A Moscow developer found that MaximaTelecom, the operator of the Wi-Fi network in the Moscow metro, stored its users' data in unencrypted form, so that anyone could access it. The vulnerability had presumably existed for more than a year. Only after media attention did the operator announce that the error had been eliminated and that the authorization system would be reworked.
The Moscow metro collects data for targeting
The Moscow metro, as well as surface transport and Aeroexpress, is served by the operator MaximaTelecom. According to the company's own data, more than 12 million users have been identified by phone number in the free MT_FREE network. The operator's daily audience in the metro is up to 1.5 million unique users, about 150,000 of whom buy packages that disable advertising.
Confidential data of Wi-Fi users in the metro is transmitted in encrypted form, MaximaTelecom co-owner Alex Krikheli has assured. He also called this information the operator's "unique wealth" and acknowledged that it is used to target advertising.
The developer found that the Wi-Fi operator put user data at risk
To use free Wi-Fi in the Moscow metro, you need to enter a phone number or State Services account details on the network's authorization page (auth.wi-fi.ru). This page opens automatically when a device connects to the network, and if the user does not have a paid subscription, it contains an ad unit with targeting configured.
In the Moscow metro Wi-Fi network, the passenger data that forms the "digital portrait" is tied to the MAC address of the device. The portrait consists of gender, approximate age, marital status, the stations presumed to be home and work, and level of prosperity. The law on personal data prohibits the operator from storing first and last names; in addition, all personal information must be stored in encrypted form.
In early March, Android developer Vladimir Serov published a study of the authorization page code, in which he concluded that the phone number and other data of the Wi-Fi network's users were not encrypted. Any metro passenger could check this by opening the page source and looking at the fragment after `userdata`.
In effect, anyone could compile a database of Moscow metro passengers for their own purposes.
To access the "digital portrait" of any passenger, it was enough to learn someone else's MAC address and substitute it, or any other, for your own. Obtaining device MAC addresses as ready-made lists is realistic: Serov gave an example of how, at just two stations, he used the program Airodump-ng to collect "a thousand working MACs and looked at their sociology."
The developer simplified the task and wrote a script that removed the need to go through MAC addresses by hand. The program made it possible not only to obtain passenger data but also to track passengers' movements in real time.
The vulnerability existed for over a year
On March 5, Serov reported the vulnerability through mos.ru, the portal of the Moscow mayor's office, "because MaximaTelecom does not have any normal tech support." He did not receive an answer, and a week later, on March 13, he described the situation on Habrahabr.
Two hours after Serov's publication, phone numbers on the MT_FREE network began to be encrypted in transmission to prevent them from leaking. Judging by the updates to the post on Habrahabr, the operator tried to change the security system over the next few days.
The developer stated that the code could still be decrypted. On April 9, he told The Village that Moscow metro passengers were still under threat. Serov did not contact MaximaTelecom directly, which was later acknowledged to be a "dull" decision.
The vulnerability had been present in the Moscow metro Wi-Fi network since at least March 17, 2017, The Village found after studying the authorization page code through its archived copy in the Wayback Machine.
The operator reacted a month after the story about the vulnerability
At first, representatives of MaximaTelecom asked Serov to remove the publication from Habrahabr, but he refused: "And why should I remain silent about my personal data being treated like this?" The developer also did not agree to add the operator's official comment to his post.
On April 9, MaximaTelecom, in a conversation with , acknowledged the vulnerability. The company "turned off the storage of data" on users' movements between stations and, according to the company, ruled out the possibility of tracking passengers. It is not known how many users' numbers were accessible during all this time.
MaximaTelecom intends to rework the authorization system so that it is impossible to learn other people's data by substituting the MAC address of the device. Until this is done, the tracking data will remain disabled.
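The rework described above can be illustrated with a small sketch (an added example, not MaximaTelecom's code): the flawed lookup trusts the MAC address alone and embeds the whole profile in the page, while the hardened one requires a server-issued token bound to that MAC and hands the page only an ad segment. All names, the profile fields and the sample data are hypothetical and constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: profiles keyed by device MAC, as the article describes.
PROFILES = {
    "aa:bb:cc:00:00:01": {"phone": "+70000000001", "age": "25-34",
                          "home": "Station A", "segment": "S17"},
    "aa:bb:cc:00:00:02": {"phone": "+70000000002", "age": "45-54",
                          "home": "Station B", "segment": "S42"},
}
SERVER_KEY = secrets.token_bytes(32)  # known only to the portal backend


def page_data_weak(client_mac):
    """Flawed pattern: the MAC reported by the client is the only lookup key,
    and the full profile ends up in the page source."""
    return PROFILES.get(client_mac, {})


def issue_token(mac):
    """Issued once, after the user proves control of the phone number
    (for example with an SMS code); stored on the device as a cookie."""
    return hmac.new(SERVER_KEY, mac.encode(), hashlib.sha256).hexdigest()


def page_data_hardened(client_mac, token):
    """The MAC alone proves nothing: the request must also carry the token
    issued for that MAC. Even then the page receives only the ad segment,
    never the phone number or the home and work stations."""
    profile = PROFILES.get(client_mac)
    if profile is None or not token:
        return {}
    expected = issue_token(client_mac)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return {}
    return {"segment": profile["segment"]}


if __name__ == "__main__":
    own_mac, other_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    own_token = issue_token(own_mac)
    print(page_data_weak(other_mac))                 # full profile of another device
    print(page_data_hardened(own_mac, own_token))    # own ad segment only
    print(page_data_hardened(other_mac, own_token))  # substituted MAC: nothing
```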
According to MaximaTelecom, a large-scale leak of user data was avoided. The only exception is the database that Serov personally collected; any others are "unknown" to the operator. What will now happen to this database was not mentioned. The company did not record any mass attacks of this kind.
It is possible to decrypt already encrypted data using a statistical method and match it to a phone number if the attacker already has information about subscribers' phone numbers stolen from us.