Posts Tagged ‘wireless hackers’

iPhone Used To Hack Wireless Networks

Sunday, August 10th, 2008

Fox News ran this story on August 8th, 2008 on how a company uses the iPhone to hack into corporate networks.

The company mails the phone in a package with a long-life battery, where it sits in the mail room and eventually gets returned. While on the company premises it scans all available wireless networks for vulnerabilities. Although it may stay in the mail room for several days, they say it only needs a few minutes to gather all the information needed for them to further break into that company.

You can read the article here, and we’ve included the full text below in case Fox News decides to take it off their site:

LAS VEGAS — Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections.

How about stealing someone’s computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.

Hackers at the DefCon conference here were demonstrating these and other novel techniques for infiltrating facilities Friday.

Their talks served as a reminder of the danger of physical attacks as a way to breach hard-to-crack computer networks. It’s an area once defined by Dumpster diving and crude social-engineering ruses, like phony phone calls, that are probably easier to detect or avoid.

As technology gets cheaper and more powerful, from cell phones that act as personal computers to minuscule digital bugging devices, it’s enabling a new wave of clever attacks that, if pulled off properly, can be as effective and less risky for thieves than traditional computer-intrusion tactics.

Consider Apple Inc.’s iPhone, a gadget whose processing horsepower and cellular and wireless Internet connections make it an ideal double agent.

Robert Graham and David Maynor, co-founders of Atlanta-based Errata Security, showed off an experiment in which they modified an iPhone and sent it to a client company that wanted to test the security of its internal wireless network.

Graham and Maynor programmed the phone to check in with their computers over the cellular network. Once inside the target company and connected, a program they had written scanned the wireless network for security holes.

They didn’t find any, but the exercise demonstrated an inexpensive way to perform penetration testing and the danger of unexpected devices being used in attacks. If they had found an unsecured router in their canvassing, they likely would have been able to waltz inside the corporate network to steal data.

To keep the phone running, the researchers latched on an extended-life battery that lasts days on end. But they only really need a few minutes inside a building to test the network’s security.

“It’s like saying, once you get into Willy Wonka’s Chocolate Factory, and you’re in the garden where everything’s edible, you have it all,” Graham said in an interview.

The attack won’t work, of course, if a company’s wireless network is properly secured. In that case, Graham and Maynor said there’s likely no big loss: the package that had been sitting in the mailroom would probably be mailed back to them so they could try it again elsewhere.

Another talk focused on new twists to Cold War-era espionage tactics that could allow criminals to sidestep the locks on computer networks.

Eric Schmiedl, a lock-picking expert and undergraduate at the Massachusetts Institute of Technology, outlined several surveillance methods long used by government intelligence agents that have become more accessible to garden-variety criminals because of the falling price of the technologies.

For example, Schmiedl said even low-budget criminals now have a way to eavesdrop on conversations through a window. It involves bouncing a beam from a laser pointer off the glass and through a light sensor and audio amplifier.

If the people inside the room are close enough to the window, their conversation creates vibrations that the equipment can translate into a crude reconstruction of the conversation, Schmiedl said.

“We’re burning the candle at both ends,” he said. “The technology is becoming easier and cheaper and anybody can do it. And at the same time there’s more incentive now to do it. These are two trains on a collision course. The question is when they’re going to collide.”

Identity Theft Tool: dsniff

Saturday, June 21st, 2008

Identity Theft hackers love the dsniff tool. It automatically extracts login details, like names and passwords, for all the accounts being accessed on a wireless network. This article shows how hackers use it to get your information, what type of information they get, and what they can do with it.

Before you read any further, note that Wireless Personal Secure (Wifi Security Guy’s wireless security service) completely protects you, and if you were using it the following would not happen to you. Click here to get this amazing protection or to learn more about it.

Dsniff can be run in two different modes: “live” mode, where it extracts names and passwords from an active wireless network, or “delayed” mode, where it extracts names and passwords from a file that has all the network activity saved in it. This allows a hacker to use a tool like kismet to “passively” capture all the network activity and later extract all the login names and passwords when he goes back home. It also lets a hacker record the activity of a “secured” network, crack the security at home, and then extract all the login names and passwords that passed over the “secured” network. We will show how it’s used in “delayed” mode, since that is the easiest and most convenient use for a hacker.

When kismet runs, it records everything sent or received over a wireless network in a “dump” file. In our example we have a file named ‘Kismet-Apr-15-2008-2.dump’. This particular file was collected from a local sandwich shop during lunch. Let’s see what dsniff can pull out of this file:

[Screenshot: Dsniff capture screen]

Please notice we’ve smudged out all the login information. All in all there were 24 login names and passwords obtained in the course of that lunchtime. A hacker’s feast! In this little screen shot you can see a lot of pop logins captured. Pop (aka POP3) stands for “Post Office Protocol”; this is people logging in to read their email. You can read how, once a hacker has access to your email (as anyone who used kismet and dsniff as I did would now have), he can commit Identity Theft against you in our article: Wireless Network Identity Theft Example (technical).

As you can see the three most important pieces of information are displayed: (1) the server connected to, (2) the username on the email account, and (3) the password on that account. With those three pieces of information a hacker can now monitor all of these accounts and commit Identity Theft against them within just a few weeks.

There wasn’t enough screen space to show everything captured, so I’ve done another small screen shot so you can see other examples of the information captured:

[Screenshot: Dsniff capture screen]

The first entry (starting with “GET /sas/LoginSubmit”) is a web browser that is opening a “secured” page. Notice dsniff pulls out the Account ID, Username, and Password (look on that same line and you’ll see the entries; I’ve smudged out the user name and password to protect the user).

The second entry is a vulnerable SNMP server. It’s a little complicated (and beyond the scope of this article), but with an unsecured SNMP server around a hacker can break into the system and use it to exploit more users and gain more information.

So as you can see dsniff is a powerful tool that extracts login information on a wireless network (or file with all the network activity saved in it). The login information contains all the names, passwords, and which servers those names and passwords work on. The hacker then uses this information to commit Identity Theft. How a hacker can use this information to commit Identity Theft is covered in this article: Wireless Network Identity Theft Example (technical).
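The same capture can be read from the other side of the table. The script below is an added example (it is not dsniff and not Wifi Security Guy’s code): it walks a constructed set of packet payloads, flags the login exchanges that crossed the network in the clear (a POP3 USER/PASS pair and an HTTP form POST with a password field), and reports them with the username redacted and the password never stored, so a network or mail-server owner can see which services still need to move to TLS. The packet records, addresses, host names and accounts are all constructed for the example.

```python
"""Cleartext credential exposure audit over a constructed packet capture.

Added example, not dsniff. Flags POP3 USER/PASS exchanges and HTTP form
POSTs carrying a password field, and reports them redacted: the secret is
never copied into the finding, only the protocol, server, client and a
masked username, which is enough to notify the owner and fix the service.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Packet:
    src: str      # client address
    dst: str      # server address
    dport: int    # server port
    payload: str  # decoded application-layer data (constructed, text only)


# Constructed sample traffic in the spirit of a lunchtime hotspot capture.
# Every address, host name and account here is fictional.
SAMPLE_CAPTURE = [
    Packet("10.0.0.12", "203.0.113.5", 110, "USER alice@example.test\r\n"),
    Packet("10.0.0.12", "203.0.113.5", 110, "PASS hunter2\r\n"),
    Packet("10.0.0.17", "203.0.113.9", 80,
           "POST /account/login HTTP/1.1\r\nHost: portal.example.test\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "accountid=4711&username=bob&password=s3cret"),
    # POP3 over TLS: ciphertext, nothing to extract, the auditor ignores it
    Packet("10.0.0.21", "203.0.113.5", 995, "\x16\x03\x01..."),
    Packet("10.0.0.12", "203.0.113.5", 110, "STAT\r\n"),
]

PASSWORD_FIELD = re.compile(r"pass(word|wd)?$", re.I)
USER_FIELD = re.compile(r"^(user(name)?|login|email)$", re.I)


def redact_user(user: str) -> str:
    """Keep the first character and the mail domain so the account owner can be
    told which login leaked, hide the rest."""
    local, _, domain = user.partition("@")
    return local[:1] + "***" + ("@" + domain if domain else "")


def audit(packets):
    """Return one finding per cleartext login seen; passwords are dropped."""
    findings = []
    pop_sessions = {}  # (client, server) -> username announced by USER
    for p in packets:
        if p.dport == 110:
            cmd, _, arg = p.payload.strip().partition(" ")
            key = (p.src, p.dst)
            if cmd.upper() == "USER":
                pop_sessions[key] = arg
            elif cmd.upper() == "PASS" and key in pop_sessions:
                # the PASS argument is deliberately not read into the finding
                findings.append({"proto": "POP3", "server": p.dst,
                                 "client": p.src,
                                 "user": redact_user(pop_sessions.pop(key))})
        elif p.dport == 80 and p.payload.startswith("POST "):
            head, _, body = p.payload.partition("\r\n\r\n")
            host = next((line.split(":", 1)[1].strip()
                         for line in head.split("\r\n")
                         if line.lower().startswith("host:")), p.dst)
            fields = parse_qs(body)
            if any(PASSWORD_FIELD.search(k) for k in fields):
                user = next((v[0] for k, v in fields.items()
                             if USER_FIELD.search(k)), "?")
                findings.append({"proto": "HTTP", "server": host,
                                 "client": p.src, "user": redact_user(user)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE):
        print(f"{f['proto']:5} {f['client']} -> {f['server']} user={f['user']}")
```

Run against a real capture, the same logic would sit behind a decoder that reassembles TCP streams first; the point of the example is the reporting shape: a finding per exposed service, redacted, so the fix is to turn on POP3S/HTTPS rather than to collect what passed by.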

Identity Theft Tool: Kismet

Thursday, June 19th, 2008

Kismet is one of an Identity Theft hacker’s favorite tools. In this article we explore how kismet works and why the hackers like it so much.

Before you read any further, note that Wireless Personal Secure (Wifi Security Guy’s wireless security service) completely protects you, and if you were using it kismet would only record completely encrypted, uncrackable data - all of your information would be 100% safe. Click here to get this amazing protection or to learn more about it.

Kismet is a powerful tool that collects and analyzes information on all the wireless networks within range of the computer running kismet. We’ll familiarize ourselves with kismet’s basic functions first and then dig into exactly how wireless hackers use it to help them commit Identity Theft. It has two basic functions that hackers use it for: (1) examining the wireless network and (2) recording all the network activity to run other hacking tools on.

Kismet is freely downloaded from the Internet and installs in minutes. It has a very simple configuration file where the hacker tells kismet which wireless network card (or cards) to use and which wireless channels he wants kismet to pay attention to.

1. Examining The Wireless Network

After kismet starts the hacker sees this screen:

[Screenshot: Kismet Network List Screen]

This screen is split into the following sections:

1. Info

[Screenshot: Kismet Network List Screen Info Box]

The Info section lists a summary of everything kismet has collected or seen so far. In this snapshot we see:

  • kismet has found 14 Networks
  • kismet has recorded 252,331 wireless network packets
  • of those 252,331 packets only 24 of them were encrypted
  • 0 (none) of the encrypted packets were found to be “weak” (vulnerable to quick or easy hacking)
  • 185 packets were “noisy” (hard to pick up because of some form of interference)
  • 185 packets were discarded as unusable (the same “noisy” packets)
  • on average kismet is collecting 152 packets per second
  • at the bottom of the “Info” section (displayed in the full-screen image above) you can see kismet is using the ipw220 network card, is currently listening on channel 11, and has been recording packets for 45 minutes and 20 seconds.

2. Status

[Screenshot: Kismet Network List Screen Status]

The Status section lists recent events. In this case it’s letting us know that some other wireless devices are checking out the networks (“probing”) but never actually joining any of them. That’s very suspicious activity; it may be a hacker who is watching the wireless networks to see what he can pick up. It also lets us know that the battery is charging and is up to 94% charged. This is handy for a hacker because he usually is not plugged in with a power cord when he’s collecting information, and he’ll need to keep an eye on his battery level.

3. Networks (now to the juicy stuff)

[Screenshot: Kismet Network List Screen Networks]

Let’s look at each of these columns and see what they are for.

Name - This is the name of the network. The first network listed is “Adhoc”, which just means devices/laptops that aren’t actually part of any particular network but are available to connect with other computers directly without joining a specific network. 467 adhoc packets seems a little high to me. This is usually because there are computers in the area that are “open” to connecting with other computers directly but aren’t set up to use any of the wireless networks. Adhoc networks don’t have a central wireless access point; sometimes two people with laptops create their own adhoc network just so they can share some files or do something similar when there’s no access point around that they can join.

The “Probe” networks show which networks computers were trying to find. A common “security” step taken by people who have been misinformed is to “hide” their SSID (also known as turning off the broadcast of the SSID/ESSID). If you have been on a “hidden” network, your computer can’t tell whether that network is around, because normal wireless networks broadcast a “hey, I’m here and my name is XYZ” message but a “hidden” network doesn’t. So your computer broadcasts a message that says “hey, I’m looking for network XYZ, are you around?” Those messages show up as “Probe” networks. You can read more on how hiding a network doesn’t really hide it in our article Identity Theft And A False Sense Of Security - Wifi “security” measures that don’t secure your information; there’s a lot of misinformation floating around causing people to think they are secured when they really aren’t.

The “<no ssid>” network is raw wireless traffic that was transmitted without being associated with any wireless network, a lot like talking to yourself out loud. Notice there are only 33 packets like this after 45 minutes of collecting information. Hackers usually just ignore “<no ssid>”.

All the rest of the names you see in the list are “real” wireless networks.

T - Type of device. There are two basic types that show up here, G - gateway and A - access point. The difference between the two is very subtle, and depending on who you ask you will get differing (and sometimes conflicting) answers. For a hacker the type is not that important. Notice that the “real” networks are all listed as A.

W - It used to stand for “WEP”; now it’s just an indicator of what type of encryption a wireless network is using (if any): N - none (or “no”), Y - “yes” but unknown or varied (notice the Y is only on the <no ssid> network), O - “other”, sometimes the same as “N”.

Ch - Channel, what channel this network operates on. Because wireless networks can be close together it’s important to use different channels for nearby networks so they don’t run up a lot of interference. Notice these are almost exclusively on channel 11, a big mistake on the part of the people that planned the networks out. If you have networks that are near yours and yours just doesn’t seem to run as fast as you think it should, kismet can tell you which channels are in use by which networks so you can move your network to an “empty” channel.

Hackers also use the channel to narrow in on just one network. Ordinarily kismet hops from one channel to another listening and gathering information. While it’s on one channel it can’t be collecting information on any other channel. So once a hacker finds a network he wants to really listen to, he tells kismet to only listen on that particular channel.

Packets - Whenever your computer sends or receives anything with the wireless network it does it in “packets” or small chunks of information. A high packet count is an indication of a very active network. You can see that Panera is the most active of them all.

Flags - There is a decent list of flags that can appear here; the flag hackers love to see is the “F”, which means “Factory Defaults”, in other words whoever set up the wireless network just took the wireless router out of the box, plugged it in, and then forgot all about it. That allows the hacker to log in to the router (all manufacturers ship their wireless routers with a set of default names/passwords) and change anything he wants. The “U” you see for Panera means kismet was able to figure out the range of addresses that are used on the network by examining the UDP traffic (a trivial point, and you can forget it just as soon as you leave this sentence).

IP Range - This is the address range that can be used by a hacker if he wants to join the wireless network even without the permission of the wireless router. Once the hacker knows what address range is in use he can just take one of the unused IPs.

Size - This is the total amount of data that has been sent through the wireless router. In this case Panera has been busy for the past 45 minutes and has transmitted 22 megabytes. Along with Packets, the Size tells how active a particular wireless network is.

If you haven’t guessed by now, I’m sitting at Panera Bread, a local wifi & sandwich shop here in Bowling Green. It’s lunchtime and it’s moderately busy. I look around and see no more than 10 laptops running at a time. Most people aren’t using public wifi to download large files, most of their traffic is going to be their email and visiting websites. With 22Meg of email and website visits we should see a decent number of logins that hackers would use for Identity Theft (and we do!).
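The same columns kismet shows a hacker can be read as a checklist by whoever runs the networks in the building. The script below is an added example (not kismet’s code or output format, and not from Wifi Security Guy): it takes a constructed survey modelled on the Name, W, Ch, Packets, Flags and Size columns described above and reports the things a network owner would act on: networks running with no encryption, a router still on factory defaults, SSIDs that clients are probing for by name (so “hiding” them hides nothing), and too many networks stacked on one channel, with the least-used non-overlapping 2.4 GHz channel (1, 6 or 11) suggested as the move. The `kind` field (ap / probe / adhoc) and every record in the survey are constructed for the example.

```python
"""Wireless survey review over Kismet-style network-list columns.

Added example with constructed records; not Kismet's own code or output.
Turns the survey columns (Name, W, Ch, Packets, Flags, Size) into
findings a network owner can act on.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class NetRecord:
    name: str
    kind: str        # constructed field: "ap", "probe" or "adhoc"
    crypt: str       # W column: "N" none, "Y" yes, "O" other
    channel: int     # Ch column, 0 when not applicable
    packets: int     # Packets column
    flags: str       # Flags column, e.g. "F" factory defaults, "U" UDP range
    size_bytes: int  # Size column


# Constructed survey in the spirit of the screenshots: almost everything on
# channel 11, one busy open hotspot, one router on factory defaults, and two
# "hidden" SSIDs that clients keep asking for by name.
SURVEY = [
    NetRecord("Adhoc", "adhoc", "N", 0, 467, "", 80_000),
    NetRecord("CorpHidden", "probe", "N", 0, 40, "", 5_000),
    NetRecord("HomeNet", "probe", "N", 0, 12, "", 1_200),
    NetRecord("<no ssid>", "ap", "Y", 11, 33, "", 4_000),
    NetRecord("Panera", "ap", "N", 11, 180_000, "U", 22_000_000),
    NetRecord("linksys", "ap", "N", 11, 900, "F", 120_000),
    NetRecord("CorpHidden", "ap", "Y", 11, 2_500, "", 300_000),
    NetRecord("CafeNext", "ap", "Y", 6, 3_100, "", 410_000),
]

NON_OVERLAPPING = (1, 6, 11)  # the three non-overlapping 2.4 GHz channels


def access_points(records):
    """Real networks only: drop ad hoc, probe rows and unassociated traffic."""
    return [r for r in records if r.kind == "ap" and r.name != "<no ssid>"]


def least_used_channel(records) -> int:
    """Non-overlapping channel with the fewest access points on it."""
    per_channel = Counter(r.channel for r in access_points(records))
    return min(NON_OVERLAPPING, key=lambda c: per_channel.get(c, 0))


def review(records):
    """Return (kind, subject, detail) findings for a network owner."""
    findings = []
    for r in access_points(records):
        if r.crypt == "N":
            findings.append(("OPEN", r.name,
                             f"{r.packets} packets / {r.size_bytes} bytes sent in the clear"))
        if "F" in r.flags:
            findings.append(("FACTORY_DEFAULTS", r.name,
                             "router still on vendor defaults; change the admin login and SSID"))
    for name in sorted(r.name for r in records if r.kind == "probe"):
        findings.append(("PROBED_SSID", name,
                         "clients ask for this network by name; a hidden SSID is still disclosed"))
    per_channel = Counter(r.channel for r in access_points(records))
    busiest, count = per_channel.most_common(1)[0]
    if count > 1:
        findings.append(("CHANNEL_CONGESTION", f"ch{busiest}",
                         f"{count} networks share channel {busiest}; "
                         f"least used non-overlapping channel is {least_used_channel(records)}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review(SURVEY):
        print(f"{kind:19} {subject:12} {detail}")
```

The two findings that matter most line up with the two things the article says a hacker looks for: the “N” in the W column and the “F” flag. Everything else in the report is housekeeping, but the probe check is worth keeping because it is the quickest way to show someone that turning off SSID broadcast did not make their network invisible.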

As you can see, kismet is great for giving a hacker a quick overview of all the wireless activity going on in the area. Since Panera has the most activity, a hacker will use kismet to see more detailed information about this particular network. When he selects the Panera network and hits ‘c’ to see the client list of that network, this is what he would see:

[Screenshot: Kismet Client List Screen]

Here’s a closeup:

[Screenshot: Kismet Client List Screen Closeup]

Let’s review these columns:

T - type, S is the “station” or the wireless router, T are the clients (technically ‘T’ here stands for ‘To-DS’ or ‘this client has transmitted to the distribution system’, in other words this client has transmitted on the wireless network).

MAC - Media Access Control. This is the “physical address” of each of the machines on the wireless network. Another misconception floating around is that by locking your wireless network down by MAC address (only allowing the MACs of your laptops on the network) you will keep everyone else off. You can read more about this in our article Identity Theft And A False Sense Of Security - Wifi “security” measures that don’t secure your information, but basically a hacker can see all the MACs listed here and can easily set his own network card to use one of those MACs instead of his own, and the “locked down” network is now available for his access. See the article on the false sense of security for more details.

Manuf - Manufacturer. This is handy, but not necessarily important. The hacker can see who the registered manufacturer of that computer’s wireless network card is. This is determined by MAC; each manufacturer has a MAC range it can use. In the larger screen shot you can see one listed as “Apple”, that’s a Mac notebook. Interesting information, but for most uses it’s not needed.

Data - This is how many packets were transmitted by this client that actually carried data (information the hacker would be interested in). At the top of the list is the wireless router, every computer sends information through the router and in turn everything that is sent to the computers comes through the router, so it will always have the most data packets. A hacker can use this to tell which clients are the most active on the network.

Crypt - This is the number of encrypted packets sent by this computer. As you can see, this is an “open” or unencrypted network so none of the data is encrypted.

Size - This is the amount of data transmitted in bytes. This is another indicator, used with the Data column, that tells the hacker which clients are the most active on the network.

IP Range - This is the IP address of this computer on this network. A hacker can use this IP address to narrow down the list of computers he wants to target with other tools. Also, if MAC filtering is turned on and the hacker is going to join the network by setting his own MAC to be the same as one of these clients, he’ll also manually set his IP address to the same address used by the machine with that MAC address.

Sgn and Nse tell how strong the signal and noise are from this particular client; as you can see they aren’t set here and really aren’t needed.

2. Recording Network Activity

The kismet configuration file tells kismet where to save all the network activity. Any time kismet runs it automatically records all the network activity. This is an important point for a hacker: he doesn’t have to run any of his other hacking tools while he’s out collecting information - all the tools he will use can work from the files kismet saves the network activity in. This means a hacker can go set up in (or near) a local cafe/hotel/business/etc and just let his laptop run. He can read a book, eat, etc while his laptop is busy collecting all the information he’ll use later to break into the wireless network.

In the case of an unencrypted network he’ll just go home and run some of his tools (like dsniff). If the network is encrypted, kismet will still record all the encrypted packets. At home the hacker uses tools like the aircrack family to break the encryption and then runs tools like dsniff on the unencrypted data.

The point is that with kismet recording, the hacker can go back home and take all the time he needs to break into the wireless network without actually being at the location. After he’s broken the network at home, everything he’s recorded is available for his examination, and he can come back to the location later; since he now has the encryption keys, he can immediately access everything on that network from that point forward.