August 07, 2008, 12:55 PM — Federal prosecutors have charged 11 people with stealing 41 million credit cards, obtained by wardriving. (Read news story here.) The criminals drove around and scanned wireless networks for vulnerabilities, then installed sniffers that stole credit card information. Was this kind of attack inevitable? I believe it was.
Actually, not only do I think it was inevitable, but I also think the attack was not as severe as I had expected. First of all, attackers really do not have to go through the effort of actually being physically present in the neighborhood they want to scan and attack. It is enough to make their intended victims visit a corrupted web page, which can be distributed by spam or advertisement. (Read how this works here.) But the sophisticated attacker can do even better -- he can let already infected machines try to infect the machines in their neighborhood. The infection spreads geographically, and spreads like a wildfire in dense neighborhoods. A detailed analysis in my recent book shows that several US Metropolitan areas would be likely to suffer exponential spreads. Now, that is bad news.
But things could get worse. Is stealing credit card numbers the worst we can expect attackers to do? I do not think so. Remember, the machines an attacker would corrupt are routers. They carry all your traffic. Yes, much of it is encrypted. But why is that? It is because many companies use SSL. Often, they send you HTML code that lets you perform an SSL post or otherwise start an SSL connection.
But what if the router, which is on the path between the web service and your machine, modifies the HTML your computer receives? What if the HTML is modified to perform two posts: the expected SSL protected post, and one that goes straight to the attacker? (See an upcoming paper by Myers and Stamm for how this could work.) It would be the death of SSL for most practical purposes.
So, yes, 41 million stolen credit cards is bad. But not nearly as bad as we will have to expect if we do not fix the underlying vulnerabilities that allow this to happen.