Re: [ISN] T-Mobile Hotspot uses SSN for passphrase

From: InfoSec News (isnat_private)
Date: Tue May 13 2003 - 22:16:40 PDT


    Forwarded from: Kurt Seifried <kurtat_private>
    
    I read this and thought "ok, not too bad... but..."
    
    1) WEP. It'd be largely useless anyway; you have to distribute credentials
    to each user that MIGHT use that access point. In other words you'd likely
    end up with all access points using the same credentials, and since the
    users number in the thousands it would quickly become public knowledge. So
    let's ignore WEP since it's pretty much a non-issue no matter how you look
    at it.
    
    2) According to the security page:
    
    "Similarly, at all HotSpot locations, the T-Mobile password change process
    is encrypted using SSL technology. Except in a small number of locations
    where the HotSpot login page notes otherwise (and requires you to check a
    box by the notice before using the service), customer's user names and
    passwords are encrypted by means of SSL technology, which prevents
    unauthorized persons from reading that information. "
    
    Oh... so not all access points use SSL. But that's ok, because there is a
    check box to inform the user.
    
    But this trains users to expect non-SSL-encrypted login pages. Which of
    course makes spoofing trivial: just set up an access point and a web server,
    and harvest user credentials. Advice: use a high traffic area with no hot
    spot access; use an omni-directional antenna for bonus points.
    
    3) The credentials used are reported as phone # and last 4 digits of SSN. I
    wonder how account lockout is set up? If it locks out after a few tries you
    could trivially DoS users; it's not like finding out cell phone #s is hard,
    most phone companies get a block and assign them. Simply step through all
    the phone numbers and login incorrectly N times to lock out a few thousand
    accounts. If they do not have account lockout enabled simply cycle through 4
    digit numbers; 10,000 attempts is not a lot. I highly doubt they have any
    bad login/authentication time delays or back offs; again if they do this
    allows you to DoS users (i.e. if each AP is limited to 5 authentication
    transactions per second).
    
    So we end up training users to enter credentials into non-SSL-encrypted web
    sites whenever their laptop finds an access point. Good stuff.
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
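Editor's added example (not part of Seifried's message, and not T-Mobile's code): a
constructed model of point 3 above, a login service keyed by phone number with a
4-digit secret, run under the two lockout policies the post contrasts. With no
lockout, an attacker cycles all 10,000 four-digit values against one number; with
lockout after N failures, the attacker instead burns N bad logins against every
number in a sequential block and locks the real owners out. The HotspotAuth class,
the phone numbers, the secrets and the 5 auth/s figure are all assumptions made for
the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class HotspotAuth:
    """Constructed model of a login service keyed by phone number with a
    4-digit secret (the last four SSN digits, per the post). lockout_after=None
    means no lockout; N means the account locks after N consecutive failures."""
    secrets: Dict[str, str]
    lockout_after: Optional[int] = None
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)
    requests: int = 0  # total authentication transactions seen

    def login(self, phone: str, pin: str) -> str:
        self.requests += 1
        if phone in self.locked:
            return "locked"
        if self.secrets.get(phone) == pin:
            self.failures[phone] = 0
            return "ok"
        self.failures[phone] = self.failures.get(phone, 0) + 1
        if self.lockout_after is not None and self.failures[phone] >= self.lockout_after:
            self.locked.add(phone)
            return "locked"
        return "fail"


def brute_force_pin(server: HotspotAuth, phone: str) -> Tuple[Optional[str], int]:
    """Point 3 without lockout: step through all 10,000 four-digit values for
    one phone number. Returns (recovered pin or None, requests spent)."""
    start = server.requests
    for i in range(10_000):
        result = server.login(phone, f"{i:04d}")
        if result == "ok":
            return f"{i:04d}", server.requests - start
        if result == "locked":  # a lockout policy stops the search early
            break
    return None, server.requests - start


def lockout_dos(server: HotspotAuth, phones: Iterable[str]) -> int:
    """Point 3 with lockout: fail lockout_after times against every number in
    the block so the legitimate owners are locked out. The attacker never needs
    the secret. Returns the number of accounts now locked."""
    assert server.lockout_after is not None, "only meaningful with a lockout policy"
    phones = list(phones)
    for phone in phones:
        for _ in range(server.lockout_after):
            # "----" can never match a 4-digit secret, so every call is a failure
            if server.login(phone, "----") == "locked":
                break
    return sum(1 for p in phones if p in server.locked)


def dos_duration_seconds(block_size: int, lockout_after: int, auth_per_second: float) -> float:
    """Time to lock a whole number block when the service (or one AP) accepts
    only auth_per_second authentication transactions, as in the post's
    '5 authentication transactions per second' example."""
    return block_size * lockout_after / auth_per_second


def number_block(prefix: str, size: int) -> List[str]:
    """Constructed block of sequential phone numbers, e.g. '5550000000', '5550000001', ..."""
    return [f"{prefix}{n:04d}" for n in range(size)]


if __name__ == "__main__":
    victims = number_block("555000", 1000)
    # constructed secrets: a deterministic 4-digit value per number
    secrets = {p: f"{int(p[-4:]) * 7 % 10_000:04d}" for p in victims}

    open_service = HotspotAuth(dict(secrets))
    print("no lockout, pin and attempts:", brute_force_pin(open_service, victims[1]))

    strict_service = HotspotAuth(dict(secrets), lockout_after=3)
    print("lockout=3, accounts locked:", lockout_dos(strict_service, victims))
    print("owner's correct login now:", strict_service.login(victims[0], secrets[victims[0]]))
    print("seconds to lock the block at 5 auth/s:", dos_duration_seconds(1000, 3, 5))
```

The two attacks are mirror images of one policy choice: the lockout that stops
brute_force_pin is exactly what lockout_dos exploits, which is why the post treats
both configurations as losing positions.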
    



    This archive was generated by hypermail 2b30 : Wed May 14 2003 - 00:28:57 PDT