>
>
>                    Healthcare
>
>
>                    Hospitality
>
>
>                    Education and Corporate Training
>
>
>                    Manufacturing
>
>
>                    Government
>
>
>                    More Flexible Office and Public Space Environments
>
>
>
>
>
>       Thanks;
>
>               To Alan Clegg for the mapping info and heads up to these
>               sites, as well as their wireless vendors.

-- 
Mark Rowe
IT Security Consultant
PenTest Limited

Office  +44 (0)1565 830990
Fax     +44 (0)1565 830889
Mobile  +44 (0)7813 803929

mark.rowe () pentest-limited com

www.pentest-limited.com