Network Scanning a Moving Bus

 



This is a true story; it happened to me this week. For the sake of privacy I am intentionally leaving out the name of the organization that owns the bus line. I am also intentionally leaving out the "how-to" part of the story.

Those determined enough to piece clues together could figure out how I did what I did.  The purpose of this post is for us to think hard about our Information Technology and how it is serving us and our clients.  

The Story:

I was with my family; we were driving down a major road in my city. We have driven down this road a million times. The particular area we were going past is a uniquely industrial area; a lot of manufacturing occurs here and there is a major bus line that operates here. These buses ferry people between major cities like Red Deer, Edmonton, etc.

We were at an intersection and one of these buses pulls up beside us. I glance over, and see that it has the universal WIFI symbol on the side. Since I haven't been on a bus in a long time, this service was totally new to me.

My mind started racing.  I understand the typical range of your average WIFI router. "I wonder if it reaches us?"

I reached into my pocket and pulled out my phone.  I turned the WIFI on, because I always turn it off when I leave the house.

I watched the screen to see if a connection would show up....and yes it did.  It was unmistakable that I was looking at the WIFI connection for this bus that was beside us.

I was surprised to see that the bus WIFI was open (no password required).

[side note] Someone on the bus was hotspotting with their phone (no password either) so I could have connected to their phone as well...if I wanted to. This is beside the point.

The light turns green.  The bus begins to move.  I know that we only have 8 blocks before the bus goes one direction and I keep heading down the road.

We are both travelling beside each other, 40-50km/h.

I figure this would be an interesting experiment, so I connect.  No problems! Full bars!

So what next? I could surf the web? Nah, that isn't interesting.

On my phone I have a useful app for network auditing; it essentially conducts a ping scan of the network.

I click "Scan."

Immediately it returns 10 devices.  I am being shown IPs and MAC addresses.  I stop there and turn off the WIFI.

I was satisfied with this test.

Reflection:

A lot of things were going through my mind immediately after this. From the time of seeing the WIFI symbol to me connecting and scanning, the entire process was under a minute. One thing I have learned in my security studies is that my "unique" idea has probably already been thought of.

I can't be the first non-client person to piggyback a WIFI connection from a bus. Maybe the first off a moving bus? Probably not ;)

I also figured I could safely speculate that there were 8 passengers on the bus.  One of the devices was the router itself and I would say that at least one of the other devices was likely the driver.  It's free WIFI, why not right!?

Learning:

What can we learn from this? Well, the primary learning from this experience is that we should be mindful of the services we are providing our customers.

Just because something can be offered does not necessarily mean that we should. In the same breath, if a service is expected by our customers, then do so in a secure way! Our clients trust that we have their security in mind when we provide services to them.

The solution for this bus is simple. Had they put a password/passphrase on their WIFI (unique to that bus) and only known to this set of passengers, there is no way I could have connected as fast as I did.

It's fascinating and mind-boggling at the same time that without any outward cues I was able to make a rough guesstimate of how many people were in the bus. In fact I was able to tell that of those supposed 8 guests, 6 of the devices were Apple.

These people had no idea that a random person, whom they never saw and never will see, knew that they were on that bus.

All data is valuable.

We are seeing in the news, in an increasing amount, that client data is being stolen.  Trusted vendors being hacked.  Popular software being compromised.

Honestly, a part of the problem is that we as humans are so excited to jump on the bandwagon of new technology as "early adopters." We greedily accept anything that is bright and shiny without really absorbing and contemplating the ramifications.

I had a conversation with someone once and they were telling me that they could connect remotely from anywhere to their fridge in their house. "I can check out the temperature, and this and this and this..." and I was very frank in my response:

"but why?"  

My answer caught them off guard; the best answer that I got was "it's cool though." Not long after this I saw a story of people hacking IoT devices (baby monitors, fridges, coffee machines).

Why were these machines able to be hacked?  Because they were built with no security in mind.  The primary focus for development was to be shiny and attract as many purchases as possible.

Conclusion:

Providing services to your clients is necessary; that's why you have a business. Your clients give you their money and have entered a contract saying they trust you. Don't damage that trust, and ultimately our business, by incorporating shoddy security. Be intentional about what you are doing and why, protect their data and your own, and stay out of the news.










