R00Ting Public WiFi Networks: DHCP Name Poisoning Attacks

I am always on the lookout for interesting articles, and this is one that calls for some thought.

Here is a scenario: EvilX visits a public WiFi hotspot. Once he/she is associated with the WiFi network, DHCP messages are exchanged between his/her computer and the DHCP server, which is most likely the default gateway. At that stage an IP address is reserved for the client and the machine is dropped into the network. From that point on, EvilX can see some of the machines by ARP scanning the network or even by performing some pings (ICMP) if the network is not segmented, which is usually the case.

From here it just goes downhill for all the simpletons who actually use public hotspots (but who doesn’t? It’s so convenient to sit in a Starbucks (as if, we’ve got only three here, and they’re all at the airport) or McDonalds (for lack of the mentioned Starbucks) and do some work while sipping a nice moccachino). But I digress…

The attack very much depends on the particular setup offered by the hotspot provider, but because it exploits many ‘default settings’ it might very well work like a charm.

Laptops through customs

I came across an article in the New York Times which, among other things, notes the authority the US Customs Border patrol has for looking into your belongings, including the content of your laptop. According to the article (and private conversations I’ve had with people involved with US Customs) it boils down to this: they can do pretty well whatever they fancy. Your civil rights are, when standing in front of the officer, suspended.

Interestingly, I recently came across a setup which enables your laptop to boot into ‘well known and recognized’ Windows XP when no USB stick is used and into Debian if you use the external boot-usb. Can that be used as ‘false testimony’, I wonder?
