The Geek Squad

January 25, 2009

Ok… I don’t condone black hat hacking or password stealing, but I found this very interesting. I found this article in the Summer 2008 (Volume 25, #2) issue of 2600, the Hacker Quarterly. While it explains how to capture login and password information, it speaks volumes to the ineptitude of Best Buy’s “Geek Squad.” The article is written by Turgon.

Ahh, the Geek Squad: love them or hate them, they’re here to stay. Best Buy’s computer “task force” can be found in every store, at your home or office, or on the road in their black and white VW Beetles.
A majority of their employees, who are known as Agents, are high school kids with a basic understanding of Windows Vista and XP, but more than a few of them really know their stuff. Some even read and contribute to 2600 Magazine.
What is this article about? Well, it isn’t a rant about incompetence. Sorry guys and gals, but you can find plenty of that on consumerist.com or on countless forums. No, what I am here to talk about is a tiny security issue with huge consequences. Here’s how to wreak havoc in five easy steps:

First Step: Call the Geek Squad at 1-800-433-5778 and set up an appointment for a wireless network security install. This is their cheapest and quickest service. Unfortunately, it will cost you $59; as we’ll see later, though, this is a small price to pay for such a prize.

Second Step: Install a keylogger on your laptop or desktop computer. Software, hardware, doesn’t matter.

Third Step: Reset your wireless router settings to the defaults; disable WEP and WPA, and use the default SSID. Then, sit back and wait for your appointment. A field tech, who we’ll call Double Agent, will show up at your door. He or she will take a look at your situation and secure your router with WPA: piece of cake! Thank the agent for their amazing WPA-typing skills and reject any other additional services they may try to “up-sell.”

Fourth Step: Your hero agent will now sit down at your computer, open a Web browser, and go to https://sts.geeksquad.com/sts. Once there, they will type in their login credentials. The username will be something like 123456; the password will be a case-sensitive combination of letters and numbers. The agent will pull up your name and account on the Geek Squad system, which is called “STS,” and which is able to take credit cards via a shopping cart feature, print receipts, add charges, remove charges, and so on. Your receipt will print out, and the Agent will log out and close the browser.

Fifth Step: With the agent gone, you should first change your WPA key to something else. You’ve now got the agent’s STS login and password.
Thanks to your keylogger, you now have login credentials for STS, giving you access to Geek Squad’s entire customer database of literally millions of customers. Addresses, phone numbers, and e-mail addresses are just the beginning. Most agents, per corporate policy, also log copious notes of every customer’s WPA or WEP key, SSID, IP address, PC make and model, O/S, RAM amount, viruses found, and lots more. The Geek Squad database contains information not only about individuals but also about their numerous small business clients.

Note that agents are required to reset their STS passwords on a regular basis, and a hacked password is easily reset by corporate. Therefore, having an agent’s login credentials is only good for information gathering; once an agent realizes that his password has been changed, he’ll have it reset in minutes. There’s no easy way for an agent to know if an account is being abused, as it’s possible to log in from multiple computers or browsers at the same time. One could theoretically have unfettered access for months before the agent is forced to change the password at a server prompt.
Agents are usually clever enough to find keyloggers if they are performing virus removals, system optimizations or upgrades, and similar jobs. The simple fact that they’re only out to encrypt your wireless router means they won’t even look twice to check background programs or physically examine the machine and inspect for hardware loggers.
Best Buy likes to cut corners, and its employees and customers always get the short end of the stick. A workable solution to the security issue I have discussed would be for Best Buy to provide a laptop to its agents for on-site use. Companies like HP, Toshiba or Gateway would probably even split the cost to have these “respected” Geek Squad agents toting their brand’s laptop into impressionable customers’ homes. Other prevention techniques that Best Buy might employ include a server-side upgrade requiring a SecurID token for access to STS or limiting lowly Agents’ access to the huge database of customer information.
For a company at the cutting edge of new technology, Best Buy is setting their Geek Squad brand up for major trouble. There’s huge risk that any of their over 2,000 field agents might enter their credentials into a compromised computer. There’s also the risk of abuse. At all times, any agent, Best Buy manager, or call center phone jockey has access to an extravagant amount of customer data. I am no whistleblower or disgruntled employee, but corporations like Best Buy are reactionary. They only act on behalf of customers or employees when they get in trouble. When all other methods fail, I turn to the community!
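The article’s point that nobody notices an abused account because STS allows simultaneous logins from several machines is exactly the signal a server-side check could catch. The following is an added example (not code from the article or from Best Buy) of such a detector: it walks an assumed “timestamp user= ip= event=” authentication log and flags any login for an account that already has an open session from a different source address. The log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed "timestamp user=... ip=... event=..." format;
# the real STS log format is not described in the article.
SAMPLE_LOG = """\
2009-01-25T09:02:11 user=123456 ip=10.0.0.5 event=login
2009-01-25T09:40:03 user=123456 ip=10.0.0.5 event=logout
2009-01-25T13:15:42 user=123456 ip=10.0.0.5 event=login
2009-01-25T13:22:09 user=123456 ip=198.51.100.77 event=login
2009-01-25T13:58:30 user=123456 ip=10.0.0.5 event=logout
2009-01-25T14:10:00 user=654321 ip=10.0.0.9 event=login
2009-01-25T22:05:17 user=123456 ip=198.51.100.77 event=logout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, user, ip, event) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["event"])


def find_concurrent_sessions(text):
    """Return [(user, existing_ip, new_ip, login_time)] for every login that
    arrives while the same account already has an open session elsewhere."""
    open_sessions = defaultdict(dict)  # user -> {ip: login_time}
    alerts = []
    for ts, user, ip, event in sorted(parse_events(text)):
        if event == "login":
            for other_ip in open_sessions[user]:
                if other_ip != ip:
                    alerts.append((user, other_ip, ip, ts.isoformat()))
            open_sessions[user][ip] = ts
        elif event == "logout":
            open_sessions[user].pop(ip, None)
    return alerts


if __name__ == "__main__":
    for user, old_ip, new_ip, when in find_concurrent_sessions(SAMPLE_LOG):
        print(f"{when}: account {user} active from {old_ip}, new login from {new_ip}")
```

In the constructed sample, the only alert is agent 123456 logging in from 198.51.100.77 at 13:22 while a session from 10.0.0.5 is still open; a production version would feed such alerts to the agent or force a password reset, which is the kind of server-side control the article says STS lacks.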
