Slashdot Mirror
Southwest Airlines iPhone App Unencrypted, Vulnerable To Eavesdroppers
New submitter davidstites writes "I am a masters computer science student at University of Colorado at Colorado Springs, and in November I performed a security audit of 230+ popular iOS applications because I wanted to know how secure apps on smartphones and tablets really are. I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines' iPhone app leaves a user's information vulnerable to hackers. When you login to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain-text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hackers dream! If a victims credentials were captured, a hacker could use those credentials to login to that particular account and they would have access to anything the victim would have access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victims name." (Read on below for more details.)
davidstites continues: "This not only obviously worrisome from the standpoint of a potential attacker fraudulently using a victims account and credit card information, but also due to the possibility of terrorist threats in air travel.
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network. The probability that a Southwest passenger would login to their account is also quite high since they have an entire terminal to themselves (C concourse). However, this could occur on any unencrypted or encrypted network.
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped.
I don't know how Southwest Airlines let this happen, but sometimes companies have to decide between security and the bottom line. Companies rush to get products out, the engineering dollars are not there to complete the project, so security falls to the back. Usually, security is not thought of as a benefit, until it fails.
I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability. Until the security flaw is fixed, the best solution is to not use the application.
A full list of applications with vulnerabilities can be found here. Additionally, some local NBC and ABC news stations and the Denver Post covered this story."
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network. The probability that a Southwest passenger would login to their account is also quite high since they have an entire terminal to themselves (C concourse). However, this could occur on any unencrypted or encrypted network.
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped.
I don't know how Southwest Airlines let this happen, but sometimes companies have to decide between security and the bottom line. Companies rush to get products out, the engineering dollars are not there to complete the project, so security falls to the back. Usually, security is not thought of as a benefit, until it fails.
I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability. Until the security flaw is fixed, the best solution is to not use the application.
A full list of applications with vulnerabilities can be found here. Additionally, some local NBC and ABC news stations and the Denver Post covered this story."
So "Rapid Rewards" becomes "Raped Rewards". So it goes.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
... because I'm just looking for someone else to blame, too. But there is this big WTF:
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network.
It doesn't have to be unencrypted to be free.
now we need to go OSS in diesel cars
It's a pain in the behind to distribute apps with encryption code (even if all your app does is use SSL!) on the app store.
You need to go through hoops registering with the US government for an export license for every app you publish. When we built our software, we got hit with these requirements and had to go through a bunch of paperwork that really slowed us down and gave us a headache all because we communicate with only communicate with our web service via SSL.
It's ridiculous that there's no exemption for SSL usage on US export controls. It's just a pain in the ass for everyone in the process and you can't honestly claim that it prevents awfully dangerous tech from getting into the enemy's hands.
You are now free to have your identity stolen
Strictly from a non-technical, user's point of view, this stuff shouldn't happen precicely because of the app review process. That screening process is supposed to give the user the confidence that the app is going to be a good actor, and not do a bunch of stuff its not supposed to. It essentially tells the user "trust Apple to keep a look out for you".
I don't expect to hear that a vetted app throws my login credentials out there in plain text for all to see. Things like this, along with finding out that iOS gives up my entire address book to an app without asking me first, leaves a bad taste in my mouth and makes me question that review process.
"We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
Does the operating system not provide the SSL libraries? Or do you actually have to code the encryption routines into each application on iOS?
I would have thought the export restrictions would only apply to the SSL libraries, not the application that uses them.
There is an exemption for Free Software. I agree that the controls are asinine, though.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Yep. You can't even preconfigure a server with openssl and ssl enabled if it is sold outside of the U.S. Pretty funny huh?
Having to work for a living is the root of all evil.
a ton of programs and websites transmit your stuff in clear text. this isnt new.
This may be true, but cannot be considered an acceptable excuse for a multibillion dollar corporation like Southwest.
And to get back to OP's findings...I hesitate to downplay this since it's fundamentally bad security, and I love a good public flogging as much as the next security nerd, but calling this "shocking" and speculating on how it could facilitate terrorism is a little bit extra.
You're interpreting it correctly. The rest of the world, including terrorists living in caves, are perfectly capable of implementing encryption on their own. And instead of helping or protecting Americans, so-called "export controls" are aimed squarely at the US populace. US companies are prevented from taking basic steps to protect online privacy for exactly the same reason that mild external threats are hyped and used as justification to strip other rights from US citizens -- the US is a fascist, occupation government with absolutely no regard for the rule of law.
"I assumed blithely that there were no elves out there in the darkness"
>> This situation is a hackers dream!
No, not really. A hackers dream usually involves a game of Global Thermonuclear War or a nice game of Chess.
There is no economic incentive for them to build security into the app. Until we have mandatory fines for shit like this, it means nothing.
Southwest needs to recoup money lost from free checked bags, so they will now start to charge you to keep your data secure. The board meeting where they decided this was a doozy.
Silence is a state of mime.
That's nothing. The very popular note taking app Evernote syncs in the clear.
I was going to use it to store my big list of passwords, bank account numbers, etc. Lucky for me, I checked it out using Wireshark - it syncs everything in the clear! Anybody on the WiFi network with a packet sniffer can see all your stuff!
I posted about this on by blog way back in 2009... http://nerdfever.com/?p=311
Why make it public?
Because people using this app should know, since the company behind the app isn't doing shit to remedy what could be a serious problem.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
why not? Step one was tell the company, the company decided to not update the application which is a goldmine for hackers. He than has 2 options
prove it, by going to denver and stealing the information and seeing how far he can take it.
he can make it public, and by doing so southwest has 2 options, fix it and save face
face a lot of angry passengers as the script kiddies move in to start stealing information
have you seen my sig? there are many others like it but none that are the same
Just to check I'm interpreting this correctly: a well-defined algorithm in daily use across the globe is 'export controlled' if it happens to be implemented by a US company?
Yes. See the Electronic Code of Federal Regulations (eCFR), Part 774 (Commerce Control List), Category 5, Part 2 (Information Security).
What I do wonder with regards to SSL or TLS is if you can get away with using it as long as your limit the key length? Is it possible to limit key lengths used to encrypt the data traffic on an SSL or TLS connection?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
It seems that if you let the user transmit or receive encrypted data (even if it's just a login!) you need to get a license.
We use the built in iOS classes for HTTP requests that support SSL transparently. The US government still required us to register for export compliance. It's really senseless.
The only portion they encrypt is when you're entering your credit card number.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
My boss at the time told me to drop it, after he took them to dinner... told me a great story about it:
After discussing the issue over dinner, I dropped my credit card on the table to pay. The Southwest guy asked me "Do you know what you just did?"
I replied "I'm paying for our dinner!"
Southwest guy chuckles and said "you just handed your credit card to a 19 year old girl who probably has a crack head biker boyfriend waiting behind the restaurant to take your credit card number. Do you feel at risk?"
Boss man chuckles and said "not really, no"
Credit card companies take the heat when you expose CC info.
Not saying Southwest is right here, but there are security risks and business risks. If southwest thinks soaking the credit card companies vs spending money on something that isn't going to be on them in the first place makes sense, thats what they are going to do, and all the scary security talk in the world isn't going to change that.
Besides, evaluating an app isn't the same as looking at the entire process behind what goes on behind the curtain. Maybe the app is insecure with your account login info, but what does that actually get you if you log in as someone else? Your going to buy tickets under someone else's name, and not be able to use them because faking your ID to get on a plane now brings you to the attention of home land security ?
IMHO, app security will always be a joke, because it's an app. If your going to assume it's used in an uncontrolled environment, it shouldn't have access to sensitive information in the first place. So, not an 'app' issue, so much as poorly conceived workflow and architecture issue.
If a "hacker" can log in to your airline account and book a flight in your name, then all they need is to present a fake drivers license in your name to take the flight... and so once again we see that the TSA is actually only a ludicrous theatrical production being staged in Airports nationwide. Thanks for nothing.
if your life is such a big joke then why should I care?
They were lifted a decade ago as the web took off. True Korea and China still use activeX in any banking or ecom site but that is because users still use IE 6 so why bother changing to SSL? The same users still use IE because EBAY and their bank still require activeX because users still use it in a viscious cycle etc.
WTF? eBay requires ActiveX? Since when? I don't recall PayPal ever requiring installation of an ActiveX control, much less eBay. I really think you're spreading misinformation...
I suspect that he/she meant in South Korea. Until recently, IE6 had a ludicrously high (98.6%) market share there. This is because around a decade back they got tired of waiting for the improved version of SSL and designed their own encryption called SEED instead, which virtually all online commerce in the country used.
The Netscape SEED plugin was abandoned early on, leaving only the IE ActiveX SEED control supported. Hence everyone had to use IE. Since (for good security reasons), ActiveX use is more fiddly with later versions of IE, everyone there stuck with IE6.
Apparently this *has* started to change, and IE6's share has fallen drastically in the past 2 or 3 years, though IIRC it was still in the twentysomething percent range the last time I checked.
(Not sure what China has to do with it- SEED is pretty much only used in South Korea. Maybe the OP was getting confused)
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
Goddamnit /., this sucks:
"One of the most overlooked advantages to computers is... If they do foul up, there's no law against whacking them around a little. -- Joe Martin"
Computers don't "foul up". Computers do exactly what they're told to do, to a fault!
Go watch 2010:A Space Oddyssey again until you get it, damnit!
[Grumble, mumble, rassafrackin', jiggafriggin', ...]
"Tongue tied and twisted, just an Earth bound misfit
Chiming in here to agree with spac.
This is another annoying grey area with Apple's rules. When you submit an app to the App Store, it asks you if you use encryption, and if you do, you have to have an export license from the USA government. I don't believe there's anything that specifically addresses SSL/TLS in Apple's documentation. If you contact Apple, they usually tell you that you need a license for it, even if you use the features built into iOS. If you don't contact Apple and say that you don't use encryption, sometimes you can get through the approval process. I think it's a case of the Apple employees who you contact playing it safe while reviewers can be a bit sloppy.
I've personally been involved with an app that transmits personal information including GPS coordinates, names and telephone numbers, and it does so without using SSL/TLS for precisely this reason - the company wanted to release as quickly as possible without waiting to get an export license. I didn't like that, but unfortunately, the decision was out of my hands.
I think the best thing Apple could do, assuming that there is no way around the law, is to make it more clear to developers that this is required in their rules, to automatically scan apps for SSL/TLS use to reject apps without a license consistently, and to reject apps that don't use SSL/TLS to transmit personal information.
Bogtha Bogtha Bogtha
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped
Oh, please. Fuck off with the fearmongering. Even the DHS knows that the threat of terrorism is a bunch of bullshit.
Not to mention the fact that the TSA has never stopped anything. Quadrupled boarding times, humiliated grannies, scared children, yes, but stopped anything? Oh wait, Ted Kennedy and Rand Paul. "Brillant!" [sic]
"Tongue tied and twisted, just an Earth bound misfit
Evernote has encryption:
https://support.evernote.com/link/portal/16051/16058/Article/549/Overview-of-Encryption-in-Evernote
Of course then you have to decide if you trust them. Personally I use PGP to encrypt before I sync.
blindly antisocialist = antisocial