mostly based on data revenues.
• Users: Information reachability everywhere
• Technical: Faster speeds, improved UIs
• Social: Smartphones are cool!!!
mobile infrastructures and services.
• “Provisioning is the process by which a WAP client is configured with a minimum user interaction.”
• Provisioning is performed using WAP architecture capabilities.
• Normally performed by mobile operators...
related to:
  - Network Access Points, application specific configuration etc.
• Use cases:
  - Provide configuration to new customers
  - Reconfigure mis-configured phones
  - Enable new services
• Provisioning Document is encoded in WAP Binary XML format (WBXML).
[Diagram: WAP stack (Application, Session Service, Transfer Service, Transport Service, Bearer Network); encapsulation shown: WBXML]
• Delivering provisioning document requires:
  - Media type: application/vnd.wap.connectivity-wbxml
• … security information is usually required:
  - SEC parameter to specify security mechanism
  - Security mechanism related information
[Diagram: WAP stack (Application, Session Service, Transfer Service, Transport Service, Bearer Network); encapsulation shown: WBXML, WSP Header]
from untrusted sources.
• Messages with no authentication may be discarded.
• Security based on HMAC to preserve sender authentication and document integrity.
“Shared Secret”
Based on “Shared Secret”: USERPIN, NETWPIN, USERNETWPIN
• “USERPIN”: key is numeric PIN code chosen by the sender
• “NETWPIN”: key is IMSI
• “USERNETWPIN”: hybrid approach
used for sending unsolicited information from server to client
[Figure: WSP Push PDU bytes "06 01 2f 1f 2d b6 91 81 92 30 44 38..... 37 44" with labels: Transaction ID; PDU type Push; Header Length; Content-Type: application/vnd.wap.connectivity-wbxml; SEC=USERPIN; MAC; MAC value; Push Content]
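Added example, not part of the original slides: a receiving-side check that parses the WSP Push header laid out above and decides how far the provisioning message can be trusted. The function names, the verdict strings and the sample PDU (dummy MAC and body) are constructed for illustration; the octets 0xB6, 0x91 and 0x92 are the content-type, SEC and MAC markers visible in the slide's bytes.

```python
PROV_TYPE = 0x36  # well-known content-type code; the 0xB6 octet on the slide
PROV_NAME = b"application/vnd.wap.connectivity-wbxml"
SEC_NAMES = {0: "NETWPIN", 1: "USERPIN", 2: "USERNETWPIN"}

def read_uintvar(buf, pos):
    """Decode a WSP uintvar: 7 bits per octet, high bit set means 'more'."""
    value = 0
    while True:
        value, pos = (value << 7) | (buf[pos] & 0x7F), pos + 1
        if buf[pos - 1] < 0x80:
            return value, pos

def classify_push(pdu):
    """Return (is_provisioning, sec_name, mac, verdict) for one WSP PDU."""
    if len(pdu) < 4 or pdu[1] != 0x06:          # octet 1 is the PDU type (Push)
        raise ValueError("not a WSP Push PDU")
    hdr_len, pos = read_uintvar(pdu, 2)
    headers = pdu[pos:pos + hdr_len]
    field, has_params = headers, False          # default: bare media type
    if headers and headers[0] <= 0x1F:          # value-length, then media + params
        n, start = read_uintvar(headers, 1) if headers[0] == 0x1F else (headers[0], 1)
        field, has_params = headers[start:start + n], True
    if field[:1] and field[0] & 0x80:           # well-known media type code
        is_prov, rest = (field[0] & 0x7F) == PROV_TYPE, field[1:]
    else:                                       # media type spelled out as text
        name, _, rest = field.partition(b"\x00")
        is_prov = name.lower() == PROV_NAME
    sec = mac = None
    while has_params and rest:
        if rest[0] == 0x91 and len(rest) > 1:   # SEC parameter
            sec, rest = SEC_NAMES.get(rest[1] & 0x7F, "UNKNOWN"), rest[2:]
        elif rest[0] == 0x92:                   # MAC parameter, NUL-terminated
            mac, _, rest = rest[1:].partition(b"\x00")
        else:
            break                               # parameter this example ignores
    if not is_prov:
        verdict = "not-provisioning"
    elif sec in (None, "UNKNOWN") or not mac:
        verdict = "discard: unauthenticated"
    elif sec == "USERPIN":
        verdict = "warn: PIN is chosen by the sender, MAC shows integrity only"
    else:
        verdict = "verify MAC (key involves the IMSI)"
    return is_prov, sec, mac, verdict

def sample_pdu(sec=0x81):
    """Constructed PDU in the slide's header layout; MAC and body are dummies."""
    ct = bytes([0xB6, 0x91, sec, 0x92]) + b"0D" * 20 + b"\x00"
    return bytes([0x01, 0x06, len(ct) + 2, 0x1F, len(ct)]) + ct + b"<dummy body>"
```

Malformed input raises ValueError or IndexError; a filter built on this should treat either as a reason to discard the message.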
  - Offers services necessary for interactive request/response applications
• Transfer service is not required by provisioning process.
  - Configurations are sent without using this layer
[Diagram: WAP stack (Application, Session Service, Transfer Service, Transport Service, Bearer Network); encapsulation shown: WBXML, WSP Header]
service.
• WDP support is mandatory on any WAP compatible handset.
• WDP can be mapped onto a different bearer.
• WDP over GSM SMS is used to send the message.
[Diagram: WAP stack (Application, Session Service, Transfer Service, Transport Service, Bearer Network); encapsulation shown: WBXML, WSP Header, WDP Header]
supports binary data transfer.
• Uncompressed 8-bit encoding scheme is used.
• Concatenated SMS is needed to send a payload larger than 140 bytes.
• Performed tests suggest that no restrictions are imposed on sending SMS-encapsulated provisioning messages.
[Diagram: WAP stack (Application, Session Service, Transfer Service, Transport Service, Bearer Network); encapsulation shown: WBXML, WSP Header, UDH Header, GSM SMS Header]
Header
[Figure: GSM SMS header bytes "00 41 00 0C 91 939393939393 00 F5" with labels: SMS-SUBMIT PDU message with UDH Header; Receiver phone number length; Receiver phone number type of address: 91 – International Format; Receiver Phone Number; Message coding scheme: 8-bit encoding; UDL; Message Body Length]
created
• USERPIN is defined by the sender
• We don't need it!!
• WDP support mandatory on WAP compatible handsets
• SMS with Provisioning Document are typically unfiltered
[Diagram: layers: Provisioning, WSP, Transfer Service, WDP, GSM SMS]
trust the received Info SMS.
• Info SMS content can be easily forged.
[Diagram labels: Mobile Operator Service Number; Mobile Operator; Provisioning SMS typically not filtered!]
• … but this could lead to confusing or hidden information:
  - Few technical details on provisioning content
  - Message source may be hidden or wrongly reported
sender
• Suspicious users may not accept the configuration message
• Solution: SMS sender spoofing
• Info SMS could appear as legitimate and sent by Operator
handset:
  - Attacker configuration is automatically installed as the default
  - User is asked at installation time if the configuration has to be installed as the default
  - User is asked at connection time which configuration should be used for connection
• In some cases (e.g. customized handsets) it may not be possible to change the default configuration
• Additional operations may be required from user
If a victim accepts a malicious message, connection parameters are under attacker control
• Multiple interesting choices:
  - APN
  - DNS address
  - Proxy
Which is the best one???
map between hostnames and IP addresses.”
• “DNS-ADDR” parameter indicates the DNS IP address used by the data connections.
• By adding the DNS-ADDR parameter to the default data connection, the DNS can be subverted.
• Victim DNS queries are then directed toward an attacker-chosen DNS server.
server yields the same effects as a DNS poisoning attack.
• DNS poisoning threats have been widely explored:
  - Traffic redirection
  - Phishing
  - MITM attack
  - SSL attack
• All DNS queries, for ANY domain (!!), are completely under attacker control.
attack!!!
• The most inviting option is HTTP:
• Many mobile applications and services are based on the HTTP protocol:
  - Browsers
  - Messaging
  - ...
• Some Mobile Operators' business models are based on providing services via internal HTTP web sites.
IP Address)
+ WBXML provisioning message (setting handset DNS address to Fake DNS)
+ Evil Proxy (intercepting and forwarding the HTTP traffic)
= Owning victim data traffic by means of DNS control
Hijacking and control of application specific data traffic
  - IM, VoIP, Social Networks
• Traffic Injection
  - Redirection to 3rd party websites
  - Advertisements (→ Spamming)
  - Modification of served web pages
the exploitation of a single vulnerability
• Issue at the 'system' level:
  - Small overlooked details combine to allow a deeper exploitation
• The following made this attack possible:
  - Lack of Provisioning message filtering
  - UIs do not provide a sufficient level of detail
    • Spoofing sharpens the issue!
  - Mobile Operator Networks allow use of external DNS servers
Handset Side (may be ineffective in case of spoofing)
• UI Improvements:
  - Provide proper detail level and warnings
  - May be ineffective in case of message spoofing
• Deny access to external DNS servers:
  - Could make the attack more difficult
  - May be unsuitable for some Operators
  - If used alone may cause massive connectivity DoS