Chapter 5. Analog Wireless Devices > Analog Devices - Pg. 76

Many of these offices, however, never realize that their convenience is potentially bleeding out private, proprietary, or personal information to anyone who cares to listen. A penetration tester was able to use these headsets to glean enough information to accurately impersonate a remote employee "visiting" the office. He or she was able to gain full access to the building, bring in accomplices under the guise of vendors, and even be assigned a desk with a handy network connection. He or she spent the next several days scanning the network for vulnerabilities, all while consuming the free office coffee, all because of some information gleaned from conversations over wireless headsets.

Often overlooked, analog wireless devices can be a very large gap in the security of any office and must be taken into consideration as part of any security effort.

Analog Devices

A well-timed article in January 2008 on the security Web site DarkReading.com told a story that many penetration testers are all too familiar with, but it is just a sample of what happens every day and of the problem of "we didn't think about that" security. The article (http://darkreading.com/shared/printableArticle.jhtml?articleID=208803553) by Steve Stasiukonis explains a scenario he experienced on a penetration test. The client asked his team to test all the radio emissions from the target building, including Wi-Fi, Bluetooth, and anything else the author could find. This was of interest to them as they were keen to try new things and were very interested in the cordless headsets in use by many employees.

They used a handheld radio scanner to scan through common frequencies for these devices and identify headsets in the target office. Once they knew the frequencies, they were able to eavesdrop on phone conversations and glean a large amount of information in a short period of time. The information they gleaned included participants in conference calls, employee names, locations, schedules, and other office gossip. It was not just phone calls either. Many headsets continued to transmit after calls were hung up, broadcasting office conversations as well.

This information allowed him to impersonate an employee from a remote office visiting the target office. The plan worked frighteningly well. He was able to convince security that he was the employee with some dropped names of employees and a fake business card. He was assigned a desk and given a building access card right away with almost no questions asked. His new desk gave him network access and the freedom to sniff traffic and scan the network all day long. After a couple of days, he was able to book a conference room and invite a "vendor" (actually an accomplice) in for a meeting. This gave them more network access and the ability to bring further attackers in past perimeter security.

All of this was accomplished with just a little insider knowledge gleaned by listening to insecure transmissions. The amount of information they learned would have given them insider knowledge of trade secrets, stock plays, and other very private information.