One of Australia's Largest Telcos Ignores Security Flaws
The potential loopholes left in telcos' security by using default systems or under-developed software are a hacker's dream!
Australia (PRWEB) September 12, 2004 -- Overview: All users on the Optus network with voicemail at home have a remote access number, whether they want it or not, and three incorrect PIN attempts on this number will lock their remote access as well as their home access to this service, forcing them to ring Optus and wait for it to be unlocked.
Details: The potential for a denial of service attack on end users' voicemail on the Optus network is exceptionally high, and the attack is relatively easy. The basis of the attack is purely the ability to dial in remotely to VMBs, which usually have four-digit PINs; to cater for such lax security, Optus will lock any VMB whose PIN is entered incorrectly a number of consecutive times.
Using this to suspend a large number of Optus users' VMBs is quite easy with any old PC with a modem hooked up to any old phone line, taking out hundreds of users in no time at all. Upscaling the denial of service attack is even easier with a beige box and a payphone, which gives the attacker the ability to be more carefree with such an attack, war dialling with the syntax of:
133321 (Phone Number) (PIN)
So in theory, by dialling with a string of (for Hayes chipsets) ATDT1333210298641000#5#5#5# and rotating up through the Optus user exchange, you will lock users out of their voicemail services. Now, why would this be high risk? Auto-diallers. The same little programs that the world's sex industry has been filling its pockets with can be used locally as a major distributed denial of service attack on Optus.
Over one million people can be locked out in literally an hour with merely 500 auto-diallers running on infected machines.
Severe damage potential is also available due to the number of users with Rockwell chipset and other Hayes command modems which are not patched against hexadecimally encoded ICMP packets; a small script could therefore be written which will sweep an IP subnet with the above AT string with a +++ath0 prefix and the phone number incrementing per IP.
The above estimate for the one million user effect speed would be infinitely faster through the hex ICMP packet method, although IPs being down would affect its accuracy and efficiency. One could wait for a ping reply from the host prior to incrementing the dial number, but that would slow down the speed of the subnet sweep.
Regardless of its inaccuracies, the latter method would decimate the Optus VMB network.
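From the operator's side, a sweep that rotates upward through an exchange leaves a recognisable trace in lockout records: adjacent mailbox numbers locked in quick succession. The following detection sketch is an added example, not part of the original release or of any Optus system; the record layout, thresholds and the `find_sweeps` name are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed lockout records (lock time, mailbox number); layout is assumed.
SAMPLE_LOCKOUTS = [
    ("2004-08-16 02:00:05", "0298641000"),
    ("2004-08-16 02:00:41", "0298641001"),
    ("2004-08-16 02:01:17", "0298641002"),
    ("2004-08-16 02:01:30", "0298647731"),  # unrelated user, mid-sweep
    ("2004-08-16 02:01:52", "0298641003"),
    ("2004-08-16 02:02:30", "0298641004"),
    ("2004-08-16 11:40:12", "0298641005"),  # adjacent number, hours later
    ("2004-08-16 13:05:09", "0390015522"),
]


def find_sweeps(events, min_run=4, max_gap=timedelta(minutes=2)):
    """Find runs of lockouts that climb through adjacent mailbox numbers.

    A run grows while each lockout hits the mailbox numbered one above the
    run's last entry and follows it within max_gap. Unrelated lockouts that
    arrive in between do not break a run. Runs shorter than min_run are
    treated as ordinary forgotten-PIN noise and dropped.
    """
    open_runs = {}  # numeric value of a run's last mailbox -> [(time, number)]
    closed = []
    for stamp, number in sorted(events):  # this timestamp format sorts as text
        when, value = datetime.strptime(stamp, FMT), int(number)
        run = open_runs.pop(value - 1, [])
        if run and when - run[-1][0] > max_gap:
            closed.append(run)          # too slow to be the same sweep
            run = []
        if value in open_runs:          # same mailbox locked again
            closed.append(open_runs.pop(value))
        open_runs[value] = run + [(when, number)]
    closed.extend(open_runs.values())
    return [
        {"first": r[0][1], "last": r[-1][1], "count": len(r),
         "seconds": int((r[-1][0] - r[0][0]).total_seconds())}
        for r in closed if len(r) >= min_run
    ]


if __name__ == "__main__":
    for sweep in find_sweeps(SAMPLE_LOCKOUTS):
        print(sweep)
```

Because the key is the mailbox sequence rather than the calling line, the check still fires when the calls arrive from many different sources.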
'The bottom line is that Optus provides the service, it is up to the user to accept the risks involved,' Optus team leader in regards to the bug.
PLEASE NOTE: As a condition of use, the name of the publisher of this article, 'ath0', his group 'Halcon' and their URL www.halcon.com.au must at least be cited.
Corporation: Optus
Date: 8.16.2004
Risk: High
Target: End User VMBs
Type: Phone Based Denial of Service
# # #