… Clear Text Authentication
Back in June I got a Suricata alert saying a local computer was authenticating using clear text. That computer was my son’s Nintendo Wii.
Security Onion is an open source, network-based intrusion detection system. There is a Linux distribution you can install that is fairly easy to configure, considering its complexity. It sees all traffic on my network and generates Suricata alerts. It does much more than that, but I’ll dive deeper in a future post.
Looking at the traffic and destination IP address, I identified the server and emailed their support team. I have kept some details vague to avoid backlash to the company, insecure as it is. You’ll see what I mean.
“I wanted to bring to your attention that my son’s Wii authenticates to your servers using a password in clear text. I can provide you with network traffic if you are interested. It seems like a pretty easy thing to fix.”
I received a very quick reply:
“Good catch. Unfortunately, you are correct. Nintendo sent the password through plain text. However, our server stores the passwords as salted SHA512 hashes.
We can’t use HTTPS either since the Wii uses such an outdated HTTPS framework that would require patches for every IOS in order to use mail.
Sorry about this, I hope you understand that a 15 year old console isn’t optimized for any sort of security nowadays… the Internet has changed a lot. I think you’re the only person to email us about this, as most people don’t know how to do packet sniffing.”
He then followed up with:
“What I meant to say is that Nintendo designed the passwords to be used as clear text, and it’s not an easy fix…
I hope people don’t send banking info or anything like that with Wii Mail :P”
I replied saying I understood and thanked him for the quick reply.
I learned that this company provides a service that replaces one Nintendo sunset a few years ago. I was very misguided in thinking this was easy to fix. I failed to take into account the age of the Wii operating system and of the TLS implementation it ships with. The specific protocols the Wii implements were obsoleted many years ago, and no modern system would be able to communicate using them. While using deprecated encryption is not an option, using no encryption always is. My son did not recognize the 16 character random alphanumeric password, so I assume it was generated by the service. Under the circumstances, this is the best that can be done. And more companies should store passwords as salted SHA512.
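The kind of check that produced the alert above, as an added example that is not code from this post or from Security Onion: it scans captured TCP payloads for mail credentials sent in the clear (POP3 USER/PASS and SMTP AUTH PLAIN), and reports the source, destination and username while never storing the password itself. The flows, addresses and the 16 character password are constructed sample data, not real traffic.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample flows, as a network sensor would see them (not real traffic).
SAMPLE_FLOWS = [
    {"src": "192.168.1.42", "dst": "203.0.113.10", "dport": 110,
     "payload": b"USER wii-mailbox\r\nPASS aB3dE6fG9hJ2kL5m\r\n"},
    {"src": "192.168.1.42", "dst": "203.0.113.10", "dport": 25,
     "payload": b"AUTH PLAIN " + base64.b64encode(b"\0wii-mailbox\0aB3dE6fG9hJ2kL5m") + b"\r\n"},
    {"src": "192.168.1.7", "dst": "198.51.100.5", "dport": 443,
     "payload": b"\x16\x03\x03\x00\x9c\x01\x00\x00\x98"},  # opaque TLS record fragment
]

@dataclass
class Finding:
    src: str
    dst: str
    proto: str
    user: str
    password_len: int  # only the length is kept; the secret is never stored or printed

# POP3 sends the password as a bare command; SMTP AUTH PLAIN base64-encodes "\0user\0password".
POP3_PASS = re.compile(rb"^USER (\S+)\r\n.*?^PASS (\S+)\r\n", re.M | re.S)
SMTP_PLAIN = re.compile(rb"^AUTH PLAIN ([A-Za-z0-9+/=]+)\r\n", re.M)

def find_cleartext_auth(flow):
    """Return a Finding if the payload carries an unencrypted credential, else None."""
    data = flow["payload"]
    m = POP3_PASS.search(data)
    if m:
        return Finding(flow["src"], flow["dst"], "pop3", m.group(1).decode(), len(m.group(2)))
    m = SMTP_PLAIN.search(data)
    if m:
        try:
            parts = base64.b64decode(m.group(1), validate=True).split(b"\0")
        except ValueError:
            return None  # malformed base64, not a credential we can attribute
        if len(parts) == 3:  # authzid \0 authcid \0 password
            return Finding(flow["src"], flow["dst"], "smtp-auth-plain", parts[1].decode(), len(parts[2]))
    return None

def scan(flows):
    """Run the check over every flow and return only the positive findings."""
    return [f for f in (find_cleartext_auth(fl) for fl in flows) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst} {f.proto}: user={f.user!r}, password sent in clear ({f.password_len} chars)")
```

The encrypted flow on port 443 produces no finding, which is the point: the detector keys on protocol content, not on port numbers.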