Dave Marcus has more than twelve years of technical experience in information security, and network and host ...
One of the perks of travel is access to Executive Lounges. One of the perks of Executive Lounges is that they often have VERY cool devices on display for the weary traveler to use. In one particular lounge I am currently in resides a very nifty Motorola XOOM:
As I am in Korea at the moment the first thing I had to do was change the default language to English (which I admit took more than a few minutes) and then I decided that I would try to take a LONG stroll through the inner workings of this ‘droid. I had figured the device would be locked down to some extent and that I would have to get a bit creative….
Talk about being wrong.
I am kinda torn on the idea of shared devices. It’s great to have access to cool technology in a lounge or a store but you would kind of hope there would be SOME kind of protection or device management/lockdown going on. Who in their right mind would log into a wide open device and use it for their private email, Twitter or Facebook use, right? I think you guessed…. quite a few people.
This particular XOOM (and there were several in this lounge as well as at least one Motorola ATRIX) had what you would expect: Twitter, YouTube, Facebook and such. All of these had multiple logins with the account data saved (which I will NOT show for obvious reasons) but in truth this was not what surprised me. Poking around I quickly noticed that I had full access to the main account that the device used:
Accessing the account settings I could have easily reset the password:
I also, however, had access to the Marketplace account billing information:
Now remember that as I also had access to the main Gmail account (the same one the Marketplace used) I could have changed the password and begun using this account on any Android device I wanted. Marketplace app 0wnage awaits! I should also note that all the devices in this lounge used the same account.
It would have been easy to lay waste to these devices and then pilfer the account used but I am a hacker and I have ethics. Think of the flip side.
Let this be a lesson to you road warrior travelers out there – be VERY careful when using shared devices in lounges. They are wide open. In many cases they save account information (this one did): email, social media, website logins, etc… So it might be better to avoid using them at all and wait to use your own devices. If you are going to let others use your device, lock it down!! There are quite a few apps and guides that can walk users of all levels through at least deploying these devices with some level of control.
Time to change language from Korean to English – 5 minutes. Time to get device main account access and full info – less than 1 minute. Advice? Spend MORE than 5 minutes and learn how to manage your devices and their settings. The identity you save just might be your own.