Millions of Virgin Mobile accounts at risk of password attacks

A customer who cracked his password shows just how easy account takeovers are.

A policy enforced on customers of Virgin Mobile USA permits passwords no longer than six digits. That means there are only 1 million valid combinations.

Millions of cellphone users who subscribe to Virgin Mobile risk having their online accounts compromised because of a draconian password policy enforced by the US wireless provider, a software developer said.

Kevin Burke, a Virgin subscriber and a developer for cloud communications company Twilio, said the insecurity is the result of an authentication system customers must use when logging into their accounts on Virgin Mobile USA. Passwords must be all numbers and can be no longer than six digits, meaning there are no more than 1 million possible valid combinations. By contrast, allowing subscribers to use eight-character passwords that included numbers, capital and lower-case letters would yield 218.3 trillion—or 62^8—valid combinations.

That means all an attacker needs to access a Virgin account is an account holder's phone number, an Internet connection, and the ability to cycle through 1 million possible guesses. Once accessed, the account shows a history of calls and texts and allows attackers to make unauthorized changes and charges to the account holder.

To demonstrate the risk, Burke wrote a custom script that attempted to brute-force crack the password for his own Virgin Mobile account. He wanted to avoid putting any undue strain on the Virgin servers, so he limited the attack to one request per second for a few hours, or a little more than 10,000 requests in three hours. When he finally entered the correct combination, he logged in just fine.

"They didn't lock me out, throttle my IP, implement exponential backoff or any other techniques I expected they'd have in place," he told Ars in an e-mail. He said his script automatically cleared a browser cookie Virgin Mobile set after each login attempt. "Obviously, clearing your cookies gets around this issue—it's like Virgin asking me to tell them how many times I've failed to log in before."
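An added example, not from the article or from Burke's write-up: a server-side attempt limiter with the exponential backoff Burke expected to find, keyed by account and source IP rather than by a cookie the client controls. The class name, thresholds and delays are assumptions chosen for illustration.

```python
import time

class LoginThrottle:
    """Failed-login backoff whose state lives on the server, keyed by account
    and by source IP, so discarding cookies between attempts changes nothing."""

    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts  # failures tolerated with no delay
        self.base_delay = base_delay        # seconds; doubles on each further failure
        self.max_delay = max_delay          # ceiling for a single wait
        self.clock = clock                  # injectable for tests
        self._state = {}                    # key -> (failures, blocked_until)

    def delay_after(self, failures):
        over = failures - self.free_attempts
        if over <= 0:
            return 0.0
        # Clamp the exponent so very large failure counts cannot overflow.
        return min(self.base_delay * 2.0 ** min(over - 1, 64), self.max_delay)

    def retry_after(self, account, ip):
        """Seconds still to wait before this account/IP pair may try again."""
        now = self.clock()
        keys = (("acct", account), ("ip", ip))
        return max(0.0, *(self._state.get(k, (0, 0.0))[1] - now for k in keys))

    def record(self, account, ip, success):
        if success:
            # Reset the account only; resetting the IP would let an attacker
            # clear their counter by logging in to an account they own.
            self._state.pop(("acct", account), None)
            return
        now = self.clock()
        for key in (("acct", account), ("ip", ip)):
            failures = self._state.get(key, (0, 0.0))[0] + 1
            self._state[key] = (failures, now + self.delay_after(failures))


def exhaustive_search_seconds(throttle, keyspace=10**6):
    """Total enforced waiting to try every six-digit PIN against one account."""
    return sum(throttle.delay_after(n) for n in range(1, keyspace + 1))


if __name__ == "__main__":
    years = exhaustive_search_seconds(LoginThrottle()) / (365 * 24 * 3600)
    print(f"worst case with backoff: about {years:.0f} years")
```

With these assumed settings, the enforced waiting for 1 million guesses against one account exceeds a century. Per-account backoff also lets anyone who knows the phone number delay the owner's own logins, which is why the single wait is capped.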

A spokeswoman for Sprint, the company that owns Virgin Mobile, wrote in an e-mail: "A lockout feature for multiple password attempts is part of Sprint's standard procedures. We are reviewing the systems we have in place and conducting audits to ensure our standards are being met, including for Virgin Mobile." She didn't respond to a follow-up e-mail asking if Sprint officials think the lockout mechanism is sufficient given the success of Burke's script.

The attack Burke carried out on his Virgin Mobile account is what's known as an "online" attack, meaning hackers must submit each guess individually to the online server that authenticates the targeted user. That's different from many of the "offline" password cracking hacks Ars has recently chronicled. Unlike many offline attacks—in which attackers try to crack thousands or millions of one-way cryptographic hashes that are fetched off compromised servers—online attacks can try to crack only one account at a time. Once one is correctly guessed, the attacker must start all over again.

Assuming it takes one second for a script to submit each password guess to a Virgin Mobile server, that means it would take no more than 12 days—or a little less than 278 hours—to correctly guess an account holder's passcode. (Burke said it's probably possible to design a platform that submits hundreds of password guesses per second, but to avoid running afoul of laws prohibiting denial-of-service attacks, he didn't try.) To gain unauthorized access to another mobile account, the attacker would have to repeat the process again.

This technique doesn't seem particularly suited to profit-driven attackers who want to break into as many accounts as possible in a short period and with a minimal amount of resources. But for attackers motivated by something other than the goal of financial gain—a spiteful ex-spouse, for instance, a member of the Anonymous hacking collective, or a state-sponsored hacker conducting an espionage campaign—an online attack on Virgin's servers seems to be a perfectly feasible way to gain access to an adversary's account. Freely available programs such as THC-Hydra can make such attacks practical even for programming novices.

Burke has listed a variety of suggestions Virgin Mobile engineers could follow to improve their current authentication system. They include displaying a standard login error message regardless of whether the phone number entered is valid or invalid, sending an alert message whenever e-mail addresses or other important account details are changed, and requiring users to enter additional information before a handset associated with an account can be changed.

In 2012, there's no technical justification for limiting login codes to just six digits. In an age when companies such as Google and Facebook are embracing two-factor authentication, it's unacceptable for online providers to rely on protections that lock out users who have too many incorrect guesses. Virgin Mobile subscribers who are concerned about the privacy of their accounts may want to register their displeasure with the lax password policy that's imposed on them.

Update

As reported in Ars comments, the Virgin Mobile login page is not available for many users. When this reporter attempted to access the page, it returned a ServletException error, an indication that the servers may be under heavy load or are experiencing other technical problems.

In an update posted on Wednesday morning, Burke said Virgin Mobile appears to have fixed the brute-force vulnerability. "After about 20 incorrect logins from one IP address, every request to their servers returns 404 Not Found," he wrote. "It appears they’re implementing some kind of exponential backoff at the IP address level. Which is good; it means they’ve probably fixed the main vulnerability I reported yesterday."