Southwest Airlines iPhone App Unencrypted, Vulnerable To Eavesdroppers
New submitter davidstites writes "I am a masters computer science student at University of Colorado at Colorado Springs, and in November I performed a security audit of 230+ popular iOS applications because I wanted to know how secure apps on smartphones and tablets really are. I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines' iPhone app leaves a user's information vulnerable to hackers. When you log in to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain-text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hacker's dream! If a victim's credentials were captured, a hacker could use those credentials to log in to that particular account and they would have access to anything the victim would have access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victim's name." (Read on below for more details.)
davidstites continues: "This is not only obviously worrisome from the standpoint of a potential attacker fraudulently using a victim's account and credit card information, but also due to the possibility of terrorist threats in air travel.
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network. The probability that a Southwest passenger would log in to their account is also quite high since they have an entire terminal to themselves (C concourse). However, this could occur on any unencrypted or encrypted network.
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped.
I don't know how Southwest Airlines let this happen, but sometimes companies have to decide between security and the bottom line. Companies rush to get products out, the engineering dollars are not there to complete the project, so security falls to the back. Usually, security is not thought of as a benefit, until it fails.
I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability. Until the security flaw is fixed, the best solution is to not use the application.
A full list of applications with vulnerabilities can be found here. Additionally, some local NBC and ABC news stations and the Denver Post covered this story."
... because I'm just looking for someone else to blame, too. But there is this big WTF:
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network.
It doesn't have to be unencrypted to be free.
now we need to go OSS in diesel cars
It's a pain in the behind to distribute apps with encryption code (even if all your app does is use SSL!) on the app store.
You need to go through hoops registering with the US government for an export license for every app you publish. When we built our software, we got hit with these requirements and had to go through a bunch of paperwork that really slowed us down and gave us a headache, all because we only communicate with our web service via SSL.
It's ridiculous that there's no exemption for SSL usage on US export controls. It's just a pain in the ass for everyone in the process and you can't honestly claim that it prevents awfully dangerous tech from getting into the enemy's hands.
You are now free to have your identity stolen
Strictly from a non-technical, user's point of view, this stuff shouldn't happen precisely because of the app review process. That screening process is supposed to give the user the confidence that the app is going to be a good actor, and not do a bunch of stuff it's not supposed to. It essentially tells the user "trust Apple to keep a look out for you".
I don't expect to hear that a vetted app throws my login credentials out there in plain text for all to see. Things like this, along with finding out that iOS gives up my entire address book to an app without asking me first, leaves a bad taste in my mouth and makes me question that review process.
"We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
Yep. You can't even preconfigure a server with openssl and ssl enabled if it is sold outside of the U.S. Pretty funny huh?
Having to work for a living is the root of all evil.
You're interpreting it correctly. The rest of the world, including terrorists living in caves, are perfectly capable of implementing encryption on their own. And instead of helping or protecting Americans, so-called "export controls" are aimed squarely at the US populace. US companies are prevented from taking basic steps to protect online privacy for exactly the same reason that mild external threats are hyped and used as justification to strip other rights from US citizens -- the US is a fascist, occupation government with absolutely no regard for the rule of law.
"I assumed blithely that there were no elves out there in the darkness"
That's nothing. The very popular note taking app Evernote syncs in the clear.
I was going to use it to store my big list of passwords, bank account numbers, etc. Lucky for me, I checked it out using Wireshark - it syncs everything in the clear! Anybody on the WiFi network with a packet sniffer can see all your stuff!
I posted about this on my blog way back in 2009... http://nerdfever.com/?p=311
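Both the submission (a login POST to mobile.southwest.com in the clear) and the Evernote post above describe the same check: watch the client's outbound packets with Wireshark and see whether a secret is readable. The script below is an added example written for this thread, not code from the original posts or from either app, and it automates that check over raw TCP payloads. It skips anything that starts like a TLS record, parses the rest as HTTP/1.x, and reports passwords sent in a urlencoded form body, in a query string, or in a Basic-auth header (base64 is encoding, not encryption). The capture it runs over is constructed for the example; the hosts, paths and field names are assumptions, not the real apps' protocol.

```python
"""Flag credentials that cross the wire unencrypted.

Added example for this thread, not code from the original post or from any
app discussed in it. It mimics the Wireshark check the posters describe:
for each payload the client sends, report HTTP requests that carry a secret
in a form body, a query string, or a Basic-auth header. The sample capture
at the bottom is constructed; host names, paths and field names are assumed.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Form/query parameter names that usually carry a secret (assumed list).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "pin", "secret"}


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts like a TLS handshake record (content type
    0x16, version 0x03 0x00..0x04). Such traffic is encrypted, so skip it."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Returns None if the payload does not look like an HTTP request line."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def credential_names(query: str):
    """Parameter names in a urlencoded string that look like secrets."""
    return sorted(k for k in parse_qs(query, keep_blank_values=True)
                  if k.lower() in CREDENTIAL_FIELDS)


def find_plaintext_credentials(payload: bytes):
    """Return a list of (kind, host, field) for every secret sent in the clear."""
    findings = []
    if is_tls_record(payload):
        return findings                      # encrypted; nothing to read
    request = parse_http_request(payload)
    if request is None:
        return findings                      # not HTTP; out of scope here
    _method, target, headers, body = request
    host = headers.get("host", "<no host header>")

    # 1. HTTP Basic auth: base64 of "user:password", readable by any sniffer.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            user = "<undecodable>"
        findings.append(("basic-auth", host, user))

    # 2. Secrets in the query string (these also land in server/proxy logs).
    for name in credential_names(urlsplit(target).query):
        findings.append(("query", host, name))

    # 3. Secrets in a urlencoded POST body, the usual login form shape.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name in credential_names(body.decode("latin-1")):
            findings.append(("form", host, name))
    return findings


def scan(payloads):
    """Run the check over every client-to-server payload in a capture."""
    return [f for p in payloads for f in find_plaintext_credentials(p)]


# Constructed sample capture (not real traffic; names are hypothetical).
SAMPLE_CAPTURE = [
    # Login POST over plain HTTP: username and password readable on the Wi-Fi.
    b"POST /login HTTP/1.1\r\nHost: mobile.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2",
    # The same login over TLS: only a ClientHello is visible, contents are opaque.
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    # A sync GET that leaks a PIN through the query string.
    b"GET /api/sync?user=bob&pin=1234 HTTP/1.1\r\nHost: notes.example.com\r\n\r\n",
    # Basic auth header: base64("carol:pw") is not encryption.
    b"GET /feed HTTP/1.1\r\nHost: api.example.com\r\nAuthorization: Basic Y2Fyb2w6cHc=\r\n\r\n",
    # Benign request carrying no credentials.
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for kind, host, field in scan(SAMPLE_CAPTURE):
        print(f"PLAINTEXT CREDENTIAL: {kind:10s} host={host} field={field}")
```

To use it against a real capture, feed `scan()` the reassembled client-to-server TCP payloads (for example exported from Wireshark or a pcap library); the TLS check is deliberately crude, since its only job is to separate "opaque" from "readable" before the HTTP parser looks at the bytes.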
Why make it public?
Because people using this app should know, since the company behind the app isn't doing shit to remedy what could be a serious problem.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Yeah, I know. Look at all the people using my credentials to log into Slashdot. And I get the blame for all the stupid 'In Soviet Russia' crap.
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security's 'No-Fly' list. If this person were able to capture a victim's credentials and create a fake ID, he could pass through TSA security without being stopped.
Oh, please. Fuck off with the fearmongering. Even the DHS knows that the threat of terrorism is a bunch of bullshit.
Not to mention the fact that the TSA has never stopped anything. Quadrupled boarding times, humiliated grannies, scared children, yes, but stopped anything? Oh wait, Ted Kennedy and Rand Paul. "Brillant!" [sic]
"Tongue tied and twisted, just an Earth bound misfit