I live within a two-minute walk from a street packed with restaurants and bars, probably more than 30 of them. Most – if not all – of these provide WiFi Internet access as a service for their customers, and most – if not all – of these put their servers and point-of-sale (POS) terminals on the same network.
Of course it is pretty easy to understand what is happening here. The restaurant or bar owner knows little, or nothing, about IT. The vendor or supplier of the point-of-sale system cares little, or not at all, about anything except selling point-of-sale terminals, and while this vendor will probably be tasked with setting up the network, their staff know next to nothing about the consequences of their decisions.
As a result, anybody who can connect to the outlet’s public WiFi can poke around the network with practically no risk of being detected, since nothing on such a network is logging or monitoring what the clients do. This in turn leads to a number of “interesting” problems.
The very first problem is that these uncontrolled public WiFi networks put the owner at an enormous risk resulting from potential illegal actions performed by the users. This could range from piracy (downloading copyrighted material) to serious offences such as distribution of child pornography. Since most of these semi-public WiFi access points use a shared password that is distributed to all customers on request (if not actually written on the wall somewhere), there is no way the individual users can be identified: to the outside world, every one of them is the business owner's IP address.
Denial of Service
The second potential problem is denial of service (DoS). With a device on the same network as the servers and POS terminals, it is relatively easy to render the Internet connection, or indeed the network itself, completely useless. Downloading a popular bittorrent could easily fill the available bandwidth, and ARP poisoning can redirect every other host's traffic to the attacker's machine, which then simply drops it, so that the network effectively serves only that one client.
I honestly do not know if a typical POS terminal will continue operating if the server is unreachable, but I imagine this could potentially put the POS terminal out of service for the duration of the attack.
Finally, network sniffing. ARP poisoning/spoofing does not attack the access point itself but the ARP caches of the hosts, and most – if not all – cheap consumer access points do nothing to stop it (no client isolation, no ARP inspection), which means it is trivial for anybody who is connected to capture all traffic on the network. That includes traffic from other customers’ phones, tablets and laptops, and traffic from and between the point-of-sale terminals and the server (presumably running a centralized accounting application of some sort). This all sounds pretty nerdy and like something that would require significant skills. Think again! Hell – I got an app for my Android phone which will quite happily do this for me – without any knowledge needed whatsoever (DroidSheep).
DroidSheep is a bit of a toy really. It will collect “sessions” (the cookies of users already logged in) for a number of services (Google, Facebook, e-mail etc.) but that is about it. There are of course more serious tools available. An application such as Ettercap is potentially much more dangerous. Ettercap will, like DroidSheep, use ARP poisoning to ensure that all network traffic passes through the attacker's machine. It also contains plugins that can downgrade or strip connections so that passwords are sent in clear text (or at least in a form that can be analysed and cracked later), and plugins that isolate hosts from the rest of the network.
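What a poisoned ARP reply looks like on the wire, and how a host on the same segment could notice it, is easy to show in a few lines. The following Python is an added example written for this page; it is not part of the original post and not code from DroidSheep or Ettercap. The gateway, POS terminal and attacker addresses are made up, the sample frames are constructed inline, and the `ArpWatcher` class is a minimal stand-in for a tool like arpwatch.

```python
"""Build and detect ARP cache poisoning (added example, not from the original post).

A tool such as DroidSheep or Ettercap sends unsolicited ARP replies that claim
the gateway's IP address for the attacker's MAC address, and the victim's IP
address for the attacker's MAC address towards the gateway, so that both
directions of the victim's traffic pass through the attacker's machine.
The watcher below records IP->MAC bindings and reports when one changes.
All addresses and frames are constructed for illustration.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff") -> bytes:
    """Build an Ethernet II + ARP (IPv4 over Ethernet) frame.

    Used here only to construct sample traffic; a poisoning tool does
    essentially this with a forged sender hardware address (sha).
    """
    eth = struct.pack("!6s6sH", mac_to_bytes(eth_dst), mac_to_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_to_bytes(sha), ip_to_bytes(spa),
                      mac_to_bytes(tha), ip_to_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": bytes_to_mac(eth_src), "op": op,
            "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}


class ArpWatcher:
    """Track IP->MAC bindings seen on the wire and report changes.

    `trusted` is a static table (e.g. the gateway and the POS server) that is
    never overwritten; bindings learned from traffic are updated on change so
    that a legitimate DHCP reassignment is reported once rather than forever.
    """

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})
        self.trusted = set(trusted or {})

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a is None or a["spa"] == "0.0.0.0":   # not ARP, or an ARP probe
            return None
        ip, mac = a["spa"], a["sha"]
        if mac != a["eth_src"]:                   # forged sender address
            return f"sender MAC {mac} for {ip} does not match frame source {a['eth_src']}"
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known != mac:
            kind = "trusted" if ip in self.trusted else "learned"
            if ip not in self.trusted:
                self.bindings[ip] = mac
            return f"{ip} moved from {known} to {mac} (op={a['op']}, {kind} binding)"
        return None


def scan(frames, trusted=None):
    """Run every frame through a watcher and return the list of alerts."""
    watcher = ArpWatcher(trusted)
    return [alert for f in frames if (alert := watcher.observe(f))]


# Constructed sample traffic: addresses are invented for this example.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
POS_IP, POS_MAC = "192.168.1.50", "00:11:22:33:44:50"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    # Legitimate exchange: the POS terminal asks for the gateway, the gateway answers.
    build_arp(ARP_REQUEST, POS_MAC, POS_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, POS_MAC, POS_IP, eth_dst=POS_MAC),
    # Poisoning: the attacker tells the POS that the gateway lives at the attacker's MAC...
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, POS_MAC, POS_IP, eth_dst=POS_MAC),
    # ...and tells the gateway that the POS lives at the attacker's MAC (full man-in-the-middle).
    build_arp(ARP_REPLY, ATTACKER_MAC, POS_IP, GATEWAY_MAC, GATEWAY_IP, eth_dst=GATEWAY_MAC),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES, trusted={GATEWAY_IP: GATEWAY_MAC}):
        print("ALERT:", alert)
```

Two things to keep in mind when turning this into a real monitor: the poisoned replies are unicast to the victim, so a watcher only sees them if it runs on the victim itself, on a mirror port, or on a segment where the switch floods them; and a static `trusted` table for the gateway and POS server is what makes the detection reliable, because a watcher that only learns bindings from traffic can be taught the wrong ones first.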
To solve the problems listed above, a number of changes need to be implemented:
Network Isolation
This one is so simple it is almost a no-brainer. When putting together a network of potentially vulnerable servers and POS terminals, make sure that network is completely isolated from unknown users: the guest WiFi belongs on its own network (a separate VLAN or physical segment) that can reach the Internet and nothing else.
User Identification
Force users to “sign up” with a valid e-mail address so that the users can be identified. The address only helps if it is verified and if the router logs which account, MAC address and time each session belongs to; an unverified address on a captive portal identifies nobody.
Separate Exit Strategies
Route unknown users through an anonymizing network such as, for example, Tor. This would ensure that no illegal traffic can be tied to the business owner. Be aware that this adds considerable latency and that many websites block or challenge connections from Tor exit nodes, so customers will notice.