Unsecured Wi-Fi Hotspots as Security Threat

Every once in a while, you hear or read stories about drive-by spammers, scum-sucking turdlets who exploit open wireless networks to send bulk email without consequence; it’s just one of many possible ways an unsecured wifi access point can be used for nefarious purposes, when all is said and done.

The use of cellphones as triggers for explosive devices is fairly well-established, but I have to wonder if anyone has ever considered the dangerous combination of VOIP and unsecured wifi hotspots in this context.

The dastardly plan, in essence, is really simple – you purchase a wireless VOIP telephone (I like the UTStarcom F1000), and perhaps a used laptop with wireless capability; under $300 USD, cash, at any decent-sized electronics or computer show. Then, using an open hotspot (or, better yet, ones whose encryption you’ve cracked), you register one, perhaps two, free VOIP accounts with different providers. The wifi phone is set up to use one account, and configured as a trigger, the same way a cellphone would be, within range of a wireless access point (open or cracked). Bomb in place, you can call the VOIP phone from the laptop (configured with the other disposable VOIP account and, again, using someone else’s public or private hotspot anywhere in the world) and, well, you can figure out the rest.

The big advantages (from the criminals’ perspective) of this are that VOIP providers never see the MAC address (the unique serial number, essentially) of the wi-fi phone, just the IP address it’s behind; even if there’s enough of the phone left to identify the serial number, it’s impossible to trace what VOIP service was used, let alone who called it, just from the MAC. (Even if the wireless network logs everything into and out of their network, things like SIP and STUN proxies add further layers of complexity and confusion to the whole matter.) Even if that information were recovered, if the person is truly paranoid, they’d toss the wireless card in their laptop after the fact, discarding the only other MAC address in any way associated with the endeavor. (You could spoof the laptop MAC address, of course, but why take chances when 802.11b cards and dongles are $10 or less?)

It’s far from a perfect crime, and overlooks the really hard bits, but it seems both workable, and within the realm of possibility. If you’ve spotted any obvious flaws in this somewhat worrisome theory, by all means share them in the comments, though…

Published in: Geekiness, General, Security | on August 6th, 2007
