Friday, February 22, 2008

JoikuSpot and MSISDN authentication

Some weeks ago a JoikuSpot application was launched - this is an application that allows users to turn their 3G/WIFI enabled terminals to WIFI hotspots. Application is currently in beta phase but it is still very usable; when you launch the application in your smartphone, you can connect to new Joiku hotspot with any WIFI enabled laptop, internet tablet, iPod Touch ... whatever you use. Nice and easy. 

For those who have been working with mobile applications know that user authentication is a big problem. Usernames and passwords are difficult to type with small keyboard, client-side certificates are not trivial to implement and so on. One solution that is used (if operator allows) is that user is authenticated with terminal's MSISDN. This is nice solution, because user is effectively authenticated with PIN code: if user can turn on the terminal, that identity is used when he opens a connection to back-end server. 

What you get if you combine JoikuSpot and MSISDN authentication? Security hole.

Today I tried this combination and result was just as expected. I installed Joiku to my terminal and let it publish a WIFI hotspot. Then I connected to that hotspot with a laptop and tried to access an MSISDN authenticated service. As you might guess, service authenticated me (or the Joiku terminal user) and let me in without any passwords asked.

Luckily this is quite difficult security hole to exploit. In order to do that following criteria must be met:
  • Joiku is running in a terminal that belongs to user who has access to MSISDN authenticated services
  • Attacker is close enough to connect to Joiku hotspot
  • Attacker knows which resource to access through the hotspot
Good news is also that Joiku people have announced that final version of Joiku will include WEP/WPA/WPA2 encryption. Hopefully all over 15.000 users who have downloaded Joiku will update when final version is available!

Update 25.2.2008
Just caught my mind that this same security hole applies also if somebody has Mobile VPN installed and connection opened from terminal to enterprise back-end systems. Then Joiku will publish this connection to everybody who is close enough, right? At the moment I don't have a VPN enabled device to verify this, but I can't see any reason why this wouldn't work. Scary.


No comments: