Abusing the Cloud

by riemann

The following article relates to a very simple hack of Internet service provider The Cloud's public Wi-Fi network.

Please, please don't do anything that would get you into trouble such as accessing their Wi-Fi routers without permission; this article is written only to flag up a potential weakness in their login process.

Some background first: The Cloud sells itself as one of Europe's biggest public Wi-Fi providers, which you can sign up for on a monthly contract, or on a pay-as-you-go policy.  When connected, it allows a subscriber unlimited Internet access when their smart phone is used within the range of an establishment such as a restaurant or cafe.

In my case, the local McDonald's was where I found myself bored and chomping on a Big Mac.  I fired up my iPhone's Safari browser, and the only Wi-Fi access in the area was given as "The Cloud."

As expected, this automatically navigated me to the sign-in window for accessing The Cloud services.  The "login" had automatically put my phone down as being on the Vodafone network (correct), though to my surprise the only security/password required was my mobile phone number!

Just to check all was well, I inserted my own mobile number and this was quickly rejected as I am not a member of The Cloud.

However, this did get me thinking...  I quickly opened my contacts list on my phone with the hope that one of my contacts had an account with The Cloud.  It was easy to filter the list of numbers into friends who had business phones or did a lot of business traveling.

It was now simply a matter of copying and pasting each mobile number (thanks iOS 3) into The Cloud's login screen to see if they were accepted.  With much amazement, on the third such entry, I succeeded in being accepted by the router!

It was then a matter of navigating to a web page (Google in this case - sorry!) to show I was really connected.

In conclusion, it is clear that The Cloud has a vulnerability in their network which could allow unauthorized access to their services by jumping onto someone else's account.

Once accessed, it could allow a malicious user to tether up their mobile phone to a laptop and abuse this access (multiple The Pirate Bay torrents?).  As for your friends' phones, I believe they would not necessarily be charged any extra as The Cloud offers unlimited downloads on its monthly subscription.

However, they might be cut off due to your dubious online activities under their name!
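From the operator's side, the pattern described above (one device submitting several different mobile numbers until one is accepted) is visible in portal login records. The following is an added example, not code from the article or from The Cloud; the log fields, the sample records and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample portal log (assumed fields):
# (timestamp_seconds, client_mac, submitted_number, accepted)
SAMPLE_LOG = [
    (1000, "aa:bb:cc:00:00:01", "07700900001", False),
    (1030, "aa:bb:cc:00:00:01", "07700900002", False),
    (1055, "aa:bb:cc:00:00:01", "07700900003", False),
    (1080, "aa:bb:cc:00:00:01", "07700900004", True),
    (1100, "aa:bb:cc:00:00:02", "07700900010", True),   # normal subscriber
    (1200, "aa:bb:cc:00:00:03", "07700900020", False),
    (1210, "aa:bb:cc:00:00:03", "07700900020", False),  # same number retyped
    (5000, "aa:bb:cc:00:00:03", "07700900021", True),   # outside the window
]

def find_identifier_guessing(events, window=600, max_distinct=3):
    """Flag clients that submit at least `max_distinct` different numbers
    within `window` seconds. `accepted_number` is set when one of those
    attempts was accepted, i.e. the device is now on someone else's account."""
    by_client = defaultdict(list)
    for ts, mac, number, accepted in sorted(events):
        by_client[mac].append((ts, number, accepted))

    alerts = []
    for mac, attempts in by_client.items():
        start, worst, taken = 0, 0, None
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= window seconds.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            distinct = len({number for _, number, _ in in_window})
            worst = max(worst, distinct)
            # An accept arriving after a run of different numbers is the key signal.
            if distinct >= max_distinct and attempts[end][2] and taken is None:
                taken = attempts[end][1]
        if worst >= max_distinct:
            alerts.append({"client": mac, "distinct_numbers": worst,
                           "accepted_number": taken})
    return alerts

if __name__ == "__main__":
    for alert in find_identifier_guessing(SAMPLE_LOG):
        print(alert)
```

Retyping the same number or switching numbers hours apart does not trigger an alert; only several different numbers from one device in a short span does.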
