News

Department of Interior Wireless Networks Breached by $200 Units Hidden in Backpacks

Giulio Saggin
Giulio Saggin
Tuesday, 28 November 2023

Wireless networks within the US Department of the Interior (DoI) have been successfully breached ... not by high tech equipment, but 'on the cheap'.

As a means of testing the security of the networks, the DoI's Office of Inspector General (OIG) 'attacked' some of the hundreds of networks with low budget kits used in publicly accessible areas within the DoI's Washington office.

"We assembled portable test units for less than $200 that were easily concealed in a backpack or purse and operated these

units with smartphones," stated the OIG in their Final Evaluation Report. "Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking."

The results of the DoI attack showed that their wireless network infrastructure didn't operate to the guidelines set out by the National Institute of Standards and Technology (NIST).

The attacks went undetected by security guards and IT security staff and were able to intercept and decrypt (wireless) network traffic in numerous bureaus, including two where the OIG was able access internal networks. They also obtained the credentials of one bureau IT employee and used them to log into the bureau's help desk ticketing system.

"Our attacks reveal(ed) that the Department did not deploy and operate a secure wireless network infrastructure," stated the OIG. "We also found that several bureaus and offices did not implement measures to limit the potential adverse effect of breaching a wireless network."

Further to this, the OIG found that the DoI didn't require regular testing of network security, or maintain complete inventories of its wireless networks, and published contradictory, outdated, and incomplete guidance.

While the report was damning of the DoI, it didn't blame it entirely and noted the role of the Office of the Chief Information Officer (OCIO), which is in place to assist the DOI in all areas of information management and technology.

"These deficiencies occurred because the Office of the Chief Information Officer (OCIO) did not provide effective leadership and guidance to the Department," stated the OIG. "(It) failed to establish and enforce wireless security practices in accordance with NIST guidance and recommended best practices."

As a result of the attacks, 14 recommendations were made (in a draft report) to strengthen the DoI's wireless network security. The OCIO concurred with all recommendations and stated that it is working to implement all of them, with 13 of the 14 resolved.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203