Another authentication bypass in public Wi-Fi networks

There have already been several articles on this topic ("How to bypass SMS identification when connecting to public Wi-Fi networks?" and "And again: do not use public Wi-Fi"), but new authorization methods keep appearing, so it is time to talk about it again. Recently, in a Moscow cafe, I came across an unfamiliar way of logging in to the network. I immediately wanted to check whether this authorization can be circumvented, and how it threatens ordinary people.

Verifying the identity of anyone connecting to a public Wi-Fi network is a legal requirement in Russia. There are several ways to do it; the most popular are entering a code received by SMS or entering the last digits of the phone number from which an incoming call was received. This cafe, however, used the authorization provided by the wifi-way.ru service, which works a little differently: the user is asked to enter their phone number and then place a call from it to the service's number. Once the call is connected, the service drops it and the user is authorized.

This looks convenient: the company spends nothing on sending SMS messages; it only needs to buy a phone number and track incoming calls. However, there is at least one serious pitfall: calls can be placed with a substituted caller number.

Mobile networks as currently built allow a call to be originated with an arbitrary Caller ID (the caller's phone number), so the called party sees a call from the substituted number. This is because mobile networks are built on trust between operators. The details are beyond the scope of this article; it is enough to mention that such calls can be made either by spending a long time in PBX settings or by using one of the services for calls with number substitution, plus a bit of "magic" to reach Russian numbers.

The "extremely complicated" authorization bypass looks like this:

1. Connect to the network
2. Enter a phone number
3. Call the service with the Caller ID substituted to the number from step 2

This seems a rather complicated way to get Internet access; it is easier to buy a SIM card without a passport if you do not want to give your phone number to such companies (they also sell the numbers to the owners of establishments, welcome to the world of potential spam). But the main point is not Internet access itself but access using someone else's phone number. The two previous articles described ways to take over existing "session" connections, so you could simply avoid public Wi-Fi and live in peace. In this case, the attacker can specify any phone number, post a call for extremism or the work of Japanese artists somewhere, and then it all comes down to luck.

If a foreign, non-existent or "elite" number was used, nobody will suffer, although the company may get many interesting questions about why it has this number in its database. But if they use and sell this authorization method, they are clearly ready for that.

But if the official owner of the number lives in this city, things get much more interesting. Possibly the only chance is to convince the investigators and the court to check the mobile operator's logs for whether the call was actually made from the subscriber's SIM card. Even that alone can cost a great deal of time and effort.

Another interesting point is that the owner of the number cannot find out that their number was used for authorization: they receive no suspicious message with a code and no call from an unknown number. In the worst case, an investigator will tell them.

I wrote to the wifi-way.ru mailbox to find out what they think about it. The answer was as expected: they know about the possibility of number substitution, and the system will store the number that came from the mobile network.

It is difficult to add anything to this; I can only wish everyone good luck and happy phone numbers that attackers will not use for authorization.
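To make the weak point concrete, here is an added model (my own illustration, not wifi-way.ru's code, whose real implementation is not known) of the call-back authorization described above, next to the SMS-code flow for comparison. The telephony side is simulated: place_call() is a constructed stand-in for the operator, the phone numbers and MAC addresses are constructed values, and the two logs show what the operator's records contain versus what the service itself stores.

```python
# Added model (not wifi-way.ru's code) of the call-back authorization described in the
# article, side by side with an SMS-code flow. The telephony side is simulated:
# place_call() is a constructed stand-in for the mobile operator.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    client_mac: str
    declared_number: str
    authorized_as: Optional[str] = None


class CallbackAuthService:
    """Call-back flow: the client types a number, then calls the service number.
    The service authorizes the pending session whose declared number equals the
    Caller ID presented on the incoming call. That Caller ID is the only evidence."""

    def __init__(self) -> None:
        self.pending: dict[str, Session] = {}   # declared number -> session
        self.audit_log: list[tuple] = []         # what the service itself stores

    def start(self, client_mac: str, declared_number: str) -> Session:
        session = Session(client_mac, declared_number)
        self.pending[declared_number] = session
        return session

    def on_incoming_call(self, presented_caller_id: str) -> Optional[Session]:
        # The service never learns which SIM originated the call; it only sees the
        # number the originating network chose to present, and that is what it logs.
        self.audit_log.append(("call", presented_caller_id))
        session = self.pending.pop(presented_caller_id, None)
        if session is not None:
            session.authorized_as = presented_caller_id
            self.audit_log.append(("authorized", session.client_mac, presented_caller_id))
        return session


def place_call(operator_log: list, service: CallbackAuthService,
               presented: str, originating_sim: str) -> Optional[Session]:
    """Constructed stand-in for the mobile network. The operator records both the
    presented Caller ID and the SIM that actually originated the call; only the
    presented value is forwarded to the called service."""
    operator_log.append({"presented": presented, "originating_sim": originating_sim})
    return service.on_incoming_call(presented)


class SmsCodeAuthService:
    """SMS-code flow for comparison: possession is proven by returning a secret that
    was delivered to the declared number, so a presented Caller ID plays no role."""

    def __init__(self, deliver_sms) -> None:
        self.deliver_sms = deliver_sms                     # callable(number, text)
        self.pending: dict[str, tuple[str, str]] = {}     # client_mac -> (number, code)

    def start(self, client_mac: str, declared_number: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[client_mac] = (declared_number, code)
        self.deliver_sms(declared_number, code)

    def confirm(self, client_mac: str, code: str) -> Optional[str]:
        declared, expected = self.pending.get(client_mac, (None, None))
        if expected is None or not secrets.compare_digest(code, expected):
            return None
        del self.pending[client_mac]
        return declared


def demo_callback_flow():
    """A session declared under number_a is authorized by a call that the operator
    knows came from sim_b, and the service's own log never mentions sim_b."""
    number_a, sim_b = "+70000000001", "+70000000099"   # constructed, not real numbers
    service, operator_log = CallbackAuthService(), []
    service.start("aa:bb:cc:dd:ee:01", number_a)
    session = place_call(operator_log, service, presented=number_a, originating_sim=sim_b)
    service_knows_sim_b = any(sim_b in entry for entry in service.audit_log)
    return session, operator_log, service_knows_sim_b


def demo_sms_flow():
    """The code reaches the declared number's inbox; only its holder can finish."""
    inbox: dict[str, list[str]] = {}
    service = SmsCodeAuthService(lambda number, text: inbox.setdefault(number, []).append(text))
    service.start("aa:bb:cc:dd:ee:02", "+70000000001")
    code = inbox["+70000000001"][0]
    return service.confirm("aa:bb:cc:dd:ee:02", "12345"), service.confirm("aa:bb:cc:dd:ee:02", code)


if __name__ == "__main__":
    session, operator_log, leaked = demo_callback_flow()
    print("authorized as:", session.authorized_as, "| operator saw:", operator_log[0])
    print("service log mentions originating SIM:", leaked)
    print("sms flow (wrong code, right code):", demo_sms_flow())
```

The point of the two logs is the one the article makes about investigations: only the operator's records can show which SIM actually placed the call, while the service stores exactly the presented number, so its own data cannot distinguish the owner of the number from anyone who presented it.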

A deeply personal opinion about the responsibility of companies for the safety of people (not users)

Companies should be clearly separated depending on whether they work only with their own users or with an unlimited circle of people. If the service is offered only to those who have registered and accepted an agreement along the lines of "We don't do security, we use leaky technologies, hacking is possible, welcome to the club of humiliation lovers", then the company has every right not to fix vulnerabilities and potential problems. In some cases they can still be punished by law, but that is another story.

However, there are other companies: if vulnerabilities in their services are exploited, anyone can suffer, even someone who never used the service. This includes government services, the paid subscriptions cursed by many, and systems for authorization in public networks. Although I have not heard of anyone being punished because calls for extremism were posted on their behalf through public networks, attacks were carried out on some systems or, worst of all, the works of Japanese artists were published, I absolutely cannot guarantee that this will not happen, leaving the victim to make excuses.

Therefore, I am convinced that companies whose actions or omissions may affect those who have not concluded an agreement with them should either use the safest technologies available or be punished by society. Unfortunately, one should not forget people's inertia and their readiness to ignore all security problems until those problems touch them personally. This shows companies that they can disregard everyone's safety: people will make a fuss and forget in a couple of days. But that is a topic for a separate sad article.
