Forwarded from: Kurt Seifried <kurtat_private>

I read this and thought "ok, not too bad... but..."

1) WEP. It'd be largely useless anyway; you have to distribute credentials to each user that MIGHT use that access point. In other words you'd likely end up with all access points using the same credentials, and since the users number in the thousands it would quickly become public knowledge. So let's ignore WEP since it's pretty much a non-issue no matter how you look at it.

2) According to the security page:

"Similarly, at all HotSpot locations, the T-Mobile password change process is encrypted using SSL technology. Except in a small number of locations where the HotSpot login page notes otherwise (and requires you to check a box by the notice before using the service), customer's user names and passwords are encrypted by means of SSL technology, which prevents unauthorized persons from reading that information."

Oh... so not all access points use SSL. But that's ok, because there is a check box to inform the user. But this trains users to expect non-SSL encrypted login pages. Which of course makes spoofing trivial: just set up an access point and a web server, and harvest user credentials. Advice: use a high traffic area with no hot spot access, use an omni-directional antenna for bonus points.

3) The credentials used are reported as phone # and last 4 digits of SSN. I wonder how account lockout is set up? If it locks out after a few tries you could trivially DoS users; it's not like finding out cell phone #s is hard, most phone companies get a block and assign them. Simply step through all the phone numbers and log in incorrectly N times to lock out a few thousand accounts. If they do not have account lockout enabled, simply cycle through 4 digit numbers; 10,000 attempts is not a lot. I highly doubt they have any bad login/authentication time delays or back offs; again, if they do, this allows you to DoS users (i.e. if each AP is limited to 5 authentication transactions per second).

So we end up training users to enter credentials into non-SSL encrypted web sites whenever their laptop finds an access point. Good stuff.

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

- ISN is currently hosted by Attrition.org
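The lockout-versus-backoff trade-off raised in point 3, as an added model that is not part of the original mail or T-Mobile's system: a 4-digit secret is guarded by one of three constructed throttling policies, and we measure how many guesses one account evaluates within a time budget at the 5 attempts/second AP rate the post mentions, and how long the legitimate user is kept out once a stranger has failed against the account. The policy parameters and timings are assumptions.

```python
"""Model of login throttling against a 4-digit secret (constructed example, not from the
original post). Compares no throttling, hard lockout after N failures, and per-account
exponential backoff, for both guessing cost and collateral denial of service."""
from dataclasses import dataclass

PIN_SPACE = 10_000   # last four SSN digits, as in the post
AP_RATE = 5.0        # authentications per second per access point (post's figure)

@dataclass
class Policy:
    lockout_after: int = 0       # hard-lock after this many failures; 0 = never
    backoff_base: float = 0.0    # delay after first failure, doubling thereafter; 0 = none
    backoff_cap: float = 3600.0  # ceiling on the doubling delay (assumed)

@dataclass
class Account:
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0    # earliest time the next attempt is evaluated

def attempt(acct: Account, pol: Policy, now: float, correct: bool) -> bool:
    """Process one attempt at time `now`; True only if the login is accepted."""
    if acct.locked or now < acct.next_allowed:
        return False                      # refused before the secret is even checked
    if correct:
        acct.failures = 0
        return True
    acct.failures += 1
    if pol.lockout_after and acct.failures >= pol.lockout_after:
        acct.locked = True
    if pol.backoff_base:
        acct.next_allowed = now + min(pol.backoff_base * 2 ** (acct.failures - 1), pol.backoff_cap)
    return False

def guesses_evaluated(pol: Policy, budget_s: float) -> int:
    """Wrong guesses against one account that the verifier evaluates within budget_s."""
    acct, now, n = Account(), 0.0, 0
    while now <= budget_s and not acct.locked:
        attempt(acct, pol, now, correct=False)
        n += 1
        now = max(now + 1 / AP_RATE, acct.next_allowed)  # wait out rate limit or delay
    return n

def user_wait_seconds(pol: Policy, stranger_failures: int) -> float:
    """Delay the real user faces right after a stranger's failures; inf = hard-locked."""
    acct, now = Account(), -1 / AP_RATE
    for _ in range(stranger_failures):
        now = max(now + 1 / AP_RATE, acct.next_allowed)
        attempt(acct, pol, now, correct=False)
    return float("inf") if acct.locked else max(acct.next_allowed - now, 0.0)
```

With no throttling the whole 10,000-value space is evaluated in under 2000 seconds at the AP rate; hard lockout stops guessing at 5 but leaves the real user locked out indefinitely, while backoff caps a 2000-second window at 11 evaluated guesses and costs the real user a finite delay.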
This archive was generated by hypermail 2b30 : Wed May 14 2003 - 00:28:57 PDT