Vodafone voicemail uses caller ID for authentication

This article is about a security risk that I found while using Skype and Vodafone voicemail. In this article I will dive into a specific situation concerning the security of one’s Vodafone voicemail (Netherlands) in combination with Skype’s ability to spoof the caller ID. Besides that, I look at the main concern: trusting a caller ID for authentication purposes.

Vodafone voicemail and Skype

The problem is simple. Vodafone NL offers their customers a voicemail service. If you call the voicemail service from your own mobile phone, you get direct access to the voicemail inbox without needing any form of authorization. It seems the mobile’s caller ID is used for authentication.
Skype, on the other hand, has a ‘feature’ that allows you to assign your own mobile number as a caller ID for Skype-Out calls. This means you can spoof your caller ID, if you authorize it with Skype, for which you only need to respond to an SMS sent to the device once.

So, if I could trick a victim into lending me his/her mobile for only 5 minutes, I could abuse that moment to register the mobile number with a Skype account. This would allow me to access the victim’s Vodafone voicemail, because Skype allows you to spoof the number, and Vodafone authenticates you to a voicemail box based on the caller ID. So, I only need my Skype account to access the victim’s voicemail. An even simpler method could be by using a service provider that allows me to spoof a mobile number, like SpoofCard claims to do. You would then only require the victim’s mobile phone number. Scary!

Other services at risk?

So Vodafone voicemail (NL) is vulnerable to this “hack”. But what about other service providers that rely on the caller ID?

For example the ‘ABN AMRO Saldo voor de iPhone’ [iTunes], a banking application for the Dutch ABN Amro bank that allows you to see your bank account’s balance (requires a 4-digit PIN).
Or what about the ‘Rabo Bankieren’ [iTunes] used for banking with the Dutch Rabobank that only requires a 5-digit PIN to see your bank account’s balance?
By circumventing the caller ID as being part of the authorization of these applications, the only security layer left is a 4- or 5-digit PIN code, which IMHO is not enough any more.

Of course, the same principle applies to SMS text messages, as described in the article Twitter and Jott Vulnerable to SMS and Caller ID Spoofing by dhanjani.com, but for the sake of simplicity I will not go into that right now.

Questions and conclusion

So what do you think?

  • Do you think this is a security risk or not?
  • Is the caller ID something that is easy to fake?
  • Why is Skype allowed to spoof the caller ID? Is this something anyone can do on any phone network?
  • Should service providers be allowed to trust the caller ID for authentication purposes?
  • Have you seen service providers using the caller ID for authentication purposes?

In my opinion, trusting the caller ID for authentication purposes poses a security risk. Developers should be aware that a caller ID should never be an authentication method solely by itself, but always an addition to another. In my opinion, service providers should not use the caller ID alone for authentication!
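The difference between the two policies, as an added example that is not part of the original post and not Vodafone's code: the first function is the caller-ID-only behaviour described above, the second treats the caller ID as a mailbox selector and requires a PIN with lockout. The phone number, PIN, lockout threshold and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3        # assumption: wrong PINs tolerated before lockout
LOCKOUT_SECONDS = 900   # assumption: lockout duration


class Mailbox:
    def __init__(self, pin):
        self.salt = os.urandom(16)
        self.pin_hash = self.hash_pin(pin)
        self.failures = 0
        self.locked_until = 0.0

    def hash_pin(self, pin):
        # Salted and stretched so the stored value is not the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)


def caller_id_only(mailboxes, presented_cli):
    """Behaviour the article describes: the presented number is the credential."""
    return presented_cli in mailboxes


def caller_id_plus_pin(mailboxes, presented_cli, pin, now):
    """Caller ID only selects the mailbox; the PIN is what authenticates."""
    box = mailboxes.get(presented_cli)
    if box is None:
        return "denied"
    if now < box.locked_until:
        return "locked"
    if pin is not None and hmac.compare_digest(box.hash_pin(pin), box.pin_hash):
        box.failures = 0
        return "granted"
    box.failures += 1
    if box.failures >= MAX_FAILURES:
        # A short PIN only holds up if guessing is rate limited.
        box.failures = 0
        box.locked_until = now + LOCKOUT_SECONDS
    return "denied"


# Constructed sample data: the number and PIN are made up.
MAILBOXES = {"+31600000001": Mailbox("4821")}
```

With the second policy a caller presenting the right number but no PIN is denied, and three wrong PINs lock the mailbox even for the correct PIN until the lockout expires.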

And remember, if Paris Hilton can hack into a voicemail, anyone can! ;-)

Update 24-03-2011: I merely used the ABN Amro and the Rabo Bankieren applications as examples to think deeper about security and privacy concerning the use of these (very handy!) financial applications, but it’s clear that they do not rely on (and probably do not even send) the caller ID to the bank’s server, so a probable risk with using the caller ID as authentication for these applications is irrelevant.

Issues with Dutch cable provider UPC

UPC is a service provider for Internet, television and telephone in the Netherlands. I don’t like UPC and I’m going to tell you why. If you are not interested you can stop reading now, but I need to get this off my chest.


Why UPC is a bad service provider (in random order)…

  • Since recently, UPC answers requests for non-resolving domains on their default(!) DNS servers with an address that resolves to a web page, which HTTP 302 redirects you to their own “search” engine. So if you mistype a domain name, your browser redirects you, thereby invading your privacy and providing you with their full-banner “helper” webpage. This is against the DNS protocol.
    You can solve it by forcing your devices to use another set of DNS servers. For me this means I have to manually configure each network device because I cannot make my Thomson router distribute specific DNS host addresses via DHCP :(
    This site tells you more about the solution where you have to manually set your DNS servers.
  • I have a ‘royal subscription’ which means I get nine HD (High Definition) channels for 10 euro/month extra. UPC offers you another feature with this Royal subscription that is called Video On Demand (VOD). The feature is nice because they provide you with a lot of nice content (like series) that are watchable on demand, just like a dvd.
    The problem is that it often doesn’t work for me, giving me a VOD 103 exception. I’ve contacted support three times now about this issue and they still haven’t managed to locate the problem. Every time I have to convince them my signal is ok (using a special test-channel). The problem is probably caused by undercapacity at their streaming servers, but people at the support desk simply follow protocol and never find the problem so it never gets fixed.
  • I have a subscription where I have a combined box for telephone, internet (24 MBit) and (HD) television. I don’t want the phone, but I cannot just order only internet and television. I don’t want to pay for this crappy phone line that doesn’t allow me to dial +31(0)87 numbers (voip phone land-lines in the Netherlands). Another irritating issue is that when your broadband cable modem has no connection, people calling your number get a normal “phone is ringing”-tone on their side, and not a “number not reachable”-tone, which doesn’t help finding the problem.
    Besides that UPC tries to sell this product as a normal phone line, but instead it’s a very error-prone telephone line that you should not primarily rely on when you might need to call the alarm-number.
  • My (brand new) black colored ‘Media Box’ that provides me with HD television seems unstable. Sometimes – out of nothing – the screen just turns black, while the sound continues. Remote control activities don’t work any more and the device gets locked. In this case the device needs a power-cable off and on, which costs me at least 60 seconds before the television gets back. Not funny when you were watching ‘time shifted’.
    I’ve also seen issues where the device automatically switches to the (of all channels) interactive ‘UPC’ channel, functionally “disabling” the number pad on your remote control so it will take you some time to get back to the non-interactive TV channels, while losing ‘time-shifted’ data as well. The remote control is not the problem (I’m using the Logitech Harmony nowadays), and there are numerous people on forums complaining about issues with the UPC media devices as well.
    I’m silently hoping they push a ‘all-problems-fixing’-firmware update soon.
  • UPC poisons their DNS servers with a blacklist so they can block domains hosting child pornography. The problem with this is that they are not open about it, so they manipulate your DNS requests without telling you about it. I wrote an article about that case specifically.
  • The Internet connection UPC provides is slow during evening hours and has connection dropouts very often. When I switch my Internet connection to another provider to check if it’s a local network issue, the connection is always back and better.
  • With my subscription, they do not allow me to pay ‘manually’ with so-called ‘accept giros’; instead they forced me to use automatic credit payment where they are in complete control. So if they make a mistake, it’s up to me to get the money back. Isn’t this against the law?
  • UPC violates your privacy. When you keep your default password, they get it in clear text on their screen at the help desk. If you play it nice, they’ll tell it to you. This endangers your privacy because it is the password that is also used for the mail account they offer you and provides you access to their service center where you can order new services as well. Don’t use their mail account if you are concerned about your privacy.
  • Something positive on the contrary is that they offer a very fast internet connection for almost the same price as you were already paying, an action that was just launched recently. The disadvantage of this is that their network gets more load, something that could explain the continuous connection drop-outs I’m continuously experiencing. They don’t seem to be prepared for Internet speed upgrades with their network.
  • When you call UPC on their special 0900-number, they charge a high price, especially when calling from a mobile phone. When your telephone line from UPC is dead, you cannot use their phone, so you are mostly stuck with a mobile phone.
    The high calling rate is not fancy, but I find it quite ok, because it prevents the waiting time due to customers only calling when they really have to. Still, their waiting time on average is too long, in my experience (> 5 minutes average).
    Besides that, when you call them, it takes you at least 2 minutes before you get through their menu, every time. Sigh.
    A refund for callers – if the problem is theirs – would be nice.
  • You cannot quit your contract with UPC whenever you want, you are stuck with them for at least one year. It’s not only UPC that plays this trick on you, there are other providers that do this to you as well.
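A check for the NXDOMAIN rewriting described in the first bullet of the list above, as an added example that is not part of the original post. It assumes that random 24-character labels under .com and .net are unregistered, so an honest resolver reports all of them as non-existent; the function names and the injectable `resolve` parameter are made up for the illustration.

```python
import secrets
import socket


def system_resolve(name):
    """Ask the OS-configured resolver; return [] when the name does not exist."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def detect_nxdomain_rewriting(resolve=system_resolve,
                              suffixes=("com", "net"), probes_per_suffix=2):
    """Look up random names that should not exist (assumption: unregistered).
    Any answer means the resolver replaces NXDOMAIN with an address."""
    answered = {}
    total = 0
    for suffix in suffixes:
        for _ in range(probes_per_suffix):
            name = f"{secrets.token_hex(12)}.{suffix}"
            total += 1
            addrs = resolve(name)
            if addrs:
                answered[name] = set(addrs)
    # An address shared by unrelated random names is the redirect landing host.
    shared = set.intersection(*answered.values()) if answered else set()
    return {"rewriting": bool(answered), "probes": total,
            "answered": len(answered), "shared_addresses": sorted(shared)}


if __name__ == "__main__":
    print(detect_nxdomain_rewriting())
```

Run it once on the provider's default DNS servers and once after switching to another set to confirm that the manual configuration took effect on that device.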

So why do I still use UPC?

The reason for me still using UPC is that they are the only provider offering HD television to my home. Besides that my ADSL line doesn’t seem to be capable of high speed Internet access (meaning 8 MBit+ downstream), and I want a reasonable upload speed as well.

If there is another provider for my region available that includes HD television and fast internet access, I’ll switch immediately.

Using multiple GPS tracklogs to create artistic views in Google Earth

Since June 2005, I’ve been collecting tracklog data using my Garmin GPS 60 (CSx). This means that every time I go cycle racing, walking, sailing, ice skating or even flying, I bring my Garmin, turn it on and (automatically) log the track.

After the track is completed for that activity, I archive it at home, as a GPX file, using Garmin’s MapSource.
I initially bought the GPS for tracklogging and navigational purposes for my bike trip from Arnhem (Netherlands) to Paris, but keeping all tracklogs did give me some other cool opportunity that I didn’t think of back then.
One example of that is gathering statistics about my cycleracing and mountainbiking trips, thereby motivating me to break new records and discover new terrain. Another cool purpose for all my tracklogs, and what this blog is about, is that I can visualize them (all at once) on Google Earth!

With Google Earth and converting tools like GPSBabel at our disposal, it’s possible to create a (big) Google Earth file of all tracklogs combined. When I try to combine, for example, the activities for which I have the most tracklogs available (cycle racing, mountainbiking, walking, cycling on my hybrid bike and sailing), I assign them a color so I can differentiate between different types of activities and create really cool and insightful maps, like this:

Combined tracklog view of the southern Veluwezoom area

In this picture, the red colored line stands for mountainbiking, purple stands for cycling with my hybrid bike, blue is used for cycle racing and green is for walking. If you look carefully, you can also guess where I must live somewhere :-)

This map might look not very organized or useful to other people, but for me, there are many, many stories and new ideas hidden in it.

There are a lot of interesting views possible, given my pretty large collection of tracklogs. This one for example is from my holiday last September in and around Cassis (south France):

Combined tracklog from holiday in Cassis, France; viewed in Google Earth

The pink line shows a sailing trip we’ve taken. The green line shows the walk we took to Calanque d’En-vau and the blue line shows a cycle racing trip over the Route du Crête. If you ever want to visit this area, it’s a good idea to take my tracklogs, put them on your GPS and do the activities while you are in the area, so you don’t miss the ‘must-have-done’s’.

This whole thing looks somewhat like everytrail.com, where one can create some sort of “trackblog”, including photos that can be linked to the track. But an overview, loadable in Google Earth, is not one of the options they offer (yet). Maybe they will add it in the future, so if you start uploading your tracks at everytrail.com now, an easy total view in Google Earth might not be so far away at all :)

Luckily you can create such a combined track yourself as well, however it requires some scripting knowledge. To combine the (GPX) files you can use gpsbabel, remove all but the track-information from the tracklog, for each of the tracklogs from a certain category, and output them to a kml or kmz file, a command that looks like this on unix:

/usr/local/bin/gpsbabel \
  -i gpx -f "Tracklogs Varen/20080611_Drangey_Sauðárkrókur.gpx" -x nuketypes,waypoints,routes \
  -i gpx -f "Tracklogs Varen/20080611_Sauðárkrókur_Drangey.gpx" -x nuketypes,waypoints,routes \
  -i gpx -f "Tracklogs Varen/20080824_RoelofarendsveenLeiden.gpx" -x nuketypes,waypoints,routes \
  -i gpx -f "Tracklogs Varen/20080908_CalanqueDePortMiou.gpx" -x nuketypes,waypoints,routes \
  -o kml,floating=0,labels=1,trackdata=1,line_color=FF00FF00,points=0,line_width=2 \
  -F "combined_varen.kml"

After that I load each kml file in Google Earth separately and assign it a unique color. By moving the track to the same folder in Google Earth, I can combine them to one track, with multiple colors per category. That’s all it takes.

The most current version of all my tracks in the categories cycleracing, ‘Cycleracing with hybrid bike’, sailing, mountainbiking, walking, ice skating and flying can be found in this automatically updated KML file.

Some more screenshots that I’ve taken are available here: http://public.hendricksen.eu/GpsArt/

combined tracklog view of 'de Liemers'

I hope I can inspire people to do the same, or at least motivate them to start collecting and archiving their own tracklogs, so at some point, they can create some cool maps just like I did with my tracklogs, and who knows, maybe start comparing those tracks.

Update 2009-12-03:
The latest combined tracks file (automatically updated) with all my cycling, walking, sailing and skating tracklogs is available here.

The world from a bird’s eye view

Did you ever want to be able to have a bird’s eye view of an area? Now you can, simply by using Microsoft’s bird’s eye view available from Live Maps. The quality of the images is pretty detailed and you (currently) have a four-angle view at your disposal. Isn’t that just cool?

Kasteel Rozendaal, VELP GLD, Netherlands

The technique behind this is from a company called Pictometry International. The images are taken at a 40 degree angle from low-flying airplanes and each spot in the picture is overlapped in as many as 12 to 30 images of the same location. Luckily, storage space gets cheaper every day, but still.

So, it’s not that Microsoft gets the credits for this, but at least they are making it publicly available to the common people, and not only limiting this data to the IRS’es and CTU’s, for which I am grateful.

However, as an inhabitant of the Netherlands and a frequent visitor of the Veluwe, I wonder how far the Dutch (and European governments in general) are with techniques like these, because, for example, I believe they cannot yet handle emergency calls in which you give your location by a GPS coordinate, or am I wrong about that?

So while Google is busy mapping streets with their StreetView project, the team behind Microsoft Live Maps did something cool as well. Though they still have a lot of areas to cover, it will sooner or later be the future of our maps, available anyplace, anywhere and anytime.
I wonder how long it will take before we have near-live “pictometry-images”. It will happen, but the question is when. 2020? 2030? Or maybe as fast as 2015? The least I hope is that I’ll still be here to be excited about it.