[luau] Fwd: Wlan @ bestbuy is cleartext?

whenever whatever at whoever.net
Thu May 2 01:06:55 PDT 2002 

wlan problems, this subject flooded the list today, hopefully this has useful
info for someone.   (I forwarded some of them on this email)
sorry for the spam.

----------  Forwarded Message  ----------

Subject: Wlan @ bestbuy is cleartext?
Date: Wed, 01 May 2002 08:57:14 -0700
From: Blue Boar <BlueBoar at thievco.com>
To: vuln-dev at securityfocus.com

I was asked to anonymously proxy this question to the list.  Here ya go.

						BB

-----------------------------------------------------------------------------
-----------------------

This past week I went to bestbuy to purchase a D-link wlan card... egar to
get my laptop up and running while in the car I put my card in and
installed the driver. I noticed the traffic light was lit up as if I had a
connection. Out of curriosity I fired up kismet and sure enough there were
packets flying through the air right infront of BestBuy. Well I decided to
run in an try to make a Credit Card purchase real quick to verify that my
info was not going all over the parking lot in the clear. Well after
sorting out my logs I noticed what looked to be like SQL queries and table
headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME,
REGISTER_ID and things of that nature... luckily no where in that data did
I find my own credit card. Non the less I decided to run to the store next
to BestBuy while I left me PC on grabbing packets. Well yesterday I sorted
through the data collected and this time I did indeed find a RAW clear text
credit card number....not mine ... but definately a credit card number.

Heres my delima... I checked out a few of the other best buy stores for
"beacon packets" and everyone I drove by was sending them out...so I assume
all BestBuy's are wlan enabled. What I need to find out is ... are
BestBuys's Cash register terminals indeed using wlan and are they indeed
sending out MY data in the clear... I am NOT comfortable using my credit
card at ANY BestBuy as of right now...  due to legality though I don't feel
comfortable walking into the store and confronting someone about it.... for
all I know it could be standard BestBuy corp. practices to use nonsecure
wlan. I figured by starting a thread other people that have attempted this
may have more info or some from BestBuy may be reading the list and they
may pipe up.

-----------------------------------------------------------------------------
-----------------------
Re: Wlan @ bestbuy is cleartext?
 From: Blue Boar <BlueBoar at thievco.com>
 To: vuln-dev at securityfocus.com

Another anonymous comment:


---------------
What is more scary than CCs, many drug stores & hospitals have their
business connected via unencrypted 802.11b.  I thought that medical
companies were required to do all things neccesary to protect medical
records.  I'm surprised that many companies have not been sued over
this one yet.
---------------

                                                BBRe: Wlan @ bestbuy is
cleartext?
 From: Blue Boar <BlueBoar at thievco.com>
 To: vuln-dev at securityfocus.com

Another anonymously forwarded post.

                                        BB

--------------
This is indeed what's going on, and Best Buy is not the only retailer that
is guilty of it.  In the last two years I and others have done our own
research and found several large retailers that use WLAN to allow their
registers at the front of the store to talk to their main computer in the
back to handle things like pricing (how the register knows that the
toothpaste that was $1.99 on Saturday is now $1.50 on Sunday) as well as
credit card processing.  At first we thought it was simply POS data to
help keep an accurate inventory and pricing data, but soon discovered
there was also credit card data being sent.  I've found a decent indicator
to be the use of pricing/stocking guns with antennae, but it is not always
a smoking gun.  When you consider that it's names like Wal-Mart and Best
Buy, both large retailers, the benefits of making this information known
has been a equally weighed against what said retailer would do to us in
the courts if we made the information public.

It's a good reason to use cash over the convenience of plastic.

Regards,
--------------
RE: Wlan @ bestbuy is cleartext?
 From: "Michael Cunningham" <m.cunningham at xpedite.com>
 To: "H C" <keydet89 at yahoo.com>, <vuln-dev at securityfocus.com>

This information is already going public.
I have gotten several emails from newspapers
and online websites (big names to).

The faster it is exposed the less damage people
with not the best of intentions can do. Realisticaly
the underground community probably makes up
half or more of this mailing list.

I personally am going to scan my local stores tonight
to see if I can detect this problem. I cant trust
a company with my credit card info who cant even
setup a 802.11b lan correctly. I will let everyone
know what I find.

Thanks,
Mike

----------------------------


Re: Wlan @ bestbuy is cleartext?
 From: Blue Boar <BlueBoar at thievco.com>
 To: vuln-dev at securityfocus.com

Yet another anonymous poster:

---------------------------
If you don't see 802.11b access points the store is probably using older
FHSS-based cards (frequency hopping spread spectrum) instead of the newer
DSSS (direct sequence spread spectrum) cards. Since the physical layer is
different, new cards won't see older access points. Most POS systems based
on 802.11 use cards OEM'd from Symbol, the original Spectum24 cards. The
new Spectrum24 High Rate cards use DSSS instead of FHSS.
---------------------------

                                                BB
-------------------------------------------------------
--
Re: Wlan @ bestbuy is cleartext?
 From: "John" <johns at tampabay.rr.com>
 To: "Michael Cunningham" <m.cunningham at xpedite.com>,
<vuln-dev at securityfocus.com>

I would assume it's more than the few mentioned (Best Buy, Home Depot, Wal
Mart, KMart, Tech Schools).

-----------------------------------

Re: Wlan @ bestbuy is cleartext?
 From: Erik Parker <eparker at mindsec.com>
 To: Mariusz Mazur <mariusz at isn.pl>
 Cc: vuln-dev at securityfocus.com

Let me know if you find any. From what I heard from a media source, when
they approached Best Buy about it today, best buy ordered their stores to
shut off the wireless registers.

My local Best Buy checked out an hour ago, to not have wireless running.

However, Petsmart, and DSW shoes do the same thing.. unencrypted customer
data.

-------------------------------------------------------

More information about the LUAU mailing list