Wireless networks/Default Admin username security problem in Croatia
There are two quite common practices used in Croatia that have left a huge
number of users wide open to attacks. I presume that, if you look around,
you might find one or both in your general vicinity.
The first one is that computer "manufacturers" in Croatia always choose
one of a dozen default usernames while installing Microsoft Windows for
their customers. They rarely, if at all, change the username, so a lot of
people get their boxes with the same Administrator login. To make things
worse, all of those accounts have a blank password and automatic log-in, so
the end user doesn't have to think about it. Real plug-and-play
technology, isn't it?
Note that some of them ship Linux as well, and the same story goes for the
root user, making a Linux box just as secure as its Windows neighbor. While
we might think that a Linux box will either be replaced with a pirated
Windows installation or have a user that knows a little bit about security,
we just don't know how many open Linux boxes there are. But, given the
growing popularity of Linux among ordinary people, it is wise to presume
that this might not be an insignificant number.
Windows users en masse don't care about the security stuff; they just power
up the computer and start working. So we have a whole lot of Windows boxes
and probably a big pile of Linux boxes that are really easy prey for 0wn4ge.
There's no easy remedy for that - "manufacturers" don't really care about
this, so it is up to the end user to protect herself. And we all know that
everyone is security aware, don't we?
The second problem is that the largest Croatian telecom company, T-Com (used
to be Croatian Telecom until our politicians sold the majority of shares to
Deutsche Telekom), is advertising their aDSL/WiFi combo, in fact an ordinary
DSL line with a wireless router at the user's premises.
The trouble here is that T-Com does nothing more than connect the
hardware and make sure it is working, leaving the end user with a wireless
network that happily broadcasts over an unsecured channel.
Now, let's put these two together: we have a whole lot of users in Croatia
that bought their PC from a "manufacturer", never bothered to change the
administrator password, let alone the username, hooked on a wireless network
that is both unencrypted and open to access by anyone who is in radio
range and knows the mysteriously secret default SSID "ConnectionPoint"
that is being broadcast by hundreds of APs just in the capital city of
Zagreb.
So, what we have here is a lot of clueless people that might have a problem
with any or all of these:
- anyone in range can connect to the WiFi network and surf (probably
unnoticed), to the great surprise of the poor user who gets the DSL bill
at the end of the month (and our DSL rates are HUGE) - affects both
Windows and Linux users because it's got nothing to do with the PC, but with
the AP;
- since there's just a dozen default administrator usernames and none of
them has a password associated with it, it is child's play to hook on
the wireless network and connect to the user's computer (that DOES include
Linux guys who didn't bother to change the password) and wreak havoc - steal
banking info, stored PINs and passwords, delete or modify data, etc. -
affects both Windows and Linux;
- an intruder can inject a virus on the user's computer, effectively hiding
his point of entry - the one that goes to jail would be the poor uneducated
user - affects Windows and theoretically Linux as well, given the number of
Linux viruses spotted in the wild (but it does make an excellent petri dish
for Linux viruses, due to the fact that it is so easy to get root
permissions);
- an intruder can use the network or computer to spam around, to his own
enjoyment and the horror and huge DSL bill of the user; oh, and the wrath of
the spammed will be felt by the user, of course... :-) - affects Windows
and Linux;
- last, but not least, it is possible to war-drive around and seed clients
to be used as DDoS drones later. In fact, it can be scripted, so you just
have to drive around, and the script will discover the network, log on to it,
try all of those dozen default administrator usernames for you and, if
successful, seed the drone, then go on searching for the next victim.
In that case, the user might never discover that he's hosting a parasite -
affects mostly Windows but Linux is not invulnerable to this either.
We have released a security advisory (18.1.2005.) regarding these issues, as
well as a step-by-step description of how to protect yourself by changing
the administrator password and securing the WiFi network.
http://www.opsus.hr/index.php?folder=69&article=78
We have sent a message to the Croatian "Office for e-Croatia" as well, for
these vulnerabilities might severely interfere with their project of having
100.000 broadband users in Croatia by the end of this year (note: Croatia
has just about 4.5 million citizens and transition - anyone who is living
in a country in transition will understand my point). So far we haven't
heard back from them.
T-Com has issued a warning to all their WiFi customers at the beginning of
February as well, providing them with the advisory on how to protect their
network
http://www.t-com.hr/privatni/internet/pristup/wlan/sigurnost.asp#
that looks a lot like our own advisory.
However, their advisory is slightly flawed - their advice is to let the AP
collect all the MAC addresses it can see, while our advice is to enter MAC
addresses one by one, for if you use the automatic collection and there's
already someone piggybacked on your network, and you don't really know
what you're doing (we're talking about Hrvoje Average here, remember), it
is easy to enter the attacker's MAC address in the list as well. Taking the
PC Card out of its slot and reading the MAC address from the back of the
card is more work, but much, much more secure in this case. Not to mention
that an ordinary household will have just one or two computers.
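
The check behind that advice, as an added example (not part of the original
advisory or of T-Com's): the addresses read off the cards are the only trusted
input, and every entry the AP collected on its own is compared against them.
All MAC values are constructed from the RFC 7042 documentation range, and the
function names are hypothetical.

```python
import re

# Constructed sample data (RFC 7042 documentation MAC range), not from the post.
# TRUSTED: addresses read off the back of each card, in whatever format is printed.
TRUSTED = ["00-00-5E-00-53-0A", "0000.5e00.5314"]
# LEARNED: what the AP's automatic collection put into its filter list.
LEARNED = ["00:00:5e:00:53:0a", "00:00:5E:00:53:C7",
           "00:00:5E:00:53:0A", "00:00:5e:00:53"]


def normalize_mac(text):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[\s:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_filter(learned, trusted):
    """Sort the AP's learned entries into keep/remove against trusted MACs."""
    known = {normalize_mac(t) for t in trusted}
    if None in known:
        raise ValueError("a trusted entry is not a valid MAC; re-read the label")
    report = {"keep": [], "remove": [], "malformed": []}
    seen = set()
    for entry in learned:
        mac = normalize_mac(entry)
        if mac is None:
            report["malformed"].append(entry)  # never trust what cannot be parsed
        elif mac not in seen:
            seen.add(mac)
            report["keep" if mac in known else "remove"].append(mac)
    # Household devices the AP has not seen yet still belong in the filter.
    report["missing"] = sorted(known - seen)
    return report


if __name__ == "__main__":
    for verdict, macs in audit_filter(LEARNED, TRUSTED).items():
        print(f"{verdict:9} {macs}")
```

Entries under "remove" are addresses the AP learned that match no card in the
household, which is the piggybacker case described above.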
One note: T-Com does provide the end user with a manual for their WiFi
network that has all this security stuff inside, but their mistake was to
count on the end user to take care of security, which is, as you all know,
a dream.
It is hard to find a remedy in this case. It is almost impossible to force
"manufacturers" to stop using the same administrator login/blank password
in production because it takes a little bit longer to set up a computer
and might increase problems with the customers who forget their passwords,
so it cuts into their profit margin.
It might be possible for T-Com to take more care about security while
installing WiFi hardware for the end user (and we did advise the Office for
e-Croatia to try to push T-Com to do security for the end user). This
cuts into their profit margin as well, but since they earn about
1.000.000$ each day from their GSM service (honestly!), a few thousand
bucks more spent on having the end user secured immediately after the
installation of WiFi hardware is both good for the company image (they
should really work on it, given their popularity) and of extreme
importance for the growing IT infrastructure in Croatia.
The last option is to have people educated. The government is doing
something about it, but it is too little, too late. We're still struggling
with getting the majority of people to understand why they get all sorts of
adware and dialers; this might be overkill for them. However, the only real
solution is to educate people. Slim chances.
--
Radoslav Dejanović
Operacijski sustavi d.o.o.
http://www.opsus.hr