I am on vacation this week, taking in the sun and the sand on a very nice beach along the east coast. Of course, one of the first things I did when I arrived was to check out the connectivity to the Internet. What can I say? Even on vacation I am a geek. I am staying in a condo that does not have Internet service, so I fired up my laptop, searched for all of the wireless networks in the area, and sure enough, found many to choose from.
Seeing all of the secured networks, I was curious to see how secure they really were. I always have to laugh when I see an SSID out there that says, "Linksys." I clicked on one and a box asking for a pass-phrase popped up. I typed "admin," and I was connected to the network. It was that easy.
I saw many hotels in the area running secured networks, as well. I clicked to connect to one, and another box asking for a pass-phrase popped up. The default didn't work this time so I got creative and typed in the name of the hotel. Sure enough, I connected to the hotel's network.
Since I work in security, and I am no longer on the dark side, I didn't want to wander too far into the hotel's network. My technical curiosity really wanted to see what I could get into, but I feel a technical and social responsibility not to exploit their site. If I have time at the end of the week, I might wander over to the hotel and try to find their security people and have a talk.
So now that I can surf unrestricted off of the hotel's network, I have to ask, is it by design, for the hotel guests, or just poor security practices? Either way, the net effect is the same. I can go anywhere I want using the IP address of the hotel. I can open a bogus e-mail account and spam my friends; I can visit any site I want. I can drop to a system prompt and launch a virus. Okay, it would take a bit more work to launch a virus, and remember, I am on vacation. And of course, since I am on the network, I am open to attack, as well.
I can understand a hotel wanting to make Internet access available to its guests, most of whom probably expect it as a matter of course. However, we need to look at the security repercussions of an open network and of not using wireless technology securely. Letting anyone enter a network to surf unrestricted is a security nightmare just waiting to happen -- for both the provider and the users. And IT departments don't have to worry that they're repeating themselves too much when they advise users of the dangers of Wi-Fi. Even some of the most careful users can still be vulnerable, as this recent story about a flaw found by Radware security researchers shows.
I am now exploring a pay option; I really don't want someone smarter than me hacking into my system -- the way I am hacking into someone else's system.