Quote:
|
Originally Posted by Alexander Turcic
Scotty, the flaw you are speaking of could be seen as a flaw in the current implementation of the iDS. But since it's easy to guess given MAC addresses as they are distributed in consecutive order, there isn't any harm in posting your iLiad's MAC address. Of course you wouldn't want to share your user login/password with anyone.
|
Alexander,
There are two weak things iRex is doing.
1. They are doing as Ali suggested to a posting I made ont he iRex forum: using the MAC as a unit identifier in a situation where a cryptographically secure key of much longer bit length should have been used.
2. They are using a very short number as the authentication token for the user's account, where they should have been using a cryptographically secure number of much longer bit length.
There are in fact fewer MAC's to iterate than suggested above. iRex seems to be using around 512 active MAC's.
However, MAC scanning isn't the exploit I was advising about.
The exploit I was speaking to is this. If someone can lookup your MAC a person can then use that known MAC to find your userid. Once they have your userid they own your iRex account. You can change your password, change your email address, but they still own your account and they can use it from anywhere.
Not an issue right now, but in the future, when say you can purchase things or move sensitive information through your iDS account... they will fit the definition of "ghost in the shell" as far as your iLiad is concerned.
So like I said above, if you posted your MAC, I recommend you erase it, purge the Google cache... because whatever iRex does, there will need to be a bridge to get to the new improved means. If you have picked up a ghost, they could possibly follow you through the bridge into the new scheme...