If you posted your iLiad MAC address read this.

scotty1024 · 10-04-2006, 06:31 PM

There is a potential flaw in the iDS protocol that can possibly be exploited by someone whom has your iLiad's MAC address.

If you have posted your iLiad's MAC address anywhere on the Internet you might want to go remove it.

ali · 10-05-2006, 03:18 AM

How's that gonna work? I assumed you have to supply email address and password to iDS before it let's you in.

On the other hand - there are just two bytes of freedom in the mac addresses. Having a script running 65000 connection attempts shouldn't be difficult, so it doesn't matter anyway if you posted the mac, right?

jæd · 10-05-2006, 03:25 AM

Quote:

Originally Posted by scotty1024

There is a potential flaw in the iDS protocol that can possibly be exploited by someone whom has your iLiad's MAC address.

If you have posted your iLiad's MAC address anywhere on the Internet you might want to go remove it.

So... Have you informed Irex, or is this another bug you will keep to yourself...?

Alexander Turcic · 10-05-2006, 04:44 AM

Quote:

Originally Posted by ali

How's that gonna work? I assumed you have to supply email address and password to iDS before it let's you in.

On the other hand - there are just two bytes of freedom in the mac addresses. Having a script running 65000 connection attempts shouldn't be difficult, so it doesn't matter anyway if you posted the mac, right?

Plus, the two bytes are distributed in consecutive order. You can find more about it here.

Alexander Turcic · 10-05-2006, 04:45 AM

Quote:

Originally Posted by scotty1024

There is a potential flaw in the iDS protocol that can possibly be exploited by someone whom has your iLiad's MAC address.

If you have posted your iLiad's MAC address anywhere on the Internet you might want to go remove it.

Scotty, the flaw you are speaking of could be seen as a flaw in the current implementation of the iDS. But since it's easy to guess given MAC addresses as they are distributed in consecutive order, there isn't any harm in posting your iLiad's MAC address. Of course you wouldn't want to share your user login/password with anyone.

TadW · 10-05-2006, 11:34 AM

Quote:

Originally Posted by scotty1024

There is a potential flaw in the iDS protocol that can possibly be exploited by someone whom has your iLiad's MAC address.

Scotty, could you PM me with the details? I have spent quite a lot of time with the iDS and I don't see how someone could harmfully exploit iDS through someone's MAC address. Note that the addresses are really just a series of consecutive numbers, probably distributed in the order the iLiads were shipped.

scotty1024 · 10-05-2006, 11:52 AM

Quote:

Originally Posted by Alexander Turcic

Scotty, the flaw you are speaking of could be seen as a flaw in the current implementation of the iDS. But since it's easy to guess given MAC addresses as they are distributed in consecutive order, there isn't any harm in posting your iLiad's MAC address. Of course you wouldn't want to share your user login/password with anyone.

Alexander,

There are two weak things iRex is doing.

1. They are doing as Ali suggested to a posting I made ont he iRex forum: using the MAC as a unit identifier in a situation where a cryptographically secure key of much longer bit length should have been used.

2. They are using a very short number as the authentication token for the user's account, where they should have been using a cryptographically secure number of much longer bit length.

There are in fact fewer MAC's to iterate than suggested above. iRex seems to be using around 512 active MAC's.

However, MAC scanning isn't the exploit I was advising about.

The exploit I was speaking to is this. If someone can lookup your MAC a person can then use that known MAC to find your userid. Once they have your userid they own your iRex account. You can change your password, change your email address, but they still own your account and they can use it from anywhere.

Not an issue right now, but in the future, when say you can purchase things or move sensitive information through your iDS account... they will fit the definition of "ghost in the shell" as far as your iLiad is concerned.

So like I said above, if you posted your MAC, I recommend you erase it, purge the Google cache... because whatever iRex does, there will need to be a bridge to get to the new improved means. If you have picked up a ghost, they could possibly follow you through the bridge into the new scheme...

Alexander Turcic · 10-05-2006, 12:03 PM

Ok, I didn't find out how you can reverse the UserID through the MAC address, but yes, if you can do this, I agree, it's an unnecessary risk.

Thanks for the warning, scotty

ali · 10-05-2006, 04:04 PM

Quote:

Originally Posted by scotty1024

The exploit I was speaking to is this. If someone can lookup your MAC a person can then use that known MAC to find your userid. Once they have your userid they own your iRex account. You can change your password, change your email address, but they still own your account and they can use it from anywhere.

I'm so absolutely lost here... Could you give a few more details.

What userid is this? The email adress used in registration? Something else? How does the mapping MAC -> userid work?

Assume someone has my userid - what account can he take over? And how? And where?

Why are there no passwords involved? I figured that you need the password to log into iDS - at least it didn't work with a password typo in the Iliad's preferences.

What secure keys? I always assumed that a pair of unsecure ID and secret password is a secure key.

yokos · 10-06-2006, 07:04 AM

I don't know what the mentioned userid is, too.
Your iLiad has a given MAC-Address, you haven choosen an username [email-account address] & a password for your MyiRex-Account.
The name in iLiad Settings [1st of 3 fields] is chooseable freely [not used in IDS].

TadW · 10-07-2006, 03:21 PM

It has to do with the Web2iDS tool Alex has posted some time earlier. A closer inspection reveals that one can do more with iDS than iRex probably had in mind. While there is currently nothing harmful really, if iRex plans to do more with iDS and doesn't change the way they authorize devices, then indeed it could be a problem.

pdam · 10-07-2006, 04:13 PM

From the general users point of view (e.g. me and other less technically endowed readers of the forum) it would be great to get an idea of the risk - in terms of potential damage and likelyhood of occurance?

From what I have read here and at iRex, from what I know about the user interaction with iDS and the potential damage to the individual in real terms (assuming good practises like backing up and due dilligence) ... this is more of a technical issue and minor worry - right?

Alexander Turcic · 10-07-2006, 04:16 PM

Quote:

Originally Posted by pdam

...this is more of a technical issue and minor worry - right?

Yes (unless Scotty disagrees with me).

10-04-2006, 06:31 PM	#1
scotty1024 Banned Posts: 1,300 Karma: 1479 Join Date: Jul 2006 Location: Peoples Republic of Washington Device: Reader / iPhone / Librie / Kindle	If you posted your iLiad MAC address read this. There is a potential flaw in the iDS protocol that can possibly be exploited by someone whom has your iLiad's MAC address. If you have posted your iLiad's MAC address anywhere on the Internet you might want to go remove it.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
IDS and MAC address	miguel.ossa	iRex	13	11-19-2010 10:23 AM
Spoofing a Wifi MAC Address on Kindle 3?	Trickery	Kindle Developer's Corner	1	09-06-2010 04:57 PM
SmartQ 7 MAC address	talaivan	Alternative Devices	3	09-11-2009 09:24 AM
iLiad Deconstructing your iLiad's MAC address and serial number	TadW	iRex Developer's Corner	7	10-04-2006 06:15 PM
Wireless MAC address?	scotty1024	iRex	18	08-08-2006 12:12 PM

10-05-2006, 03:18 AM	#2
ali Addict Posts: 302 Karma: 116 Join Date: May 2006 Device: Iliad, dude!	How's that gonna work? I assumed you have to supply email address and password to iDS before it let's you in. On the other hand - there are just two bytes of freedom in the mac addresses. Having a script running 65000 connection attempts shouldn't be difficult, so it doesn't matter anyway if you posted the mac, right?

10-05-2006, 12:03 PM	#8
Alexander Turcic Fully Converged Posts: 18,163 Karma: 14021202 Join Date: Oct 2002 Location: Switzerland Device: Too many to count here.	Ok, I didn't find out how you can reverse the UserID through the MAC address, but yes, if you can do this, I agree, it's an unnecessary risk. Thanks for the warning, scotty

10-06-2006, 07:04 AM	#10
yokos Pac-Man caught my iLiad. Posts: 807 Karma: 3595 Join Date: Apr 2006 Location: Germany; next to Baltic Sea Device: Boox Max Lumi, iRex iLiad (RIP)	I don't know what the mentioned userid is, too. Your iLiad has a given MAC-Address, you haven choosen an username [email-account address] & a password for your MyiRex-Account. The name in iLiad Settings [1st of 3 fields] is chooseable freely [not used in IDS].

10-07-2006, 03:21 PM	#11
TadW Uebermensch Posts: 2,583 Karma: 1094606 Join Date: Jul 2003 Location: Italy Device: Kindle	It has to do with the Web2iDS tool Alex has posted some time earlier. A closer inspection reveals that one can do more with iDS than iRex probably had in mind. While there is currently nothing harmful really, if iRex plans to do more with iDS and doesn't change the way they authorize devices, then indeed it could be a problem.

10-07-2006, 04:13 PM	#12
pdam Groupie Posts: 199 Karma: 100 Join Date: Aug 2006 Device: iLiad, iPaq, Psion5&7, Blackberry	From the general users point of view (e.g. me and other less technically endowed readers of the forum) it would be great to get an idea of the risk - in terms of potential damage and likelyhood of occurance? From what I have read here and at iRex, from what I know about the user interaction with iDS and the potential damage to the individual in real terms (assuming good practises like backing up and due dilligence) ... this is more of a technical issue and minor worry - right?

Advert

Advert