For a few days, I have been spending my time between home and the hospital. My wife has undergone surgery (nothing critical, it was planned). Personally I hate hospitals, and spending hours over there “offline” is a pain. Luckily our hospital sells Wi-Fi access to the patients.
From a pure business point of view, Wi-Fi access gives the hospital extra revenue. I already talked to a contact who works in the medical domain. He told me that Wi-Fi has become a service like phone or television. Worse, some patients choose their hospital based on the Wi-Fi availability! (like a hotel)
Once my wife was settled in, I started Kismet! Two major wireless networks were detected. One called “Guest”, unencrypted, and a second supporting WEP & WPA encryption methods. There was a lot of traffic on the private network but nothing on the guest one.
The open network was fully locked down: not even DNS resolution via an external name server. This means no DNS tunneling! Only the two name servers provided via DHCP responded, but always with a local IP. The default gateway was the only server available on the subnet (thanks Nmap!) and offered proxy services. I configured my default gateway as a proxy in Firefox and tested some HTTP access. A new problem occurred: some local hostnames were unresolvable (something like *.local). I added them to my local /etc/hosts file (resolving to the default gateway IP address) and bingo! The captive portal (based on HTTP) worked and asked me for credentials. Why were no logins/passwords detected over the network?
I went back to the hospital reception and performed some social engineering: “I read on a document that Wi-Fi is available? Could you tell me more?“. The answer was: “Indeed, but our technical team reported that it’s not working at the moment“. Oh oh, that’s the reason why the traffic was so light!
I asked the receptionist to provide me with credentials, and she did. I received a form to sign with end-user agreements like no support at all, no information sharing, etc. And also:
- a login
- a password
- and an expiration date (up to the end of March)
Indeed, as the receptionist said, the Wi-Fi access was not working out-of-the-box, but with my previous investigations and the extra entries added to /etc/hosts, it worked perfectly with the provided credentials. Now, what about security?
1. The credentials were: login == my wife’s last name, password == my wife’s first name. FAIL! There is no environment more open than a hospital. Patients’ information is written down on a lot of papers, on room doors, on beds, … Too easy to find!
2. The captive portal was configured to use HTTP! If the hot-spot were properly configured and used by patients, a lot of login/password pairs could easily be sniffed!
3. Like a lot of public wireless networks, no encryption was provided! Do NOT run clear-text protocols without a VPN or some other kind of encrypted tunnel.
4. Finally, the private network SSID was composed of the hospital’s initials and the solution provider’s name. This can make the work easier for potential malicious users if they want to find vulnerabilities. This solution was deployed by the hospital.
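The first two findings above (credentials derived from the patient’s name, and a captive portal collecting them over clear-text HTTP) are the kind of thing a hospital IT team can check mechanically before handing a form to a patient. The following is an added example, not code from the original post or from the hospital’s Wi-Fi provider: it generates random voucher codes that carry no patient data, and audits a login/password pair and a portal URL for the weaknesses described. The patient record, the field names and the `portal.local` hostname are constructed for illustration.

```python
"""Added example (not from the original post): checks a hospital IT team could run
over its captive-portal voucher process to catch the issues described above.
The patient record and hostnames below are constructed, not taken from the post."""
import secrets
import string
from urllib.parse import urlparse

# Characters without ambiguous look-alikes (O/0, I/1), so a voucher can be
# copied reliably from a printed form.
VOUCHER_ALPHABET = "".join(
    c for c in string.ascii_uppercase + string.digits if c not in "O0I1"
)


def generate_voucher(length: int = 10) -> str:
    """Return a random voucher code unrelated to any patient data.

    secrets.choice() draws from the OS CSPRNG, unlike random.choice()."""
    return "".join(secrets.choice(VOUCHER_ALPHABET) for _ in range(length))


def _normalise(value: str) -> str:
    """Lower-case and strip whitespace so 'Du Pont' and 'dupont' compare equal."""
    return "".join(value.lower().split())


def audit_credentials(login: str, password: str, patient: dict) -> list:
    """Flag credentials that can be derived from data written on the door or bed.

    `patient` maps field names (first_name, last_name, room, ...) to values."""
    findings = []
    identity = {k: _normalise(v) for k, v in patient.items()}
    if _normalise(login) in identity.values():
        findings.append("login derived from patient identity")
    if _normalise(password) in identity.values():
        findings.append("password derived from patient identity")
    if len(password) < 8:
        findings.append("password shorter than 8 characters")
    if login and password and _normalise(login) == _normalise(password):
        findings.append("login and password identical")
    return findings


def audit_portal_url(url: str) -> list:
    """Flag a captive portal that collects credentials over clear-text HTTP."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        findings.append(
            f"portal served over {scheme or 'unknown'}, credentials sent in clear text"
        )
    return findings


def audit_voucher_issuance(login: str, password: str, portal_url: str, patient: dict) -> list:
    """Combine both checks; an empty list means the issuance passed."""
    return audit_credentials(login, password, patient) + audit_portal_url(portal_url)


if __name__ == "__main__":
    # Constructed patient record mirroring the post: login == last name,
    # password == first name, portal on plain HTTP.
    patient = {"first_name": "Marie", "last_name": "Dupont", "room": "312"}
    print(audit_voucher_issuance("Dupont", "Marie", "http://portal.local/login", patient))
    # What the issuance should look like: random vouchers for both fields, HTTPS portal.
    print(audit_voucher_issuance(generate_voucher(), generate_voucher(),
                                 "https://portal.local/login", patient))
```

Run as-is, the first call reports three findings for the post’s scenario and the second returns an empty list. A random 10-character voucher can never collide with a name or room number of a different length, so the second check is deterministic; the expiration date on the printed form stays exactly as the hospital issues it, the voucher only replaces the two fields that were derived from the patient.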
From a health point of view, I’d like to understand why, on one side, hospitals deploy wireless solutions (for patients or internal usage) and, on the other side, some scientists warn about the potential risks brought by electromagnetic waves… Who’s right?