Vulnerability Development: RE: Cell phone access to email

["David B. Harrison" <hdavid11580 () qwest net>]

The problem is that the customer never gave out the passwords and the 
server is behind a firewall not controlled by Qwest so how do the phones 
have access to the server for email without ever asking for a password 
during setup or at time of request?
Dave H

-----Original Message-----
From:   Stephen A Santos [SMTP:steve () java2000 com]
Sent:   Wednesday, August 22, 2001 6:26 AM
To:     'David B. Harrison'; vuln-dev () securityfocus com
Subject:        RE: Cell phone access to email

If it is anything like Nextels system the password information is stored
on their end and authentication is made the same way the system knows
which number goes with which phone.  So yes, anyone with a cloned cell
can get the email.


===================
Stephen A Santos
63 W Fountainhead Dr #107
Westmont, IL 60559
H: 630-241-0493
M: 630-561-9368

-----Original Message-----
From: David B. Harrison [mailto:hdavid11580 () qwest net]
Sent: Tuesday, August 21, 2001 11:07 PM
To: vuln-dev () securityfocus com
Subject: Cell phone access to email


I am hoping someone can answer a question for me.  A customer of mine is

testing a new cell phone from Qwest.  It gives them access to cheap cell

phone connection and Internet mail.  The problem is it connects to
exchange
without a password.  I can see if qwest was the server location and they

were doing a copy of some sort, but the server is behind a firewall from

Qwest yet they are getting email to the phone both external and local.

Any Ideas?
Dave H