Sunday, May 13, 2012

You travelers in hotels, please send ViewSource/pcaps

The government has recently put out a scary advisory claiming hackers are targeting travelers with malicious popups on the hotel networks. Cybersec people travel a lot, so they can confirm this by checking their own hotel.

The easiest way is to do a "view source" on an HTTP (not HTTPS) web page and see whether anything has been added. There are two ways hackers might change things. The first is to replace the page completely with a framing page and then load the real page inside the frame. The second is simply to append some JavaScript code to the page, either just before or just after its end.

Go to some famous login page, like http://twitter.com (you have to turn off things like HTTPS Everywhere for this to work). Don't log in, just look at the raw page with "view source". Hit Ctrl-A to select the entire thing, then Ctrl-C to copy, then paste it into an email and send it to me (pcap@erratasec.com). You can also check it yourself for suspicious framing or trailing JavaScript at the end.

Better yet, start "windump" or "tcpdump" on your machine, save the capture to a file, and email me the file after capturing the login page (but before you log in).

What can the hackers have broken into in order to man-in-the-middle webpages?
1. They have an evil WiFi access-point you connected to instead of the hotel's.
2. They compromised the hotel's access-point and installed OpenWRT on it.
3. They compromised a deep-packet-inspection device inside the hotel's network.
4. They compromised a device in the upstream network.

If you send me raw captures, I should be able to figure this out, especially if you run a traceroute during the capture.

I've set up an email address to receive this information: pcap@erratasec.com.

3 comments:

Ryan Russell said...

What, no tool that sniffs your http traffic, makes the same http request over an encrypted tunnel, compares the two HTML pages, and automatically submits the pcaps for the differences?

Robert Graham said...

Shush.

You don't actually need to sniff it. You can do all that over sockets. Establish a connection to httpS://twitter.com and http://twitter.com, download both pages, compare the diff. You could make this a background service that automatically does this once you've logged in.
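
The check the post describes (look for a framing page or trailing JavaScript) and the HTTP-versus-HTTPS comparison suggested in the comment above, as an added example that is not code from the original post or its author. It assumes the site still serves a page over plain HTTP; the sample pages and the `injected.invalid` host are constructed for illustration.

```python
import difflib
import re
import urllib.request

FRAME_RE = re.compile(r"<(frameset|iframe)\b", re.I)
SCRIPT_RE = re.compile(r"<script\b", re.I)


def find_injection(reference_html, observed_html):
    """Compare the page fetched over HTTPS (reference) with the same page
    fetched over plain HTTP (observed); report tampering and added lines."""
    findings = []
    # Framing: the observed copy wraps the real page in a frameset/iframe
    # that the reference never contained.
    if FRAME_RE.search(observed_html) and not FRAME_RE.search(reference_html):
        findings.append("framing")
    # Appended code: anything after </html>, or more <script> tags than the
    # reference carries (also catches insertion just before </body>).
    end = re.search(r"</html>", observed_html, re.I)
    tail = observed_html[end.end():].strip() if end else ""
    if tail or len(SCRIPT_RE.findall(observed_html)) > len(SCRIPT_RE.findall(reference_html)):
        findings.append("injected-script")
    # Unified diff restricted to added lines, so a reviewer sees exactly
    # what the network inserted.
    diff = difflib.unified_diff(reference_html.splitlines(),
                                observed_html.splitlines(), lineterm="", n=0)
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    return {"findings": findings, "added_lines": added}


def compare_live(host, timeout=10):
    """Fetch / over HTTPS and plain HTTP and compare. urllib follows redirects,
    so a site that bounces HTTP to HTTPS yields two HTTPS copies and no signal."""
    def fetch(url):
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return find_injection(fetch("https://%s/" % host), fetch("http://%s/" % host))


# Constructed samples (not real captures): the reference page and two
# tampered copies of the kinds the post describes.
CLEAN_PAGE = ('<!DOCTYPE html>\n<html><head><title>Login</title></head>\n'
              '<body><form action="/login" method="post"></form></body>\n</html>\n')
FRAMED_PAGE = ('<html><head><title>Login</title></head>\n'
               '<frameset rows="100%"><frame src="http://twitter.com/"></frameset>\n</html>\n')
TRAILING_PAGE = CLEAN_PAGE + '<script src="http://injected.invalid/x.js"></script>\n'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("framed", FRAMED_PAGE), ("trailing", TRAILING_PAGE)):
        print(name, find_injection(CLEAN_PAGE, page)["findings"])
```

Against a live site, per-request tokens and dynamic content will show up in `added_lines` as noise, so treat the `findings` list as the signal and the diff as the evidence to attach to a capture.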

cw said...

An interesting project idea, Robert. What about ARP spoofing tools to inject HTML and JavaScript responses into the target browser? Or a tool such as air2pwn, which was used at a DEF CON years back to inject crude images where any other image would be.