SoylentNews is people

posted by n1 on Tuesday November 11 2014, @03:27AM
from the forgot-to-put-the-key-in-the-switch dept.

There are plenty of reasons not to use hotel Wi-Fi. It’s often expensive, sluggish, and unreliable. Sometimes it seems like nobody knows the network password, and when trouble arises it’s hard to convince the front desk that there’s a problem with their network, not one with your devices.

Now you can add something new to that list: Hackers are using hotel Wi-Fi to steal data through zero-day vulnerabilities that companies like Adobe and Microsoft aren’t even aware of. ( http://blogs.wsj.com/digits/2014/11/10/cybercrime-gang-targets-execs-using-hotel-internet/?mod=ST1 )

Kaspersky Lab has appropriately dubbed the attacks the Darkhotel APT ( https://securelist.com/blog/research/66779/the-darkhotel-apt/ ). (It’s not as catchy as Heartbleed, but it’s a little more explanatory, I guess.) Darkhotel works by taking advantage of hotel Wi-Fi’s public nature and the willingness with which many people install updates to popular software like Adobe’s Flash. Hackers are said to have used the tactic to steal information from people traveling in Asia, but researchers found that the malware infected computers across North America and Europe, too.

  • (Score: 3, Interesting) by jackb_guppy on Tuesday November 11 2014, @05:11AM

    by jackb_guppy (3560) on Tuesday November 11 2014, @05:11AM (#114728)

    They "know". Just like MS storing your bitlocker encryption keys in the cloud, "to help you recover them"... and the NSA. Who would you expect to put these 0-day exploits in the code in the first place?

    We get the government we pay for! Microsoft and NSA making the world safer for themselves.

    My hat size is colander large! Need holes for ventilation.

  • (Score: 2) by Marand on Tuesday November 11 2014, @05:21AM

    by Marand (1081) on Tuesday November 11 2014, @05:21AM (#114731) Journal

    Is this a case of the hotel infrastructure being compromised, or just the usual "you can't trust other people on the network with you" problem? Linked articles didn't seem to be clear on that. If it's the latter, I'm surprised this is even a problem; every hotel I've visited in the past five or six years has used AP isolation to keep individual users from interacting in any way. Any public hotspot that isn't doing that is fucking things up royally.

    If it's the former, the interesting part isn't the hotel wi-fi aspect, it's that people are getting access to and sabotaging the infrastructure from within, then returning to wipe out traces afterward. That's some spy movie shit, just to target specific individuals with malware.

    • (Score: 5, Informative) by Fnord666 on Tuesday November 11 2014, @05:44AM

      by Fnord666 (652) on Tuesday November 11 2014, @05:44AM (#114733) Homepage

      Is this a case of the hotel infrastructure being compromised, or just the usual "you can't trust other people on the network with you" problem? Linked articles didn't seem to be clear on that. If it's the latter, I'm surprised this is even a problem; every hotel I've visited in the past five or six years has used AP isolation to keep individual users from interacting in any way. Any public hotspot that isn't doing that is fucking things up royally.

      If it's the former, the interesting part isn't the hotel wi-fi aspect, it's that people are getting access to and sabotaging the infrastructure from within, then returning to wipe out traces afterward. That's some spy movie shit, just to target specific individuals with malware.

      According to the Kaspersky paper, the vector for initial infection was one or more hidden iframes on the hotel's web portal login page. These launched installers that look like application or plugin updates but also contain trojans, backdoors, etc. What was interesting was that these iframes were only served to certain guests and the resources on the hotel's network were deleted right after checkout by the target. Between the access to the hotel's infrastructure and the knowledge that the attackers had of the guest's itinerary, there was either inside help or the hotel's networks have more holes than a screen door.

      • (Score: 2) by Marand on Tuesday November 11 2014, @06:24AM

        by Marand (1081) on Tuesday November 11 2014, @06:24AM (#114738) Journal

        Thanks for that info. I didn't see the relevant info in the linked pages and I missed the PDF links the first time because I thought it was an embed/render error caused by NoScript. (A couple sites I visit have had similar-looking issues with JS off)

        That means it really is reaching the spy movie plotline level I mentioned in the previous post, just to install malware on target systems. That's intriguing, amazing, and depressing all at once.
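The portal-side vector Fnord666 describes above (hidden iframes on the hotel's captive-portal login page, served only to selected guests, loading installers dressed up as plugin updates) is something a guest can at least check for in the HTML their own browser receives. The following is an added example, not code from the page or from Kaspersky's report; the portal hostname `portal.hotel.example`, the third-party host `update-cdn.example` and the sample page are constructed for the demonstration. It flags iframes that are hidden via CSS, effectively invisible (1px or smaller), or sourced from a host other than the portal itself.

```python
"""Audit a captive-portal login page for hidden or third-party iframes.

Added example, not from the page or from Kaspersky's report. The sample
portal HTML and all hostnames below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a guest's browser might receive from the hotel
# portal: a normal login form, a legitimate same-origin frame, and two frames
# that fit the pattern described in the thread (hidden and/or third-party).
SAMPLE_PORTAL = """<html><body>
<form action="/login" method="post">
  <input name="room"><input name="lastname" type="password"><button>Connect</button>
</form>
<iframe src="https://portal.hotel.example/terms" width="600" height="300"></iframe>
<iframe src="http://update-cdn.example/flash/update.html" style="display: none"></iframe>
<iframe src="https://portal.hotel.example/track.html" width="1" height="1"></iframe>
</body></html>"""


def _dimension(value):
    """Parse a width/height attribute such as '0', '1' or '0px'; None if not numeric."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that is hidden, tiny, or loads from a foreign host."""

    def __init__(self, portal_host):
        super().__init__()
        self.portal_host = portal_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []

        # Hidden via inline CSS (display:none / visibility:hidden).
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")

        # Zero- or one-pixel frames are invisible to the user but still load.
        w, h = _dimension(a.get("width", "")), _dimension(a.get("height", ""))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("effectively invisible (<=1px)")

        # Content pulled from anywhere other than the portal host itself.
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.portal_host:
            reasons.append("loads from third-party host " + host)

        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "src": src, "reasons": reasons}
            )


def audit_portal(html, portal_host):
    """Return a list of suspicious iframes found in the portal page."""
    parser = IframeAuditor(portal_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_portal(SAMPLE_PORTAL, "portal.hotel.example"):
        print(finding)
```

Two caveats that follow directly from Fnord666's summary of the report: because the iframes were served only to selected guests, a clean result on one device says nothing about what another guest was served, and a guest who never installs any "update" offered by a captive portal does not need the check at all. On the operator's side the corresponding controls are integrity monitoring of the portal content and a Content-Security-Policy `frame-src` that restricts where the login page may load frames from.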

  • (Score: 0) by Anonymous Coward on Tuesday November 11 2014, @09:45AM

    by Anonymous Coward on Tuesday November 11 2014, @09:45AM (#114766)

    Glad to hear this kind of shit is happening to other people as well! In the light of the article it however might be customer service instead of a glitch...

  • (Score: 2) by Wootery on Tuesday November 11 2014, @10:22AM

    by Wootery (2341) on Tuesday November 11 2014, @10:22AM (#114774)

    The linked article on securelist.com doesn't even mention the word 'update'.

    Does anyone know what's going on here? Are they hijacking an insecure update mechanism in Flash or something?

  • (Score: 2) by TheLink on Tuesday November 11 2014, @04:39PM

    by TheLink (332) on Tuesday November 11 2014, @04:39PM (#114886) Journal

    I suggested this years ago:
    http://it.slashdot.org/comments.pl?sid=457132&cid=22455074 [slashdot.org]

    Current wireless solutions in practice don't have something like https usage.

    Where "anonymous" users can securely communicate with servers (that can be validated - if the users actually care).

    If you have a WiFi network secured using a naive shared key method, anyone with the shared key can decipher the access of the other users. This might be fine in your house, but not good in some public cafe.

    Seems the way around this with current WiFi technology is to let every user use an account - username and password.
    Apparently in this case even if users share the same username and password, using WPA2 or whatever (I can't be bothered to keep accurate tabs on below par crap ;) ) they can't decrypt each others sessions. Not sure if this is 100% true given the track record ;).

    Assuming it's true, it would be much easier if Windows (and other O/Ses) would default to a standard username and password AND also check the cert of the AP (and issue warnings if it looks dodgy). You should be allowed to log in using a particular user account, or be prompted if the AP rejects the default.

    Then people like Starbucks/BK/etc could use certs for their WiFi networks, and customer can have reasonably secured comms at least between themselves and the AP.

    The WiFi Alliance should have copied the SSL _concepts_ and got the help of decent security people, rather than coming up with crap year after year (for how many years?).

    IBM announced something similar later: https://media.blackhat.com/bh-us-11/Arsenal/BH_US_11_Cross_Arsenal_Secure_Wireless_Slides.pdf [blackhat.com]

    And I think there's some bunch going about trying to do it with limited success - seems some clients require specifying a client certificate even if none is required.

    But overall not many seem that interested. I guess we have to wait for it to become a big enough problem?
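TheLink's point that "anyone with the shared key can decipher the access of the other users" is exact for WPA2-PSK, and the reason is worth seeing in code: the pairwise key for every session is derived from the PMK (itself a function of passphrase and SSID only) plus the two MAC addresses and two nonces, all four of which travel unencrypted in the 4-way handshake. The following is an added example, not code from the page or from any of the commenters; the SSID `HotelGuest`, the passphrase `welcome2014` and the MAC addresses are constructed. The PBKDF2 and PRF steps are the standard IEEE 802.11 derivations (the `password`/`IEEE` pair used as a self-check is the standard's own test vector).

```python
"""Why a shared WPA2 passphrase gives guests no confidentiality from each other.

Added example, not from the page or from the commenters. Any station that
knows the passphrase can recompute any other station's session keys from
values sent in the clear during the 4-way handshake. SSID, passphrase and
MAC addresses below are constructed.
"""
import hashlib
import hmac
import os


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Depends only on the passphrase and SSID, so it is identical for every guest."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (384 bits) split into KCK || KEK || TK.
    aa/spa are the AP and station MAC addresses, anonce/snonce the handshake
    nonces; all four are carried unencrypted in EAPOL-Key messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def handshake(pmk, ap_mac, sta_mac):
    """Simulate one station associating.
    Returns (what a passive listener sees on the air, the station's traffic key)."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    station_keys = wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    observed = {"aa": ap_mac, "spa": sta_mac, "anonce": anonce, "snonce": snonce}
    return observed, station_keys["tk"]


def eavesdrop(passphrase, ssid, observed):
    """Another guest who knows only the passphrase and watched the handshake."""
    pmk = wpa2_pmk(passphrase, ssid)
    return wpa2_ptk(pmk, observed["aa"], observed["spa"],
                    observed["anonce"], observed["snonce"])["tk"]


def demo():
    """Two guests on the same PSK network; a third device that knows the
    passphrase and saw both handshakes recovers both traffic keys."""
    ssid, passphrase = "HotelGuest", "welcome2014"          # constructed
    ap_mac = bytes.fromhex("001122334455")                  # constructed
    pmk = wpa2_pmk(passphrase, ssid)

    seen_a, tk_a = handshake(pmk, ap_mac, bytes.fromhex("66778899aabb"))
    seen_b, tk_b = handshake(pmk, ap_mac, bytes.fromhex("ccddeeff0011"))

    return {
        "guest_a_recovered": eavesdrop(passphrase, ssid, seen_a) == tk_a,
        "guest_b_recovered": eavesdrop(passphrase, ssid, seen_b) == tk_b,
        "keys_differ_between_guests": tk_a != tk_b,
    }


if __name__ == "__main__":
    print(demo())
```

The per-session nonces make the two guests' traffic keys differ, but that buys nothing against someone who holds the PMK and merely listens: no active attack is modelled here, only observation of the handshake. This is also why TheLink's second observation holds for WPA2-Enterprise (802.1X/EAP): there the PMK is taken from the master key that each EAP session negotiates inside its TLS tunnel, so two guests logging in with the same username and password still end up with unrelated PMKs. The caveat TheLink gets at with "check the cert of the AP" is that this only helps if the supplicant actually validates the authentication server's certificate (for wpa_supplicant, `ca_cert` together with `domain_suffix_match` or `subject_match`); a client that accepts any certificate hands its credentials, and a fresh PMK, to whoever runs the nearest rogue AP.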