Monday, June 19, 2017

Coffee With a View

A few weeks ago, I patronized a local café, and while doing my usual work I took a break to have a peek at the wireless network. What started off as a casual look around quickly revealed a lot more than expected. Here's the story of my "coffee with a view...." (Names have been redacted to protect the *ahem* innocent.)

The coffee shop operates an open wireless network for its patrons - no password required to connect. Right off the bat, this should raise an eyebrow from anyone interested in security matters: an open network has no link-layer encryption, so every patron's traffic crosses the air in the clear, and anything not protected end to end (by TLS, for instance) can be read by anyone in range. Yikes.

If there isn't any security on the client connections, we might expect security on the wireless router to be lax as well. I checked my local IP address, which was in the 10.1.10.x subnet, and pointed my browser toward 10.1.10.1 (the .1 address is normally the default gateway, and the most likely place to find the router's management page). Sure enough, I got a login screen for the router's management page. And look at that - a Comcast logo!

The default login for Comcast business routers, according to this page on their site, is username: cusadmin, password: highspeed. Lo and behold, it worked. Without even trying, I managed to log in to the local router. Oh dear....

Poking around a bit, I found some interesting information in the port forwarding configuration. Here are a couple of IP addresses that look like they hold some importance on the local network:

Service Name     Type     Start Port  End Port  Server IP
Remote Desktop   TCP/UDP  3389        3389      10.1.10.150
Teredo           UDP      51731       51731     10.1.10.150
HTTP             TCP/UDP  80          80        10.1.10.155
Camera           TCP/UDP  6036        6036      10.1.10.155
Very interesting. It would seem we have a Windows server (Remote Desktop on 3389) and a camera system, both published to the internet through port forwarding, but also (crucially) sitting on the same 10.1.10.x network as the guest wifi clients, and therefore reachable by anyone who joins the open network. I took a cursory look at the web page on 10.1.10.155, which turned out to be the login page for access to a DVR hooked up to some security cameras. Fortunately, this one didn't use the default credentials, so they at least took some basic precautions there. Let's have a closer look at that Windows server:

Oh dear - they've left SMB (TCP 445) open to the local network. Are there any shares open?

You've got to be kidding me. Please tell me you didn't leave your POS system accessible to guest users over the local, unsecured public wifi....

Welp, there you go. POS data is sitting there, ripe for the taking. At that point I set up a meeting with the owner of the café for the following day to discuss what I had found. Upon presenting my discovery, I was reassured that it was a temporary situation due to an upgrade of the POS system that was currently in progress. No, they didn't need details, no, they didn't think it was a problem, and yes, they had everything under control, thank you very much.
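As an added example (not code from the original post), here is a small Python script that pulls the two checks above together: it parses a port-forward table like the one on the router's page into host/port targets, adds the SMB ports the server turned out to have open, and attempts a plain TCP connection to each from whatever network you run it on. Run it from the guest wifi and anything it reports is reachable by every customer in the shop. The table rows are constructed from the post's findings; the 1-second timeout and the `EXTRA_TCP_PORTS` list are my assumptions, and UDP-only forwards (like the Teredo rule) are skipped, since a bare connect tells you nothing about UDP.

```python
"""Guest-network exposure check: parse the router's port-forward table and
probe each forwarded TCP port (plus SMB) from the network you are sitting on.
Anything reachable from the guest wifi is reachable by every customer."""
import socket
from dataclasses import dataclass
from typing import Callable

# Constructed sample: the rows of the router's port-forwarding page, one per
# line; the last four fields are type, start port, end port, server IP.
PORT_FORWARD_TABLE = """\
Remote Desktop  TCP/UDP  3389   3389   10.1.10.150
Teredo          UDP      51731  51731  10.1.10.150
HTTP            TCP/UDP  80     80     10.1.10.155
Camera          TCP/UDP  6036   6036   10.1.10.155
"""

# Assumption: ports worth probing on every forwarded host even though no
# forward rule mentions them (the SMB/NetBIOS ports found open on the server).
EXTRA_TCP_PORTS = {445: "SMB", 139: "NetBIOS session"}


@dataclass(frozen=True)
class Forward:
    name: str
    proto: str
    start: int
    end: int
    host: str


def parse_forwards(text: str) -> list[Forward]:
    """Parse the whitespace-separated table; service names may contain spaces."""
    forwards = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or header line
        *name, proto, start, end, host = parts
        forwards.append(Forward(" ".join(name), proto.upper(), int(start), int(end), host))
    return forwards


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes (connect-scan semantics)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def targets(forwards: list[Forward]) -> list[tuple[str, int, str]]:
    """(host, port, label) for every forwarded TCP port plus EXTRA_TCP_PORTS."""
    seen: set[tuple[str, int]] = set()
    out = []
    for fwd in forwards:
        if "TCP" not in fwd.proto:
            continue  # UDP services need protocol-specific probes; skip here
        for port in range(fwd.start, fwd.end + 1):
            if (fwd.host, port) not in seen:
                seen.add((fwd.host, port))
                out.append((fwd.host, port, fwd.name))
    for host in sorted({f.host for f in forwards}):
        for port, label in EXTRA_TCP_PORTS.items():
            if (host, port) not in seen:
                seen.add((host, port))
                out.append((host, port, label))
    return out


def audit_exposure(forwards: list[Forward],
                   probe: Callable[[str, int], bool] = tcp_probe) -> list[tuple[str, int, str]]:
    """Return the (host, port, label) targets that accept a TCP connection from here."""
    return [(h, p, label) for h, p, label in targets(forwards) if probe(h, p)]


if __name__ == "__main__":
    exposed = audit_exposure(parse_forwards(PORT_FORWARD_TABLE))
    if not exposed:
        print("No forwarded or SMB TCP ports reachable from this network.")
    for host, port, label in exposed:
        print(f"REACHABLE from this network: {host}:{port} ({label})")
```

The probe is injectable so the logic can be exercised without a network; in real use, an empty report from the guest wifi is what proper client isolation or a separate guest VLAN should produce.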

I am pleased to report that a few days later these glaring security holes had indeed been patched up. I can only hope, for the sake of the business, that someone with a more malicious predisposition didn't get in there while they had the opportunity.
