[Discuss] Security

[gboyce at badbelly.com (Gregory Boyce)]

On Wed, Nov 2, 2011 at 1:10 PM,  <markw at mohawksoft.com> wrote:
> At my work, here are a few vending machines. One of these machines has a
> nice little antenna on it. Presumably, it communicates via cellular
> network to the vendor in order to report on usage and supplies. Yes, good
> idea. Cool.
>
> It occurs to me that this machine, most likely, did not have to go through
> any vetting. Not only that, I bet the grunts that stock these machines are
> hired more for strong backs and no criminal record.
>
> So, here we have a powered machine with external wireless connectivity on
> the premises with no actual over site. It is there 24x7, powered!
>
> Think of all the cool/evil things you could put in a vending machine with
> a wireless link. Imagine having direct access to a Linux box in almost any
> company you want. You could run any software you want. You could have
> wi-fi too. Could you break the company's wireless security? Could you
> monitor their wireless communications? Could you eaves drop on
> conversations near by?
>
> Everyone suspects the cleaning crew, and if you are interested in
> security, you do background checks. Almost no one cares about the vending
> machines.

There's nothing that device can do to your wilreless network that a
person with a directional antennae can't already do.  As long as you
don't plug it into your internal network, you're not worse off.

As for the eavesdropping, you wouldn't need an obvious antennae for
that.  There could be a camera or microphone in older vending
machines, televisions, coffee machines, fridges, ceiling tiles or even
a cabinet.  These could have less obvious antennas or hey, just have
the recordings picked up occasionally during maintenance.

There's an infinite number of things that "could" happen.  You need to
consider the likelihood and impact of those sorts of attacks.  In most
cases the likelihood is minimal.  Impact is probably minimal as well
unless its in the board room.