lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <411A8B3A.8040202@securescience.net>
Date: Wed, 11 Aug 2004 14:10:18 -0700
From: Secure Science Corporation Advisory Notice <bugtraq@...urescience.net>
To: bugtraq@...urityfocus.com
Subject: SSC Advisory TSA-051 (T-mobile wireless and Verizon Northwest)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Secure Science Corporation Advisory TSA-051
http://www.securescience.net
e-response@...urescience.net
877-570-0455

- ---------------------------------------------------------

T-mobile Wireless and Verizon Northwest are vulnerable to caller-ID
authentication spoofing, enabling arbitrary compromise of customer
voicemail/message center.

- ---------------------------------------------------------------------

Vulnerability Classification: Authentication bypass, remote compromise,
confidential information breach.

Discovery Date: July 09, 2004
Vendor Contacted: July 28, 2004
Advisory publication date: August 11, 2004


Abstract:
- ---------
T-mobile Wireless and Verizon Northwest (Washington state) grant
implicit trust to certain Caller-ID input for receiving voicemails and
accessing customer message preferences. Caller-ID spoofing allows
forgery of a calling number to the target number. When spoofing the
target number while calling T-mobile or Verizon Northwest, the target
trusts the CID to be accurate, bypassing the password response, and
allows direct access into the targets voicemail message center.

Description:
- ------------
During a recent demo with Caller-ID spoofing, a discovery was made when
spoofing the targets own number. When calling the target, and if they
did not pick up the call, the voice mail box would go into administrator
mode without verifying or authenticating a voice mail box passcode.
This confidential information breach is caused by the implicit trust of
Caller-ID as the sole authentication mechanism from the targets phone.

Particularly T-mobile is of greater concern, as it demonstrates when
dealing with the threat model of a lost or stolen phone, an arbitrary
entity can listen to the voicemail without authentication from the lost
or stolen phone. Most mobile carriers do trust the Caller-ID that is
displayed, but still ask for a passcode.

Verizon Northwest (formerly GTE) has the same vulnerability, excepting
that it is a landline carrier, not a mobile service.


Tested Vendors:
- ---------------
T-Mobile Wireless
Verizon Northwest

Suspected Vendors:
- ------------------
Multiple untested Telco vendors
Multiple Credit-Card activation protocols

Vendor and Patch Information:
- -----------------------------
Secure Science Corporation has made multiple attempts to contact the
vendors with no response.

Solution:
- ---------
Add 2-factor authentication (passcode requirement) by default and cease
implicit trust of Caller-ID information.

Credits:
- --------
Secure Science Corporation: Lance James, with many thanks to Samy Kamkar
and Dachb0den Labs.

Disclaimer:
- -----------
Secure Science Corporation is not responsible for the misuse of any of
the information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Secure Science Corporation products.
- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBGos4S5qPmxIxbpkRAhE8AJ936K8F1dfzcCGBHrJH0B4J1mcwiwCgtyBL
Z5HBN6+R9qVvt1k8tgAyPeI=
=yDLU
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ