Mobile users vulnerable to account hijacking
While many users know to use strong, unique passwords to protect themselves and their data, a vulnerability in many mobile carriers' Wireless Application Protocol (WAP) portals may leave users open to fraudulent purchases and exposure of their account data.
According to IDG News columnist Lucian Constantin, the flaw allows attackers to bypass the authentication process of a carrier's web portal and purchase content or premium service subscriptions through another user's account. A total of 20 portals based in several European countries were tested, 15 of which were deemed exploitable.
"The vulnerability stems from the fact that many such websites authenticate users automatically based on special HTTP headers sent by mobile browsers or added by the operator's proxy server when the phone's data connection is used," Constantin wrote.
Bogdan Alecu, an independent Romanian researcher, discovered the vulnerability, which is exploitable because the portals authenticate users based on HTTP headers that identify the mobile subscriber, Constantin reported. Alecu tested the flaw by using Firefox extensions to generate headers that contain a user's phone number. In some cases, Alecu had to buy a SIM card from the targeted mobile operator so that his requests would come from an IP address within that carrier's network, while some attacks were successful using his own internet connection. In either case, the only piece of information the researcher needed was the user's phone number.
Although Alecu didn't name any specific companies, he told IDG News that many carriers neglected to fix the vulnerability after he notified them. The researcher also had difficulty obtaining SIM cards from U.S. carriers, which places a geographic limitation on his work.
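A toy model of the auto-login mechanism described above, added here as an illustration and not taken from the article or from any operator's code: a portal that trusts the subscriber header from anywhere (the flaw) next to one that honours it only when the request arrived through the operator's own proxy, which strips whatever header the handset supplied. The header name, address ranges and phone numbers are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed header name; real operators use their own, often undocumented, names.
MSISDN_HEADER = "X-MSISDN"
# Assumed operator-internal range from which the proxy reaches the portal.
PROXY_NET = ip_network("10.0.0.0/8")


def _get_header(headers, name):
    """Case-insensitive lookup, as HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def operator_proxy(headers, subscriber_msisdn):
    """Model of a correctly behaving carrier proxy: drop any subscriber-identity
    header the handset sent and set the number known from the radio side."""
    clean = {k: v for k, v in headers.items() if k.lower() != MSISDN_HEADER.lower()}
    clean[MSISDN_HEADER] = subscriber_msisdn
    return clean


def vulnerable_identify(headers, peer_ip):
    """Flawed portal: trusts the header regardless of where the request came from,
    so a forged header from the public internet logs the attacker in as the victim."""
    return _get_header(headers, MSISDN_HEADER)


def hardened_identify(headers, peer_ip):
    """Portal that accepts the header only from the operator proxy's address range.
    Returns None for everything else, meaning the user must log in explicitly."""
    if ip_address(peer_ip) not in PROXY_NET:
        return None
    return _get_header(headers, MSISDN_HEADER)


if __name__ == "__main__":
    # Constructed request: a header naming a victim, sent from a public address.
    forged = {"x-msisdn": "+40700000001"}
    print(vulnerable_identify(forged, "203.0.113.5"))   # victim's number: flaw
    print(hardened_identify(forged, "203.0.113.5"))     # None: must log in
    # Same forged header, but sent by a handset on the operator's network:
    # the proxy overwrites it with the real subscriber's number.
    print(hardened_identify(operator_proxy(forged, "+40700000002"), "10.1.2.3"))
```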
Virgin mobile security flaw
Another mobile security flaw was recently uncovered by software developer Kevin Burke. The exploit stems from Virgin Mobile's online account login feature, which requires account holders to use their phone numbers as usernames and only allows 6-character passwords. Burke said that he contacted the company a month ago, but the vulnerability hasn't been fixed.
"This is horribly insecure. Compare a six-digit number with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits – the latter has 218,340,105,584,896 possible combinations," Burke wrote. "It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN inside of one day. I verified this by writing a script to 'brute force' the PIN number of my own account."
Burke highlighted several actions that attackers can take once they have a user's PIN. These include purchasing accessories such as a new handset, reading text message logs and changing the user's PIN to lock him or her out of the account. In addition to not allowing complex passwords, the website doesn't block access after a set number of failed password attempts, making accounts particularly susceptible to brute-force attacks.
Security News from SimplySecurity.com by Trend Micro