Figure 1. Yes there is a ship in the mall, and a whole bunch of wireless

Much has been made in the media about the frequency of computer intrusions that result in masses of credit card and other personal data being expropriated by person’s unknown and often used for fraud and identity theft. The recent intrusion at Zappos.com allowed intruders access the personal information of upwards of 24 million customers.

Whenever I read one of these stories, I am often surprised by the reactions of shock and amazement among managers and executives I speak to. They are amazed that these events happen at all, which is surprising to me especially considering how commonplace and routine these intrusions seem to be.

As a wireless guy, my mind always thinks back to the 2005 intrusion of TJX and other companies by Albert Gonzalez and his co-conspirators. This attack in particular was what many people in the security community thought would be a wakeup call. Compliance with regulatory standards is a good start, but standards such as PCI DSS (Payment Card Industry Data Security Standards) do not have a direct relationship to the actual security of a system. You can be compliant, but also have holes the size of a truck.

In the case of TJX, they had a wireless network installed in a retail location in Miami, Florida. This network was encrypted with WEP (Wired Equivalency Protocol), which at the time in 2005, was already easily broken with simple tools. WEP was still allowed by PCI standards at this point despite the availability of WPA. WPA (Wi-Fi protected access) was the newer and stronger encryption algorithm that was designed to replace WEP when it started showing weaknesses.

The equipment that TJX had deployed however was of an older generation and would not support WPA. As such, there would be a significant financial cost in replacing equipment and time reconfiguring in order to upgrade. Internal emails released during the investigation after the intrusion showed that management decided that the risk was low enough to defer the upgrade for another year. This fateful decision is costing the company upwards of 1 billion dollars and over 5 years in cleanup, upgrades and fines. Whatever risk formula they were using obviously failed

About a year after the disclosure that TJX had been penetrated I wanted to see what the situation was like for myself – to see what security was like in average retail settings in order to provide some hard data for researchers to work from and for use in presentations. As a wireless guy, my natural inclination was to check on the status of the wireless security since that was an initial cause of TJX’s downfall and something that could be tested passively and legally.

The timing was perfect as the Christmas holidays were upon us and the volume of retail spending that occurs at that time of year would be high.

In the end I wanted to answer the question, “Did companies learn from TJX or were they ignoring it at their own peril?”

Fortunately, in order to test this hypothesis, all I had to do was two things I usually did anyways around that time of year – Wardrive and holiday shopping. I happen to live in Edmonton, Alberta, Canada, home of the West Edmonton Mall (http://www.wem.ca), one of the largest shopping malls in the world, which was the perfect place to test for this project.

Across several days in December 2007 I stuffed my laptop, running Kismet (https://kismetwireless.net/), into a bag along with a few extra battery packs and proceeded to warwalk through several miles of halls and the throng of thousands of holiday shoppers in order to answer my main question as well as a few smaller questions.

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

The first part of the question was how many networks were in the mall. No one had publicly released any sort of number for this mall and I had no idea how many retailers would be using wireless. The next question was, out of those networks, how many were ‘secure’, meaning using WPA, and how many were insecure, meaning WEP or wide open.

The results were quite a surprise.

In 2007, a total of 489 networks were discovered. Of those, many were setup by the mall for public use and could be ignored.

Figure 2. One of the mall access points on a ceiling

But what was interesting was the 105 WEP encrypted networks detected.

While no attempt was made to connect to any of these networks or to ascertain if payment card information was accessible at the store level or other security measures (i.e. VPN’s) were in use, the fact that 21% of the total networks discovered were running an encryption scheme known at the time to be vulnerable to attack was frightening in and of itself. One can make a guess that at least some of those networks were connected to the same network as the point of sale systems, debit terminals, and even provided larger access to corporate network resources or worse.

In the case of TJX, the wireless network was used to gain remote access to the corporate network and the payment data centrally stored there. A foothold from a single store was all that was needed in order to widen the access. A mall like this could have dozens or more potential footholds for a dozen other companies.

Aside from retail establishments, several other worrisome networks were noted. While many SSID’s indicated retail stores, some SSID’s identified places such as medical establishment which potentially could provide access to patient data. Also fund was a modeling agency, which is likely to store a great deal of personal information on adults as well as minors, was also noted in the scan. Both of these examples were running WEP.

I was obviously concerned about what I found. After writing up my results, I contacted the mall administration in the hopes that they would be able to alert stores en masse that they should review their wireless security. To my knowledge, no such communication was made. This was not surprising since the mall is basically a landlord and has no interest in stores internal operations. Additionally, I did not have the resources to track down and explain to each and every network owner what the risks were. I also did not have resources for a lawyer should any get the idea to ‘shooting the messenger.’

At the time, I thought the scan would be a one off event. It gave me some real world numbers to use and opened my eyes further to the lack of general security.

Fast forward two years and for reasons known to only myself at the time, I decided I should repeat my scan during the holiday shopping season of 2009 to see if anything improved since 2007. Since that time, WPA adoption had greatly increased, users by and large were getting wiser and PCI DSS standards were pushing for WPA (though still allowing older installs of WEP a pass).

In 2009, 578 networks were detected, an 18% increase over 2007, which was not an unexpected increase over the intervening two years. What was interesting was the 127 WEP networks I detected, 21% of the total networks detected, or roughly the same percentage as was seen in 2007.

As before, some businesses did not seem to understand the risks associated with using WEP. Particularly at this point, two years since the original scan, tools to break WEP had improved dramatically and were capable of reliably recovering a key in as little as 60 seconds. As well, YouTube was full of videos on how to accomplish this with freely available tools.

Unfortunately due to a hard drive crash and a lesson learned about the damage of not keeping backups, only about half the original data I collected from 2007 remains. Therefore, a direct comparison is not easily accomplished and we cannot see who the previous offenders are. None the less, the increase and persistence of WEP is interesting by itself. Almost 3 years after TJX, retail stores had not gotten the message.

Of interest as well was the growth in public Wi-Fi. Many stores seemed to be setting up their own customer use networks. These open networks are very likely (hopefully) segmented from any corporate data handling network and as such are not at risk for the purposes of this study. However, what was a surprise was that there were 11 access points that were operating wide open with default SSID’s and channels. This combination of settings typically indicates they likely had never been secured or configured beyond opening the box. While one can assume a few were for demo purposes, but out of that many, a few are mysteries that the owners of the networks they are plugged into would be well advised to solve.

At this point I believe that this is my longest running project and after talking to many other professionals, they appreciated the guerrilla nature of my data collection and the ‘real world’ numbers that it was providing.

Fast forward two more years and I decided to repeat the scan yet again. Once more I strapped on my laptop and braved the holiday shopping crowds to collect data at West Edmonton Mall. What was immediately apparent was the growth of our connected culture and how pervasive Wi-Fi networks have become in businesses and our personal lives and how much customers appreciate Internet access.

The 2011 scan detected 973 networks, a 98% increase over 2007′s 489 networks and a 68% increase over 2009 for an area that remains roughly the same.

The number of WEP networks as a percentage had dropped considerably to only around 10% of the networks detected. However, the actual number, 104 was still remarkably close to the 105 networks from 2007 and the 127 detected in 2009. While a few of these were previous offenders from 2009, and some have SSID’s that indicate they are meant for public use (WEP being just a formality to get you into the store to get the key) many of these WEP networks were new since the 2009 scan was done.

This means that most of these units are new installs. Long after the IEEE deprecated WEP’s use (2004) and conceivably setup after the outright ban on WEP (early 2010) by PCI DSS means that some devices are still actively being setup with WEP 5 years after TJX to the potential violation of PCI DSS and generally accepted best practices.

Of significant note is the persistence of the 2009 detected ‘dlink’ and ‘linksys’ default networks in 2011. At least one of the ‘dlink’ units is the same as what was detected in 2009 (an equal number, 6, were detected); and of the ‘linksys’ units, 2 were detected in the previous 2009 scan and an equal number (4) were detected as before. This eliminates the possibility that these were demo units and at one point or another, some were replaced. The owners of these units hopefully are not using them for anything critical, but even then, the availability of anonymous Internet access from a public place can bring about a great deal of liability issues should someone do something illegal using the network.

A new variety of oddities had also entered the data. A new network named ‘GPCS’, which has MAC addresses adjacent to known mall provided public and internal network names, is operating with WEP. This is curious since the remainder of the mall operated networks were setup well and securely. Its function is likely for some legacy application or other function where WPA is not an option.

An ironic piece of data that was revealed was the fact that the Apple store, which in 2009 had been using Apple access points, is now using Cisco equipment (at least according to OUI lookups on the mac addresses).

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

Figure 3. Lots and lots of walking. From east to west the mall covers 8 city blocks

Overall, WEP usage is down, but a frighteningly large number of retailers, and in particular smaller ones (judging by identifying SSID’s), are still using WEP. This despite it being a large risk to their business operations and, if not properly segmented from customer data and corporate network access, is a serious security risk to the organization as a whole.

Overall, the project over the last 4 years has seemingly answered the question I initially set out to answer; has anyone learned anything from the TJX intrusions? My conclusion is that they have. However, the lesson has been learned very slowly and only when dragged kicking and screaming into upgrading through equipment failures, replacement and threats of fines and punishment than any sense of protecting customer data. Security through attrition it would seem.

This project and its collected data are very timely as this collection of data can allow us to predict the future. It allows us to not only look back in time and compare how retailers are progressing with dealing with old and known attack vectors, but towards the future and how they will deal with new ones.

On December 27th, 2011, just days after the 2011 data was collected, a paper was released
https://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/ that detailed a vulnerability in WPS (Wi-Fi Protected Setup), a protocol developed to make it easy to add a device to the network. Through the use of an 8 digit PIN, usually on the access point itself, a client can prove to the access point it should be allowed to connect to the network and be securely given the network key for future use.

The problem exists in that the PIN is verified in two parts. If the first 4 digits match, the access point acknowledges that portion is correct to the client before verifying the second half. This reduces the keyspace dramatically. An attacker only needs to try 10,000 combinations for the first 4 digits, and only 1000 for the last 3 (the last digit is a checksum). Once a proper PIN has been received, the attacker can join the network and is given the WPA-PSK key. Tools such as Reaver (https://code.google.com/p/reaver-wps/) quickly became available to exploit this on vulnerable devices with an average of about 4 hours to recover a key. One can assume that as time progresses these attacks will improve on that average.

Using the data from 2011 we can determine that a huge number of networks are running in the mall with WPA-PSK. These networks, 554 of them long thought secure using WPA-PSK and compliant with PCI DSS, may be vulnerable to this attack.

While not all units may be vulnerable some have lockout thresholds and other countermeasures. One can expect that given the variety of devices used, many networks in one of the world’s largest malls are insecure (my back-of-the-napkin guess is about 150). All of the owners believe themselves to be secure since they are compliant (PCI DSS that now requires WPA-PSK at minimum). They likely have little idea that another TJX scale intrusion is possible and they could be the victim.

As the public’s expectation and usage of public Wi-Fi increases, the sight of a person with a laptop at a coffee shop or a restaurant or even a bench outside a store is going to be (if not already) commonplace. The question for the future is, “Is that person a customer checking email or someone walking away with the company’s wealth?”

If you are interested in looking at the data for yourself, it is all available (minus some of 2007 due to hard drive crash) on my site at http://www.renderlab.net/advisories/wested/ along with this and any further analysis.

Figure 4. User or attacker? Hard to tell the difference.

Hopefully data such as this will allow those who are aware of potential problems to show how wide spread the problems are. It also helps show how it would behoove retailers to be more proactive in the security of their retail operations for the sake of their businesses and for the sake of their customers. No one wants to be the next TJX size intrusion.

I will likely continue this bi-annual scan in the future. Understanding the scale of threats is part of figuring out how to stop them. As time progresses, I may revisit the saved data in an effort to check for later discovered vulnerabilities and flaws (like the WPS exploit).