A wireless vendor (who shall remain nameless) is selling its 3G cards to corporate networks as a secure means of remote communication. There’s only one problem with it; anyone that picks up one of these cards, pre-configured for accessing the corporate network by the vendor, can just plug it in and reach out and touch the corporate network. Not to mention being able to browse the Internet and use DNS and other things; more later.
We do need to download the software first, and it does ask for a phone number to do so. Fortunately, any phone number will work, and if they fix it so only their numbers work (impossible given number portability) then you would just need a network phone number. “Hey, Fred, you use vendor for your cell service?” Boom!
Once the software is downloaded and installed, it asks for the device phone number. Which it auto-populates for you by pulling the number off the device. Brilliant. We don’t even have to query the card to obtain the phone number.
Linking to the net is accomplished with the press of a button. Now here, the vendor has limited what protocols and destinations are acceptable, so when we fire up a browser, it fails everywhere you look. Or does it. What actually happens is it hangs. It doesn’t time out, and a look at netstat reveals that we are getting DNS information, and we are initiating connections. Checking DNS directly clearly indicates not everything is locked down tight, if at all. The vendor has put us in a tunnel of some type, so some stuff works, some stuff doesn’t. https also fails. A quick trip to Google revealed an http site on non-standard port 81, which worked fine, so we know we can pass http, just not on 80. The only thing we know for sure is that port 80/443 is not getting us where we want to go, but it seems everything else is.
A quick peek with Nessus (if they’d been using Counteract, that would have failed) reveals Microsoft destinations. From there, its a matter of using hydra and getting onto an M$ resource, at which point the network is an open book.
All from a single lost vendor 3g card.
Several layered security mechanisms would have prevented this, not the least is some form of authentication at the vendor border. From there, we could have been stopped with a certificate check, a Forescout detection and prevention, and worst of all, no free passing of any protocols without authentication to a valid VPN. Boom!
To be perfectly frank, if the vendor or the corporation is alerted quickly to the loss of a card, this is a very low probability attack. But if a corporation is targeted, its much more likely to succeed. Your risk may vary. If alerting is a non-priority, as it is in many places, this is a serious problem. Once inside, hostile forces will plant the seeds that give them continuous access without the 3g card.
Play it safe, make sure your 3g cards are secure. Use layers to compensate for any single security failure. And most important, validate your assumptions when told something is “secure”.
This blog and it’s contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems. Any republication or reuse is forbidden if the Digital Trust name is removed.