Hijacking Mobile Data Connection

Hijacking Mobile Data Connection

Black Hat Europe Amsterdam 2009

F65bbcd875fbe83770f5f2a02db18119?s=128

Mobile Security Lab

April 17, 2009
Tweet

Transcript

  1. 1 Mobile Security Lab Hijacking Mobile Data Connections Hijacking mobile

    data connections Cristofaro Mune Roberto Gassirà Roberto Piccirillo Black Hat Europe 2009
  2. Agenda l  Provisioning & WAP primer l  Forging Messages l 

    Demo: Remote provisioning l  Provisioning: Process and Issues l  Attack scenario and exploiting l  Final Demo l  Wrap-Up
  3. Poll Who, among the audience, has an Internet capable phone?

    Please raise your hands!!
  4. Net in your hands...et l  Business: Mobile Operators business models

    mostly based on data revenues. l  Users: Information reachability everywhere l  Technical: Faster speeds, improved UIs l  Social: Smartphones are cool !!!
  5. Provisioning l  Mobile Equipment must be configured to inter-operate with

    mobile infrastructures and services. l  “Provisioning is the process by which a WAP client is configured with a minimum user interaction.” l  Provisioning is performed using WAP architecture capabilities. l  Normally performed by mobile operators...
  6. WAP Architecture l  “Wireless Application Protocol defines industry-wide specification for

    developing applications that operate over wireless communication networks”. l  Application? -  MMS -  Web Browsing -  Provisioning -  ...
  7. WAP Communication l  WAP specifies communication protocol framework. l  WAP

    communication is based on two models: l  Push Model is normally used to send unsolicited data from server to the client. Pull Push
  8. Protocol Framework Application Session Service Transfer Service Transport Service Bearer

    Network
  9. Let's build a provisioning message

  10. Application - Provisioning Document l  A Provisioning Document provides parameters

    related to: -  Network Access Points, application specific configuration etc. l  Use cases: -  Provide configuration to new customers -  Reconfigure mis-configured phones -  Enable new services l  Provisioning Document is encoded in Wap Binary XML format (WBXML). WBXML Application Session Service Transfer Service Transport Service Bearer Network
  11. Binary Encoding Example WBXML XML provisioning document is encoded in

    WBXML
  12. Session Service - WSP l  WSP provides connectionless service PUSH.

    l  Delivering provisioning document requires: -  Media type: application/vnd.wap.connectivity- wbxml l  … security information is usually required: -  SEC parameter to specify security mechanism -  Security mechanism related information WBXML WSP Header Application Session Service Transfer Service Transport Service Bearer Network
  13. Security Purpose l  Message Authentication protects from accepting malicious messages

    from untrusted sources. l  Messages with no authentication may be discarded. l  Security based on HMAC to preserve sender authentication and document integrity.
  14. Security Mechanism l  Security mechanism used is typically based on

    “Shared Secret” Based on “Shared Secret” USERP IN NETW PIN USERNET WPIN l  “USERPIN”: key is numeric PIN code chosen by the sender l  “NETWPIN”: key is IMSI l  “USERNETWPIN”: hybrid approach
  15. Security Mechanism: USERPIN l  It's based on HMAC algorithm =

    K = M
  16. WSP Primitive Push WBXML WSP Header l  Push primitive is

    used for sending unsolicited information from server to client 06 01 Transaction ID PDU type Push 2f 1f 2d b6 91 81 92 30 44 38..... 37 44 Push Content Header Length SEC=USERPIN MAC value Content-Type: application/vnd.wap.connectivity-wbxml MAC
  17. Transfer Service l  Transfer services provide reliable connection- oriented communications.

    -  Offers services necessary for interactive request/ response applications l  Transfer service is not required by provisioning process. -  Configurations are sent without using this layer WBXML Application Session Service Transfer Service Transport Service Bearer Network WSP Header
  18. Transport Service - WDP l  WDP provides connectionless datagram transport

    service. l  WDP support is mandatory on any WAP compatible handset. l  WDP can be mapped onto a different bearer. l  WDP over GSM SMS is used to send the message. Application Session Service Transfer Service Transport Service Bearer Network WBXML WSP Header WDP Header
  19. l  WDP over GSM-SMS header is defined using UDH headers.

    l  UDH header contains information for port addressing and concatenated short messages WDP over GSM-SMS WBXML WSP Header UDH Header UDH Length 05 04 0B 84 23 F0 00 03 ... Application Port Addressing Scheme Destination Port 2948 Wap-Push Concatenated SMS
  20. Bearer Network – GSM SMS l  GSM SMS PDU mode

    supports binary data transfer. l  Uncompressed 8-bit encoding scheme is used. l  Concatenated SMS is needed to send a payload larger than 140 bytes. l  Performed tests suggest that no restrictions are imposed on sending SMS-encapsulated provisioning messages. Application Session Service Transfer Service Transport Service Bearer Network WBXML WSP Header UDH Header GSM SMS Header
  21. GSM SMS Header WBXML WSP Header UDH Header GSM SMS

    Header 00 41 00 0C 91 939393939393 00 F5 SMS-SUBMIT PDU message with UDH Header Receiver phone number length Receiver Phone Number UDL Receiver phone number type of address: 91 – International Format Message coding scheme: 8-bit encoding Message Body Length
  22. Building a message And now??? Provisioning Document can be easily

    created USERPIN is defined by the sender We don't need it!! WDP support mandatory on WAP compatible handsets SMS with Provisioning Document are typically unfiltered Provisioning WSP Transfer Service WDP GSM SMS
  23. Demo: Profile Installation

  24. Provisioning Process

  25. Mobile Operator Provisioning l  Many operators use USERPIN shared secret.

    An Info SMS carrying the shared PIN is sent A Provisioning SMS with network configuration details is sent after Info SMS 1 2
  26. Info SMS User takes a note of the pin Operator

    Number used when sending Info SMS
  27. Provisioning SMS The device receives a new SMS notification. User

    types PIN provided by the Info SMS. New settings overview is showed to the user. 1 2 3
  28. Provisioning SMS UI asks to use the new settings as

    default. Settings are installed as a new Access Point. 4 5
  29. Provisioning Issues l  User relies mostly on visual information to

    trust the received Info SMS. l  Info SMS content can be easily forged. Mobile Operator Service Number Mobile Operator Provisioning SMS typically not filtered!
  30. UI Issues l  UI designed to be user friendly …

    l  … but this could lead to confusing or hidden information: -  Few technical details on provisioning content -  Message source may be hidden or wrongly reported
  31. Attack for L(a)unch

  32. Appetizer Preparation Issue: Handset displays phone number of Info SMS

    sender Suspicious users may not accept the configuration message Solution: SMS sender spoofing Info SMS could appear as legitimate and sent by Operator
  33. Cooking: SMS spoofing

  34. Attack Scheme Spoofed Info SMS carrying the PIN is sent

    (with Mobile Operator Service number) 1 2 Attacker Provisioning SMS is sent after Info SMS
  35. Variations and Issues •  Different attack “flavours”, depending on the

    handset: -  Attacker configuration is automatically installed as the default -  User is asked at installation time if the configuration has to be installed as the default -  User is asked at connection time which configuration should be used for connection l  In some cases (eg: customized handsets) it may not be possible to change the default configuration l  Additional operations may be required from user
  36. Appetizer Recipe No Push Messages filtering in place: both on

    handset and network Some UIs do not show enough information to users + = Tricks users into accepting malicious configurations
  37. Next choice... l  Provisioning message provides data connection parameters. l 

    If a victim accepts a malicious message, connection parameters are under attacker control l  Multiple interesting choices : -  APN -  DNS address -  Proxy Which is the best one???
  38. Main Course Preparation The parameter that seems to provide the

    best control of a victim is... “DNS-ADDR” Let's start cooking...
  39. DNS Subverting l  “Domain Name System (DNS) is used to

    map between hostnames and IP addresses.” l  “DNS-ADDR” parameter indicates the DNS IP address used by the data connections. l  By adding the DNS-ADDR parameter to the default data connection, the DNS can be subverted. l  Victim DNS queries are then directed toward an attacker-chosen DNS server.
  40. XML example with DNS Network Access Point Name APN Address

    for Data Connection DNS Address NAPDEF Reference Network Type Format of the Address in NAP-ADDRESS
  41. But... Are DNS queries allowed to exit an Operator Network??

    Tests have been performed on all the Operator Networks we had access to … -  The operator may force the use of specific DNS server and the answer is...
  42. Escaping the matrix Definitely YES!!! Dial-up using Handset as Modem

    Default route via Mobile Operator Network Successful query to external DNS server (OpenDNS)
  43. Main Course Recipe Modify default DNS in victim's phone Operator

    networks allow queries to external DNS server + = Redirection of victim DNS queries
  44. 0wning DNS l  Subverting DNS query toward attacker controlled DNS

    server yields the same effects of DNS poisoning attack. l  DNS poisoning threats have been widely explored: -  Traffic redirection -  Phishing -  MITM attack -  SSL attack l  All DNS queries, for ANY domain (!!), are completely under attacker control.
  45. Next choice Let's focus on HTTP traffic redirection and MITM

    attack!!! l  Most inviting options is HTTP: l  Many mobile applications and services are based on HTTP protocols: -  Browsers -  Messaging -  ... l  Some Mobile Operators business models are based on providing services via internal HTTP web sites.
  46. Standard HTTP transaction Mobile user wants to visit www.mseclab.com DNS

    Query DNS Answer GET / HTTP/1.1 Mobile Operator Network Internet
  47. Redirect HTTP transaction Mobile user wants to visit www.mseclab.com DNS

    Query GET / HTTP/1.1 Mobile Operator Network Internet DNS Answer (Evil Proxy IP)
  48. XML with APPLICATION settings Used to define Application Parameters DNS

    Address Link to APN defined Browsing Applications Identifier defined by OMNA
  49. Dessert Recipe Fake DNS (answering any query with Evil Proxy

    IP Address) WBXML provisioning message (setting handset DNS address to Fake DNS) + = Owning victim data traffic by means of DNS control Evil Proxy (intercepting and forwarding the HTTP traffic) +
  50. Serving the meal ...

  51. Evil Proxy How-to l  Transparent proxy is just what we

    need. l  Apache+Mod-Proxy is a good starting point: l  Mod-Rewrite is used for proper redirection.
  52. Mod-Security Power l  Now we are able to redirect the

    HTTP traffic as we want! l  It would be cool to access the traffic... l  … Mod-Security Audit feature is the solution!
  53. Demo [Hijacking remote mobile user browsing] WARNING: Mobile connections on

    the test handsets will be monitored!!! so… Do NOT enter personal information or URL!!!
  54. What can be achieved? l  User monitor and profiling l 

    Hijacking and control of application specific data traffic -  IM, VoIP, Social Networks l  Traffic Injection -  Redirection to 3rd party websites -  Advertisements (→ Spamming) -  Modification of served web pages
  55. Focus on Issues l  The attack does not rely on

    the exploitation of a single vulnerability l  Issue at the 'system' level: -  Small overlooked details concur in allowing a deeper exploitation l  The following made this attack possible: -  Lack of Provisioning message filtering -  UIs do not provide a sufficient level of details l  Spoofing sharpen the issue! -  Mobile Operator Networks allow use of external DNS servers
  56. Countermeasures l  Filter external provisioning messages: -  Network side - 

    Handset Side (may be ineffective in case of spoofing) l  UI Improvements: -  Provide proper detail level and warnings -  May be ineffective in case of message spoofing l  Deny access to external DNS servers: -  Could make the attack more difficult -  May be unsuitable for some Operators -  If used alone may cause massive connectivity DoS
  57. Future Research l  Future research will focus on: -  Application

    Data Hijacking -  HTTPS traffic snooping -  Malicious Payload Injection -  Targeting Mobile Operator internal networks -  Botnets
  58. Q&A Thanks !!! Mobile Security Lab research@mseclab.com

  59. References l  OMA - Provisioning Architecture Overview v1.1 l  OMA

    - WAP Architecture v12 l  OMA - Push Architectural Overview v3 l  OMA - Provisioning Content v1.1 l  OMA – Provisioning Bootstrap v1.1 l  OMA - Binary XML Content Format Specification v1.3 l  OMA - Wireless Session Protocol Specification v5 l  OMA - OMNA WSP Content Type Numbers l  OMA - Wireless Datagram Protocol Specification v14 l  3GPP - TS 03.40 Technical realization of the Short Message Service (SMS) v7.5.0 l  Apache HTTP Server Project l  ModSecurity: Open Source Web Application Firewall