Virgin Media Wi-Free certificates

h57xiucj2z946q

In the interest of security and to make you aware, it looks like Virgin Media don't provide certificates to ensure their clients are connecting to an authenticate Wi-Free network anymore.

Click the question "How can I tell if the Horizon Wi-Free network that I’m connecting to is a genuine Virgin Media network?" here

I have created a thread about it here and provided a cert I found in their old application and some instructions on installing on an Android device if anyone is interested: http://www.boards.ie/ttfthread/2057637939/

Here is some other links on why certificatin valiation is important in WPA Enterprise networks:
https://www.itinsight.hu/blog/posts/2015-01-12-the-tale-of-a-rogue-access-point.html
https://en.wikipedia.org/wiki/MS-CHAP
https://www.mocana.com/blog/2012/08/22/microsoft-responds-to-ms-chap-v2-cracking
http://blog.zoller.lu/2012/08/what-you-need-to-know-about.html

syklops

So Horizon Wi-Free is vulnerable to Wifi Pineapples. Oh dear oh dear oh dear.

I loved that VM thread. VM: Its ok, our team has advised us we arent doing certificates any more. Kthxbye!

h57xiucj2z946q

syklops wrote: »

So Horizon Wi-Free is vulnerable to Wifi Pineapples. Oh dear oh dear oh dear.

I loved that VM thread. VM: Its ok, our team has advised us we arent doing certificates any more. Kthxbye!

Haha yeah, they don't give a damn!

LoLth

Raelyn Future Casket wrote: »

Haha yeah, they don't give a damn!

there are some very intelligent and gifted techies working in VM (ex UPC) so I would be concerned about why they have let this vulnerability emerge. I cant imagine any security bod being happy to be associated with something this careless.

new cert rollouts to come? some alternative setup? A new app? or a press release about improvements to security that is really just a return to the old security that was allowed lapse...

syklops

LoLth wrote: »

there are some very intelligent and gifted techies working in VM (ex UPC) so I would be concerned about why they have let this vulnerability emerge. I cant imagine any security bod being happy to be associated with something this careless.

new cert rollouts to come? some alternative setup? A new app? or a press release about improvements to security that is really just a return to the old security that was allowed lapse...

At an educated guess I'd say a project manager somewhere who doesnt grasp the seriousness decided the certificates were a hindrance and in a meeting it was decided they wouldn't do them anymore. Happens all the time.

h57xiucj2z946q

I went onto their live chat to ask the same question with a famous actors name. You can see they aren't too bothered. I don't know why I blurred out their name. I guess I'd feel bad if they lost their job over me posting this!

LoLth

:O William Robert is a Virgin Media customer! cool!

if they only use account notes (I did say "if") then how do they track issues?

I'm going to guess that this now constitutes being made aware of the security issue. Does this open them up to liability if a customer suffers a breach from exploitation of this flaw?

h57xiucj2z946q

It's hard to know what to make of it!

syklops

You should have used the name Gerry McCarthy. That way when they said, "I've put a note on your account", you could ask them how did they know which Gerry McCarthy to put the note on. Sure theres 17 Gerry McCarthys in my parish alone.

h57xiucj2z946q

syklops wrote: »

You should have used the name Gerry McCarthy. That way when they said, "I've put a note on your account", you could ask them how did they know which Gerry McCarthy to put the note on. Sure theres 17 Gerry McCarthys in my parish alone.

Hahah good idea!

IamMetaldave

Even reading that back infuriates me!