Monday, February 19, 2018

About the Freedom Mobile Hack


MobileSyrup reported last week that an anonymous hacker published a very detailed post on Freedom Mobile's subreddit describing how they managed to access sensitive customer data on FreedomMobile.ca.

While this wasn't confirmed, let's stop and evaluate certain aspects of the hack from different sources.

The Code

According to the report, the hacker mentioned it only took them 23 lines of code:

Source: https://mobilesyrup.com/2018/02/12/freedom-mobile-security-breach/

The Login Widget

I took a quick look at the code. Let's review how one logs in on FreedomMobile.ca. This is their login screen:

Source: FreedomMobile.ca, Feb 15, 2018

Interesting, apart from the traditional username/password, we have Phone number / PIN. How does that work? Let's take a look.

Reviewing the Phone Number / PIN widget

I'm interested in this Phone number / PIN option because PINs are usually simple and are often the same ones used to unlock the device itself, so they should be numeric. Let's see what the source tells us:

From the screenshot we see that:
  • they're using Angular, which has its own flaws. Are they running the latest version?
  • some validation happens in the front-end (I hope they revalidate on the web server);
  • that specific validation is done using a regex (pinRegEx);
  • the min/max length is 4 chars (see the red box on the right);
  • the "PIN not valid" message on the left shows up for non-numeric chars.

So, a mobile number and 4 numeric chars. How complex can that be?
  • mobile numbers are public;
  • the PIN requires 4 numeric characters, so in total there are 10 ^ 4 = 10,000 possible combinations.

An attacker only has to guess among 10k combinations to get into your account.

Brute Force

So, knowing your phone number, it takes the hacker, in the worst case, only 10,000 guesses. And it can get better (for him, worse for you)!!! For example, if your PIN starts with 0 (zero), that's already down to 999 guesses in the worst case; if it starts with 00, 99 guesses.

That's not so hard to guess, right?

So I assume they have some sort of brute force prevention, like ASP.NET's RequestForgeryToken, and follow OWASP's CSRF Prevention guide. According to the "hacker":
Source: https://mobilesyrup.com/2018/02/12/freedom-mobile-security-breach/

No Brute Force

Sigh. No brute force prevention. No account lockout? No MFA? No alerts.
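As an added example (not Freedom Mobile's code, nor anything from the Reddit post), here is what a minimal server-side guard for such a phone/PIN login could look like in JavaScript: it revalidates the 4-digit format on the server, locks the account after a few failures, and shows how many guesses a sequential attempt gets before it is stopped. The phone number, PIN and thresholds are constructed values.

```javascript
// Added example: server-side login guard for a phone/PIN widget.
// Note: an anti-CSRF token does not limit guesses; only a lockout or
// rate limit does. Assumed: in-memory store, plaintext PIN for brevity
// (a real service would compare against a hashed PIN in a shared store).

const PIN_RE = /^\d{4}$/;          // same constraint as the front-end pinRegEx
const MAX_FAILURES = 5;            // failures allowed before lockout
const LOCKOUT_MS = 15 * 60 * 1000; // lockout window (15 minutes)

// Constructed sample account, not real data.
const accounts = new Map([
  ["4165550100", { pin: "7312", failures: 0, lockedUntil: 0 }],
]);

function recordFailure(acct, now) {
  acct.failures += 1;
  if (acct.failures >= MAX_FAILURES) {
    acct.lockedUntil = now + LOCKOUT_MS;
    acct.failures = 0; // next window starts fresh after the lockout expires
    // This is where an alert to the account owner / SIEM would be raised.
    return { ok: false, reason: "locked" };
  }
  return { ok: false, reason: "denied" };
}

function login(phone, pin, now = Date.now()) {
  const acct = accounts.get(phone);
  // One generic answer for unknown phone, bad format and wrong PIN.
  if (!acct) return { ok: false, reason: "denied" };
  if (now < acct.lockedUntil) return { ok: false, reason: "locked" };
  if (!PIN_RE.test(pin)) return recordFailure(acct, now); // server revalidates
  if (pin !== acct.pin) return recordFailure(acct, now);
  acct.failures = 0;
  return { ok: true, reason: "ok" };
}

// Walk PINs in order, as the post's 10,000-guess scenario assumes, and
// count how many attempts are processed before the lockout stops them.
function guessesUntilLock(phone, now = 0) {
  let tried = 0;
  for (let i = 0; i < 10000; i++) {
    tried += 1;
    if (login(phone, String(i).padStart(4, "0"), now).reason === "locked") break;
  }
  return tried; // 5 with the constants above
}
```

With 5 guesses per 15-minute window, covering all 10,000 PINs would take over 500 hours, and every window produces a lockout event that can be alerted on.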

As is common, the company ignores the issue, recites the corporate jargon and shifts the responsibility onto the users, as if a system based on 4-digit numeric PINs were secure enough:
“We continue to strongly encourage our customers to use unique PIN numbers that are not easy to guess, and to change their PINs frequently to best protect their personal account information.”

“meeting customer demands for a reasonable login process.”
Read more at MobileSyrup.com: Hacker uncovers Freedom Mobile customer login vulnerability

Shared Responsibility

Before we wrap up, there are two more things about this hack that we should add, the failing points:
  • who's responsible for the decision to simplify the login by using the phone/PIN widget?
  • who's responsible for not preventing brute force, with no lockout mechanism or alert on the login operation?

While I don't want to discuss who's responsible for what, I don't see the developers deciding how people should log in on the company's website. What was certainly missed is the ability to brute force such a crucial part of the application. It's definitely a shared responsibility.

Conclusion

So, even if we assume that the hack didn't happen, 10k combinations without any sort of cross-site request forgery protection is not acceptable.

That's certainly how not to do security. Everyone loses when companies try to simplify security for their users but do it wrong, ignoring the most critical web application security risks.

See Also

Security and development: how much is being done?
Security is only as strong as the weakest link
The Laws of security
Privacy and Ethics
Integrated security vulnerability alerts on GitHub - Why it matters

References

/r/freedommobile - Security Breach
MobileSyrup - Hacker uncovers Freedom Mobile customer login vulnerability
Cross-site request forgery