Developer Warns Millions of Virgin Mobile Subscribers About Authentication Flaw


An Alamo, Texas developer on Monday warned Virgin Mobile U.S. subscribers that their accounts can be hacked after the company failed to respond with a fix.

“I reported the issue to Virgin Mobile a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly,” Kevin Burke said in a blog post.

Burke said he discovered that the carrier authenticated subscribers with nothing more than the account's phone number and a six-digit numeric PIN. One reader later noted in a comment that the company recommends using a birthdate as the passcode, which shrinks the already small set of likely PINs even further.

Using his own account, he wrote a script that walked through the one million possible six-digit PINs; because the site put no limit on failed attempts, the script eventually hit his PIN. At that point he realized that "pretty much anyone can log into your Virgin Mobile account and wreak havoc, as long as they know your phone number."

Attackers can snoop on call and SMS logs, lock out legitimate users, hijack the handset and purchase a new phone using the purloined account.

Burke said he contacted the company and its parent, Sprint, in August to alert them to the issue but became frustrated with the pace of the investigation and lack of communication. After several emails back and forth with a Sprint official, Burke was told Sept. 14 the company did not plan further action on Virgin Mobile’s end. That’s when he decided to go public since he thought the vulnerability might already be exploited in the wild.

On his blog, he suggests several steps Virgin Mobile can take to make it much harder to hack into accounts, including allowing longer, alphanumeric passwords, freezing accounts after five failed attempts (currently the number of attempts is unlimited) and requiring two-step authentication.
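The two points above, that an unthrottled six-digit PIN falls to a simple enumeration script and that a lockout after a few failures stops that script, can be shown with a small model. The code below is an added example written for this article; it is not Burke's script and models no real carrier system. The Account class, the phone numbers, the target PINs ("314159" and "070480") and the five-attempt limit are all constructed for the demonstration. It also goes a step beyond the article by counting how many six-digit PINs are valid MMDDYY birthdates, which is what the commenter's point about birthdate passcodes amounts to in numbers.

```python
"""Constructed model of a phone-number + six-digit-PIN login.

Shows (1) that with no lockout an attacker who knows the phone number
recovers the PIN by trying all 10^6 values, (2) that a lockout after a
few failures stops that, and (3) how small the keyspace becomes when
PINs are birthdates. Example code for this article, not a real system.
"""
import datetime
import hmac
import itertools

PIN_LENGTH = 6
PIN_SPACE = 10 ** PIN_LENGTH          # 1,000,000 possible PINs


class Account:
    """One subscriber account (constructed).

    max_failures=None means unlimited attempts, the weak policy the
    article describes; an integer freezes the account after that many
    consecutive failed logins.
    """

    def __init__(self, phone, pin, max_failures=None):
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("PIN must be exactly six digits")
        self.phone = phone
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, pin):
        """Return True only for the correct PIN on an unlocked account."""
        if self.locked:
            return False
        # Constant-time compare; the demo is about guessing, not timing leaks.
        if hmac.compare_digest(self._pin, pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def all_pins():
    """Every six-digit PIN from 000000 to 999999, in order."""
    for n in range(PIN_SPACE):
        yield f"{n:0{PIN_LENGTH}d}"


def birthdate_pins():
    """Six-digit strings of the form MMDDYY that are real calendar dates.

    Two-digit years are validated against 2000-2099; any century with the
    same leap-year pattern gives the same set of strings.
    """
    pins = []
    for mm, dd, yy in itertools.product(range(1, 13), range(1, 32), range(100)):
        try:
            datetime.date(2000 + yy, mm, dd)
        except ValueError:
            continue                      # e.g. 02/30 or 04/31
        pins.append(f"{mm:02d}{dd:02d}{yy:02d}")
    return pins


def brute_force(account, candidates):
    """Try candidate PINs in order until one works or the account locks.

    Returns (recovered_pin_or_None, attempts_made).
    """
    attempts = 0
    for pin in candidates:
        attempts += 1
        if account.login(pin):
            return pin, attempts
        if account.locked:
            break
    return None, attempts


def demo():
    """Run the three scenarios and return their results as a dict."""
    weak = Account("555-0100", "314159")                 # no lockout
    weak_pin, weak_tries = brute_force(weak, all_pins())

    hardened = Account("555-0100", "314159", max_failures=5)
    hard_pin, hard_tries = brute_force(hardened, all_pins())

    return {
        "no_lockout": (weak_pin, weak_tries),            # ('314159', 314160)
        "lockout_after_5": (hard_pin, hard_tries),       # (None, 5)
        "hardened_account_locked": hardened.locked,      # True
        "birthdate_keyspace": len(birthdate_pins()),     # 36525 of 1,000,000
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the run makes concrete. Without a lockout the attacker needs at most a million requests and, on average, half that, so the only cost is time. With a five-attempt freeze the same script dies after five guesses, but note what the freeze also does: anyone who knows the phone number can now lock the legitimate owner out with five wrong guesses. That is why the lockout is listed alongside longer alphanumeric secrets and a second factor rather than on its own, and why a real deployment would add per-source rate limiting and owner notification to the freeze.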

“There is currently no way to protect yourself from this attack. Changing your PIN doesn’t work, because the new one would be just as guessable as your current PIN,” he said. “If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn’t like you. For the moment I suggest vigilance, deleting any credit cards you have stored with Virgin, and considering switching to another carrier.”


Discussion

  • Richard S on

    It will serve them right if they get cracked and didn't do anything after being warned. Not that I am condoning any attacks, but crackers are opportunistic, and if you give yourself out as a sucker, don't cry if you get licked.

  • Tiften on

    Thanks for the article. We all need to be more proactive about our personal account security. One thing I personally am encouraging people to do is, when possible, take advantage of the sites that offer Two-Factor Authentication. Although 2FA has been around for a while, more and more sites are starting to offer and promote this option. 2-Factor Authentication for email wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite for any system that wants to promote itself as being secure.
