21 Feb 2009
Never Trust Clients
No, I’m not referring to those lovely people who give me money in return for pottering about with computers; that would be both unfounded and commercially suicidal. Here are some examples of systems making the mistake of trusting the client software that’s hooking into their network:
Unintentional Freedom of Information
In the late ’80s or early ’90s, British Telecom offered a service allowing businesses to connect via dial-up modem and do things like directory enquiries via their computers.
Unfortunately, their developers weren’t the most thorough when it came to security and the system leaked sensitive information. The crucial detail was that different error messages were displayed for finding no matches vs. finding restricted data. So you could look up restricted addresses (the example demonstrated by a journalist was finding Neil Kinnock’s London residence) by starting with a broad query (e.g. Neil Kinnock in London) and then progressively narrowing it down, using the error messages to know when you’re on the right track. BT initially denied there was a security hole until someone intelligent looked into it.
This issue often affects web sites’ authentication systems. If the login form (or password reissue form) displays different messages for login attempts with incorrect username and password vs. correct username and incorrect password then you’re allowing anyone to test whether a particular username (often an email address) is registered. This may not be considered a problem, but developers should be aware of the leakage.
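The login-form leak described above is easy to reproduce and just as easy to close. The following is an added example, not code from the original post: a deliberately leaky login handler beside a uniform one that returns the same message and does the same amount of password-hashing work whether the username exists or not, plus the check a developer can put in a test suite to catch the regression. The user store, the email address and the decoy hash are constructed here for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store: username -> (salt, PBKDF2 hash). Not from the post.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Decoy credentials used when the username is unknown, so the unknown-user
# path performs the same hashing work as the known-user path.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = _hash(secrets.token_hex(16), _DECOY_SALT)

GENERIC = "Incorrect username or password"


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The BT-style mistake: a different message for each failure reason."""
    if username not in USERS:
        return (False, "Unknown username")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "Incorrect password")
    return (True, "Welcome")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """One message for every failure, and equal work on both paths."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if username not in USERS:
        ok = False  # never authenticate against the decoy, whatever matched
    return (ok, "Welcome" if ok else GENERIC)


def message_leaks_username(login_fn) -> bool:
    """Regression check for a test suite: True if the failure message differs
    between a registered and an unregistered username."""
    _, known_msg = login_fn("alice@example.com", "wrong password")
    _, unknown_msg = login_fn("nobody@example.com", "wrong password")
    return known_msg != unknown_msg


if __name__ == "__main__":
    print("leaky handler leaks:", message_leaks_username(login_leaky))
    print("uniform handler leaks:", message_leaks_username(login_uniform))
```

The decoy hash matters as much as the wording: if the unknown-username branch returns early without hashing, response time becomes the oracle instead of the message. The same treatment applies to password-reset forms, which should acknowledge the request identically whether or not the address is on file.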
Unintentional Free Internet Access
Sometime around 1997 Pipex offered an introduction to their dial-up internet service via retail boxes containing software, a manual and username/password for getting 3 months of access (after which you had to phone up and subscribe via credit card). The software was a crude front-end that launched dial-up networking, the web browser and email, and alerted the user to how much time was left on their subscription.
Not wanting to bother with unnecessary software, some people simply entered the network settings manually if reinstalling their operating system, and discovered that expiry was only enforced by Pipex’s software. There were no checks at the other end, so if you didn’t have the software you could keep connecting long after your subscription had ended.
I’m not sure exactly when the packs were launched or when the gaping loophole was closed, but I think it was open for at least 18 months and I got the impression it was fairly widely exploited.
Unintentional Free Mobile Calls
BT Cellnet (now O2) had a fundamental flaw in its mobile network around the turn of the millennium. It seems that PAYG phones were themselves responsible for monitoring the top-up balance and disabling calling, an insane decision that resulted in the availability of chipped phones that could be endlessly topped up for free.
Eventually Cellnet noticed widespread fraud, sent out tactfully worded text messages to some fraudulent users pointing out that they might want to top up, and started disabling phones, but it must’ve been fairly costly overall.
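Both the Pipex and the Cellnet failures come down to the same thing: the server accepted the client's word for a value it should have owned itself. The following is an added example, not code from the original post or from either company, of the pattern that closes both holes: the server keeps the expiry date and the prepaid balance, decides every connection and every call from its own record, and treats anything the client asserts about its own state as a diagnostic hint at most. Account identifiers, balances, the tariff and the voucher code are all constructed here for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

RATE_PENCE_PER_MINUTE = 10        # constructed tariff
NOW = datetime(1999, 6, 1)        # constructed "current time" for the demo


@dataclass
class Account:
    # Authoritative state lives here, on the server. The client never writes it.
    expires_at: datetime
    balance_pence: int
    redeemed_vouchers: set = field(default_factory=set)


# Constructed sample accounts (not from the post).
ACCOUNTS = {
    "trial-user": Account(expires_at=datetime(1998, 1, 1), balance_pence=0),
    "payg-user": Account(expires_at=datetime(2100, 1, 1), balance_pence=120),
}

# Constructed single-use top-up vouchers: code -> value in pence.
VOUCHERS = {"ABC123": 500}


def authorise_connection(account_id: str, client_claims: dict, now: datetime) -> bool:
    """Pipex-style expiry check done at the dial-in end, not in the front-end.
    `client_claims` is whatever the client software says about itself; it is
    available for logging but plays no part in the decision."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return False
    return now < account.expires_at


def charge_call(account_id: str, minutes: int, client_balance: int, now: datetime) -> int:
    """Cellnet-style balance check: the network, not the handset, owns the balance.
    `client_balance` is the handset's opinion and is ignored. Returns the number
    of whole minutes actually granted, which may be fewer than requested."""
    account = ACCOUNTS.get(account_id)
    if account is None or now >= account.expires_at:
        return 0
    affordable = account.balance_pence // RATE_PENCE_PER_MINUTE
    granted = min(minutes, affordable)
    account.balance_pence -= granted * RATE_PENCE_PER_MINUTE
    return granted


def top_up(account_id: str, voucher_code: str):
    """A voucher credits the server-side balance exactly once. A second use of
    the same code, from any phone, is refused. Returns the new balance or None."""
    account = ACCOUNTS.get(account_id)
    if account is None or voucher_code not in VOUCHERS:
        return None
    if voucher_code in account.redeemed_vouchers:
        return None
    account.redeemed_vouchers.add(voucher_code)
    account.balance_pence += VOUCHERS[voucher_code]
    return account.balance_pence


if __name__ == "__main__":
    # The client claims it is still in its trial period; the server disagrees.
    print(authorise_connection("trial-user", {"days_left": 30}, NOW))   # False
    # The handset claims a huge balance; the server grants only what it holds.
    print(charge_call("payg-user", 30, 10**9, NOW))                      # 12
```

Nothing here is clever; the point is where the check runs. A client-side timer or balance display is a convenience for the user, and the server must be able to reach the same answer without it.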
Blunders like these happen when engineers either aren’t cautious and curious enough, or are overruled by managers who don’t understand the persistence and curiosity that leads to vulnerabilities being uncovered and exploited. It’s possible to be overly paranoid, but relying on people never tampering with their software or hardware is foolish.