Does Your Free Wi-Fi Access Provide Free Access to Sensitive Data, too?

February 10, 2010 - By Justin E. Gehrke

February 8, 2010 – Recently, I took a trip to my local car wash. Yes, that might seem a bit lazy, but what does that have to do with technology? Well, they have a comfortable waiting room and offer free internet use. So, I logged on to one of the PCs to read the latest Google news. As I navigated to and fro, I noticed that a user was logged into Google. It definitely wasn't me. As an ethical kind of user, I refrained from checking their Gmail for them, or seeing what other Google services they used. I did the kind thing and logged them out.

My interest was piqued, though. Had they simply forgotten to log out? So, I clicked "Sign In" again and was met with the same automatically filled-in user name and password (in asterisks, obviously). Our friend Internet Explorer had remembered both. As an IT guy, I knew why. As a network security guy, I knew why it was bad: on a shared PC, a saved password lets the next person who sits down sign in as the previous user with a single click, which is exactly what I had just been offered. Luckily for me (I think), the options to view Internet Explorer's setup were available, which itself told me the machine had never been locked down. A quick check showed that IE 7 was configured not only to remember form entries but also user names and passwords, a setting that should never be on for a public machine. The question that remained: "Why?" Had an employee done it out of convenience, or had it been done by a customer? The important part was to change it. I spoke to the manager and informed him of my finding. He said, "Thank you," but did not seem too concerned.

As my interest in this obviously insecure internet cafe was still piqued, I went back to the PC. I opened a command prompt and ran net view. The results showed three computers: the one I was on, the one next to it, and another, unknown one. Looking around, I saw the computer used as the point of sale (POS). I asked the cashier if she had internet access and from where. She gladly volunteered that it was the same connection used by the free-use PCs. This, of course, raised a whole other concern. In a small workgroup network like this one, a host shows up in net view only if it is answering NetBIOS browse traffic on the same broadcast domain as you, and I could ping it and could have tried to map a share on it. None of that would be possible if the POS sat in its own VLAN behind a firewall or ACL, so I knew it was not segmented at all.
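The check described above, turned into a script, as an added example that is not part of the original post. Run from one of the guest PCs, it takes the hosts from the same net view browse list, adds any address you were told (for instance the POS), and tests whether each one answers ping and a TCP connect. The port list (RPC, NetBIOS session, SMB, RDP, what a Windows-based POS typically exposes) and the empty $ExtraHosts list are assumptions for the example. Run it only on a network you are authorized to test.

```powershell
# Added example (not from the original post): what can the guest segment reach?
# Any host that answers from here shares the guest PCs' network, i.e. it is not
# separated from them by a VLAN, a firewall or an ACL.

$ExtraHosts = @()                 # assumed: e.g. '192.168.1.50' if the cashier tells you the POS address
$Ports      = 135, 139, 445, 3389 # assumed port list; adjust for the POS software in use

function Get-BrowseListHosts {
    # "net view" prints one line per host, formatted like "\\HOSTNAME   Remark".
    # In a small workgroup the list is built from broadcasts, so anything listed
    # shares a broadcast domain (and therefore a VLAN) with this PC.
    net view 2>$null | ForEach-Object {
        if ($_ -match '^\\\\(\S+)') { $Matches[1] }
    }
}

function Test-TcpPort {
    # Connect with a timeout; a completed connection means nothing is filtering
    # traffic between the guest segment and that port.
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 1000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        return ($done -and $client.Connected)
    } catch {
        return $false   # name lookup failure, connection refused, etc.
    } finally {
        $client.Close()
    }
}

$targets = @(Get-BrowseListHosts) + $ExtraHosts | Select-Object -Unique
$report = foreach ($h in $targets) {
    $pingable  = Test-Connection -ComputerName $h -Count 1 -Quiet -ErrorAction SilentlyContinue
    $openPorts = @($Ports | Where-Object { Test-TcpPort -Computer $h -Port $_ })
    if ($pingable -or $openPorts.Count -gt 0) {
        $verdict = 'reachable from guest segment'
    } else {
        $verdict = 'filtered'
    }
    New-Object PSObject -Property @{
        Host      = $h
        Pingable  = [bool]$pingable
        OpenPorts = ($openPorts -join ',')
        Verdict   = $verdict
    }
}
$report | Format-Table Host, Pingable, OpenPorts, Verdict -AutoSize
```

A POS that does not take part in NetBIOS browsing will not appear in net view, which is why the script also accepts addresses you learn by asking, as the author did. A "filtered" verdict for the POS is what a correctly segmented network should produce; ping or SMB answering from a guest PC is the finding the post describes.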

Why was this of concern? Well, in addition to the insecurity of the free PCs demonstrated by their unrestricted access, the POS was now also obviously unprotected. Additionally, my iPhone's Wi-Fi scanner showed that the obviously named network was unsecured and open to guest connections. Basically, I knew that I could sit in the parking lot of the neighboring gas station, only 30 feet away, connect freely and try to hack the POS to my heart's content. What stopped me from doing it? Only my ethics. I wasn't out to do it, nor would I really have tried. That isn't to say, though, that someone else with expert knowledge and time to kill would not have tried to break into the POS to get the credit card numbers. Of course, they could just as easily have used a simple packet sniffer to capture the network's traffic and sift through it later; on an open, unencrypted wireless network every frame that crosses the air is readable by anyone in range, no break-in required. These might not be everyday concepts, but anyone who can do a Google search could figure them out.

In the end, I chalked it up as another example of a good, customer service oriented idea that was badly implemented. Running Internet Explorer in kiosk mode with AutoComplete for passwords turned off, securing the wireless with WPA2 rather than leaving it open (if wireless was even really necessary), and putting the POS in its own VLAN with a firewall between it and the guest network would have made the network secure and available for customers, without exposing the business to any unnecessary risk. Of the three, the segmentation matters most: a WPA2 passphrase keeps the parking lot out, but anyone who walks in and sits at a free PC is already inside. Unfortunately, no one thought to do this. Between the insecurity of the wireless (you never know who's watching), the browser configured to remember passwords, and the exposed POS, an attacker would simply have to decide what to go for first. The business certainly won't do anything about it, but will you or others learn a lesson from it? If you don't know how to secure a business or home network, look for a guide to help you. If you can't figure that out, call a reputable local company who can. In the end, it could save you a big headache and losing your or your customers' sensitive personal data or financial information.
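The browser side of the fix, as an added example that is not from the original post: it covers both the AutoComplete setting found on the car wash PC and the kiosk mode recommended above. The values under Internet Explorer\Main are the per-user settings the Internet Options dialog writes; the matching values under the Policies key are what the Group Policy setting "Turn off the auto-complete feature for user names and passwords on forms" enforces, so the customer cannot simply switch it back on. The RunDll32 calls wipe what IE has already saved. The start page URL is an assumption, and the script must run in the kiosk user's own session because the keys are per-user.

```powershell
# Added example (not from the original post): audit and disable IE AutoComplete
# for passwords and forms on a shared PC, clear what was already saved, then
# launch IE in kiosk mode.

$Policy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'  # policy key: wins over user prefs
$Prefs  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'           # what the Internet Options UI writes

# "no" turns each feature off. Passwords: never store them; PW Ask: never offer
# to store them; Use FormSuggest: do not remember form entries either.
$Settings = @{
    'FormSuggest Passwords' = 'no'
    'FormSuggest PW Ask'    = 'no'
    'Use FormSuggest'       = 'no'
}

function Get-AutoCompleteState {
    # Report the current preference values; a missing value means IE's default, "yes".
    foreach ($name in $Settings.Keys) {
        $cur = (Get-ItemProperty -Path $Prefs -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $cur) { $cur = 'yes (default)' }
        New-Object PSObject -Property @{ Setting = $name; Current = $cur }
    }
}

function Set-AutoCompleteOff {
    foreach ($key in $Policy, $Prefs) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Settings.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $Settings[$name] -Type String
        }
    }
    # Wipe what is already stored for this user. ClearMyTracksByProcess flags:
    # 32 = saved passwords, 16 = form data, 2 = cookies (the lingering Google session).
    # Quoted so PowerShell passes "InetCpl.cpl,ClearMyTracksByProcess" as one argument.
    foreach ($flag in 32, 16, 2) {
        & RunDll32.exe 'InetCpl.cpl,ClearMyTracksByProcess' $flag
    }
}

Write-Host 'Before:'
Get-AutoCompleteState | Format-Table Setting, Current -AutoSize
Set-AutoCompleteOff
Write-Host 'After:'
Get-AutoCompleteState | Format-Table Setting, Current -AutoSize

# Kiosk mode (-k): full screen with no address bar, toolbars or menus. Start page is assumed.
Start-Process 'iexplore.exe' -ArgumentList '-k', 'http://news.google.com/'
```

Kiosk mode is a user-interface restriction, not a sandbox: it hides the menus but does not stop a determined customer from reaching Internet Options by other routes, which is why the policy key is set as well as the preference. Pair it with a limited, non-administrator Windows account for the guest PCs.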

Justin E. Gehrke