“The demo laptops in question are located in an independently owned/operated reseller location, and are not configured or maintained by Verizon Wireless. Verizon Wireless is committed to the security of its customers and is working with the reseller to resolve this issue.”

Usually when working with vendors, the company’s lawyers immediately respond to any potential problems with security systems. Verizon did not respond this way. Instead, they began by asking a bunch of questions about the store locations and what security breaches were compromised. Further, they said that they could understand the confusion because the third party resellers have huge Verizon signs on their store. In short, they acknowledge that it can be very difficult to distinguish between the real Verizon stores and the resellers.

I was also very happy to see that they were interested in solving the issue. You see, even though the stores are not theirs, there is still damage that can be done if something hideous was to happen on one of the terminals.

I will keep you all posted on how the fix goes. I am planning on hitting a few of the stores later today just to see.
 

Last week I was plucking around at my local Verizon Wireless store looking for a power adapter for my i760. Apparently, this task is far harder then I thought it would be. The gentleman behind the counter said, “Whoa! That is a very old phone.”

I bought it last year.

Anyway, he disappeared into the back like he was hunting for the store’s last mogwai and left me, alone, in the store with their demo EVDO computer terminal.

So I started playing around with the Windows XP system they allow their customers to test the EVDO speed. Which I think is a great idea. However, there was a sign that said, “Please, check your email here!!” I don’t think so.

So I got curious as to what kind of security they put on these systems. I was hoping for at least a partially locked down terminal. At the very least, I was sure they would not leave an open system logged in with Administrator privileges for the whole world to use.

I was wrong.

As you can see the system is logged in with an account that has Administrator Privileges. There is no “hacking” this box…. You just walk up to it.

 
When he returned, without the adapter I needed, he noticed that I had the command prompt up. He asked me the basic questions like, “What the hell are you doing?” Which I answered truthfully with the necessary mitigation steps. You see, I am a pathetic, hopeless white hat. I spent a few seconds re-explaining the problem to him while his eyes glassed over. When I was done he said that he would need to take my name and a copy of my drivers license so he could run this “incident” by the management and possibly the police. It was my turn for my eyes to glass over and quickly leave the store. The irate store clerk was shocked that I would just walk away without complying with a perfectly sound and logical request to hand over my PII to a store that cannot secure a simple terminal.

To my horror, all of the Verizon stores in my area were set up the exact same way.

There are two issues here. First, these terminals are insecure by design and replicated. Second, they encourage their potential customers to use these insecure systems to do potentially sensitive activities.

Why should Verizon care? The single biggest thing I can think of is liability. If you’re an attacker why would you keep your illegal files on your system? It seems so much better to store them on a random Verizon demo system. Next, think about the consistency. It is trivial to dump the password hashes from a system when you have Administrator access to the box. Where else are those passwords used?

The point is that we need to start securing things even if you don’t think there is a need. There are liability issues that come with having open systems so insecure. Further, it is just these types of things that can be catastrophic for an organization. The sad part is many organizations would say they never saw it coming.

We can say it again and again, organizations need to be a bit more protective of their customers data. Also, I think it would be a step in the right direction to not openly suggest that customers should check their email.

Until then… Buyer beware.