On September 11, 2015 I visited MediaMarkt in Utrecht Hoog Catherijne, a well-known electronics shop in The Netherlands. Since summer 2014, the biggest independent Dutch phone retail company Phone House also operates (white labeled) from within MediaMarkt locations as a store-in-a-store concept. I had a few questions about my phone subscription so I talked to a Phone House employee. We were discussing the new Samsung Galaxy S6 Edge phone and I was thinking about buying one.

Somewhere in the conversation the service & sales guy asked me what I did for a living so I told him I earned my money as a freelancer by hacking (with authorization) into computer systems of businesses and writing security reports about it. He thought that was cool so we talked a few more minutes about this subject. I even told him I had noticed some months ago that one of his MediaMarkt colleagues had written a password on a post-it and attached it onto a computer monitor near a cash desk, in plain sight where any customer could see it :

As you can see, the password to unlock MediaMarkt computers was media321. A very strong one!

We both laughed about how irresponsible and naive that was.

The conversation continued about my desire for a new phone and about all associated kinds of subscriptions I could choose of. After about ten minutes I made up my mind and ordered a new phone and a new subscription. I’m still in shock about what happened next!

Context

But first two things about the context:

As Phone House is not a telecom operator itself, it functions as a dealer for telecom operators in The Netherlands such as Vodafone, KPN, Telfort, T-Mobile, Tele2, UPC and others. So, they can basically cover the complete Dutch telecom market. The telecom service & sales desk is located in the middle of the MediaMarkt store and designed in such a way, that customers can look at the computer monitors used by the employees. No effort is made to block your view on the monitor and customers can look straight in on MediaMarkt’s service computers.

Opening up the password file

The sales guy started renewing my Vodafone subscription and therefor needed to log in at a dealer portal from Vodafone. He didn’t remember the login password, and, here it comes, on the screen he opened an Excel file which contained *all* their passwords.

Is this happening for real? I had just told him minutes ago I’m an experienced professional hacker and we had both laughed about the password-taped-on-monitor leak.

Curiously and intensively I looked on the screen to get a picture of the treasure trove that was in front of me. Passwords to view and modify customer data of KPN, Vodafone, Telfort, T-Mobile, UPC, Tele2 and other companies were in plain view.

A curious detail was that the Excel password database was stored on Google Docs and the login details of their Google Account were also in front of me. Neat! I could look up their passwords anytime I wanted from any computer in the world.

Passwords stored unencrypted on Google Docs

As Google is a company located in the United States, the Google Docs servers are probably also located there, or at least subject to the Patriot Act. I think it’s safe to say the NSA probably (still) has direct access to documents stored in Google Docs. The password database is stored without encryption in the cloud so it can be assumed the NSA has access to it. So much for all the encryption effort made by Dutch telecom providers after the Edward Snowden leaks: Phone House is trusting their passwords to an American company.

Leaving the file open

The sales & service guy who assists me is frequently approached by his colleagues for help. Apparently he’s the senior of the telecom department.

He printed a renewal contract for me which I had to sign. I told him I first wanted to read it. He said: “You’re the first person in years who wants to read the contract”. I often hear that. Apparently nobody takes time to read only one page of small text. Most people seem to blindly trust companies, but I’m not like that. The sales guy said: “Take your time”, and then moved away from his desk to reorganize products in his part of the shop. He left the password sheet open right in front of me. I couldn’t believe what he had just done. Was he testing me?

The battery of my old phone had died (hence I wanted a new phone) and unfortunately I couldn’t take a picture of what had just happened. I silently cursed. Without any evidence, would a stranger believe me if I told him what had just happened? I think it’s a small chance: seeing is believing.

Documenting the password gate

I left the shop and returned three weeks later on October 3rd (2015) curious to see if the same employee I spoke to in September was working there again. But he wasn’t! Well, let’s try with his colleague to see if I could social engineer him in such a way that he would open the password file again. I asked him something about my subscription. To answer that, he needed to login to the Vodafone portal, and yeah, there we meet again, my precious password file:

I also made a high resolution photo of the screen:

It was not just an incident in which one employee was careless with the company password database, apparently multiple employees were. Seems like a structural problem and a fundamental lack of security and privacy awareness within Phone House and MediaMarkt.

Password strength analysis

As a customer you would expect the company you trust your personal data to, to make the utmost effort in protecting those, right? Doesn’t seem to be the case here. Your personal details were protected via passwords such as:

m 12345678 Utrecht beginnen01 Utrecht12345 upc12345 Welkom03 Mediautr03

For the non Dutch readers, I’ll translate the following Dutch words:

‘beginnen’ means ‘to begin’.

‘welkom’ means ‘welcome’.

‘utrecht’ is the city the shop is located in, sometimes abbreviated as ‘utr’.

As you can see, there is even an account that has an one-character password and the password 12345678 is used in multiple accounts. And that last password is the fourth most used password in 2014. Phone House employees must lack creativity or just don’t care. Also the dealer portals don’t enforce strong passwords.

Looking at the passwords Welkom03 and Mediautr03 it seemed that a password change policy was active on some systems that forces users to regularly change their passwords. It seems like Phone House employees have found a system to circumvent that protection by incrementing the digit of their password each time. They have probably already done so twice. Giving user accounts the initial password Welcome01 is de facto standard in companies, as this one complies to most password policies: it consists of upper and lower case characters, and also contains multiple digits. You should welcome your new users, right?

User name analysis

All the user names in the password file are non-personal. This means that telecom providers and Phone House can’t hold account of who exactly logged in with a given user account. Also, if a Phone House employee quits the company, all passwords of the shared non-personal accounts should be changed. Given the circumstances I highly doubt this to be the case.

Even if the passwords for some accounts are regularly changed, the most important password, that of the Google Account in which the password database is stored, seems to be static: Utrecht12345.

Opening up the dealer portals

The password sheet contained all kinds of portal names, but their internet addresses weren’t located in the file. In order to estimate the risk involved, I needed to find out if these portals were freely accessible over the internet, so I started googling them. Within a minute I found that the employees of a Phone House store located in the city of Joure created a public link directory with all locations of the dealer portals they use:

I clicked on all dealer portals to see if they were freely accessible via internet, and quite a lot of them actually were:

ADSL/Digitenne/IPB KPN : Login screen visible ADSL/Digitenne/IPB Overig : Login screen visible BEN : Just links to the main Ben website Dynafix : Login screen visible HSF verzekeringen : Login screen visible Klantvoordeel KPN/Hi/Telfort : Error message is shown KPN Compleet indicatie : Error message is shown KPN Deal-It : Login screen for business market visible.

Login screen for customer markted protected via IP address whitelisting KPN Vamos : Error message is shown KPN Verkopers informatietool : Link redirects to main KPN website T-Mobile TAS : Login screen visible Tele2 Nieuw : Login screen visible Tele2 Verlenging : Login screen visible Telfort : Error message is shown Vodafone U-Buy (Spice) : Error message is shown Vodafone Distrubutie support : Login screen visible Yes Telecom Business : Login screen visible Youfone : Login screen visible Ziggo : Login screen visible Ziggo Mobiel : Link redirects to main Ziggo website

Six portals seemed to use mutual SSL/TLS authentication and/or IP address restriction, like it should be, but twelve portals were freely accessible. This means that I could log in as a Phone House employee on those dealer portals and manage the configuration of customers. I didn’t log in. If I had done so, I would have broken the law and I never do this.

I could use the easy to use Tor Browser Bundle in order to masquerade my IP address. That way I could perform the unauthorized access completely anonymous, leaving no traces. That ‘crime’ would be hard to solve.

Circumventing IP address restriction

The portals that have IP address range restriction set-up, can easily be defeated by covertly installing a LAN Turtle or mobile broadband enabled WiFi Pineapple in one of the MediaMarkt shops, so remote access is gained to their internal network and thus the IP address restriction can be circumvented.

Finding a network cable or socket to attach the remote access device to is fairly simple, as MediaMarkt is an electronics shop, and customers have easy access to all kinds of occasional unmanned support desks which are located everywhere in the shop. I had quickly located several vulnerable spots.

Impact of leak

My personal estimation is that Phone House, via dealerships, has access to personal data of basically all Dutch citizens who own a mobile phone. That would be somewhere between 10 and 14 million people; only counting the people who are alive. But I guess these portals also contain data of deceased people. Black hat private detectives, stalkers and fraudsters would love to have direct internet access to such a trove of personal data.

I discovered my findings had been applicable to all MediaMarkt and Phone House stores for over a very long period of time. More on that later.

Back to Phone House Joure

The Phone House store in Joure created a Google Sites website in order to host their links on. Wondering how recent the link directory was, I clicked on the ‘recent site activity’ link in the footer:

The complete history of all site modifications was shown. Including a change to a specific file that had nothing to do with the link directory:

I clicked on that specific file to see what it could contain:

Things were getting weirder. What I saw seemed to be internal financial administration of Phone House Joure. Somehow I got the feeling this was private company data and not meant to be seen by others. Or has Phone House got a really transparent policy towards their provision and sales data? Okay, I’m not to investigate this particular matter any further. I digress. Back to the password story.

Computers are never locked

What I noticed as well, was that every time service & sales employees leave their computers, they never-ever lock it. So people walking by have full and easy access to it. Furthermore, on all occasions that I was able to look at the password file, it had already been opened by the employee. They just had to press ALT + TAB to re-activate it.

Leaving a computer unlocked when walking away makes it very easy for an attacker to obtain passwords. Also, I noticed this specific computer had easy-to-reach USB ports. I could perform a USB drive by attack with a prepared Rubber Ducky or Teensy, with which I could have gained remote access to the computer within 10 seconds.

Auto completion of passwords

Web browsers of Phone House computers are configured to save user names and passwords and pre-fill them (most of the times) whenever they’re navigating to a login screen. A computer user only has to press the ‘login’ button to enter the system. Permanently storing passwords in browsers is risky as they are by default stored non-encrypted on the computer. A master password could be configured to open the browser password store (and add encryption), but practice unfortunately shows that most users never configure one.

Opening up a customer file

Another remarkable thing I noticed, was that I only had to give my telephone number to the Phone House employee and subsequently my Vodafone file would be opened. No other security questions were asked to validate my identity. However, a reverse validation question was indeed asked: “Do you live at address [..]?”. I malicious person would of course reply: “Yeah I definitely live there”.

What should have been the case

Summarizing the situation; how should it have been done ideally?

Improvement points for Phone House and MediaMarkt:

Don’t write passwords on post-its stuck onto monitors. Don’t let (potential) customers look in on the screen an employee operates on. Physically shield the viewing angle of the computer monitor. Apply a privacy screen on the monitor to further minimize the viewing angle. Create strong passwords. Change passwords frequently. Lock computer screens when leaving the computer. Never use a non-personal account with multiple people. Create individual user accounts for all employees. Change the passwords of non-personal accounts when an employee who had access to those accounts quits the company. Use a safe password store, such as KeePass, that shields passwords and uses strong file encryption. Don’t store the password database in the cloud. If a cloud solution is nevertheless used (and still, keep your password database out of it), use a cloud provider with a data center in The Netherlands so that intelligence agencies such as NSA and GCHQ don’t have direct access to your files. Never store passwords on a computer without encrypting them. Always close the password database file after coping the password that was needed. Protect user accounts (such as the Google Account) with multi-factor authentication (such as Google Authenticator). Don’t publish links to dealer portals publicly on the internet and also shield your financial administration. Perform decent checks to validate if a customer is really who he says he is: When working with personal data in a store, always ask to see the customer’s identity card. It’s mandatory in The Netherlands to have one on you at all times. If a customer calls the service desk, call him back on the telephone number that is linked to the customer’s account. Disable USB ports on computers via a software or hardware solution. Train your employees in IT security and privacy practices. Create the right corporate culture so that security and privacy is propagated by your employees.

Improvement points for telecom operators:

Make sure dealers have the possibility to create individual user accounts for their employees. Apply IP address restriction on dealer web portals. Require a client HTTPS (X.509) certificate when setting up a connection to a dealer web portal. Enforce a strong password policy, such as: a minimum password strength of eight characters; a password that isn’t known in brute force password lists; add custom complexity rules: enforce the use of upper, lower case, numbers and special characters; passwords can’t be the same as user names; enforce that passwords are regularly changed; enforce that changed passwords aren’t re-used and are substantially different in comparison to previously configured passwords. Make sure that your web portal supports multi-factor authentication. Disable the HTML AutoComplete option in web forms that process authentication data such as passwords.

When summing it all up, you see it’s quite a list of things that went wrong (!).

It makes me very sad that all mentioned above still isn’t regular practice for businesses in 2015.

MediaMarkt threatens to sue me and denies everything

It’s time to contact Phone House and MediaMarkt and tell them about my findings (October 4, 2015). As I had the direct e-mail address of the responsible MediaMarkt department in Utrecht (it was visible in the password file), I mailed them my findings. They didn’t respond.

A few days later I got an e-mail from the store manager of MediaMarkt Utrecht Hoog Catherijne and he threatened to sue me if I went public. There you stand as a good willing civilian just wanting to make the world a safer place. I think it’s childish and also a very hostile response towards someone who simply notifies you of a critical security vulnerability that your company is responsible for. It’s like shooting the messenger.

To go even further, MediaMarkt denied I could get access to web portals which are hooked up to the internet with the captured login details. This response demonstrates the fundamental lack of knowledge about how the internet works. I’m not crazy: if I have login details and if the login screen is accessible over the internet, then I can log in with those credentials. Simple as that. But I didn’t do so, since it’s illegal.

MediaMarkt dismissed all my findings as “appearance of insecurity”. Talking about ignorance … They concluded their e-mail demanding I destroy the pictures I took of their passwords within 24 hours.

I replied explaining how responsible disclosures work and that this attitude towards me is damaging their own company. To eliminate any possible anxiety people have when in contact with a hacker, I clearly stated my intentions were good. This luckily had a positive effect and the next day I was invited for a cup of coffee. More on that later.

Contacting the affected telecom providers

As I had anticipated such a lame initial response from MediaMarkt and Phone House to be possible, I had also taken time to inform the telecom providers involved. These providers are very important stakeholders for Phone House and can apply the right company-pressure in order to fundamentally improve security and privacy practices. In comparison to MediaMarkt, all involved providers were very polite towards me.

I have to give special credits to the KPN computer emergency response (CERT) team. They contacted me frequently about their progress and also immediately set a minimum password strength policy on their dealer portal, so one character passwords weren’t possible anymore. KPN has become very capable of handling responsible disclosures ever since they were badly hacked in 2012. Kudos for them. They were also the only party involved to give me a nice bounty:

The Vodafone security guy also was very kind towards me, as well as Tele2, who took time to learn about the whole story.

Status: two weeks after disclosure

Two weeks after I had contacted all parties involved, I went back to the MediaMarkt store, cause I was in need of a birthday present for a friend. I also had a genuine question about my Vodafone subscription.

When entering the shop, I saw no more passwords written on post-its stuck onto monitors. Things were looking better! So I went to the telecom desk with my question. The employee logged in on Windows with a password that ended with 1234. I couldn’t see it clearly, but I think the first password part was media. Cool, they had also changed their main Windows password and made it more secure by adding an additional character. media1234 is so much more secure compared to media321. Good job!

Then the employee logged in on another system. He hit character 1 and with one smooth and fluent movement only stopped his finger at character 8. I’ve never before seen anyone entering password 12345678 in one smooth swipe like this. It really looked cool!

Subsequently, he opened up the notorious Excel password file in front of my eyes. Some passwords had been changed, many had not. Actually, nothing really had changed.

MediaMarkt, we need to talk.

Having coffee together

A few days later (October 22nd, 2015) I went to meet the store director face-to-face. Given the circumstances, the start of the conversation was slightly uncomfortable. I was told they initially misinterpreted my intentions and had seen me as a bad hacker.

Once the ice had been broken, I told him password gate had not yet been fixed and urged him to take action immediately. He said he was waiting for Phone House to act since it was their infrastructure and personnel. I told him I wanted the vulnerabilities to be fixed before I was going to publish this story. To add pressure, I added that I didn’t want to wait very long with this publication.

As a quick and dirty fix that would close the most important gate in five minutes, I suggested they make the font color of the passwords in the Excel file black, as well as the background color of the cell. This would still enable the telecom employee to copy the password to the clipboard, but the password would not be visible anymore when shoulder surfing. I told him to apply this patch himself and shouldn’t wait for Phone House to do so.

A week later

Curious to see if progress had been made, I sat down with the director a week later (October 28th, 2015). Our earlier conversation had impact since directly afterwards various actions had been performed and internal company pressure had increased to set priorities right:

All my recommendations (as mentioned above) had been sent to all fifty MediaMarkt stores in The Netherlands and to Phone House as well. They had chosen a safe software product to store their passwords on. A lengthy manual had been written (they even showed it to me); so their employees would know how to use it. Privacy screens had been installed and the secure password database was now implemented in the MediaMarkt store in Utrecht.

The director asked me to wait with publication for a few more weeks as Phone House had planned a road trip to install their new password store software in all their shops, of which there are quite a lot.

I told the director I had not heard anything from Phone House yet and given the circumstances I felt as if I was being ignored. He relayed that feeling and the next day I got a friendly call from Phone House.

Having coffee together helps!

TalkTalk gets hacked

As I first began writing this story, the large British telecom provider TalkTalk got hacked. On October 30, 2015 they confirmed the following numbers:

Total number of customers whose personal details were accessed is 156,959;

Of these customers, 15,656 bank account numbers and sort codes were accessed;

28,000 obscured credit and debit card numbers were accessed.

According to TalkTalk “these criminals were very smart” and the attacks were “sophisticated”.

A week later the BBC reported that four people have been arrested over the hack so far: a boy of 15 in Northern Ireland, a 16-year-old boy from west London, a 20-year-old Staffordshire man, and a 16-year-old boy in Norwich.

When it can be performed by teenagers, I wouldn’t call a cyber attack very smart and sophisticated. But, perhaps calling it that way says more about the competence of the telecom company than about the perpetrators.

Controversial detail is that this is the third hack on the TalkTalk website since February this year.

Apparently TalkTalk is not the only telecom provider with bad IT security.

Final words

The password database gate of Phone House could be exploited by anyone with basic computer skills. You only needed a camera and knowledge of how to use a login form. I hope this story is a wake-up call for everyone who works with computers and handles personal data of others.

As an IT security consultant and professional ethical hacker, I work for many different kinds of businesses every week and analyse their security. I won’t (specifically) name my customers as I’m very loyal to them. But believe me when I say that Phone House and MediaMarkt aren’t the only big companies with terrible IT security. Nowadays it’s actually standard (really!). Only banks and the military have the budget to get the right IT security. Unfortunately even they get very vulnerable on occasion.

Should things be fundamentally changed in our society regarding IT security? Or do we accept the fact that we’re inherently insecure? How about in 10 years time when our houses, cars and human bodies are hooked up to the internet? And what about our critical water, food and energy infrastructures? Oh uh, those have already been connected to the internet.

Update, December 10th, 2015

Via a trusted friend I heard that not too long ago, he noticed that the MediaMarkt in the city of Drachten also uses a very weak password, a similar numeric password as used by MediaMarkt Utrecht. One that can be entered with a fluent finger swipe as well and which isn’t eight characters long ;-)

Also, from another trusted source, I heard MediaMarkt Utrecht still uses weak passwords. Phone House seems to be incorrigible on this matter. Or perhaps strong passwords are simply too difficult?

Furthermore, a lot of journalists have recently contacted Phone House to verify my story. Their initial response on the first day of the publication was complete denial; a typical example of damage control by large companies. As media picked up on my story (despite the denial), Phone House soon realized the genie was out of the bottle and admitted to a journalist that names and addresses of customers, and also in some cases a copy of the drivers license and passport could be visible in customer files in internet-facing dealer portals.

The existence of the infamous password Excel file has been confirmed by various readers (#1, #2, #3, #4) on well known Dutch news site Tweakers and also on Twitter and Reddit. More shocking however, is the fact that one reader found out the Excel file was still being used at a particular location last week. Allegedly a MediaMarkt employee anonymously states on onemorething.nl that no security changes have been implemented by MediaMarkt yet (in the specific location he/she works in?). Despite all efforts, the security problem seems to be far from fixed! :-(

Anonymous comments on Tweakers from (ex) (dealer) telecom employees (#1, #2, #3 #4) who work with these vulnerable systems, show us that MediaMarkt employees were all shocked by the (easy) accessibility of personal details via their computers. They confirmed they had access to millions of records but stated that these records could only be retrieved one-by-one (after performing a simple search for a specific customer record). One comment named the following personal details to be visible in Phone House’s computer systems:

Name; Address; Telephone number; E-mail address; Date of birth; Bank account number (without the last three digits); (Often) a complete copy of an identity card including the personal state registration number (in Dutch: burgerservicenummer).

In reaction to this blog post many people point out that Phone House (as well as MediaMarkt, probably) is liable to receive a fine of up to ‚¬ 820.000 if this incorrect security situation is still persistent on January 1st, 2016. Since on this date new strict privacy legislation enters into force in The Netherlands which obliges companies to report security incidents. The government then subsequently has authorization to fine companies if a grave violation in protecting personal privacy indeed has been committed.

I might have saved MediaMarkt and Phone House quite a lot of money! Sebastiaan Pouyet suggests on Twitter Phone House should haven given me a ten minute free shopping spree in MediaMarkt. Of course I could never turn down such a tempting offer ;-)

Update, December 13th, 2015

It turns out MediaMarkt is not the only one with passwords attached to their monitors. The official Dutch state news organization (NOS) appears to be ‘guilty’ here as well. Luckily, this time I didn’t have to take a picture since a NOS employee had already done so himself and even posted it on Twitter on December 11th, 2015:

The password is Welkom01. The very same weak password Phone House used.

When someone on Twitter notified the NOS employee of this password leak and also alerted him to my (blog) story, he replied by saying that he had already read my story and thought it to be good. Although it had not immediately made him change his own weak password or remove the password-notice that was taped onto his monitor.

Timeline of notable events in password gate

September 11, 2015 First observation of the Phone House password gate. Can’t take photo of password file. October 3, 2015 Second observation of the Phone House password gate. Took a photo of password file. October 4, 2015 Report the vulnerability to MediaMarkt and telecom operators. October 6, 2015 MediaMarkt sends threatening (juridical) mail. October 17, 2015 Validate that password gate is not yet closed. October 22, 2015 Have coffee with MediaMarkt store director. October 28, 2015 Have coffee part two: “We patched one store, but we need weeks of more time because of a big patch road trip”. October 30, 2015 Details about the hacked British telecom provider TalkTalk are published. December 8, 2015 This story is published. December 11, 2015 NOS employee posts a picture on Twitter on which you can see his password taped onto his monitor.

Sites that link to this story