Experts criticize security holes in MNsure

Loggin on to MNSure
Matt Willis, vice president of security services for Computer Forensic Services, sets up a demonstration of the MNsure security flaw for Elizabeth Stawicki.
Bill Catlin / MPR News

When Minnesota's online health insurance marketplace unveiled its website in October, state I.T. officials described MNsure's security measures as "state of the art."

But Internet security experts have identified flaws in MNsure's website that could compromise sensitive consumer data. They say the site is vulnerable to "rogue access points," devices that can masquerade as a standard wireless connection to the Internet.

As people access a website, there's a lot of communication that occurs between their computer or smartphones and the site's servers. When sensitive information is involved, such as a credit card number, typically websites offer a secure encrypted connection so no one can eavesdrop and steal the information.

If for some reason the device doesn't use wind up using encryption, some websites will sever the connection. But in those instances, MNsure's website will continue working.

Create a More Connected Minnesota

MPR News is your trusted resource for the news you need. With your support, MPR News brings accessible, courageous journalism and authentic conversation to everyone - free of paywalls and barriers. Your gift makes a difference.

A "rogue access point"
A "rogue access point" is a device that can masquerade as a standard wireless connection to the Internet.
Bill Catlin / MPR News

Security experts say allowing private data to come through unencrypted leaves consumers vulnerable to rogue access points that allow hackers to capture the information coming from computers or smartphones of people within a range of as much as 150 yards.

The device, which MPR News is not identifying by name, offers up what appears to be a standard Wi-Fi connection to the Internet. But when a user connects to the device it strips away security measures, allowing the hacker to see the information passing between the user and MNsure's site.

"The problem is fairly simple," said Mark Lanterman, a forensic computer security analyst in Minnetonka, Minn. "A relatively inexpensive device is capable of preventing a secure connection to the MNsure webpage and the webpage is allowing that to happen."

Security vulnerability
If a hacker captures a user's log on information due to MNsure's security vulnerabilities, it can have a lasting effect as people inevitably reuse passwords for multiple accounts.
Bill Catlin/MPR News

Minnesota's Legislative Auditor's office also considers MNsure's vulnerability to the device a serious concern that needs to be acknowledged and addressed by the state. State Legislative Auditor Jim Nobles has said if the issue is not addressed adequately, his office will examine the issue when it conducts an I.T. security audit of MNsure next year.

With enough battery power to operate for several days, the less-than $100 device can capture a user's password or any other private data entered over a WiFi network.

Forensic professionals legally use the device to detect security weaknesses in wireless networks. But in the wrong hands, it's a hacker's best friend.

Watching as a login is revealed
Mark Lanterman, CEO and CTO of Computer Forensic Services, watches as the rogue access device reveals the user name and password as Elizabeth Stawicki logs in to MNsure in another room.
Bill Catlin / MPR News

"Because of this vulnerability, anything that you're typing into that webpage can be read by the bad guy," Lanterman said. "So that could be your username, password. And once he or she has your log in credentials, they then have access to the same exact information that you would have on your own account."

The device works by tricking computer users into thinking their laptop or smartphone is connected to a known WiFi hotspot. It strips away the safety measures but still shows a little key or lock that typically signals that a website is secure.

MNsure received about $151 million in federal funding to design create the state's online insurance marketplace.

The money also pays for ongoing operations and for "navigators" -- people MNsure certifies to help others use the site to pick insurance plans.

MNsure officials directed questions about the site's security to state MN.IT, which in 2011 consolidated the I.T. functions of 95 state agencies, boards and commissions. MN.IT took the lead in developing and managing MNsure's security.

Chris Buse, the state's chief information security officer, said the MNsure site is safe and always has been. He said people should feel comfortable using it to buy their health insurance.

"We've done our own testing," Buse said. "We've tried to replicate what we think Mr. Lanternman did and I believe we've fixed the problem."

Still, Buse called website security an ongoing journey. He said although new threats appear daily, chances are slim that a hacker could use a device to convince a computer is connected to MNsure. He said a successful attack requires several elements, among them a high level of sophistication, the right tools and close proximity to the user.

"So when you think of all these things happening in the real world, this type of attack has a pretty low probability of actually occurring to anybody that's planning to go to the MNsure site," Buse said.

Lanterman, however said, there's no way to know how widespread of a security problem the device in question presents as an attack using it leaves no trace.

Despite the state's assurances, Lanterman said MNsure is still vulnerable - as are at least seven other state-based insurance exchanges. He said the federal exchange is not.

Lanterman said the MNsure site's vulnerability to unencrypted information would be relatively simple to fix. Less than a half-dozen I.T. experts could prepare a remedy for about $10,000, he said.

A solution could come soon, as Buse and a team from his office plan to meet Monday with Lanterman.

Other forensic analysts see another problem connected with MNsure's site.

Users don't just load a webpage by clicking on a website; they load a page and as many as 40 other elements that go on the webpage. Every one of those items should load securely, but MNsure's sign-on page leaves parts unencrypted, said Troy Hunt, a software architect in Sydney, Australia, who specializes in computer security for the Pfizer pharmaceuticals company.

"The log-in page looks secure, the surface veneer," Hunt said. "Then it puts other things on the page that are not secure."

Internet security
Internet security experts have identified flaws in MNsure's website that could compromise sensitive consumer data. MNsure maintains it has state-of-the-art security.
Bill Catlin/MPR News

At least three browsers alert consumers to the problem through security icons on the address bar. When consumers click on Firefox's security icon for example, under the headings of More Information, Technical Details, it reads, "Parts of the page are not encrypted before being transmitted over the Internet. Information sent over the Internet without encryption can be seen by other people while it is in transit."

Hunt said that's a problem.

"By the time you're actually entering a username and a password, the page could already be compromised and every key you type could be sent off to an attacker somewhere."

Hunt said if a hacker captures a user's log on information due to MNsure's security vulnerabilities, it can have a lasting effect as people inevitably reuse passwords for multiple accounts. He said each website has a responsibility to not only protect its own content but the content on other sites.

Buse, of MN.IT, said the mix of encrypted and unencrypted parts of the site isn't a security risk but a usability issue.

"All the pieces of the site that needed to be encrypted are encrypted so we're working on some fixes to the site to bring all content in from a secure site because it results in helpdesk calls," he said. "It's not a security issue but it certainly confuses users and that's what we're trying to address right now."

Buse said the need for such a fix came to light at the last minute during the final testing of the system.

"There were some extremely stringent deadlines to get this system up and running by Oct. 1st and there were some pieces like this that are look-and-feel type of issues that still need to be taken care of," he said.

Editor's note: This story has been updated with information received following initial publication about the range of the rogue access points; and to reflect that the meeting between Mark Lanterman and state IT officials has been rescheduled for Monday.