Disney World Goes 802.11b

LighthouseJ writes "Over at CNN they report that Disney World in Florida has a 47-square mile 802.11b wireless LAN through the park with 200 access points. The move comes after visitors complaints that they couldn't use credit cards at every place in the park. Plus, it allows "cast members" to offer guests goods and services anywhere, not restricted to where the credit card machine is at. The man responsible, Murshid S. Khan, Director of Telecommunications and Technology Support sees this as a valuable technology, citing mobility and flexibility as the main reasons for the switch. Khan goes on to say that the system is protected by a 128-bit encryption scheme and software installed to detect intrusions. When he was asked if visitors will have access to the wireless network, CNN quotes him to say: 'We need you to come to the park and enjoy the park,' he said. 'If we start opening Internet cafes, you won't do that.' He's a smart man." So, running AirSnort wouldn't probably be the best idea? *grin*

How long will it be?

Before they get cracked and decide this was not a good idea?

Probably more protection than WEP

If they only have WEP, I won't spend a dime there. But I bet they are not dorks, they probably have everything done over a real encryption scheme

I want to know...

How long before that network is comprimised. In a matter of days People will probablly know what websites Mickey has been to (www.nakedmice.com) or what Mickey purchases online. (Probablly Real Dolls )

Things the visitor can do besides surf the web

There are things the user could use besides surf the web. For instance, a little app on your wireless device that let you check the length of lines at the rides, the reservations at a restaurant etc.
Still, just as is, it is cool.

Re:Things the visitor can do besides surf the web

A realatively inexpensive device (solar maybe) for the kids' shirt. You lose your kid? Go to the security desk, and they can find what AP your kid is closest too.

Also could be used to collect better metrics on which Guests prefer which attractions. Like Slot Club cards at casinos. Maybe you can get perks if you blow a lot of money in the gift stores (Glass Castle anyone?)

I'm sure there's other uses too.

Re:Things the visitor can do besides surf the web

I don't think that you can surf the web. Just because they use Ethernet and IP does not mean that they are connected to the Internet at large. Taking into account that this system handles lots of credit card orders (even encrypted) it would make more sense if the entire system was on its own isolated network.

Re:Things the visitor can do besides surf the web

Disney already has a system in place called SmartPass which allows visitors to "reserve" a place in line so they can go off and do other things (shop) and come back later without having to wait in a huge line. They also get the added benefit of knowing which rides you went on and where you were shopping before hand (your park access card is your room key, park ticket, SmartPass, credit card, Big Brother device, etc).

I won't get into it because it's to OT, but they also have biometric scanners at the gates for season pass holders (no privacy policy, 'natch).

Porn on the roller coaster

Sweet! Streaming porn while you whirl till you hurl!

Big deal

I got out of the US Army last year and my last duty station was in Italy. I worked at the General Staff level and used my government credit card to pay for many dinners with visiting VIP. Imagine my surprise when paying for a dinner the restaurant owner brought out a wireless credit card machine. And this was a year and a half ago.

This is great!

Whoo hoo! Not only do you probabaly get a monster connection to the internet, but you could probably get on it really easy considering that wireless ethernet has almost no access controls.

You know, some people go to Disney World to meet Mickey Mouse, others go for the rides. I think I'll go for the killer Quake III experience ;)

If they're smart, it won't be IP...

or at least, if it /is/ an IP network, each device will be a VPN client. I would presume Disney has enough money to hire people smart enough to not depend on WEP for security.

Then again, larger companies have done dumber things...

-C

enjoy the park...

"We need you to come to the park and enjoy the park"

Imagine your laptop in one hand, some candy in the other one and getting chased by 23 security officers running over and knocking down mickey and his fellows...

I'm sure this scene is going to make it into "password: swordfish 2"

this sounds like a big heap of enjoyment to me ;)

headlines

2 million credit card numbers stolen from disney world by 12 year old with laptop...

Hmmmph.

Proof positive that the Slashdot editors only accept posts from people that they like. I submitted this on the 18th and it was rejected even before I could do a screen refresh.

2001-11-18 18:41:49 Disney's Wireless Magic Kingdom (articles,news) (rejected)

God, I love the smell of burning Karma in the morning....

Hacking it

They say they have "software" that detects intrusions. That doesn't seem to imply much about tracking you down to the square foot.

OTOH, I don't recall ever seeing a laptop, so you'll stick out like a sore thumb unless you're in the bathroom with a PDA.

They do search bags currently. ALL bags, even diaper bags.

Also, there's an active Linux community among their IT people. There are definitely pockets of clue there, and it's likely that would extend to their IT security people as well.

Are they near an airbase?

Because I'd hate for wireless Mickey 2001 to start picking up air traffic chatter

Hi kids! I sure hope you enjoy the RED LEADER, RED LEADER THIS IS TANGO ONE. and make sure to visit our LOCKED, COCKED, AND READY TO BURN TANGO ONE, WHAT'S YOUR STATUS?

And hey, under the recent terrorism bills wouldn't that qualify Mickey as a terrorist? There's be a trial to top OJ.

The first thing I thought of...

Not another wireless mouse!

Ba-dum-pa-chi! Thanks folks, I'll be here all night!

VPN

The article doesn't mention if the entire 802.11b network is run over a VPN. If it's not I'm sure it wont be too long before we all find out.

Good reason why they'll never offer 'Net access...

While on my honeymoon in DisneyWorld this year, my wife and I took quite a few of their Behind the Scenes tours. On the Epcot one, we found out why Disney will most likely never let people have 'Net access in their parks. (At least not in public places.)

Our tour guide said that they actually did have a kiosk there a few years back that let people browse the web and check their web-based e-mail. He checked on the kiosk once and found that some pervert had left up a XXX e-mail and changed the wallpaper. He wouldn't elaborate on what it was, but he said it shocked even him.

Luckily for them, they were able to remove the offensive material before anyone noticed. Still, as a place that bills itself as "family-friendly," they simply can't take the risk that it would happen again (and more high profile).

Our tour guide kept the possibility open that they would resume 'Net access with some types of safeguards against this, but no safeguard is 100%. Public Internet access is just not a high-priority item for Disney. (Believe me, there's so much to do at Disney World, that you won't have time to browse the Net.) The PR risks of another abuse far outweigh any customer gains.

Re:Good reason why they'll never offer 'Net access

• Our [Disney] tour guide said [...] some pervert had left up a XXX e-mail and changed the wallpaper [on a public terminal]. He wouldn't elaborate on what it was, but he said it shocked even him

Probably some of that sick, perverted, Godless Pixar stuff. ;-)

CNN lies, it's not a 47 square mile cloud

Only about 35% of the 47 square miles owned by The Walt Disney Company in Central Florida is developed. I highly doubt they went through the expense of creating a WLAN cloud that covers marshland. I doubt that even the hotel resort properties are covered either. It probably only the 4 theme parks, the 3 water parks, Downtown Disney and maybe Fort Wilderness near Pioneer Hall. That drops the square mileage significantly. Even with the hotel areas its only a fraction of 47 square miles. I really hate bad reporting.

Hack Disneyworld

By definition, any given network is crackable. It's just a matter of time, right?

Here are some exploits that we can be sure of seeing in the future:

1. 'It's a Small World' animatronic dolls reprogrammed via wireless network to share their cultural feelings via a massive animatronic orgy of all nations.

2. Michael Jackson's "Captain Eo 3D" video replaced with low-quality MPEG of a video taken of what really happened at Macaully Caulkin's last birthday party.

3. Ride Space Mountain during DDOS season? Only if you're feeling suicidal. You never know when that modified Nimda worm is going to kick in.
4. Parade of Lights all flash in sequence to spell out "L33+ X1DD135 OWNZ JOO DIZNY"

5. Animatronic Abe Lincoln now shouts, "Beefcake. BEEFCAKE!!!!"

Only news is that people have noticed it

I took note of their network over a year and half ago when I went there with my Highschool senior class.

I noticed the cash registers were connected to an 802.11b network.. also, I spotted some computers as well.

I didn't have an 802.11b card at the time, and my only laptop had suffered a terrible accident.. so I wasn't able to do any 'diagnostics', but I thought it was interesting. Maybe next time I'll bring my PowerBook /w 802.11b card and go to work.

See, you don't need to worry about getting into the park with your laptop.. Because this also extends to their hotels and probably their on-site buses as well.

Eventually a cash-less park?

Disney could eventually use this to lead to a 100% cashless park (increasing patron safety in the long run -- less need for cash might lead to less to gain for purse-snatching).

Yes, we all agree that this network may be risky for transfering credit card info around, but they could over time move to a "disney dollar" card, where you pre-load the disney card with your credit card as you enter or on the phone or whatever, then use that disney card within the park grounds to buy whatever. Disney can then provide insurance against fraud against that card instead of worrying about being libel against Visa and AmEx in the case of number theft over the airwaves...

The other advantage is that Disneys own systems could authorize the sale over the Disney card instead of having to send out to a Visa/MC/AmEx authorizer off site-- it would be considerably faster that way (since the system could be built up front to support the average # of visitors on site), especially during holiday seasons...

Just a thought...

How about something useful

They should rent out wireless digital cameras, whenever a pic is taken its upload via 802.11 and before they leave the park, the got prints of the family vacation.
Also a previous article said it would be used to play music around the park based on location. IMHO, kinda of a waste for just CC's.

Could be fairly secure

The article doesn't say they are using tcp/ip. Doesn't look like it has internet access either. Probably requires some sort of username/pasword combo (possibly built into the devices) to log on to the LAN. If the encryption is properly implemented (a big if) it could be very secure.

Cracking the Protocol...

Since you posted that AirSnort link, I was curious, so I popped over to sourceforge and downloaded it. Part of their documentation says: "For a key length of 128 bits, this translates to about 1500 packets." then it goes on to describe how you can search for certain constants (starts with 0xAA, etc) within the packet to see which random keys were successful. Interesting stuff, and definitely a clever way to decode: thanks to flaws in the logic, every bit rate can be reduced to 8-bit encryption.

However, once you've collected your packets and broken the key, you now have a decoded packet. Well, what does that mean? You have the framing information (packet length, header) and the message body (which is just raw data).

I'd bet a 7-day park-hopper pass that the data in the packet's body is encrypted a second time with a more reliable scheme. If there's one thing Disney knows how to do well, its make money, and they can't risk the bad PR for this to foul up.

Funny thing I heard about Disney..

I heard a rumor that some of the employees at Disney World in California started referring to the place as "Mauschwitz". Management got royally pissed, sent around a memo forbidding the use of the term, and without skipping a beat, everyone switched to "Duckau".

-jcr

who dunnit?

"The man responsible, Murshid S. Khan, Director of Telecommunications and Technology Support"

I graduated UCF with my Computer Engineering Degree in 2000. For our senior design projects, Disney came and solicited us heavily to work on their projects. Free labor, helping a poor college student out with an idea, free labor, did I mention free labor. This project along with several others were mentioned. My comments regarding network security concerns were treated as pessimism. Needless to say I did not lend my time for Disney's free labor.

I only see three problems with this:

One, if they run NAT everything will resolved back to disney.com.

Two, who could trust such an..ahem.."Mickey Mouse Operation".

Three, their DHCP will probably charge by the address's lease life, which will be lobbied by congress to last the life of the laptop/user+ 90 years now? Talk about a revenue stream...oye.

Additional information-crypto and GUEST TRACKING?

More info to be found at http://www.computerworld.com/storyba/0,4125,NAV47_ STO65816,00.html . They mention that it involves "128 bit encryption", which certainly leads one to think 128b WEP, but remain cagey about further security- I'll vager VPN. One thing that did catch my eye was the guest tracking. They propose the innocuous example of insuring guests have all returned to a cruise ship- but I think that sets a dangerous precedent...

Anyone else see Westworld/Futureworld? ;)

Thermowax

Wireless networks

People really have no clue about how to secure wireless networks.

I'm sitting here typing this while I wait for Jim "Open Source is Un-American" Allchin to deliver the keynote at the Windows Embedded Developers Conference. I have already found one guy on the un-WEPed 802.11b network with his C: drive mapped as \\steven2\c

The funniest thing I've ever seen...

While working for the rat-king a number of years ago, I went to lunch in the cafeteria under the magic kingdom. I walked in and saw Snow White, in complete costume and makeup, sitting on her boyfriend's lap smokign a cigarette.

Maybe Snow can start start taking credit cards to turn tricks in the alleys of main street. :-D

They'll have security

There's no way that Disney wouldn't take network security VERY seriously for this project. Although it does make me a bit nervous they placed so much emphasis on the 128-bit encryption.

I tcpdumped about 10 megs of data snarfed from the most wirelessly connected university in America, and besides broadcast queries for NT servers and floods of IPX SAP frames coming from network printers, the *only* packet of interest I got was the output of a finger some guy ran against his own OpenBSD box on campus. And I later found plenty of security-related posts from this guy on usenet, too. How's that for irony?

I went home and reviewed web pages describing their security infrastructure due to the weakness of 802.11b, and it was very intense. Beyond Kerberos. If Disney's doing this specifically to mobilize credit card readers, I've gotta say that wireless has been weakened long enough for them to not have any excuse to do it right.

Not to mention, with IBM's Tomorrow World being such a big hit in Epcot (and Disney closing DIG, their Internet venture), I'm SURE we had something to do with their planning and deployment. And I totally agree with the others who have said that enabling wireless PDA's such as line checking, maps, and restaurant reservations.

What equipment?

Does anyone know what brand of radios & APs they're using?

heh

Great, instead of war driving, people will be doing war riding on "It's a small world after all".

FIRST

The US FIRST Robotics national competition is in EPCOT.

Boy, we're gonna have a field day with this ;-)

Lets hope they have repeaters

Otherwise there will be dead spots. Roller coasters tend to obstruct radio waves.

When I worked at Incredible Universe before it got bought ca. 1996-1997. We had wireless "Telxon" pads that worked as portable terminals for scanning in customer orders. There were times where we would have to stand on a chair and point them at antennas to get them to work. I guess the visible metal warehouse style ceilings caused problems as well as all of the electronic stuff running.

Possible internet access on the network...

I really didn't give this much thought until i noticed somebody mentioned the FIRST competition being held in spring there. US FIRST [usfirst.org] I've been to the competition before, and they try to give internet access/network drops in the pit area for contact and information (it helped save us last year, grabbing a copy of the bot's code of our site that we forgot to bring) so I do believe we'll have indirect access to the network through wired access points. Why create another network when one's in place. So it is very possible that internet access on the network, also you never know what kinda db software their using, if they connect to a local system or a system for the three disney parks. It would seem to me that it is highly unlikly that they don't have internet access, even if it's only for disney exec to look at the latest people flashing at splash mountain -LOWORBIT

VPN over 802.11b?

I wonder if they are using IPsec over the 802.11b network? I know I would.

New lyrics for Mickey Mouse club theme song

The inevitable consequence is that the network will be very insecure, so let us mess with the lyrics:

"M-I-C-K-E-Y...

Why? Because w3 0wnz0r j00!!!!"

Well, it is a lot easier than saying "because 802.11b doesn't specify encryption at the physical level".

I was just there

In Epcot, the small souvenir stands all had what looked like paper towel tubes wrapped in wire. Those were the 802.11 antennas, but they were there for over a year.

In Disney/MGM, some popcorn and hotdog stands still couldn't take charge cards as of last week, so I guess it's still being rolled out.

What type of services?

Plus, it allows "cast members" to offer guests goods and services anywhere...
A ride with Minnie on Space Mountain... priceless.

Done it...

Guess I'm a typical Slashdotter when I say I've used my laptop at Disney World before. I'm a local and spend quite a bit of time in the parks, especially Epcot. On more than one occasion I've hauled the laptop in when it's rainy and there's not much else to do. If you look, you'll find access points at kiosks all over the place. Look harder and you'll find RJ-45 jacks too. Fear of the mouse police has stopped me from plugging in, but I must admit this artice is almost an invite. Too bad I've got a Cisco Aironet card, which AirSnort doesn't support. Don't care about CC numbers, but they've got some cool stuff on the intranet. They're searching all bags after the 11th, and with this article, I don't think bringing the laptop would be such a great idea anymore. As mentioned in another comment, they used to have unrestricted access at more than one exhibit in Innoventions, including Apple. Nowadays the only way to get access there is if you know someone at the IBM exhibit. Access at the computer centers at the resorts is dialup and priced like highway robbery, though I heard they're planning to get DSL. You can get access at the Wonderland Cafe at DisneyQuest, but that's protected by MS Proxy Server. Disney's been trying out some high tech stuff recently, like palm-esque GPS navigators at Animal Kingdom and blinky LED buttons triggered by IR. Even better, they're planning interactive "Park Pal" toys, with over 100 trigger points in the Magic Kingdom alone.

As for ordering bus shuttles...

I'm a local to WDW, and I currently am working for the mouse. I read in the article that they were saying they would use the palm pilots with networking to call up shuttles (aka buses). Well, not surprising, they tried to roll this out last spring and it failed, miserably. They started at about 8 in the morning, and within ten minutes the whole system crashed. Bus wait times went up to an hour, and several GSMs (Guest Service Managers) were promptly brought to the ground and pummeled mercilessly by guests. After a few weeks, the costs got too high so they canned all the non-essential people involved with the project. Figures.

I would use an Internet cafe

I don't know about everyone else but when I went to Disney World a few years ago I was dying for Internet access. I had not bought my laptop then and looked everywhere for someplace to log onto the Internet while I was there. I have to be connected where-ever I go and if Disney had an Internet cafe, even if the price was expensive (like everything else), I would have used it no doubt.

Anyone else feel this way or am I just too big of a geek? :)

wireless network

i installed a wireless network at palm springs highschool. it was for the portables so that they could have internet access. downloads moved from 80-90k and it was like having wireless dsl. security is great since they have to have the right wireless nic in the first place, second they have to have the software installed, third they must have the encryption code, and fourth they must have internet explorer properly configured to even acces the internet. its great walking around with a laptop and still being connected. i even did all the hardware install my self and lined up the shotguns with a laser pen light from radio shack and got a 94% signal strength which is 14% higher than real world situations. its been up for a little over a year now and is still working with maximum efficiency. Its not hard to set up either in fact since its wireless im pretty sure the guy who installed it at disneyland probbably thought it was a snap. you just need power and place to mount it. there are a few more steps to it but its a peice of cake. and once you have it set up right everyone is a happy camper. If you want to set this kind of stuff up you can practically go down to bestbuy and compusa and buy the equipment for youre home. although the proffessional equipment is better quality and usually state of the art, its still the same concept. if you set it up at home you would say is that all there is to it. plus and disneyworld they probbably didnt want to tear up the ground and buildings to install a regular network. wirless is a way cheaper solution because you save a ton of money on labor. it probbably cost them 1/4 of what it would cost if they did a regular network since cat5 only goes 333 ft. max even though ive gotten it to go alot farther. and fibre optics is way to expensive.

security

look guys first someone is going to have to pay to get into the park and walk around everywhere suspiciously even to find out what equipment they are using. i would put it up in the ceiling out of site my self. then they need the software. and while there they would have to find out what software they use and break the encryption code then once they did that then they might have a chance. i personnaly wouldnt waste my time and money doing that. id rather be enjoying myself. if i wanted to get into there system i would do it from home. anyways a wirless network isnt anymore secure than walking up to a free rj port and connecting youre laptop and messing around.

Tell that to the joker that bought $2300 of stuff.

Recently, I had lost my CC and had a new one issued- the only individual that I'd given the new number to was a Hell Desk employee at my ISP to get my autobilling straightened out. 3 days later someone bought some $2300 on the card from a car parts place in Houston (performance parts for some GM car...). I've gotten it straightened out- but they successfully used it.

Almost nobody checks billing addresses over the phone or online.

Nobody asks for a signature for mailorder or online purchases- how would they DO that.

Nobody that I've dealt with in recent times asked for the validation code from the back of the card- in general, I don't believe they do.

Nobody attempts to change the account- they just try to purchase with it. In many cases they succeed.

All it would take for someone to take you for several hundred dollars is to make a duplicate card (Easy with a magstripe writer) and use it at those pay at the pump gas pumps. No validation, no checking, no PIN.

Re:Restraunts have been doing this for a while.

Yeah, you just have to worry about the haX0r sitting in the park across the street. I have enough faith in Disney's renowned paranoia to believe that they took measures to protect their network; I have no faith that the average restaurant owner will do anything more than plug in a Linksys access point and call it done.

Yes it is, and here's why

Any information needed to make a purchase is stored. Typically up until now it has been CC# and exp date. As you mentioned, more information is being required now to make the same purchase.

However, for one click shopping, etc. that many online retailers have (where no signature is required or signature is on a digital pad), they still have to store all that extra information, because it's needed to authenticate the purchase. So when anyone stumbles across your database, they still have the access to the information they need, they just need to grab 5 columns instead of 2.

The only method you mentioned that would solve this is faxing the signatures. And if the signature is digital (UPS, MicroCenter, etc), it's probably stored as a LOB in the database in a picture format anyway, and the Hacker now has a printable version of your signature. Also, most e-tailers don't have your signature because it's impracticle to get it from you. Remember, just because your CC was stolen from somewhere that needs a signature, it can still be used somewhere that doesn't

Re:Bad place to ask the question

Why even USE Windows? Just make a new partition and install Linux...it's not that hard.

Re:Not a worthwhile target

• The 3-digit validation code from the back of the card. Paypal, C2IT, and most "online cash" places demand it now; many merchants do as well.

That might not be so crucial. I don't know about other places, but at the unnamed large chain office supply store where I work, we only check the CID on AmEx. I point out that Visa and MasterCard have both had it for years, and ask why we don't check that too. "Because only American Express has it." "That's not true. Look here." "Oh. Well, that's just the way it is."

And of course, for point-of-sale you don't need the address, and I don't need to explain how rarely cashiers do a proper signature or ID check...

Re:Not a worthwhile target

For all the questions asked and objections raised, you have yet to either defend or apologize for your overtly anti-Semitic statement, "it's probably just a greedy jew thing." Is it your feeling that this nauseating comment was somehow justified, or that it is such a minor issue that it is beneath your notice?

You said, "I'm proud to be a Black man." Well, congratulations, you've just reinforced the stereotype that all African-Americans are anti-Semites. Now that's something to be proud of!

I'm glad I know it's not true, and that bigots like yourself do not represent the entire black community. But I see more than enough of this crap, and it makes me wonder just how bad the problem is.

Tim