Wardriving Parliament

The Story:

In early November, 2009, I went to Ottawa for the Cyber Security Protections Strategies conference. I was speaking on my views from the attackers point of view. I also took advantage of the opportunity and pointed out to the attendees that much of the great research comes from independent researchers and that they should not be ignored or maligned. I also pointed out that no matter how tiny or obscure, someone is always watching and prodding it, looking for holes and to never consider something to small.

Since I was in Ottawa anyways, I figured it would be a good time to take in the sights and show Grey Frequency some of Canada's capital and that we actually have buildings and history more than 50 years old. I've never been there, and as a good Canadian, I should visit the seat of our government and go see Parliament.

To re-enforce the fact that anyone could be looking at any time, I pointed out to the attendees that I had all my Wardriving gear with me and that I was planning on taking the Parliamentary tour. No one had ever, as far as I know, publically scanned Parliament and posted any results. Anyone who knows me, knows I would not pass up an opportunity to scan such a place. A citizen checking up on the security of his government and how his tax dollars are spent.

So, on the second day of the conference, Grey and I hopped a cab across the river to downtown Ottawa and got dropped off right in front of Parliament, much to the suprise of Grey Frequency. Being that she is from New York and the decidedly different opinions on public access and security of federal buildings, this was a big deal to be dropped off right in front. It also really surprised her that we could just walk right up to the building across the courtyard. It made me kinda proud that we had not completely freaked out and locked the citizens out of their Government buildings.

Politics and commentary aside, since I was in Ottawa and taking the tour, I might as well see what parliament was doing for wireless security. I had some faith that they were doing something right inside the building, but part of my interest was what they might be doing to secure their devices when away from the control of Parliament IT. I had previously contacted the Parliament visitor center and inquired about taking laptops in on the tour. They indicated that there was no issues and that it would be subjected to the usual airport style security screening:

Quote from Library of Parliament Information Service email:
"In reply to your request, all visitors must go through security at the visitor's entrance at the right side of the Peace Tower. There you will go through a scanner and be asked to power on your cell phone and laptop (similar to airport security protocols). Once you've past screening, you may keep these items with you or if you prefer, security can store them while you are on your tour."

Fair enough. I can deal with that. Though the irony of a security screening point at the bottom of the peace tower was alot more irony than I could handle.

I previously had done some research and found the Parliament Pub was directly across the street and according to it's web site, a very popular hangout for politicians and parliamentary staff. They also advertise free Wi-Fi which sweetens the pot for an attacker; Are staff behaving securely with their wireless devices when away from the office?

As it happened, we arrived at Parliament just missing a tour, but were able to get tickets to the next tour at 3:15pm. This gave us a nice hour and a bit to grab some lunch. We went to the parliament pub and had lunch and setup my gear.

I setup my eeePC with Backtrack 3 and a fresh battery in my bag. Running Kismet and BTscanner to scan for WiFi an Bluetooth respectively.

The Pub's network was obviously open, though in retrospect I should have checked for a captive portal. The pizza was really good, so I forgot. However several client devices (staff most likely) were connected and transmitting in the clear. A chit chat with staff revealed that we had missed the rush but that the network was used fairly often by parliament staff though they were not sure for what (Official or other business).

After lunch we walked straight across the street to the base of the peace tower and the visitor center. This is when it got interesting.

The bag had my net book running for the walk over. In the bag was my camera, flashlight and usual assortment of pens and business cards. Knowing it would be X-ray'd and checked, I made sure nothing would have freaked them out according to their rules sent to me earlier. I had flown with that bag as carry on, so I knew contents met thier criteria of "Airport security Protocols".

We entered the security checkpoint and I began the usual routine of stripping out of anything that might set off the metal detector. Steel toed boots came off, coat, hat, and the bag all went on the X-ray belt.

I walked through the metal detector, no problems. I reclaimed my boots but my bag and coat caused some issue. the two guards had some quick and hushed back and forth pointing to various things on the x-ray. They said my bag would have to be checked, which was half expected, but worked since that meant it would be sitting at the checkpoint for the duration of the tour, scanning everything that went in the immediate range which appeared to include the 'official use' checkpoint on the other side of the wall (I may be wrong on that, but there were no tourists in that line as far as I could tell). They proceeded to tag my bag with a claim check, but then also set about seeing what I had in my coat pockets. They took my cell phone, USB thumb drives(!) and even my camera(!!) which I thought was odd at the time considering it was an obvious tourist destination.

So my bag was checked and I was completely stripped of all electronics. They also took Grey Frequency's cell phone, but only when they found out we were together. Almost immediately started thinking that something was up when I noticed others in the tour group after we passed security had cameras, bags and phones with them.

I'm thinking that announcing my intentions at the conference probably led someone to call ahead (not entirely, unwise, though unfounded reasoning on the part of whomever did). Also being on the front page of the Ottawa Citizen probably didn't help at all (That's a 6 year old picture BTW, it's terrible).

So the tour begins and since both houses were in session, the tour was short as we couldn't go into the house or senate as a tour group (though the public galleries were available). Throughout I noticed people in our tour group taking photos and video with their cameras, doubling my suspicion that I had been targeted.

We had just gone through the Parliamentary library and were getting a civics lesson on the senate when a security guard came up and tapped me on the shoulder. He quietly asked me to come with him, there was a problem with my bag and they needed to speak with me in the security office. I should mention that, at this point I was certain I was about to be ejected, arrested, or otherwise detained and I was thinking to myself if I had enough bail money to make my flight home that day.

The guard took us downstairs, back to the visitors center. He explained that my laptop being powered on was causing them some worry and they wanted me to turn it off. He took us to the security office where my bag had now been moved to. Another guard in the office explained that they were putting the claim check on it and noticed the laptop, camera, etc and since it was valuable, moved it to the office for safe keeping where they noticed it was on.

I knew that the Kismet logs wrote to disk every few minutes, but BTscanner doesn't, it needs a manual save. Obviously not wanting to draw attention to what I was doing, I just hit the power without unlocking the screen saver, sadly losing the Bluetooth data. They also had me turn off my cell phone (was set to silent anyways)and Grey Frequency volunteered to turn hers off as well.

The guard then took us back upstairs to the tour group where we continued the senate lesson. Once the tour was over and we hit the gift shop (hey, we're tourists), we talked to the guard again and he took us down to reclaim our gear and we were on or way.

I feel I must point out before I go on that the security staff and everyone at parliament was very nice and despite my assumption that I was about to be arrested, they were very kind and pleasant to deal with. Very courteous and professional.

Now, in retrospect there are a number of interesting things that I noticed about the whole situation that make me wonder.....

First - When my bag was being checked and all of my gear stashed in it, both I and the security guard made sure that the buckles were done up tight (Defcon messenger bag). This begs the question; how or why did they notice the laptop was on without going through it a second time, un buckling the straps and digging inside? I cannot remember if the buckles were undone when I met it again at the security office.

Second - Why were others on the tour allowed to have cameras and mine was not allowed even after I inquired about it specifically?

Third - Despite checking ahead on the rules regarding laptops, mine was suddenly seized and checked? It would not suprise me that someone phoned ahead and let them know I was coming. One would think that it should be an all or nothing situation. I can understand if they were changed since I last checked with them, but see the second item on this list.

Fourth - If I was targeted as a threat of some sort, I have to say, they treated me very nicely (thanks for letting me take the rest of the tour). That said, there is something curious about if they are worried what little old me could do with a passive sniffer. Exactly how bad is their security if they think the guy on the front page of the paper is a threat?

Fifth - If I was targetted specifically, what possible threats did or could they have missed while fixated on me? The obvious looking threats (guy in black fedora and trenchcoat) is not always the biggest or the one you need to worry about.

Sixth - How, since my bag had no identification on it, my name or picture, did they know who in the tour to contact about it? This lends credance to the idea I was targetted.

I would just like to point out that listening to unencrypted communications (packet headers) on unlicensed frequencies (2.4Ghz) is perfectly legal, and considering this is a public building, as a citizen, I figure I have the right to check up on how they are treating security and to offer suggestions in case something's can be done better.

In the end we walked out and headed off to the airport. Grey Frequency was wondering if mayber her American citizenship caused some sort of issue as well, some sort of anti-Americanism within the security staff. She also wondered how someone (myself) could be targetted like that when the previous day I had been trying to help IT staff from many businesses and government agencies understand threats against them and to improve thier security.

The Files:

Kismet-Nov-03-2009-1.network - Kismet Networks File, Human Readable
Kismet-Nov-03-2009-1.csv - Kismet Networks File, CSV Format
Kismet-Nov-03-2009-1.xml - Kismet Networks file, XML Format
Kismet-Nov-03-2009-1.dump - Original Packet Capture File (pcap format)

The Results:

I did'nt get much on my scans unfortunatly. Since the bag did not make it very far, and the building construction materials are'nt RF friendly, I was impressed I got anything at all.

While I did'nt get any apparent hits from obvious Parliament netowrks, I did get quite a number of probe requests from client devices. These requests are clients looking for networks that they have connected to before and want to again. Tools like Karmetasploit (Karma + Metasploit are built to take advantage of this by 'becoming' any network that a client is seeking out. This can lead to the client connecting to the attacker and now the attacker *is* the man-in-the-middle and also has a direct connection to the client. The implications of this in the context of a Parliamentary client device are apparent.

Many of the beacons I caught were after the tour started which means the bag was inside the building. They may have only been other tourists devices (which means they were on, but no one else was asked to turn theirs off!), but the question remains, what if they are not? Have these devices been properly hardened against tools like Karma?

At this point, without more time and a bit more co-operation from staff, it is hard to determine much else beyond what I have posted here. If I visit again in the future (and am allowed in) I will bring my gear once again and see what ever there is to see.

If you have the oppourtunity to do some sniffing inside Parliament, please send me your stories and logs. I am still very curious what the wireless situation is inside Parliament, particularly the Bluetooth situation since I have no data at all from that.

RenderMan 11/11/09
render {at} renderlab {dot} net

Return to Main