For this week’s discussion, research an article describing a breach where wireless (Wifi) was the entry point for the breach.
What weaknesses in the configuration did the attackers use to enter their target’s system?
What countermeasures would you implement if you wanted to defend against this breach?
Please include the URL for the article, so that others can read the article(s).
Nicholas Fabrizio says
Title: Wi-Fi hack caused TK Maxx security breach
URL: https://www.zdnet.com/article/wi-fi-hack-caused-tk-maxx-security-breach/
This is an older article from 2007. The apparel and home goods company TJ Maxx was hacked for an approximately 18-month period from mid-2005 to the end of 2006. This breach also impacted their international subsidiary TK Maxx. The hackers were able to steal 45 million customer records, which included credit card information. The hackers were able to gain access to the network because the company secured its wireless network using the Wired Equivalent Privacy (WEP) security protocol. The article states “the hackers were able to crack the WEP encryption used to transmit data between price-checking device, cash registers, and computers at a store in Minnesota” (Espiner). Using the information they stole, the hackers were able to create their own accounts in the systems and pivot to other systems, collecting transactions being sent to banks, which were unencrypted. This breach could have been mitigated if the company had upgraded their wireless security to a newer protocol, such as WPA or WPA2. The WEP protocol was initially cracked in 2001 and deemed to be insecure.
Zhuofu Wang says
Thanks for your sharing.
I am curious: was their equipment not updated regularly? Or was it because the hardware equipment was too old to support updating?
Nicholas Fabrizio says
I would bet it was a combination of reasons why they did not update. In a different article I found it was mentioned that an investigation into the breach was conducted by Canada’s national privacy commissioner and the privacy commissioner of Alberta. In their report, it was mentioned that TJX (parent company) should have moved to WPA sooner, but TJX disagreed with the statement.
https://www.computerworld.com/article/2541162/canadian-probe-finds-tjx-breach-followed-wireless-hack.html
Anthony Wong says
I would agree with the commissioner that TJX should have moved to WPA sooner. But I understand that this would be a massive change for TJX and possibly could have taken 4 years or more to fully adopt WPA. I thought it was interesting that TJX was collecting driver’s license information to prevent fraud. I wonder if there could have been another way to identify a customer besides driver’s license.
Amelia Safirstein says
I wonder if it was also in part due to a lack of understanding of potential losses. Publicly traded companies, like TJX, are focused on lowering their costs and increasing their profits. If those in charge didn’t grasp the seriousness of WEP vulnerabilities, they probably didn’t even consider spending the millions of dollars to replace old, incompatible devices or the man-hours to update compatible devices before it was absolutely, blatantly necessary.
Kelly Sharadin says
Hi Nicholas – crazy how much WiFi attacks have progressed from your example in 2005 to one I shared in 2020. What’s even more concerning is how many organizations are probably still operating with the same set-up they had in 2005. One thing I wonder is, if a company is that lax in security measures – would an upgrade even help? Would they create a super strong password? Security requires a holistic understanding of how these pieces fit together – I guess some businesses can withstand repeated attacks and others can’t if they don’t improve their security posture. Interesting to think about.
Bryan Garrahan says
https://www.cnet.com/news/weworks-weak-wi-fi-security-leaves-sensitive-documents-exposed/
While this hack wasn’t malicious in nature, it does highlight some major issues related to the wifi networks provided by the shared workspace company WeWork. A new WeWork shared space occupant, Teemu Airamo, performed a scan of his WeWork network in 2019 and was able to obtain access to some alarmingly sensitive data of companies that are also occupants of WeWork shared space/network, including financial records, business transactions, client databases and emails. The article notes, “CNET reviewed the scans, in which 658 devices, including computers, servers and coffee machines were exposed on WeWork’s network, spilling out an ‘astronomical amount’ of data”. Another interesting finding was around passwords – Teemu was able to scan for and locate passwords that were available in clear text. What’s worse, he noticed that the same wifi passwords were also utilized in other New York and California WeWork building locations.
Teemu deployed a VPN in an effort to secure and prevent his company’s data from being exposed to potential malicious actors. Additionally, Teemu suggested the following methods WeWork could deploy in order to improve their wifi security posture:
– Use wireless client isolation so the companies on the WeWork network are segregated;
– Set up firewalls to watch for rogue traffic and automatically disconnect any new access points;
– Block Wi-Fi scanning activities; and
– Deploy different passwords to each WeWork office location
On top of that, I think as another layer of security companies could apply some logging and/or monitoring controls of their wifi network traffic.
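As an added illustration of the first and last countermeasures in the list above (client isolation and a unique password per location), here is a constructed hostapd access-point configuration for a single office site. It is not WeWork’s configuration or anything from the article; the interface name, SSID and passphrase placeholder are assumptions, and every other key is a standard hostapd option.

```ini
# hostapd.conf for one office location (constructed example, not WeWork's config)
interface=wlan0
driver=nl80211
ssid=Office-Site-NYC-1
hw_mode=g
channel=6

# WPA2 with CCMP only: no WEP, no TKIP
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Protected management frames (1 = optional, so older clients still join)
ieee80211w=1

# Unique per-site passphrase (placeholder); never reuse it across locations
wpa_passphrase=REPLACE-WITH-UNIQUE-SITE-PASSPHRASE

# Client isolation: stations on this AP cannot reach each other directly,
# so one tenant's scan cannot enumerate another tenant's devices
ap_isolate=1
```

Each location gets its own copy of this file with a different `ssid` and `wpa_passphrase`; isolation only covers stations on the same access point, so on a multi-AP network the same separation still has to be enforced on the wired side (per-tenant VLANs or firewall rules), which is where the logging and monitoring suggested above fits in.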
Nicholas Fabrizio says
Thanks for sharing.
I’m surprised that WeWork did not address this issue even after their client brought it to their attention, as this type of publicity would only hurt them financially. The article said “anyone can book a day pass for about $50 a day or a conference room for $25 an hour. That would be all a potential hacker needs to get in the building and the Wi-Fi password.” If anyone can gain access to the building and shared network for a limited fee, it would be difficult to secure the physical and technical security, and it puts anyone on their network at risk.
Kelly Sharadin says
Bryan – great breakdown of this case. I remembered hearing about this case but did not know specifics, and this is even worse than imagined. At the very minimum, I can’t believe each office location had the same WiFi passwords. I have to wonder if WeWork has a clause for using WiFi at your own risk, because I don’t know how tenable those solutions would be to continuously monitor, even with Teemu’s recommendations. This is like the Starbucks open WiFi scenario we talk about, but on steroids.
Anthony Wong says
Kelly – Great point on if WeWork has a clause for using the Wi-Fi. I would imagine they do, due to the fact on how poorly they responded to the situation. It’s a shame.
Amelia Safirstein says
Especially because WeWork customers are largely startups that aren’t likely going to focus much attention or resources on information security.
Kelly Sharadin says
Apple’s proprietary wireless mesh protocol (AWDL) has revealed the most concerning hack for iOS devices; attackers can use this exploit to access nearby iPhones using only wifi. Due to the severity of the exploit, Apple has since issued a patch. The article quotes one security researcher saying an attacker could deploy malware via wifi onto the victim’s device “even if it’s in their pockets” (Tech Times, 2020). It’s a stealthy attack that can avoid detection from the user and works by “importing a buffer overflow in a driver for AWDL,” which provides privileged access to the device (Tech Times, 2020).
https://www.techtimes.com/articles/254656/20201202/experts-claim-iphone-zero-click-wifi-exploit-notorious-hack-interaction.htm
Bryan Garrahan says
Thanks Kelly, this is a very concerning article for iPhone users due to the fact that you can be exploited without even interacting with your phone. As we’ve discussed throughout several classes, this article solidifies the fact that we need to be cautious of the wi-fi networks we connect to, especially since sensitive data can be compromised. Luckily, it appears that Apple already patched the vulnerability and notes it was not exploited in the wild, per the article below.
Beer said that Apple fixed the vulnerability before the launch of the COVID-19 contact-tracing interfaces put into iOS 13.5 in May.
Candace T Nelson says
https://www.fda.gov/news-events/press-announcements/fda-informs-patients-providers-and-manufacturers-about-potential-cybersecurity-vulnerabilities-0
While researching articles describing breaches where Wi-fi was the entry point, I encountered this News Release titled FDA Informs Patients, Providers and Manufacturers About Potential Cybersecurity Vulnerabilities in Certain Medical Devices with Bluetooth Low Energy that was published on March 3, 2020. Although this article does not relate to an actual breach, this disturbing Wi-fi vulnerability was explained in detail, as follows:
A set of cybersecurity vulnerabilities referred to as “SweynTooth” has been determined to affect the Bluetooth Low Energy (BLE) wireless communication technology that allows two devices to pair and exchange functional information and preserve battery life. Software is currently available that would allow unauthorized users to exploit this vulnerability to wirelessly crash devices or stop them from working, or to access functions on devices that are intended to be limited to authorized users. At risk of exploitation are pacemakers, stimulators, blood glucose monitors and insulin pumps; electrocardiograms, monitors and ultrasound devices found in health care facilities; consumer wearables; and IoT devices.
Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health stated: “Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm. The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies. An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”
Microchips manufactured by the following companies may be affected by the SweynTooth vulnerability: Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor. Medical device manufacturers had begun assessing which devices may have been affected by the date of the News Release, and some manufacturers had already released patches. The FDA asked these manufacturers to communicate affected devices to health care providers (HCPs) and patients, and they suggested that patients proactively inquire of their HCPs whether devices they rely on could be at risk.
It sickens me to think of the depths that cyberthieves will go to in order to cause harm (or even death) ☹ Hence, I performed additional research to determine whether there have been any SweynTooth breaches of medical devices since March 2020, to no avail. Perhaps my classmates will succeed at finding situations where this vulnerability has been exploited.
Anthony Wong says
Hi Candace,
I was unable to find if the vulnerabilities were exploited, but I did find that the vulnerabilities had a CVSS score ranging from 6.1-6.9 out of 10. I was expecting the scores to be higher since it has a chance to cause severe harm to a human being. As I’ve learned, human life is always the top priority, even in cyber security.
Candace T Nelson says
I can’t agree more, Anthony – thank you for providing this additional information!
Nicholas Fabrizio says
Hi Candace,
Thank you for sharing this article. While I was looking into this vulnerability, I found an article that mentioned the vulnerable BLE SDKs were used in over 480 products, and they expect this number to grow. I agree with Anthony that it is surprising the CVSS scores are not higher considering some of the devices being impacted. According to the ZDNet article, the SweynTooth attack can either crash the device, reboot and force the device into a frozen state, or bypass security features to take control.
https://www.zdnet.com/article/unknown-number-of-bluetooth-le-devices-impacted-by-sweyntooth-vulnerabilities/
Candace T Nelson says
Thank you for looking into this further, Nicholas. It is not surprising that the reported instances of this exploit have grown. I followed your link to a more recent update (7/14/2020) via a site that is dedicated to SweynTooth:
https://asset-group.github.io/disclosures/sweyntooth/
This is the portion of the article that I found most disturbing: “The most critical devices that could be severely impacted by SweynTooth are the medical products. VivaCheck Laboratories, which manufacture Blood Glucose Meters, has many products listed to use DA14580. Hence all these products are potentially vulnerable to the Truncated L2CAP attack. Even worse, the latest pacemaker related products from Medtronic Inc. are potentially affected. While our team did not verify the extent to which SweynTooth affects such devices (e.g. the impact of remotely restarting such devices or remote code execution in the worst case), it is highly recommended that such companies update their firmware. This is to avoid any situation that could pose life threatening risks to the patients using the respective medical products. Unfortunately, the security issue found in Dialog DA14580 is still unpatched (cf. Table 5). Nonetheless, Dialog is working on an internal security patch for DA14580 and will release it for general public in the next SDK release.”
Zhuofu Wang says
iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever
URL: https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/
Ian Beer, a researcher at Project Zero, designed a Wi-Fi “packet of death” exploit for the iOS system. He utilized a memory corruption bug in the iOS kernel. It allows attackers to remotely access the device via Wi-Fi, and this doesn’t require user interaction. The attack uses a buffer overflow bug in a driver for an Apple-proprietary mesh networking protocol, and exploits can be transferred via AirDrop without any indication. Apple fixed this vulnerability in May, and Beer said he didn’t find any evidence to show that this vulnerability was exploited in the wild. But Beer also mentioned that at least one exploit seller noticed this.
A video is also provided in the article, which is the exploit in action. The attacker gained permission and turned on the phone camera without touching the iPhone.
Anthony Wong says
I’m surprised this is the first time I am hearing about this vulnerability especially since there are so many iPhone users. Awesome video to go along with the article. Thanks for sharing.
Amelia Safirstein says
Terrifying! It’s fortunate that Apple fixed the vulnerability before it was exploited by bad actors but recent stories like these have left me wanting to add a physical cover to my smartphone camera.
https://www.forbes.com/sites/daveywinder/2019/11/19/google-confirms-android-camera-security-threat-hundreds-of-millions-of-users-affected/?sh=a2986d14f4e1
Zhuofu Wang says
New Kr00k vulnerability lets attackers decrypt WiFi packets
URL: https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/
Kr00k is a bug (https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf) that can impact the encryption used to secure data packets sent over a WiFi connection. The user password is used to generate a unique key to encrypt these packets, and this key is reset to a zero value on disassociation, which happens during a temporary disconnection due to a low WiFi signal. The attack can put devices into a long-lasting disassociated state, then use Kr00k to decrypt WiFi traffic. The good news is that the patch has been released (CVE-2019-15126), and Kr00k cannot affect WiFi connections that use the WPA3 WiFi authentication protocol.
Kelly Sharadin says
Hi, interesting read – “Kr00k impacts devices from Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) and Xiaomi (Redmi), but also access points from Asus and Huawei.” I agree that, fortunately, WPA3 offers some defense against Kr00k. However, unless upgrading to WPA3 is able to be pushed through to the above devices’ firmware… I think most people remain unaware of what Wi-Fi security their routers or IoT devices are running.
I will have to research how I can upgrade to WPA3 on my Pi 3.
Anthony Wong says
In June 2019, a series of vulnerabilities were discovered in a few TP-Link Wi-Fi extenders. Attackers were able to compromise the Wi-Fi extender by exploiting a remote code execution (RCE) vulnerability to obtain root access without needing to authenticate. According to the article, any shell command could be executed by modifying an HTTP GET request. Users on the network could be led to malicious sites with malware or fake sites to perform phishing attempts.
One countermeasure I would implement is to add authentication. Another countermeasure, which TP-Link implemented, was to patch the vulnerability.
https://securityintelligence.com/posts/critical-rce-vulnerability-in-tp-link-wi-fi-extenders-can-grant-attackers-remote-control/
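As an added example of the two countermeasures named above (require authentication, and never let a GET parameter reach a shell), here is a hardened request handler for a hypothetical “ping a host” diagnostic page such as an extender’s web UI might expose. This is illustrative code written for this thread, not TP-Link’s firmware or anything from the article; the session token, parameter name and status codes are constructed assumptions. The handler checks the session first, then accepts the host only if it passes a strict character allow-list, and hands back a plain argument that would be passed to `execv()` without any shell, so there is no command string for metacharacters to alter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical session token a device would issue at login (constructed). */
#define SESSION_TOKEN "example-session-token"
#define HOST_MAX 64

/* HTTP-style outcome codes for the handler. */
enum { REQ_OK = 200, REQ_BAD = 400, REQ_UNAUTH = 401 };

/* Allow-list: only letters, digits, '.' and '-' may appear in a hostname
 * or IPv4 address. Anything else (spaces, ; | & ` $ ...) is rejected
 * instead of being interpolated into a command. */
int valid_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > HOST_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Extract "key=value" from a query string (key=value&key=value).
 * Returns 1 and fills out on success, 0 if absent or too long. */
int get_param(const char *query, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen >= outlen) return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Handle the diagnostic request: authenticate, then validate, then act.
 * target receives the single argv entry for execv("/bin/ping", ...);
 * no shell is ever involved, so the input cannot grow into extra commands. */
int handle_ping(const char *query, const char *token, char *target, size_t tlen) {
    if (token == NULL || strcmp(token, SESSION_TOKEN) != 0) return REQ_UNAUTH;
    char host[HOST_MAX + 1];
    if (!get_param(query, "host", host, sizeof host)) return REQ_BAD;
    if (!valid_host(host)) return REQ_BAD;
    snprintf(target, tlen, "%s", host);
    return REQ_OK;
}

/* Convenience wrapper returning just the status code. */
int ping_status(const char *query, const char *token) {
    char target[HOST_MAX + 1];
    return handle_ping(query, token, target, sizeof target);
}

int main(void) {
    /* Constructed requests: a valid one, one with a shell metacharacter,
     * and one with no session. */
    printf("%d\n", ping_status("host=192.168.0.1", SESSION_TOKEN));   /* 200 */
    printf("%d\n", ping_status("host=a.example;x", SESSION_TOKEN));   /* 400 */
    printf("%d\n", ping_status("host=192.168.0.1", NULL));            /* 401 */
    return 0;
}
```

The order of the checks matters: an unauthenticated request never reaches the parser, so a flaw in `get_param` or `valid_host` could only be triggered by someone who already has a session, which is exactly the gap the article describes the extenders as missing.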
Bryan Garrahan says
Thanks Anthony – it’s cool to see Burp Suite being applied in order to discover more detail about this RCE vulnerability. The following stood out to me as I was reading: “The vulnerability at hand is somewhat surprising because it can be exploited by a remote attacker without requiring login/authentication to the Wi-Fi extender. Moreover, while common in most attack kill chains, privilege escalation would not be needed here since all processes on these devices already run with root-level access. Running as root by default is quite risky because anyone who may compromise the device could perform any action on it.” Perhaps making critical processes require privilege escalation could help mitigate the risk further.
Kelly Sharadin says
Agreed Bryan – interesting use of Burp Suite and good analysis of how these types of attacks can bypass steps in the Lockheed kill chain. That’s one thing I noticed about the iPhone exploit as well. Attackers are able to gain access and avoid detection with their initial attack. The speed of infiltration against the victim is growing exponentially – it’s no wonder that much of IR seeks to be automated to keep up.
Nicholas Fabrizio says
Hi Anthony,
Thank you for sharing this article. It is nice to see TP-Link took the vulnerability seriously, internally verified whether other models were impacted (which they were), and uploaded a patch. I also noticed the article mentioned a function called “vsprintf” which could be exploited with a buffer overflow attack. This vulnerability could also allow an attacker to cause a denial of service on the network.
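To show why the `vsprintf` call mentioned above is dangerous and what the fix looks like, here is an added example of a bounded log formatter. It is written for this discussion and is not TP-Link’s code; the buffer size and message format are constructed. `vsprintf` writes as many bytes as the formatted text needs, so a long attacker-controlled string overruns a fixed buffer; `vsnprintf` takes the buffer size, never writes past it, and its return value tells the caller whether the output was cut off, so the caller can treat an oversized input as an error rather than silently logging a truncated line.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size line buffer, deliberately small so truncation is easy to show. */
#define LOG_MAX 32

/* Format a log line into buf (buflen bytes).
 * Returns 0 on success and -1 if the line did not fit.
 * The unsafe original pattern would be  vsprintf(buf, fmt, ap);  which has
 * no length argument and keeps writing past buf when the input is long. */
int format_log(char *buf, size_t buflen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap);   /* writes at most buflen bytes */
    va_end(ap);
    if (n < 0) {                 /* encoding error: leave an empty, terminated line */
        buf[0] = '\0';
        return -1;
    }
    /* vsnprintf returns the length the full text would have had; if that is
     * >= buflen the output was truncated (and the terminator is still there). */
    return ((size_t)n < buflen) ? 0 : -1;
}

/* Length of the line actually stored for a given client name. */
size_t logged_len(const char *client) {
    char line[LOG_MAX];
    format_log(line, sizeof line, "client %s joined", client);
    return strlen(line);
}

/* 1 if logging this client name would have overrun a vsprintf-style buffer. */
int would_truncate(const char *client) {
    char line[LOG_MAX];
    return format_log(line, sizeof line, "client %s joined", client) == -1;
}

int main(void) {
    /* Constructed inputs: a normal name and an oversized one. */
    char big[80];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%zu %d\n", logged_len("ap1"), would_truncate("ap1"));   /* 17 0 */
    printf("%zu %d\n", logged_len(big), would_truncate(big));       /* 31 1 */
    return 0;
}
```

The stored line never exceeds `LOG_MAX - 1` characters regardless of input, which is the property that removes the overflow; surfacing the truncation as an error is what keeps the fix from turning an overflow into a silently corrupted log.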
Bryan Garrahan says
Perhaps TJ Maxx was simply unaware of the WEP protocol’s security shortcomings. However, if they were aware, it appears that additional layers of controls could have been deployed in order to detect this breach sooner, but it doesn’t appear that they were. For example, once the hackers gained access they were able to create accounts for themselves – which in my opinion shows a lack of control around new/modified user access provisioning. Additionally, the article reveals the hackers left notes on files that had already been copied. I believe some type of log review could have detected these activities and stopped them much earlier.
Amelia Safirstein says
Two researchers found that the firmware Netgear was using on many of its routers is vulnerable to buffer overflow attacks. The web server used on Netgear routers did not use stack cookies. A stack cookie or canary is placed between the buffer and the control data so that it is the first data affected in a buffer overflow. The program attempts to verify the canary, and if it cannot, the corrupted data can be invalidated or dealt with before it causes any serious issues.
https://www.pcmag.com/news/79-netgear-routers-vulnerable-to-serious-security-flaw
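To make the stack cookie mechanism in the post above concrete, here is an added simulation written for this thread (not Netgear’s firmware and not from the article). Instead of relying on the compiler’s real stack protector, it lays out a struct the way a protected frame is laid out: a fixed buffer followed by a canary word, positioned where the cookie would sit between the buffer and the saved control data. An unchecked copy that is longer than the buffer spills into the canary, and the check that a protected function performs before returning notices the changed value. The canary value, buffer size and inputs are constructed; the copy is bounded to the struct itself so the demonstration stays well-defined C.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define CANARY_VALUE 0xDEADBEEFu   /* constructed; real cookies are random per run */

/* Simulated protected frame: data buffer, then the canary, then (in a real
 * frame) the saved frame pointer and return address. */
struct frame {
    char buf[BUF_LEN];
    uint32_t canary;
};

/* Mimics an unchecked copy (strcpy/memcpy with an attacker-sized length).
 * Clamped to sizeof(struct frame) only so the simulation cannot write
 * outside the object; a write longer than BUF_LEN still lands on the canary. */
static void copy_unchecked(struct frame *f, const char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);
}

/* The check a stack-protected function runs before returning:
 * 1 = canary intact, 0 = overwritten, i.e. an overflow was detected. */
int canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Unchecked copy guarded only by the canary: an oversized input is
 * detected after the fact (returns 0), which is what lets the runtime abort
 * instead of returning through corrupted control data. */
int copy_with_canary(const char *src, size_t n) {
    struct frame f;
    memset(f.buf, 0, BUF_LEN);
    f.canary = CANARY_VALUE;
    copy_unchecked(&f, src, n);
    return canary_intact(&f);
}

/* Hardened copy: refuse input that does not fit, so the canary (and what
 * lies beyond it) is never reached in the first place. Returns 1 on success,
 * 0 when the input was rejected. */
int copy_bounded(const char *src, size_t n) {
    struct frame f;
    f.canary = CANARY_VALUE;
    if (n >= BUF_LEN) return 0;          /* would not fit with terminator */
    memcpy(f.buf, src, n);
    f.buf[n] = '\0';
    return canary_intact(&f);
}

int main(void) {
    /* Constructed inputs: one that fits, one that is too long. */
    const char *big = "AAAAAAAAAAAAAAAAAAAA";   /* 20 bytes > BUF_LEN */
    printf("%d\n", copy_with_canary("short", 5));          /* 1: intact */
    printf("%d\n", copy_with_canary(big, strlen(big)));    /* 0: detected */
    printf("%d\n", copy_bounded(big, strlen(big)));        /* 0: rejected */
    return 0;
}
```

The two results together are the point of the post: the canary turns a silent overflow into a detected one, while the bounded copy removes the overflow altogether, and a server that has the first but not the second (or, as with the Netgear firmware described, neither) is relying on a single late check.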