Developer Warns Millions of Virgin Mobile Subscribers About Authentication Flaw

An Alamo, Texas developer on Monday warned Virgin Mobile U.S. subscribers that their accounts can be hacked after the company failed to respond with a fix.

“I reported the issue to Virgin Mobile a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly,” Kevin Burke said in a blog post.

Burke said he discovered that the carrier’s authentication relied on nothing more than the subscriber’s phone number and a six-digit numeric PIN to log into an account. One user later said in a comment that the company recommends using birthdates as passcodes.

Using his own account, he wrote a script to work through the one million possible six-digit PINs far faster than anyone could by hand, since the login imposed no limit on failed attempts. Once the script recovered his PIN, he realized that “pretty much anyone can log into your Virgin Mobile account and wreak havoc, as long as they know your phone number.”

Attackers can snoop on call and SMS logs, lock out legitimate users, hijack the handset and purchase a new phone using the purloined account.

Burke said he contacted the company and its parent, Sprint, in August to alert them to the issue, but became frustrated with the pace of the investigation and the lack of communication. After several emails back and forth with a Sprint official, Burke was told on Sept. 14 that the company did not plan further action on Virgin Mobile’s end. That is when he decided to go public, since he believed the vulnerability might already be exploited in the wild.

On his blog, he suggests several steps Virgin Mobile can take to make it much harder to break into accounts, including allowing longer, alphanumeric passwords, freezing accounts after five failed attempts (currently the number of attempts is unlimited) and requiring two-step authentication.
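The brute-force attack Burke describes and the five-strike lockout he proposes, as an added simulation against a toy in-memory account. This is example code written for this page, not Burke’s script and not Virgin Mobile’s system; the PinAccount class, the phone number, the PIN and the birthdate-guessing order are made up to show how the keyspace and the attempt limit interact.

```python
"""Added example (not Burke's script): brute-forcing a six-digit PIN against a
toy account with unlimited attempts, then against one that locks after five."""
import secrets

PIN_SPACE = 10 ** 6  # six numeric digits, as reported for the carrier login


class PinAccount:
    """Hypothetical account keyed by phone number (constructed for this example)."""

    def __init__(self, phone, pin, max_failures=None):
        self.phone = phone
        self._pin = pin
        # None models the reported state: no limit on failed attempts.
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, pin):
        if self.locked:
            return False
        # Constant-time comparison so timing does not leak matching prefixes.
        if secrets.compare_digest(pin, self._pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def all_six_digit_pins():
    """Every candidate from 000000 to 999999, in order."""
    for n in range(PIN_SPACE):
        yield f"{n:06d}"


def birthdate_pins(years=range(1930, 2013)):
    """MMDDYY guesses: the shortcut if users follow the 'use your birthdate' advice.
    Roughly 31k candidates instead of a million (invalid dates are harmless)."""
    for y in years:
        for m in range(1, 13):
            for d in range(1, 32):
                yield f"{m:02d}{d:02d}{y % 100:02d}"


def brute_force(account, candidates):
    """Try candidates in order until one works or the account locks.
    Returns (recovered_pin_or_None, attempts_made)."""
    attempts = 0
    for pin in candidates:
        attempts += 1
        if account.login(pin):
            return pin, attempts
        if account.locked:
            break
    return None, attempts


if __name__ == "__main__":
    phone, pin = "5551234567", "042687"  # constructed sample: April 26, 1987
    open_acct = PinAccount(phone, pin)
    print("unlimited, exhaustive:", brute_force(open_acct, all_six_digit_pins()))
    print("unlimited, birthdates:", brute_force(PinAccount(phone, pin), birthdate_pins()))
    locked_acct = PinAccount(phone, pin, max_failures=5)
    print("five-strike lockout:", brute_force(locked_acct, all_six_digit_pins()),
          "locked:", locked_acct.locked)
```

Two things the run makes concrete: with no attempt limit the only cost is the keyspace, and advising birthdates cuts that from a million guesses to about thirty thousand; with a five-strike lockout the same script never gets past its fifth guess. The lockout is not free, though. Since the login is keyed by phone number alone, anyone who knows a number can deliberately burn five attempts and lock the legitimate subscriber out, which is why a lockout is normally paired with rate limiting or escalating delays rather than used on its own.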

“There is currently no way to protect yourself from this attack. Changing your PIN doesn’t work, because the new one would be just as guessable as your current PIN,” he said. “If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn’t like you. For the moment I suggest vigilance, deleting any credit cards you have stored with Virgin, and considering switching to another carrier.”
