OeBB Railjet WiFi second, even bigger security problem

November 5, 2013

Yesterday I wrote about the information leak in the Railjet WiFi. Today I'm travelling back to Tirol on a Railjet again and found something else that is disturbing. I believe it is even more problematic, because it concerns the mail system. I used the openssl client to check various SSL and TLS connections to my servers, and when I ran the following:

$ openssl s_client -connect smtp.xxx.at:25 -starttls smtp

I got something I didn’t expect:

CONNECTED(00000003)
didn't found starttls in server response, try anyway...

What, my server does not support STARTTLS? I'm sure it does. I SSHed to another server of mine, typed the same command there and got my server certificate complete with its chain. So something is not right here. I switched to Wireshark (which is running all the time … OK, I launched it 😉 ) and looked at the traffic:

server: 220 profinet.at SurgeSMTP (Version 6.3c2-2) http://surgemail.com
client: EHLO openssl.client.net
server: 250-profinet.at. Hello openssl.client.net (194.112.182.213)
server: 250-AUTH LOGIN PLAIN
server: 250-ETRN
server: 250-X-ID 5043455352563431333833323030373135
server: 250-SIZE 50000000
server: 250 HELP
client: STARTTLS
server: 500 Sorry SSL/TLS not allowed from (194.112.182.213)

Hey? That's not my mail server. It's not my IP address and it's certainly not the mail server software I use. WTF?

Someone is intercepting my SMTP traffic. This is a classic STARTTLS downgrade: the EHLO exchange happens in plaintext, so an on-path box only has to leave STARTTLS out of its EHLO reply and answer the STARTTLS command with an error, and an opportunistic client silently carries on without encryption. If my mail client used the default setting (use TLS if available), it would now send my login data (which for most people is the same password used for fetching mail) in the clear over an unprotected WiFi. Block port 25 if you are afraid of spammers, but don't force unencrypted traffic over an open WiFi.

Anyway, what is this profinet.at thing … it can't be profi as in professionals. The whois says the following:

Domain holder:
Organisation name:       OeBB Telekom Service GmbH
Street:          Bruenner Strasse 20
Postal code:     1210
City:    Wien
Country: AT

OK, that's the OeBB itself. Real experts. 😉

So keep an eye on your SMTP/IMAP configuration and make sure you are forcing TLS/SSL (not "use if available"), otherwise someone on the same train can read your data.
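To show what a client that forces TLS should do with the dialogue captured above, here is an added example (not code from the original post). It drives an SMTP session, records whether STARTTLS was advertised and accepted, flags a banner that does not name the host we meant to talk to, and only then decides whether credentials may be sent. The "server" is a scripted fake so that it runs offline: the intercepting transcript is the one captured on the train, the genuine server's replies and the hostname smtp.xxx.at (as redacted in the post) are constructed assumptions.

```python
import re
from dataclasses import dataclass, field


class ScriptedSmtpServer:
    """Constructed fake SMTP server: replies from a fixed verb -> reply-lines table."""

    def __init__(self, banner, replies):
        self._replies = replies          # e.g. {"EHLO": [...], "STARTTLS": [...]}
        self._out = [banner]             # pending reply lines, banner first
        self.received = []               # every command line the client sent

    def sendall(self, data: bytes):
        line = data.decode("ascii").rstrip("\r\n")
        self.received.append(line)
        verb = line.split(" ", 1)[0].upper()
        self._out.extend(self._replies.get(verb, ["500 Unknown command"]))

    def readline(self) -> str:
        return self._out.pop(0) + "\r\n"


@dataclass
class SmtpCheck:
    banner: str = ""
    extensions: list = field(default_factory=list)
    starttls_advertised: bool = False
    starttls_reply: str = ""
    tls_established: bool = False
    warnings: list = field(default_factory=list)


def read_reply(srv):
    """Read one (possibly multi-line) SMTP reply; '250-' continues, '250 ' ends."""
    lines = []
    while True:
        line = srv.readline().rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def check_starttls(srv, expected_host, client_name="openssl.client.net") -> SmtpCheck:
    r = SmtpCheck()
    code, lines = read_reply(srv)
    r.banner = lines[0]
    parts = r.banner.split()
    banner_host = parts[1] if len(parts) > 1 else ""
    if code != "220":
        r.warnings.append(f"unexpected greeting code {code}")
    if expected_host not in banner_host:      # first red flag in the captured dialogue
        r.warnings.append(f"banner names {banner_host!r}, expected {expected_host!r}")

    srv.sendall(f"EHLO {client_name}\r\n".encode())
    code, lines = read_reply(srv)
    r.extensions = [re.split(r"\s", l[4:], 1)[0].upper() for l in lines[1:]]
    r.starttls_advertised = "STARTTLS" in r.extensions
    if not r.starttls_advertised:
        r.warnings.append("STARTTLS not advertised in EHLO response")

    srv.sendall(b"STARTTLS\r\n")                # like openssl: try anyway
    code, lines = read_reply(srv)
    r.starttls_reply = lines[0]
    if code == "220":
        r.tls_established = True                # a real client wraps the socket in TLS here
    else:
        r.warnings.append(f"STARTTLS refused: {lines[0]}")
    return r


def safe_to_authenticate(check: SmtpCheck) -> bool:
    """Forced-TLS policy: no TLS or any anomaly means no credentials leave the client."""
    return check.tls_established and not check.warnings


def intercepted_server():
    """The dialogue captured in the post (train WiFi answering for the real server)."""
    return ScriptedSmtpServer(
        "220 profinet.at SurgeSMTP (Version 6.3c2-2) http://surgemail.com",
        {"EHLO": ["250-profinet.at. Hello openssl.client.net (194.112.182.213)",
                  "250-AUTH LOGIN PLAIN", "250-ETRN",
                  "250-X-ID 5043455352563431333833323030373135",
                  "250-SIZE 50000000", "250 HELP"],
         "STARTTLS": ["500 Sorry SSL/TLS not allowed from (194.112.182.213)"]})


def genuine_server():
    """Constructed replies assumed for the author's own server (not captured data)."""
    return ScriptedSmtpServer(
        "220 smtp.xxx.at ESMTP ready",
        {"EHLO": ["250-smtp.xxx.at", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250 SIZE 50000000"],
         "STARTTLS": ["220 2.0.0 Ready to start TLS"]})


if __name__ == "__main__":
    for name, srv in (("train WiFi", intercepted_server()), ("genuine", genuine_server())):
        res = check_starttls(srv, "smtp.xxx.at")
        print(f"{name}: authenticate={safe_to_authenticate(res)} warnings={res.warnings}")
```

Against the captured transcript the check ends with three warnings (foreign banner, no STARTTLS in EHLO, 500 on STARTTLS) and `safe_to_authenticate` returns False; a client configured for "use TLS if available" would have gone on to AUTH LOGIN at exactly this point.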

2 Comments


  1. Not sure what they are trying to do here. I assume they don't want you to use their Wi-Fi for spam. You shouldn't use port 25 anyway; use the "submission" port 587 (according to RFC 2476!) and you won't have any problems.
    See also: http://www.pcmag.com/article2/0,2817,1838667,00.asp

    The server on the train seems to not accept mail by the way, I get “500 Unknown command” all the time.

    Comment by Daniel — March 15, 2015 #

  2. By the way, I just tested this: The Wi-Fi of ÖBB’s competitor “Westbahn” does the same thing: If I use the Westbahn’s Wi-Fi to contact my own mail server on port 25, it greets me with “220 westmail.westbahn.at ESMTP Postfix (Debian/GNU)”.
    But also here: Switching to port 587 solves the problem.

    Comment by Daniel — March 15, 2015 #
