
Another authorization bypass in public Wi-Fi networks

There have already been several articles on this topic, "How to bypass SMS identification when connecting to public Wi-Fi networks?" and "And once again: do not use public WiFi", but new authorization methods appear, so it's time to talk about it again. Recently, in a Moscow cafe, I came across an unfamiliar method of network authorization. I immediately wanted to check whether this authorization can be bypassed and how it threatens ordinary people.



Proof of identity when connecting to public Wi-Fi networks in Russia is required by law. There are several ways to do it; the most popular are entering a code from an SMS or entering the last digits of the phone number from which a call was received. However, this cafe used authorization provided by the wifi-way.ru service, which works a little differently. The user is prompted to provide his phone number and then to call the service's number from it. Once the connection is established, the call is dropped and the user is authorized.

It seems a convenient method: the company does not spend money on sending SMS; it only needs to buy a phone number and track incoming calls. However, there is at least one serious pitfall: the fundamental possibility of placing calls with a spoofed number.

The existing implementation of mobile networks allows a call to be started with an arbitrary Caller ID (the caller's phone number), and the called party then receives the call showing the changed number. This is because mobile networks are built on trust. The details are somewhat beyond the scope of this article, but it's enough to mention that to make such calls, you can either dig into the PBX settings for quite a long time, or just use some kind of service for calling with number substitution and a bit of “magic” to call Russian numbers.

The extremely complex authorization bypass looks like this:

  1. Connect to the network
  2. Specify a phone number
  3. Call with the Caller ID set to the number from the previous step
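
The trust problem in this flow, modelled as an added example (not code from the article or from wifi-way.ru): the first class authorizes a session on the Caller ID of an inbound call, as described above, and the second binds the session to a one-time code delivered to the claimed number, like the SMS method mentioned earlier. All class names, the `deliver` callback and the phone numbers used with it are hypothetical.

```python
import hmac
import secrets
import time

class InboundCallPortal:
    """Flow described above: trust the Caller ID of an incoming call."""
    def __init__(self):
        self.pending = {}      # claimed number -> session id
        self.authorized = {}   # session id -> number recorded as the identity

    def start(self, session_id, claimed_number):
        self.pending[claimed_number] = session_id

    def on_incoming_call(self, caller_id):
        # caller_id is whatever the signalling carried. It does not prove
        # possession of the SIM, yet it is stored as the user's identity.
        session_id = self.pending.pop(caller_id, None)
        if session_id is not None:
            self.authorized[session_id] = caller_id
        return session_id is not None

class OutboundCodePortal:
    """Alternative: deliver a one-time code *to* the claimed number."""
    TTL, MAX_TRIES = 300, 3    # seconds of validity, guesses allowed

    def __init__(self, deliver):
        self.deliver = deliver  # callable(number, code): SMS gateway stand-in
        self.pending = {}       # session id -> [number, code, expiry, tries]
        self.authorized = {}

    def start(self, session_id, claimed_number, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = [claimed_number, code, now + self.TTL, 0]
        self.deliver(claimed_number, code)  # reaches the number's holder only

    def confirm(self, session_id, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(session_id)
        if entry is None:
            return False
        entry[3] += 1
        number, expected, expiry, tries = entry
        ok = now <= expiry and hmac.compare_digest(code.encode(), expected.encode())
        if ok or tries >= self.MAX_TRIES or now > expiry:
            del self.pending[session_id]    # single use, bounded guessing
        if ok:
            self.authorized[session_id] = number
        return ok
```

With the second design the owner of the number also receives an unexpected code, which is the visible signal the call-based scheme never gives him.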

It seems that this is a rather complicated way of getting Internet access; it is easier to buy a SIM card without a passport if you do not want to give your phone number to such companies (they also sell the numbers to the owners of establishments, welcome to the world of potential spam). But the main thing is not the Internet access itself, but access under someone else's phone number. The two previous articles described ways to gain access to existing connection “sessions”, so there you could simply avoid public Wi-Fi and live in peace. In this case, the attacker can specify any phone number, publish an extremist appeal or the work of Japanese artists somewhere, and then everything depends on luck.

If a foreign, non-existent or “elite” number was used, no one will suffer, although the company may get a lot of interesting questions as to why this particular number is recorded in their database. But if they use such an authorization method and sell it, then they are clearly ready for it.

But if the official owner of the number lives in the same city, everything gets much more interesting. Possibly the only chance is to try to convince investigators and the court to check in the mobile operator's logs whether this call was actually made with the subscriber's SIM card. But even this can cost a lot of time and effort.

An additional interesting point is that the owner of the number cannot find out that his number was used for authorization: he receives neither a suspicious message with a code nor a call from an unknown number. In the worst case, he will hear about it from an investigator.

I wrote to wifi-way.ru by e-mail to find out what they think about it. The answer was quite expected: we know about the possibility of replacing the number; the system will keep the number that came from the mobile network.

It's hard to add anything to this; I can only wish everyone good luck and lucky phone numbers that will not be used by intruders during authorization.

Deeply personal opinion about the responsibility of companies for the safety of people (and not users)
It is necessary to clearly separate companies depending on whether they work only with their users or with an unlimited number of people. If the service is offered only to those who have registered and accepted an agreement along the lines of “We do not deal with security, we use leaky technologies, hacking is possible, welcome to the club of humiliation,” then the company has every right not to fix vulnerabilities and potential problems. In some cases the law may still punish them, but that is another story.

However, there are other companies: when vulnerabilities in their services are exploited, any person may suffer, even one who never used the service. This includes public services, subscriptions that many people pay for, and authorization systems for public networks. Although I have not heard of anyone being punished because appeals to extremism were written on their behalf through public networks, some systems were attacked, or, worst of all, works by Japanese artists were published, I absolutely cannot guarantee that this will not happen or that the victim will be able to clear his name.

Therefore, I am convinced that companies whose action or inaction may affect someone who has not entered into an agreement with them should either use safe technologies as far as possible or be punished by society. Unfortunately, one should not forget about people's inertia and readiness to ignore all security problems until those problems touch them. This shows companies that they can neglect everyone's safety: people will swallow it and forget in a couple of days. But this is a topic for a separate sad article.

Source: https://habr.com/ru/post/459348/

