Slashdot Mirror
More Holes Found in T-Mobile Website
mogwhat writes "Even though T-Mobile's website was decisively hacked into over a year ago by now (in)famous cracker Nick Jacobsen, a blog posting by computer security expert Jack Koziol details many serious security holes in various T-Mobile websites. You would think that T-Mobile would have paid attention the first time? Time to get a new cell phone provider!"
Can you pw*404*
Aaw crap. I guess he could.
I just find myself not caring. Great, another company has an insecure website. Can someone explain why this is a big deal?
Now the question is how the hell we get our company to switch after moving alllll of our crackberries to T-Mobile, and we are constantly having issues.
And with all of this privacy concern, what kind of liability does that put T-Mobile at when sensitive market data can be compromised? *SCARY*
Sorry man... the Internet pooped on me.
I wish I could switch to a provider that protects their "secured" website better than T-Mobile but they're the only company that provides the Sidekick II in the United States. And I can't really use other phones because of my hearing disability.
I hate the feeling of being trapped to one provider because they have something the others don't, even though they treat their customers like complete and utter shit. T-Mobile customer service leaves quite a lot to be desired.
"Black holes are where God divided by zero." - Steve Wright
Why is it that every time a Slashdot news story gets posted, a riducilousy inane comment or question has to be appended to the actual news item?
Could this be the lamest thing ever?
Time to get a new cell phone provider!
Because of their website?
I'm willing to bet that the guy in charge of coding the backend for their site is not the same guy setting up the telephone network.
________________________________________________
suwain_2
TMobile Customers should let TMobile know that we care about security issues on their website, and that we consider this to be very important for our continued relationship with them!
little known, but the Secret Service have jurisdiction over counterfeiting crimes
It's not a little known fact amongst people who follow the hacking/cracking/phreaking/carding scene, even loosely. Read the excellent book the hacker crackdown by Bruce Sterling for an informative account of what the SS does (and also does spectacularly wrong).
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I liked them when they were One2One. the service was (in my experience) decent and the adverts were interesting (as far as adverts go). then they because T mobile. what the fuck is T mobile? I get the mobile part, but T?
and when I'd want to top up my credit I'd have to listen to a 5 mins of crap about how they had changed for the better, before being told I had to now wait 30 mins for my top up to take affect instead of the almost-instant old way. yay for progress.
that was several years ago. I left them and never looked back.
Traditional Landline companies take customer privacy very seriously (at least the ones I worked for) but the new technologies - Mobility, cell, internet divisions/companies always seemed to be playing fast and loose with phone company policy. Very frustrating from the landline side of the house. Not that the landline divisions are much more secure but at least they generally have the right attitude to security.
The rock, the vulture, and the chain
From the latest CryptoGram by Bruce Schneier:
"T-Mobile suffered some bad press for its lousy security, nothing more. It'll spend some money improving its security, but it'll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers."
And I seriously doubt if the treatment of security would be or is any better from any of the other cellular carriers.
- SR
"God is a comedian playing to an audience too afraid to laugh." -- Voltaire
But i just finished compiling my embededd gentoo for it!
How do we know that Verizon, Sprint, AT&T or others are safe? T-Mobile should get hit with the liability for the identities of their violated customers, which would force them to tap their business liability insurance. That would force the other telcos insurance companies to force audits of them. We still wouldn't know whether we were protected, but it would be more likely. If a T-Mobile liability suit could find that T-Mobile violated its own published privacy policy, and held it accountable, that might force the other telcos down the same road, of honoring their own privacy policies. The same goes, of course, for all other personal info cachers, with their own toothless privacy policies. Until there's some serious consequences for lying about these responsibilities rather than backing them up, it's all wide open.
--
make install -not war
The problem is that there's no point [for Americans; there may be for people in other countries]. What, exactly, is getting a new cell phone provider going to do for you? It will punish T-mobile for not being careful with your data, which is deserved. But will it protect your data? Not really. Oh, if you use their data services you might prevent some eavesdropping or picture-stealing...or might not. T-Mobile got caught, but that doesn't mean the other services aren't having problems.
But it won't protect your personal data. That is out of your hands and has been for the last thirty years or so. Your personal information has already been given away or sold by ChoicePoint, the government, the credit bureaus, and everyone else. Your only option is to assume it's gone, check your credit report regularly, and hope someone isn't using your social security number. Identity theft isn't something you can do anything to prevent. You can only catch it in time, and then hope you can fix it. Despite all the rosy stories about how after 300 hours of work people managed to clear their names, there are real stories of people who don't get their money and credit ratings back. There simply haven't been any solid studies one way or the other -- it's all anecdotal.
No, I'm not fucking bitter at all.
What I say does not represent the views of my employers, my friends, my cats, or myself.
according to netcraft they are running win 2k for the server.
Evolution or ID?
The article says the site uses ASP, but that error message at the end sure looks like a Java stack trace to me.
Go ahead and waste your life with your inhibitions, just don't ruin other people's lives with your intolerances.
lets see, your network is so insecure that someone hacks into it using government accounts and steals private information from your company.
do you...
a) tighten your security on your network so it doesnt happen again
b) appoligize and place it on your "things to do" list or
c) dont change a damn thing but pay snoop dog and company mega bucks to advertise your new sidekick II?
if your t-mobile then c is the correct answer!
Good Karma, Bad Karma, doesnt matter to me... I'm still going to say whats on my mind!
If you try to go to their webmail, it chides you for not using a supported browser (Firefox 1.0 or Mozilla 1.7.3 for instance) and instead insists that you use an IE based browser and is actually broken in Gecko based browsers. It also has the feel of a crappy, thrown together site.
I read the internet for the articles.
Get More... Of other people's data... ;)
"Nature bats last..."
From a technical standpoint, you are correct. Legally, though, cellular phones are afforded the same protection as landlines. Cordless phones, however, are not. At least, that is my understanding.
"Sometimes a man's gotta do what a woman wouldn't consider." - Red Green
Sure pwning the network through their website doesn't help but you shouldn't be talking company secrets over a cell (for example) and not expecting someone, somewhere, to be able to hear you.
DAMN YOU OCTODOG! DAMN YOU TO HELL!
Anybody fooling enough to assume that material posted to a t-mobile website is SECURE pretty deserves whatever they get...
I've abandoned my search for truth; now I'm just looking for some useful delusions.
This is why I believe that phone should stay a phone, and not be a smart phone. I can't wait for the audio XXX spam. I want to see people's faces when their phone starts moaning like a wet whore in heat.
T-Mobile use GSM.
Soooooo........how does your digital scanner breal the encryption?
Encryption in the GSM network utilizes a Challenge/Response mechanism.
The Mobile Station (MS) signs into the network.
The Mobile Services Switching Center (MSC) requests 5 triples from the Home Location Register (HLR).
The Home Location Register creates five triples utilizing the A8 algorithm. These five triples each contain:
A 128-bit random challenge (RAND)
A 32-bit matching Signed Response (SRES)
A 64-bit ciphering key used as a Session Key (Kc).
The Home Location Register sends the Mobile Services Switching Center the five triples.
The Mobile Services Switching Center sends the random challenge from the first triple to the Base Transceiver Station (BTS).
The Base Transceiver Station sends the random challenge from the first triple to the Mobile Station.
The Mobile Station receives the random challenge from the Base Transceiver Station and encrypts it with the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station utilizing the A3 algorithm.
The Mobile Station sends the Signed Response to the Base Transceiver Station.
The Base Transceiver Station sends the Signed Response to the Mobile Services Switching Center.
The Mobile Services Switching Center verifies the Signed Response.
The Mobile Station generates a Session Key (Kc) utilizing the A8 algorithm, the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station, and the random challenge received from the Base Transceiver Station.
The Mobile Station sends the Session Key (Kc) to the Base Transceiver Station.
The Mobile Services Switching Center sends the Session Key (Kc) to the Base Transceiver Station.
The Base Transceiver Station receives the Session Key (Kc) from the Mobile Services Switching Center.
The Base Transceiver Station receives the Session Key (Kc) from the Mobile Station.
The Base Transceiver Station verifies the Session Keys from the Mobile Station and the Mobile Services switching Center.
The A5 algorithm is initialized with the Session Key (Kc) and the number of the frame to be encrypted.
Over-the-air communication channel between the Mobile Station and Base Transceiver Station can now be encrypted utilizing the A5 algorithm.
We can make the login page say "I like cheese" and cause server errors. Wee. These aren't holes so much as simple bugs, unless someone can point to a definite way to, say, log in as any user without a password, or get a list of account numbers, or something besides making the login form display some silly phrase.
Another statement the article makes is that the text bug "could be used in a phishing attack on T-Mobile customers, especially if you hex encoded portions of the URL." How? Wouldn't any phishing attack involve making the form submit to some place besides the official website? Doing so much as trying to insert an HTML tag produces a server error (which, I'm guessing, is intentional), so it wouldn't even be possible to close the form and open a new one in its place that submits to a rogue site.
Bears don't normally eat things that talk and move backwards.
So I'm sitting in a doughnut shop near Grand Ave in Oakland and there is apparently a T-Mobile store next door. Not knowing this at the time I turn on my wireless to see if I can score some free internet...and I get an open connection. After my internetting is done I peek at Network neighborhood (because I'm always curious to see *how* open someone's internet connection is) and Voila! I get direct access to the T-mobile store's *two* servers next door. OK, it wasn't exactly direct. I had to use my enormous hacking skills to put in a username of "Administrator" with a *blank* password when I tried to connect to the server). Bingo - direct access to ALL T-mobile business info *including* completed and pending credit info.
This is not a troll or a joke - it really happenned. I *like* T-mobile's phones...but their lack of security (well at least that one store's security anyway) scares me.
It seems that you know more than I, but I was pretty sure you could listen in. It would be illegal, I am sure it isn't that difficult to break if someone cared enough. I don't have a digital scanner and the Feds have made illegal to manufacture one for civilian use that allows you to recieve cell phone ranges and the mirrored ranges so legally you can't unless you have one from several years back. I'd be more worried about my social security number and all my information getting stolen than someone listening to my conversation. With enought time and motivation anything is possible right, well maybe not anything, but listening to random cell conversations I'm sure could be.
Someone care to explain?
Since this is a Java exception I can't think of a way to exploit it. I happen to write Java web frontends on a daily basis and some of the pages will throw exceptions if fed malformed parameters. Where is the problem?
Of course we usually mask the exception by some generic error page and log the stacktrace somewhere else but still I don't see where having the stacktrace could help someone break into the system.
A couple of days ago some ne'rdowell got a hold of my credit card number and started buying italian airline tickets with it. Fortunately, my credit card company noticed and gave me a call.
T-mobile is about the only website I give my credit card number to. Could their weak system be the culprit? I don't know enough about hacking to know if this is possible, but it seems like quite a coincidence...
https://my.t-mobile.com/Login/?rc=*yawn*
all at the same time. I switched from T-Mobile about a month ago. I could care less about pictures, phone calls or text messages. I hardly use text and haven't owned a camera phone ...
My only question is whether or not access has been gained on a large enough scale to SSN's and other personal data.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
OK, this isn't a crack per se, and likely even more illegal -- but in my area at least, the digital stuff goes down occasionally and everyone with multi-mode phones automatically switch back to AMPS. Doesn't seem like it'd be too hard to force digital down intentionally with some willful interference.
Only the nerds among us are going to see the AMPS icon lit and think "oh, I better not say anything secret."
guess I should have used the preview button.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
Yes you can break the encryption, but it is not totally trivial. Can the government do it? Yes. Could you build a scanner to do this ? Possibly. I suspect that governments DO NOT want strong encryption on mobile calls.
i have them as a cellphone provider right now.
i chose them because of their inexpensive data rates and being the first on the market with the hp6315 ipaq phone. however they end up charging you minutes for calls that you don't answer and so many other miscellaneous things that i've already paid them the money to cancel my contract.
can one of you cell phone providers not suck?
Not a handheld scanner. Note the size of the disks - you will accumulate a lot of data. Yes you can break ANYTHING with enough time, but my point here is that GSM traffic is not easily intercetpted by script kiddies. Note that first you need a certain amount of data to retreive the key. This leads to post processing not real time. Many people suspect that past releases of Princess Diana mobile phones conversations were done by MI5. There is not much eveidence I have seen of people building GSM "scanners". But yes it can be done. Of course governments and script writers for "24" have such scanners.
Thankfully Europe has no AMPS. Only GSM.
http://www.cgisecurity.com/articles/xss-faq.shtml
I've been reading slashdot stories about USian mobile providers for a while and i still don't understand.
Whats this thing that i had to sign up with provider X because i want a phone Y?
So tell me what's the catch - is there no way to just buy a phone from the shop and sign a service contract with them? Do you have to rent it from your connection provider? Or lease it?
Why don't you just buy the phone you like and choose the provider you like?
In europe - where i'm from - it works like this: If you're not piss-poor, you buy a phone you want and choose a provider you like. If you're piss-poor, you sign some crappy contract with provider for some set time and they lease you a phone with some 200% markup.
Here excellent nokia models (400h standby time) start from about $80 here and will last for about 5 years at least- so surely it can't be the money issue...
http://www.cgisecurity.com/questions/sql.shtml
T-Mobile go to great pains to publish a privacy policy which claims they use industry standard practices such as SSL to protect private customer data, yet, when one tries to get customer support via their website they *require* your social security number on a non-SSL encrypted page.
If you make one up because the question is fairly general (like "when will Danger's servers come back up so I can get email again, I've been watching the 2 dot dance for 12 hours now") they will refuse to answer it and request your 'social' via email (also unencrypted).
After 12 round trip emails (I should stick them on my web site, they are fairly classic) it is clear they realize they have a privacy policy but they refuse to follow it.
I'm not surprised with the attitude and general ignorance I've encountered so far that they're having problems of a more serious nature.
Offtopic rant:
I've had my Sidekick Color for 1.5 yrs or so and the service has gone way downhill in the last 3-4 months or so. The connection to Danger's servers via GPRS is snappy, but it can take their server 1-2mins to fetch a web page and render it down (say, slashdot) -- even with images turned off.
Email also recently has gone suck: it used to be your email was pushed to the handheld realtime and you could read it when out of range, now it only pulls the email down when you open the email app and try to read (meaning you can't read email when out of range and have to wait for downloads when in range, which is quite slow due to the overloaded servers).
Overall my satisfaction with them has just about dipped to the point its worth buying new cell phones/pda's and finding another GPRS carrier. I think I'm stuck with a Palm thing though if I want to keep ssh over gprs (which I use a lot).
Asp.net 1.1 by default blocks the submission of form variables that contain html tags. Thats the error you get back, the developers didn't even bother to check it themselves. This check didn't exists in version 1.0 which makes me wonder how old this page is. But due to the stupidity of web developers, Microsoft added it.
Have you ever been to a turkish prison?
Um, and all this means what? That with thousands of dollars of equipment and a few phd's working on it, you may be able to listen to a person's cell call? Of course it's not secure, Bush's pals have plenty of backdoors in... if they make it easy, it's more plausibly deniable.
www.InGratia.org - Gratitude, Memorials and Giving
That last line should be:
A system in which an attacker can only cause a failure of which one party will be notified is more secure than a system in which an attacker can cause a failure of which neither party is notified.
Numerous reasons the US wireless telecom industry sucks.
The main reason for what you're seeing, though, is that unlike Europe, we have several competing standards. GSM is finally starting to spread, but additional standards are still common.
So 1: your phone has to match your network standard. If you're not using a GSM provider, you're pretty much left with nowhere but the provider (or an authorized reseller, which just sells the same phones anyway) to buy a phone. And even if you could buy a phone elsewhere for a non-GSM network, it would still have to be programmed by your provider to work.
1a: Not all GSM providers are using the same frequency. And in the case of Cingular, they're not even always using the same frequency across their entire service area.
2: Providers are all over exclusivity contracts. Cingular, for example, is the only provider that can offer the Motorola RAZR V3. When Cingular merged with AT&T, Sony-Ericsson phones mysteriously disappeared from the other providers. In some cases, the manufacturer is still able to offer the phone unlocked and without activation to the general public. But...
3: Unlocked phone prices are outrageous. The US providers heavily subsidize the phones they sell (and SIM lock them). Without activation, the RAZR V3 is $600. With activation, it's $260. Prices for other phones are similarly disparate. Nokia's N-Gage runs $200 unlocked. Up until recently, you could get it for between $0 and -$150 (you made $150 by buying the phone) if you shopped around and signed into a new contract. And all this is assuming you can find a handset that's offered unlocked and without a plan. Most models simply aren't available that way. (For reference, the cheapest handset Nokia offers here "handset only" is $130.)
You buy the phone, you pay for the service, and unless you want to hemorrhage at the wallet, you select from the phones offered by your provider.
I and many others wish the wireless here was more like it is in Europe, but we're damn well screwed in the mean time.
i recall that at least 4 types of radio transmissions are illegal to intercept: cell phone calls, point-to-point microwave links ... and i forget the other two.
The bottom line is that a corporation T-Mobile or otherwise should perform due diligence to protect its customers from security threats. Period. Especially in terms of information involving personal information, and /or credit cards etc. T-Mobile and like companies should be compelled to pay its customers for each security breach.
Hit them in the balance sheet.
We'll never see this happen in the U.S. though because it will cost companies' money.
Dood they are Germans, they got better things to do like dance and touch monkeys.
T-Mobile Anyone Minutes
*yawn*
When I signed up to T-Mobile. They were VoiceStream at the time. There was a huge flaw. To to create an account they would SMS the password to your phone AND show it in a popup dialog on screen. It looked like some debug code made it to production. I had fun all weekended playing with peoples accounts.
Since then I have assumed there security was very bottom rung.
http://img.prod1.dngr.net/img/voicestream/componen ts/header/prepay_masthead.bmp
That's pretty sad when the web developer doesn't even know how to create a basic website correctly. I only noticed this because when pages load, BMP's load from the bottom up, not top down because the format is backwards.
In this case it is not up to the compay but up to the GSM organization, since in a encrpted cnversation the stream transits many manufactures equipment, it is not just the SIM or the phone.... Of course governments are listening if they choose. Our only security of the vast amounts of raw data that they have to sift. My mother is a left wing protester, so when I call het I always use nasty keywords to attract the keyword searches ( Ossama Ossama Bomb Bomb etc). I remember a case where a couple wanted to "fix" their car, and in a private exchange refered to "lets do the bitch tonight". This was intercepted by their employer and he called the police and they were arrested falsely. Sadly nothing is private anymore unless you are a mute who lives in a Faraday cage ( so they can't listen to your thoughts)
It's funny that the so-called security expert can't tell the difference between sites running on IIS and on servlet containers.
His very last example exploit showed clearly that the support.t-mobile.com site was in fact running on Resin, and the NumberFormatException indicates that at least in this case, the input parameters were being validated. You should notice that there is not a single class in the stack trace from a JDBC driver, and that the parameter was being converted to an integer. Hence no danger of an SQL injection attack. I'm not saying that it was handled 100% correctly by the app's programmer -- you should never let the user see that kind of error page. In any case, I would honestly expect that an expert such as the author of that article would have at least a little experience writing servlet-based apps and knowlege of how to read a Java stack trace.
I'll probably be kicked from slashdot, since I violated its code of conduct by actually reading the article, but since when is a java parseInt Exception an SQL Injection opportunity?
In fact, the parseInt may protect the SQL from being manipulated. Likewise with the script tag injection. He tries it, it doesn't work. Admittely there is no nice errors message, but it still doesn't work.
This is just a tailgating article.
I'm still trying to figure out what people mean by 'social skills' here.
Very likely I am wrong, and they do use alternative or additional measures...and maybe it was a personal account that was handled. But in the age of Homeland Security and all that, I am left with curiosity.
I took this as a que to scan some of the local providers.. Be very afraid..
Privacy is a myth anyways, get over it.
"A learning experience is one of those things that says, 'You know that thing you just did? Don't do that.'" - DNA