Attacks/Breaches
9/10/2007
09:45 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Hacking the White House

War walk around the President's house exposes some interesting vulnerabilities outside the fence, but solid defenses inside

I'm sitting with Richard Rushing, chief security officer of AirDefense, on a stone bench that sits neatly between the White House and the U.S. Treasury Building. As we both look intently at the laptop on Rushing's lap, a three-foot Radio Shack antenna protrudes from his briefcase, pulling in transmissions from both of these carefully-secured national institutions.

Yup, we're "war walking" the White House. We're looking for wireless networks that are open to hack. (To see a photo of Rushing and his antenna, see Figure 1).

Figure 1: Richard Rushing
AirDefense CSO Richard Rushing stands in front of the White House. The white box hanging out of his briefcase is the antenna used to war walk the grounds.

As we sit, scanning the IDs of dozens of wireless networks in the area, the shadow of a uniformed White House security officer falls over our screen. He's the first one to notice our antenna, even though we've passed at least eight officers on our walk so far.

Damn, I'm thinking. Now we're in for an hour of police questioning, or maybe worse. I wonder when I'll get home tonight?

"Excuse me, gentlemen," the officer says politely. "I don't mean to interrupt, but what is that device you have there?"

Rushing, a trained penetration tester and ethical hacker, doesn't try to hide anything. "It's an antenna," he says.

The officer frowns for a moment and looks at the antenna more closely. Then his face brightens. "Cool," he says. "Nice. Thank you." And without another word, he turns and walks away, crossing the street.

And that, folks, is the only time anybody stopped us. We walked the entire White House grounds, circling the Old Executive Office Building and the Treasury. We passed at least 20 security officers while Rushing pointed the wireless antenna out of his briefcase (it's that little white box you see in the photo). Several officers appeared to notice it; only one of them said anything.

It could be that they knew what we were doing and didn't care, confident in the White House's wireless defenses. Or it could be that they saw it and didn't know what they were looking at. Either way, it didn't make me feel more confident in the security of our national institutions.

As it turned out, however, the White House's wireless defenses -- at least inside the fences -- were pretty sound. On a one-hour walk around the grounds, Rushing was able to collect data on 104 wireless networks. The antenna discovered 66 wireless access points, and roughly 90 stations connected to them.

About half of the networks were unencrypted, and many of them were using WEP, an early wireless security technology that has been proven vulnerable on numerous occasions. But we weren't able to decipher any IDs or addresses belonging to White House staff -- most of the "open" connections belonged to hotels, coffee houses, and law offices in the surrounding neighborhood.

If President Bush was sitting on his bed, surfing ESPN via a wireless connection to get ready for his fantasy football season, we couldn't tell -- not from where we were sitting, anyway.

Despite our failure to intercept Laura Bush's personal email, Rushing's war walk did provide a number of lessons for enterprise network and security managers. Rushing, who is on a mission (along with many of his AirDefense colleagues) to show organizations how vulnerable their wireless networks can be, showed me some obvious flaws -- and potential hacks -- that many companies may fall prey to in the near future, if they haven't already.

At the Treasury building, for example, we pick up the faint trace of a user accessing an EV-DO wireless broadband network, bypassing both the building's wired network and local WiFi. Many employees are taking to using their personal EV-DO cards at work so they can use Websites or applications that aren't allowed on the corporate network.

"Some people think they're doing the company a favor by using EV-DO, but once you're on the Internet, you're still subject to any attack on the Web, and you're using a machine that you're planning to attach back into the company network, if you're not connected while you're sitting at the desk," Rushing observes. "You're still bringing risk to the company, if you're not following policy."

Rushing brings up the access screen for a local law firm which offers unencrypted guest access via WiFi. "Here, all you have to do is crack the password and you're in," he says. "That's not enough security." About 70 to 80 percent of the rogue access points that AirDefense uncovers are created by "guests," usually consultants or other business partners who are onsite and looking to get out to the Internet or their own company's network.

"Occasionally, we see consultants connecting to another client's network while they're on site with the primary client," Rushing laughs. "Talk about double dipping."

Later, Rushing shows me how easy it is for a phisher to duplicate one of these internal "guest" log-in screens and grab all the traffic from an unsuspecting client. "I'm surprised we don't see more of that."

After we pass the White House press room, we pick up a network called "ABC Wireless LAN," quite possibly a WiFi connection established for the use of reporters and camera crews onsite. "Some companies will have a mobile WLAN setup that they use when they deploy groups of employees out in the field," Rushing notes. "Often, they're not doing enough to encrypt them, or at least disguise them so that an attacker can't find them so easily."

Rushing also shows me how wireless networks and devices are often misconfigured. We pick up several Hewlett-Packard printers, which ship with a WiFi capability that many companies don't bother to turn off when they're installed. "They plug it in and it works, and they don't bother to read the rest of the instructions," he says. "But a printer can be a point of access into the network, just as a PC can."

In another network, the IT administrator has done a good job camouflaging the name of the network and protecting the primary access point with a strong password. But many administrators don't understand that their "secondary" APs, such as those in conference rooms or office floors, may be listed by name ("first floor conference") in sub-fields of the WLAN software, and are just as accessible as the primary AP.

"When you do wireless, you have to give up your wired network thinking," Rushing warns. "You can't designate one AP as the main point of access and put a firewall in front of it, like you do in a wired environment. Every AP in a wireless network is equally vulnerable. And you can't practically put a firewall in front of all of them."

A wireless network can be entered through any access point that can be found with a simple Radio Shack antenna, such as the one we've been using on the White House grounds, Rushing says. "In fact, in most businesses, it's actually easier, because I can war drive into the parking lot and collect data on any network that's within 100 yards or so," he says. "And any AP in the building could be my point of entry."

To prove his point, Rushing later pulls up WIGLE, a war drivers' database that contains information on some 2.8 million wireless networks and access points that have been mapped by hackers and hobbyists around the world. WIGLE provides much of the same antenna-generated data that we've just collected at the White House -- only it's also got a map function, so you can see exactly where the APs are in your area -- and which ones are unprotected.

"Kids are adding to WIGLE all the time -- it's one of the ways you can look cool," Rushing says. "The more APs you've mapped, the cooler you are."

Rushing superimposes the WIGLE map on Google's real-world satellite photo maps, so that we get an aerial view of the White House and surrounding area, with wireless APs represented as small rectangular boxes. About 4,000 wireless networks and APs have been mapped in less than one square mile around the White House -- at least eight of them are shown within the building itself. None of them shows up as accessible, but we can see exactly where they've been detected previously.

Apparently, we're not the first people to have done the White House war walk. "The one thing that most administrators don't know about wireless," Rushing says, "is how much leakage they've got. The signal leaks out because of poor security, or through open doors or windows, or even because of problems with the wireless network itself that your vendor doesn't tell you about. If an attacker sits there long enough, they can get signals that nobody intended for them to have."

Maybe it's time somebody mentioned it to the White House guards.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6212
Published: 2014-04-19
Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors.

CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2013-6215
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977.

CVE-2013-6218
Published: 2014-04-19
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.

Best of the Web