An anonymous “war driver” has told Computerworld that it’s possible to access internal systems through the wireless service run by the Otago District Health Board (ODHB). As a result, the Dunedin hospital authority may have to review the security arrangements relating to its wi-fi pilot.
The “war driver” — a person who looks for vulnerable wireless networks — says the ODHB’s wi-fi service at both Dunedin and Wakari hospitals is only lightly protected, with Wired Equivalent Privacy (WEP). This is a rudimentary form of wi-fi access security that can easily be cracked. And cracking the WEP key has been made even easier by the ODHB using only a simple, ten-character numeric code, the tipster says.
Once past the WEP hurdle, the ODHB’s system automatically assigns a network address with DHCP (Dynamic Host Configuration Protocol) on the same segment as other machines on the internal LAN, says the war driver.
Once inside the network, “social engineering” could be used to obtain usernames and passwords, says the war driver.
This could involve visiting wards to get staff names and then calling — pretending to be from the health board’s IT helpdesk — and asking for various people’s login details as part of a security check, for instance. According to the war driver, there are no checks on who logs onto where, nor are there restrictions as to which systems can be logged onto.
The ODHB’s acting CIO, John Tolchard, says the need to achieve a balance between security and cost-effectiveness was behind the choice of WEP. There are always trade-offs between security and complexity for users, he says.
Tolchard asks: with the WEP key cracked, “then what would he [the attacker] do?”
According to Tolchard, all the systems on the ODHB’s network are password-protected and only select users who need access — and who attend a training programme — get logins. There is no way anyone could access confidential information, such as patient records, without a valid username and password, he says.
Nor are password details given out over the phone, says Tolchard. And employees who leave the ODHB are subject to an exit interview and have their login details revoked. To Tolchard’s knowledge, there have been no recorded incidents of ODHB network security being compromised.
However, the war driver also noted that traffic across the wi-fi network is unencrypted. By running a traffic-sniffer on the link an attacker could record a session that may contain user names and passwords.
The sniffing session could be done unattended, with analysis of the content of the recorded traffic done elsewhere, says the war driver.
Tolchard recognises that unencrypted traffic is a potential attack vector and, because of this, the ODHB may review the wi-fi service as it’s still only at the pilot stage.