SecureMac, Inc.

Checklist 104: Guess Again! And Again! And Again!

August 30, 2018

It might seem like we have a thousand new security issues to talk about each week — but if you’ve been listening for a while, you know that’s pretty much par for the course these days. This week we have a plethora of stories about telcos (and their partners) dropping the ball when it comes to user privacy, followed by yet another Facebook story that leaves us wondering “When is enough enough?” and wrapping up with a big problem where parental spyware proves once again that actions can have unintended consequences in the digital age. All that, plus our insights into these stories, featured in today’s episode. So, without further ado, here’s the checklist of topics for today:

  • Dial V for Vulnerability
  • Facebook for Your VPN? Not the best choice
  • Spyfone secrets left out in the open

We’ll kick off today’s discussion with a multifaceted view of several security issues ongoing in the world of telecommunications today.

Dial V for Vulnerability

Our mobile phones are increasingly a core part of our security efforts, with so many companies adopting two-factor authentication that relies on codes sent to users by SMS. As a result, the bad guys have started to spend more time looking for ways to compromise a user’s account with a mobile phone company so that they can intercept and use these codes. While most of the stories we’ll discuss here today have to do with mobile providers, the first one we’re visiting today actually features Apple at fault. A bug in a webpage in Apple’s online store, it turns out, had the potential to expose at least 70 million user-created PINs from T-Mobile.

Mobile phone companies typically require users to create PINs (or to self-identify using the last four digits of their Social Security Number) as a key method of validating their account when interacting with the provider itself or a third party, such as Apple. So, what was the flaw? T-Mobile users who wanted to purchase a new iPhone on Apple’s site would select their product and carrier and then be redirected to an authentication page requiring their T-Mobile phone number and PIN. Here’s the problem: the form in question lacked any sort of rate limiter, meaning you could plug in an infinite number of guesses trying to pair a PIN with the phone number the bad guys want to target. Eventually, you could guess the right PIN for the target phone number.

The researchers who uncovered the flaw in Apple’s site also found similar flaws in mobile insurer Asurion’s website when the site prompted AT&T customers for their PIN. So, what’s the big deal? Why are these PINs so important to keep hidden, if they don’t offer immediate access to a user’s device? The answer is social engineering. With a valid PIN, bad actors could call up your phone company, pretend to be you, and supply your PIN. With a quick call, they can make changes to your account and start receiving the two-factor codes for any of your accounts linked to that phone number. Given how much we rely on our phone numbers today, this type of “identity hacking” is incredibly dangerous.

The good news: both Asurion and Apple fixed the issues quickly. For its part, Apple seems to have made a simple mistake, as all other carrier authentication pages on their store were properly rate-limited. While there’s no sign that this bug was abused on any large scale, changing your PIN from time to time is a smart security practice anyway. When you do, be sure not to re-use a PIN from anywhere else, such as your bank account. Just as with passwords, you want to spread your risk around and limit how much damage one compromised account can create.

For our listeners who are Sprint customers, if you’re feeling a bit smug right now — pump the brakes. According to TechCrunch, researchers recently uncovered a big security flaw in Sprint’s systems, too. First, important internal portals were hidden behind very weak usernames and passwords. The researcher did not reveal them, but states that they were “easy to guess.” The password combos were all it took for the anonymous researcher to log into the portal, and from there, guessing a second account allowed him access to Sprint’s customer information portal. From that point, it would be trivial for a bad guy to transfer a target user’s phone number to their own device.

To do so required, of course, only the target’s phone number and their PIN. Here’s the kicker: Sprint’s internal page wasn’t rate limited, either, so the researcher could simply brute force all possible PIN combinations to quickly hijack the target number. The internal dynamics of the site meant that a hacker who broke into the portal could tamper with accounts on Sprint, Boost, and Virgin Mobile services. Sprint’s response was to point out that “legitimate credentials” were used, and that the site wasn’t exposed to the open Internet — but isn’t it just the same if it’s apparently so easy to guess the passwords? Access has since been locked down, hopefully with some stronger procedures in place.

Let’s look at one more telecom-related problem, this time from big ISP Charter. Charter, which recently closed an acquisition deal for Time Warner Cable, has begun folding TWC’s customers into their own systems. That meant encouraging customers to register fresh accounts on Charter’s website. Once on the page, users were prompted to enter their phone numbers and their ZIP codes for authentication purposes. Here’s the fun part: the ZIP code didn’t have to be correct for a user to proceed to the next page.

Worse still, someone trying to hijack another’s account wouldn’t even need to know your phone number! This form wasn’t rate limited either, meaning a hacker could potentially run a brute force script to find any valid TWC customer’s phone number and make a move on their account. Charter says, as companies often do, that they have no evidence that this loophole was abused or exploited in any way. Nonetheless, it seems like even major companies are forgetting some of the most basic digital safeguards. For the most part, aside from changing your PIN regularly, as we mentioned above, there isn’t much to do other than hope that the companies you do business with can treat your information securely — just watch out, and if you quit working with one carrier, see if they can remove your account data before you leave.
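The safeguard missing from the Apple, Sprint and Charter forms described above, shown as an added Python example that is not code from any of those companies or from the researchers: failed guesses are counted per target phone number and trigger a lockout that doubles each time. The five-guess limit, the 15-minute base lockout, the class and function names, and the sample number and PIN are all assumptions made up for this illustration.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 5          # assumed policy: wrong guesses allowed before a lockout
BASE_LOCKOUT_S = 15 * 60  # assumed policy: the first lockout lasts 15 minutes


@dataclass
class PinThrottle:
    """Counts failed PIN guesses per target phone number, not per client IP,
    so rotating source addresses does not buy the guesser extra attempts."""
    pins: dict                                  # phone -> PIN (constructed demo store)
    state: dict = field(default_factory=dict)   # phone -> [failures, locked_until, lockouts]

    def verify(self, phone: str, pin: str, now: float) -> str:
        rec = self.state.setdefault(phone, [0, 0.0, 0])
        if now < rec[1]:
            return "locked"                     # refuse without evaluating the PIN at all
        expected = self.pins.get(phone, "")
        # Constant-time compare; unknown numbers fail the same way as wrong PINs.
        if expected and hmac.compare_digest(expected.encode(), pin.encode()):
            rec[0] = 0
            return "ok"
        rec[0] += 1
        if rec[0] >= MAX_FAILURES:
            rec[2] += 1
            rec[1] = now + BASE_LOCKOUT_S * 2 ** (rec[2] - 1)  # doubles on each lockout
            rec[0] = 0
        return "denied"


def sweep(throttle: PinThrottle, phone: str, start: float = 0.0):
    """Replay a full 0000-9999 sweep at one guess per second; return (accepted, locked)."""
    accepted = locked = 0
    for i in range(10_000):
        result = throttle.verify(phone, f"{i:04d}", start + i)
        accepted += result == "ok"
        locked += result == "locked"
    return accepted, locked
```

Keying the lockout on the target number means a guessing run also locks out the real account holder for a while, which is the usual trade-off of this control.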

Facebook for Your VPN? Not the best choice

Oh, Facebook — will we ever go a week without visiting a topic related to the social media giant? Not that they had a stellar track record before, but ever since the Cambridge Analytica story first broke, it has seemed we have an unending torrent of Facebook stories to contend with; this week is no different. This time, the story centers around an app owned and operated by Facebook called Onavo Protect. Billing itself as a VPN application, Onavo allows users to create an ostensibly secure private network on their mobile device to help avoid malicious traffic on the web. It accomplishes this by routing your traffic through Facebook’s servers first; can you see where this story might be going?

Very recently, Apple informed Facebook that Onavo would have to come off the App Store because it now runs afoul of recent changes to Apple’s privacy and data use policies; as a result, iOS users can no longer download Facebook’s VPN app. According to Apple, Onavo violated not only the rules regarding data collection but also those on acceptable use of customer information. Given what we know about Facebook and its penchant for “vacuuming” up as much data as it possibly can, this seems in line with their usual methods. The new guidelines put out by Apple forbid collecting info on what other apps exist on a device and include a condition that states users must be clearly informed when information is collected and how it will be used.

Users who routed their traffic through Onavo practically gave Facebook carte blanche to analyze the information. One can imagine that having access to such a huge trove of information would be extremely valuable for a company like Facebook, whose advertising partners would like very much to know whether their campaigns result in real gains to their traffic. More importantly, though, Facebook uses that information itself to make major strategic decisions. Information gathered through Onavo apparently informed the company’s decision to pursue the acquisition of WhatsApp, a multi-billion dollar deal that Facebook concluded back in 2014.

Think about that: Facebook has apparently been gathering, analyzing, and using (hopefully anonymized) browsing data for nearly half a decade, and only now did someone say, “Hold up, stop.” While Onavo has been pulled from the App Store, it will continue to function as-is for users that still have it; however, they’ll no longer be able to receive any updates. Android users can still choose to let Facebook get a window into all their browsing habits, though, which leads us to an important question: what’s anyone doing using a VPN owned and operated by Facebook in the first place?

Part of the issue may stem from how many people have a limited view of the Internet, seeing Facebook as their primary portal to everything on the web. In other cases, it may be an issue of cost. In just about every case, reputable VPNs charge a monthly subscription fee to offset the cost of maintaining servers and providing connections for individuals. Onavo, on the other hand, was free. Give the average user a choice between free and paid software, and they’ll probably choose the free version every time — and since “private” is in the name of “virtual private network,” they may think no one can see what they’re doing. The reality is, though, that traffic must pass through someone’s servers. In a paid VPN’s case, that traffic is typically encrypted so that as few people as possible can view it (if at all). With Onavo, that’s clearly not what went on.

There is a right way to approach VPNs, though, that won’t leave your data dangling out there for Facebook to nab. We discussed it ourselves, back in Episode 19 of the Checklist, called All About VPNs. In that episode, we discussed topics such as what VPNs are and why you should use them, and more importantly, how to go about selecting the VPN service that will be best for you. They can be extremely handy tools, especially once you get in the habit of using them, so we advise you to check that episode out if you haven’t—and avoid giving Facebook the chance to snoop on you more than they already do!

Spyfone secrets left out in the open

For our final story in this week’s episode — something else that’s surprisingly bad!

Motherboard reports that a company called Spyfone, whose primary product was mobile phone spyware marketed to both business owners and parents, left a huge trove of user information completely exposed to the web through their server in the Amazon cloud. Worse still, it wasn’t just information on the company’s customers that was exposed in the Amazon bucket — it was all the data gathered and stored from the people those customers were spying on, too. The types of data that anyone with the right know-how could have stolen from the server are staggering in scope. Motherboard states the bucket included pictures, Facebook messages, text messages, recordings, contacts, and even location history.

All in all, the researcher who uncovered the data by simply looking for vulnerable Amazon servers says that he uncovered terabytes worth of data, including thousands of pictures and audio recordings with absolutely no encryption on them whatsoever. The individual was even able to retrieve a specific photo taken by a Motherboard reporter as proof of his ability to explore the contents of the private folder. According to his estimates, nearly four thousand tracked phones had their data dumped into the folder, and a quick analysis of it all yielded nearly 50,000 unique and valid email addresses, too.

The story gets worse. The researcher continued to poke around in Spyfone’s online presence, ultimately discovering that he could access their private employees-only websites with almost no effort. They didn’t even have a password set up to protect them from unwanted visitors! In no time, the researcher (who asked to remain anonymous, fearing legal action for his explorations) created an administrator-level account for himself and gained access to even more customer information.

Spyfone’s response to all this? An unusually unguarded expression of relief that a researcher had found the problems first, and not the bad guys — and a generic statement that they would partner up with security firms to analyze and fix their problems. In other words, it’s another case of closing the barn door after the horse has already left. The reality is, though, software like this brings with it a host of problems, both technological and philosophical.

In general, we don’t recommend using this type of software; while some may begin with good intentions, the very name of the company itself, Spyfone, seems to indicate this isn’t exactly a product geared towards protecting children. Even when your aim is to protect your kids, spying on them like this may not be the best way to achieve your goals. The same goes for employers trying to monitor their employees. Reaching the point of installing spyware willingly should probably be an indicator all its own that there are much bigger problems at play — and not problems that a piece of software is going to fix.

Even in cases where one could justify its use, we come up against the same issue we face when we discuss backdoors: a key that works for the good guys can work for the bad guys, too. Do you really want to trust your or someone else’s private information to a company like Spyfone, which simply leaves the door wide open for all to come and see?

That doesn’t mean parents have no options when it comes to watching out for their kids online, though. In fact, we’ve discussed it before: it’s available back at Checklist 24: 5 Things to Know About Child-Proofing Your Kid’s iPhone. We encourage you to head back and check out what we had to say about these spyware programs already, and what you can do to make the world of mobile browsing a bit safer for your kids.

That will do it for this week’s discussion, but you can count on us being back again next week. As we finally start to leave the summer behind and turn our attention towards the autumn, it’s a certainty that we’ll see plenty of new issues and stories cropping up — and before you know it, the holidays and all their potential digital dangers will be upon us, too!
