Information Security News mailing list archives

Re: T-Mobile Hotspot uses SSN for passphrase


From: InfoSec News <isn () c4i org>
Date: Wed, 14 May 2003 00:16:40 -0500 (CDT)

Forwarded from: Kurt Seifried <kurt () seifried org>

I read this and thought "ok, not too bad... but..."

1) WEP. It'd be largely useless anyway, you have to distribute credentials
to each user that MIGHT use that access point. In other words you'd likely
end up with all access points using the same credentials, and since the
users number in the thousands it would quickly become public knowledge. So
let's ignore WEP since it's pretty much a non-issue no matter how you look
at it.

2) According to the security page:

"Similarly, at all HotSpot locations, the T-Mobile password change process
is encrypted using SSL technology. Except in a small number of locations
where the HotSpot login page notes otherwise (and requires you to check a
box by the notice before using the service), customer's user names and
passwords are encrypted by means of SSL technology, which prevents
unauthorized persons from reading that information. "

Oh... so not all access points use SSL. But that's ok, because there is a
check box to inform the user.

But this trains users to expect non-SSL encrypted login pages. Which of
course makes spoofing trivial, just set up an access point and a web server,
and harvest user credentials. Advice: use a high traffic area with no hot
spot access, use an omni-directional antenna for bonus points.

3) The credentials used are reported as phone # and last 4 digits of SSN. I
wonder how account lockout is set up? If it locks out after a few tries you
could trivially DoS users, it's not like finding out cell phone #'s is hard,
most phone companies get a block and assign them. Simply step through all
the phone numbers and login incorrectly N times to lock out a few thousand
accounts. If they do not have account lockout enabled simply cycle through 4
digit numbers, 10,000 attempts is not a lot. I highly doubt they have any
bad login/authentication time delays or back offs, again if they do this
allows you to DoS users (i.e. if each AP is limited to 5 authentication
transactions per second).

So we end up training users to enter credentials into non-SSL encrypted web
sites whenever their laptop finds an access point. Good stuff.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
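The lockout-versus-brute-force trade-off in point 3 is easy to see in a small simulation. The code below is an added example written for this archive page; it is not from Kurt's post and has nothing to do with T-Mobile's actual backend. The phone numbers, the 4-digit secrets, the lockout threshold of 5 and the per-source budget of 20 are all constructed for illustration. It runs one toy authentication service under three policies: no lockout (10,000 guesses recover the secret), account lockout after N failures (the brute force stops, but N wrong guesses per number lock every account in a block), and a per-source failure budget with no account lockout (the attacking source is cut off, nothing is locked, and the real user still logs in from another source).

```python
"""Constructed simulation of point 3: 4-digit secret per phone number,
three hypothetical login policies, two attacker strategies.
Not the T-Mobile HotSpot implementation; all data is made up."""
from collections import defaultdict

SSN4_SPACE = 10_000  # last four SSN digits: "0000".."9999"


class AuthService:
    """Toy login backend keyed on phone number.

    lockout_threshold: lock the *account* after this many failures (None = never).
    source_budget: failures tolerated per *source* (e.g. client MAC/IP at the
                   portal) before that source is refused (None = unlimited).
    """

    def __init__(self, accounts, lockout_threshold=None, source_budget=None):
        self.accounts = dict(accounts)          # phone -> 4-digit secret
        self.lockout_threshold = lockout_threshold
        self.source_budget = source_budget
        self.account_failures = defaultdict(int)
        self.source_failures = defaultdict(int)
        self.locked = set()

    def login(self, phone, ssn4, source="attacker"):
        if (self.source_budget is not None
                and self.source_failures[source] >= self.source_budget):
            return "throttled"      # source is cut off; the account is untouched
        if phone in self.locked:
            return "locked"
        if self.accounts.get(phone) == ssn4:
            self.account_failures[phone] = 0
            return "ok"
        self.account_failures[phone] += 1
        self.source_failures[source] += 1
        if (self.lockout_threshold is not None
                and self.account_failures[phone] >= self.lockout_threshold):
            self.locked.add(phone)
            return "locked"
        return "bad"


def brute_force(service, phone, source="attacker"):
    """Cycle through all 10,000 values. Returns (recovered secret or None, attempts)."""
    for i in range(SSN4_SPACE):
        guess = f"{i:04d}"
        result = service.login(phone, guess, source)
        if result == "ok":
            return guess, i + 1
        if result in ("locked", "throttled"):
            return None, i + 1      # stopped by policy, secret not recovered
    return None, SSN4_SPACE


def lockout_dos(service, phones, tries_per_account, source="attacker"):
    """Feed every phone number `tries_per_account` wrong guesses; count accounts locked."""
    locked = 0
    for phone in phones:
        for _ in range(tries_per_account):
            if service.login(phone, "----", source) == "locked":
                locked += 1
                break
    return locked


def demo():
    # Constructed sample data: one consecutive block of numbers, as a carrier would assign.
    phones = [f"555-01{n:02d}" for n in range(20)]
    secrets = {p: f"{(7919 * i + 13) % SSN4_SPACE:04d}" for i, p in enumerate(phones)}
    victim = phones[3]                           # its constructed secret is "3770"

    # Policy A: no lockout, no throttling -> at most 10,000 guesses recover the secret.
    no_lockout = brute_force(AuthService(secrets), victim)

    # Policy B: lock the account after 5 failures -> the brute force dies at guess 5,
    # but 5 bad guesses per number lock the whole block.
    lockout = brute_force(AuthService(secrets, lockout_threshold=5), victim)
    lockout_dos_locked = lockout_dos(AuthService(secrets, lockout_threshold=5), phones, 5)

    # Policy C: per-source failure budget, no account lockout -> the attacking source is
    # refused after 20 failures, no account is locked, and the real user still logs in.
    c = AuthService(secrets, source_budget=20)
    throttle = brute_force(c, victim)
    throttle_dos_locked = lockout_dos(c, phones, 5)
    user_login = c.login(victim, secrets[victim], source="victim-laptop")

    return {
        "no_lockout": no_lockout,
        "lockout": lockout,
        "lockout_dos_locked": lockout_dos_locked,
        "throttle": throttle,
        "throttle_dos_locked": throttle_dos_locked,
        "throttle_user_login": user_login,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-source budget is only as good as the portal's ability to tell sources apart: on an open wireless network the attacker can change MAC addresses, so in practice it has to be combined with a slow-down (growing delay per failure) rather than relied on alone, and a global per-AP cap on authentication transactions reintroduces exactly the DoS Kurt describes.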



-
ISN is currently hosted by Attrition.org


