January, 2008
Updated with new stats May, 2008
Layout updated July, 2008.
Preamble
Reason
Method
General audit observations
Wireless Results
Exemplar Data
Full wireless stats
Wireless Conclusions
Bluetooth
Bluetooth Observations
Bluetooth Device Listing
Conclusion
So, about a year ago, TJX corp. announced that unknown persons had entered their corporate network and had made off with at least 45.7 million credit card numbers, half a million drivers license numbers, and untold amounts of their customers personal information. The estimated cost of the breach is in the range of hundreds of millions of US dollars. It is believed that part of the initial access was gained through a poorly secured wireless access point in St. Paul, Minn.
With all the press coverage of the breach and the personal experiences of those who's numbers were pilfered (credit checks, new cards issued, etc) as well as the sheer financial harm to the company from bad press, should be enough to get the attention of even the most Luddite of CEO's and store owners.
With the holiday season around me and the rampant orgy of consumer spending that was occurring nearby at one of the worlds largest shopping malls, I took it upon myself to conduct my own study of retail, and consumer wireless security during the busiest shopping time of the year. My target was West Edmonton Mall, one of the largest retail malls in the world.
This report details my methods and results. Information that directly identifies weak static targets will be withheld or scrubbed out of respect and to give retailers a chance to secure themselves. This report was also sent to mall administration 1 week before public release so as to give those stores some time to react. No comments were raised.
Beyond the tenants of responsible disclosure, this report hopes to be a frank and frightening look at how poor retail security is during the 2007 holiday season
The reason for this project are simple; With the volume of information about the TJX breach that has been in the news and the general knowledge that wireless networks have security problems, are consumers being properly protected by retailers. The season being what it was and my proximity to a very large test bed, it was an easy and obvious choice to do this.
On the flip side, I also wanted to see what consumers knew about security of their bluetooth devices, namely cell phones, PDA's, etc. For such a test you need a large group of people. I know of no other than holiday shopping crowds at West Edmonton Mall.
The huge transient population of the mall and the shopping mecca that it is, gave a brilliant test environment for both parts simultaneously; to scan retailers wireless networks for poor security, and to scan the shopping crowds for discoverable and potentially vulnerable bluetooth devices.
My goal is to raise awareness about the multitudes of targets that present themselves to even the most pedestrian of thieves with a little technical know-how
The method was simple. An ordinary laptop running Ubuntu Linux was put into a backpack. The laptop ran Kismet to scan the wireless networks and BTscanner to scan for discoverable bluetooth devices. Both programs are commonly used to conduct audits for rogue devices and sources of interference and are both open source and available to all
The backpack was carried in rough laps around the mall to cover as much space on each level as possible for as long as the battery held out (3-4 hours).
The laptop used it's internal atheros based wifi card with kismet for the wireless network scanning, and a Linksys USBBT100 Class 1 USB bluetooth adapter in the side USB port of the laptop poking out the top of the bag.
Behaving as an ordinary shopper, I went out on several occasions to collect data. December 12th in the evening for several hours, December 22nd for several hours in the evening, and December 23rd in the afternoon to followup on previous results for about 4 hours
Once each run was taken, the data was saved and analyzed later
Kismet logs were parsed for obvious store names as SSID's and weak security settings (i.e. open or WEP).
BTscanner logs were combined and aggregated to generate some numbers about possibly vulnerable phones and devices
At no time were any devices accessed. The entire audit was designed to make sure that no damage was done. Kismet only picks up packets broadcast on a public frequency, and BTscanner communicates and queries devices for feature support based on standard bluetooth discoverability protocols. Your bluetooth PDA probably interacts more with devices in a day in more ways than I did.
General audit observations:
Several things were observed while collecting the data:
First: West Edmonton Mall is a very huge place. Covering 48 square
blocks, it's alot of ground to cover and it really hurts to walk it all
several times with a heavy coat and backpack.
Second: Christmas shopping at West Edmonton mall is an insanely hectic
thing. The sheer amount of people and spending going around you is quite
overwhelming.
Third: Laptops is unventilated backpacks with running get very hot
against ones back while wearing them
Fourth: If you look like your want to spend money, No one will ask
anything about the odd blinky thing sticking out of your backpack (or why
you are wearing a backpack with a trench coat)
Fifth: Santa Claus is apparently wireless enabled
Sixth and Final: Even though Edmonton is a rather remote place by alot of
standards, the data collected is probably indicative of other large retail
malls around North America.
Wireless Results:
Having lived in Edmonton all my life, I knew that the mall had a great deal of wireless. Several times before I have attempted to map this without success. This was the best effort to date.
The mall is a very busy place when it comes to wireless. The mall itself offers their 'wemisphere' network through all corners of the mall. This is their pay for play service offered throughout the mall and their web site. The SSID for that service is "WEMiSphere".
The Fantasyland hotel, which is attached to the mall, offer's guest wireless Internet access through a fairly large part of the mall. The SSID for this network is "FLHGuest". Both are open to connect but limit access to the Internet at large to paying customers (captive portal). There is another wireless network running throughout the mall that appears to be for security personnel and administration or for the waterpark. This network had the SSID "T5wpk" and was secured with WPA. The all is owned by the "Triple Five" group, T5 is obviously a reference to this.
All 3 of these networks are known to the mall and therefore are not a part of this audit, their presence is not the focus of this report, though the use of the unencrypted networks for anything important is a good subject of another study.
What is the focus are the 250+ other wireless networks and devices that were detected during the course of collection that presumably are under the control of the individual stores and not the mall administration.
The assumption was made that a wireless network in a retail store that was not obviously for public use (i.e. used encryption and had no signage indicating it's presence) was for staff use only. A further assumption is that such a network has some level of corporate data going over it at the least (i.e. inventory levels, hand scanner queries), and at most it would have customer personal information and payment information (credit card numbers and full customer records).
With these assumptions, a huge number of the detected networks were for company use only and not for public, yet they betray their presence, use poor security, and contribute to the general RF 'noise' of the mall.
While many networks were running WPA/WPA2, a surprising number were running either open or with WEP. WEP has several flaws that using easily accessible software, an attacker could recover the encryption key in as little as 60 seconds, granting them access to all the data going through the air for that network.
Names withheld to protect the vulnerable
The first example is a network that contains a doctors name. It is a medical office in the mall that likely has patient data traveling over it and is only using WEP encryption. Alberta has some of the strongest privacy legislation around and disclosure of medical information, no matter how small, can be subject to steep fines.
One is a company that sells security equipment. This company has many signs advertising video surveillance systems for sale around the store but their wireless network is using WEP. They might care to expand their knowledge base.
An international agency that surely deals a great amount with the personal information of young women on a regular basis is using WEP.
A camera retailer that may have transaction data in the air at worst, or just inventory data on expensive merchandise that could be manipulated.
A union that seems to be co-located with their members employer is using WEP. The data going over that network would likely be of some interest to all sorts of parties.
A computer retailer who likely uses the wireless to provide network access to their location, which would be difficult to run a wire, I will admit. However, as they are running WEP only, transaction data is surely going over that link and could be intercepted. As well, access to that network could leverage well into access into the corporate network.
Another retailer that almost certainly uses wireless to avoid running cables to their unique location is running WEP as well. Access to this almost certainly gives some if not all access to transactions for that location.
A health and beauty services provider that is running an open network. One can only guess at what could be going through there.
A beverage company that appears to have a great deal of transactions going over it's WEP encrypted network given the amount of packets going by.
A perfume retailer with multiple locations that seems to have set up their network in a hurry and is only using WEP.
Another health and beauty provider that is only running WEP. Client data may or may not count under privacy regulations as medical information, but I would not want to find out the hard way.
A major theater in the mall has 2 access points running just WEP. transaction data may be on there, but I'm sure that someone who recovered their WEP key would not be appreciated on their network.
Several cellular phone retailers were noticed to have WEP encrypted, or even wide open networks. These may have been for public consumption with the latest generation of wifi enabled phones, but I would be curious to know if it is completely separate from their PoS and corporate system.
Full stats of the data found is available here
There are literally hundreds of networks in the mall that are within the control of individuals stores. Some seem to have a very good corporate policy in place. They are running WPA2 and likely have someone looking after them on a regular basis. Others, it seems, have been installed insecurely and are not being properly maintained or addressed by corporate policy in a very long time.
These networks are a threat to the retailer and the consumer. A lightly equipped attacker could easily blend in with the crowd and compromise the wireless network of one of these locations, giving them access to the transactions for that store and all the credit card fraud that represents. Even worse they might obtain a foot hold into the corporate network to much bigger cache's of data, just as happened to TJX.
The mall administration has no right to tell it's tenants how to run their business or network beyond anything that effects the malls operation. However, if something did happen, the location would be named as 'West Edmonton Mall' and all the negative attention that would bring. It may be in the best interests of the mall administration to regularly check the mall airspace as a 'good neighbor' and send out notices to stores who's settings are a cause for concern. This at least gives low level employees something to pass up the food chain to get it addressed and leaves the mall doing some due diligence. It's likely that the mall already has the capacity to do this anyways as part of their maintenance and tuning of the wemisphere and FantasyLand Hotel's networks.
The Bluetooth portion of the scan was meant to offer comparison data to the Bluebag project performed in Europe at airports and train stations. North American mobile phone usage and technology differs greatly and it was of interest to see how things compared.
It would appear that North America is catching up to European bluetooth usage
In all, over the span of 3 days, 434 Bluetooth devices were discovered.
The List of discovered devices is available HereThis number, while nowhere near the European numbers from the Bluebag project, shows that Bluetooth usage is very quickly being adopted over here.
Sadly there is no data saved in the logs about the capabilities of each device and what services it advertises, however one can expect a certain percentage of a large sample such as this to be vulnerable, particularly any that have a default model name being advertised.
There are many possible vulnerabilities for these devices. The usual bluesnarfing attacks to obtain SMS messages and phonebook entries are possible. Further it may be possible to issue AT commands to the phone and have it dial expensive toll numbers, unknown to the owner of the phone, raking up high charges on phone bills to be paid out to the attacker.
It seems that to answer the question, "Has anyone learned anything from TJX", the answer is "Not enough have". A great many retailers in one of the largest malls in the world are running very poorly secured wireless that put customer data at risk, along with company assets and intangibles like reputation.
This survey was done with very simple tools that could likely be found and purchased at the mall. It is not unrealistic to expect that persons with criminal intent could abuse the stores weak security for their gain, if they are not already. As well, given the huge amount of transactions that occur per minute during the holiday season, entry into the corporate network would be very valuable and possibly not noticed until much later, at which point the bad guys are in the wind.
Both retailers and customers should be aware of the risks of wireless devices and do what they can to protect themselves and their mutual information