In-brief: Rapid7 said it found a number of flaws that leaked data on users of collaboration technology by Fuze. In an increasingly common finding: poorly secured cloud resources, not the handsets, were the problem.
The security firm Rapid7 unveiled a series of security flaws in collaboration technology by the firm Fuze, underscoring the risks posed by cloud-based administration tools that backstop many mobile and connected device platforms.
On Tuesday, Rapid7 unveiled three vulnerabilities within Fuze’s TPN Handset Portal that would allow hackers to gather information on specific Fuze handsets and their owners, including phone numbers, email addresses, parent account names and links to administrative interfaces.
The flaws discovered by Rapid7 were not in the Fuze phones, which include both office and mobile devices, but in web pages served up by Fuze servers. Pages identified by Rapid7 researchers exposed user- and phone-specific information and contained an administration URL, http://mb.thinkingphones.com/, that was accessible from the public Internet, according to Rapid7 researcher Samuel Huckins, who discovered the flaws.
According to Huckins, Fuze (formerly “Thinkingphones”) made the mistake of using the phone’s physical machine (MAC) address to create a unique administrative URL for each device. So the web address http://mb.thinkingphones.com/stuff/morestuff/0123456789ab would provide information about a (fictional) Fuze phone with MAC “0123456789ab”. That would seem to be OK, given that the number of possible unique MAC addresses is huge. Except that Fuze handsets are manufactured by only a couple of companies, and each networking hardware manufacturer is assigned a range of MAC addresses to use with its hardware. That makes the possible population of Fuze MAC addresses much, much smaller, Rapid7 discovered. “The beginning of the MAC address indicates the vendor, so one could attempt hitting URL format above for each MAC address in the ranges assigned to the handful of vendors of phone models that Fuze deploys,” Huckins wrote.
That underlying weakness was worsened by other insecure practices. Fuze was not using HTTPS for its admin interface nor limiting login attempts to the admin consoles on its phones, making so-called “brute force” password guessing attacks all the easier.
Ironically, Rapid7 uses Fuze phones and desktop software for internal telecommunication and meetings, which may be what earned Fuze the extra attention from one of its customers. But Huckins said the kinds of flaws the company found – including spotty use of encryption for web-based services – aren’t so unusual. “It’s still not very uncommon for services to communicate sensitive information over HTTP,” he told Security Ledger in an email. “It’s easier to miss when the resources aren’t something users hit directly, such as the URLs involved here.”
Fuze has issued a fix for the flaws Rapid7 discovered, and no user action is required to implement it. The company introduced rate limiting of authentication attempts to the administration portal. That also takes care of the MAC enumeration of device URLs, since walking the vendor address ranges would require too many login attempts.
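As an added illustration (not Fuze’s or Rapid7’s code), the following Python shows the defender’s side of both problems described above: a detector that flags a client walking MAC-keyed admin URLs under one vendor prefix in constructed access-log lines, and the per-client sliding-window rate limit that the fix describes. The log format, path shape, sample addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Path segment of exactly 12 hex digits: the MAC-keyed URL pattern the article describes.
MAC_IN_PATH = re.compile(r"/([0-9a-fA-F]{12})(?:[/?]|$)")
# Constructed, Apache-like access-log shape (an assumption): "<ip> [<epoch>] GET <path> <status>"
LOG_LINE = re.compile(r"^(\S+) \[(\d+)\] \S+ (\S+) (\d{3})$")

# Constructed sample log: one client walking sequential MACs under one OUI, one normal client.
SAMPLE_LOG = [f"198.51.100.7 [{1000 + i}] GET /stuff/morestuff/0123456789{i:02x} 200" for i in range(8)]
SAMPLE_LOG += ["203.0.113.5 [1003] GET /stuff/morestuff/0123456789ab 200",
               "203.0.113.5 [1900] GET /stuff/morestuff/0123456789ab 200"]

def parse_line(line):
    """Return (client_ip, epoch, mac) for a MAC-keyed request, else None."""
    m = LOG_LINE.match(line.strip())
    mac = MAC_IN_PATH.search(m.group(3)) if m else None
    return (m.group(1), int(m.group(2)), mac.group(1).lower()) if mac else None

def find_enumerators(lines, window=60, max_distinct=5):
    """Flag clients requesting more than max_distinct distinct MAC-keyed URLs within
    any window-second span; report the OUI (first 6 hex digits) prefixes they walked."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, mac = rec
            per_client[ip].append((ts, mac))
    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {mac for ts, mac in events[i:] if ts - t0 <= window}
            if len(seen) > max_distinct:
                flagged[ip] = sorted({mac[:6] for mac in seen})
                break
    return flagged

class RateLimiter:
    """Sliding-window limit: at most `limit` admin-portal attempts per client per `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, defaultdict(list)

    def allow(self, client, now):
        recent = [t for t in self.hits[client] if now - t < self.window]
        self.hits[client] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True
```

The detector keys on a single source address; enumeration spread across many sources would need the distinct-MAC count taken per OUI prefix instead, which the same parsed events support.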
In a statement, Fuze’s CEO said the company doesn’t have any evidence of “bad actors exploiting this vulnerability to compromise customer data.” “Fuze is grateful to Rapid7 for its continued partnership in responsibly sharing security information, and believes in its larger mission to normalize the vulnerability disclosure process across the entire software industry,” said Chris Conry, CIO of Fuze, in a statement.
The issue points to the larger questions around the security of cloud-based assets and applications that typically serve as the back end of Internet of Things and mobile device deployments. The New York Times wrote on Monday about how cyber criminals are gaming support personnel and web sites to transfer mobile device numbers and defeat so-called “two-factor authentication” solutions. Firms like Dow Jones have also been dismayed to learn that customer data was exposed through improperly configured Amazon Web Services (AWS) accounts.