A lesson from an answering machine: the importance of input anchoring in password recognition
I recently made a discovery that shows theimportance of anchoring the input when trying to match a password. Bythis I mean that there should be no extra characters accepted eitherbefore or after the password (i.e., no extra characters that could bepart of the password). Unanchored matching greatly weakens the defenseagainst brute forcing the password.
My wife and I were driving back from dinner when we decided to trythe remote message check feature of our new home phone answeringmachine. I had set the two digit password (let's pretend it is "54")but we hadn't read the directions on how to check messages remotely. Itold my wife our code and she tried just entering the two digits "5-4"and it worked. I had expected that we'd at least have to enter "#"first. That the machine was just listening to the incoming call for thepasscode made me wonder. Playing a hunch, I had my wife call back andenter "1-5-4-0", a four digit passcode with our actual passcode in themiddle. To her surprise (but not mine), the answering machine acceptedthis! However, a four digit code that did not contain our passcode("1-2-3-4") did not work.
I immediately knew the security implications of this: Compared to acase where the passcode had to be anchored, someone trying to bruteforce the passcode would have a much easier time. Counting the numberof passcodes we had thus far tried (3), and assuming there was no limitto the number of digits the answering machine would tolerate, Iextrapolated that someone would just need to enter a 101 digit numberand be guaranteed acceptance. (Ask me about how playing the dominosgame of Mexican Train helped me assure myself that 101 is the correctlength.)
Here is one example of such a 101 digit number that contains all two digit numbers as a substring:
Further testing with the answering machine showed that the passcodemust be entered while the outgoing message is playing and that that youcould enter at least 50 digits followed by the passcode and it would beaccepted. As soon as the second digit of the correct passcode is hit,it starts informing you of your messages (so you can stop punchingdigits).
If the answering machine had required that the two digit code be thefirst thing entered, then someone trying to gain access by bruteforcing the passcode would have to make up to 100 phone calls. Comparethis with a single call. Note also that unsuccessful guesses may leavea message.
Of course, an answering machine allowing only two digit passcodes ispretty lame. Each additional digit adds ten times as many possiblepasscodes. Although the lack of anchoring would still weaken security,a three digit code would require (I think) up to 1002 digits to beentered; beyond the realm of a single call, but within range formultiple calls.
For consumers with such an answering machine, I suggest:
1. Contacting the vendor to complain about the weak security;
2. Exchange your answering machine for one with better security;
3. If possible, turn off the remote access feature except when you need it;
4. Keep your outgoing message short;
5. Increase the number of rings before the machine picks up to slow down the attacker.