Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hijacking Mobile Data Connection 2.0

F65bbcd875fbe83770f5f2a02db18119?s=47 Mobile Security Lab
November 20, 2009
Research
1
110

Hijacking Mobile Data Connection 2.0

DeepSec Vienna 2009

F65bbcd875fbe83770f5f2a02db18119?s=128

Mobile Security Lab

November 20, 2009
Tweet

More Decks by Mobile Security Lab

See All by Mobile Security Lab
F65bbcd875fbe83770f5f2a02db18119?s=48 mseclab
2
120
F65bbcd875fbe83770f5f2a02db18119?s=48 mseclab
2
180
F65bbcd875fbe83770f5f2a02db18119?s=48 mseclab
1
92
F65bbcd875fbe83770f5f2a02db18119?s=48 mseclab
1
92
F65bbcd875fbe83770f5f2a02db18119?s=48 mseclab
0
73

Other Decks in Research

See All in Research
6027044e52fbcbc07f22d0235fc9da37?s=48 secondapunta
0
170
A5254c41183d955bee5281650a3013a8?s=48 robinchauhan
0
110
8834a79ab8e0412b2130131817be73d9?s=48 gtongy
0
1.6k
Bf12372d4cd555c92db727869f0c7c03?s=48 emmiartbook
0
210
059fb717431a8cd2b509ffebc57d905a?s=48 trycycle
0
160
0fee20d8bbb7283e1887e7075f638f59?s=48 eumesy
2
820
B701268b3779ca30005edcf4d1dc26c4?s=48 michaeloppermann
0
250
D50d47de32271093b714995cfd267fa9?s=48 questresearch
0
400
Beeb4cfb45c3fa586526aa131ea67683?s=48 sh01k
0
250
Da66788b8c49f71f91a69b8a8def10ad?s=48 anugrahsr
2
3.6k
6d667e747a4a1cda7d201c3358424257?s=48 digitalnaturegroup
0
390
0d4ef9af8e4f0cf5c162b48ba24faea6?s=48 ept
0
14k

Featured

See All Featured
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
633
49k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
85
8.1k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
3.8k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
302
40k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
10
730
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
171
7.6k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
107
6.5k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
496
110k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
78b475797a14c84799063c7cd073962f?s=48 holman
294
130k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
58
3.8k

Transcript

  1. None

  2.   Hijacking Mobile Data Connections 1.0 to 2.0 version  

    Provisioning   WAP Architecture primer   Forging a Provisioning Message   Provisioning: Process and Issues   Attack scenario and exploiting security issues   Final Demo   Wrap-Up

  3. •  In the previous work: –  Remote configuration of a

    device by SMS using OMA Provisioning protocol –  DNS subverting on certain mobile devices –  DNS fake server responds to the client’s request –  Transparent proxy using Apache powered by Mod-Security for traffic inspection •  We would now like to take a few extra steps: –  Automated attacks –  Sneakier attacks with a clever security mechanism –  General malicious configurations valid for most devices –  SSL connections

  4.   Mobile Equipment must be configured to inter-operate with mobile

    infrastructures and services.   Standard Documentation: “Provisioning is the process by which a WAP client is configured with a minimum user interaction.”   Provisioning is performed using WAP architecture capabilities.   Normally performed by mobile operators...

  5.   “Wireless Application Protocol defines industry-wide specification for developing applications

    that operate over wireless communication networks”.   Which Applications use WAP architecture?   MMS   Web Browsing   Provisioning process   ...

  6.   WAP specifies the communication protocol framework.   WAP communication

    is based on two models:   Push Model is normally used to send unsolicited data from server to the client. Pull Push

  7. Application Session Service Transfer Service Transport Service Bearer Network

  8. Let's build a provisioning message!!!

  9.   A Provisioning Document provides parameters related to:   Network

    Access Points, application specific configuration etc.   When is it used?   Provide configuration to new customers   Reconfigure mis-configured phones   Enable new services   Provisioning Document is encoded in Wap Binary XML format (WBXML). Application Session Service Transfer Service Transport Service Bearer Network

  10. XML provisioning document is encoded in WBXML New Network Access

    Point

  11.   WSP provides connectionless service: PUSH.   Delivering a provisioning

    document requires:   Media type: application/vnd.wap.connectivity- wbxml   … security information is usually required:   SEC parameter to specify security mechanism   Security mechanism related information Application Session Service Transfer Service Transport Service Bearer Network

  12.   Message Authentication protects from accepting malicious messages from untrusted

    sources.   Messages with no authentication may be discarded.   Security mechanisms are based on HMAC to preserve sender authentication and document integrity.

  13.   Security mechanism used is typically based on “Shared Secret”

    USERPIN NETW PIN USERNET WPIN   “USERPIN”: key is numeric PIN code chosen by the sender   “NETWPIN”: key is IMSI ( International Mobile Subscriber Identity)   “USERNETWPIN”: hybrid approach

  14.   It's based on HMAC algorithm = K = M

  15. •  IMSI (International Mobile Subscriber Identity): Uniquely identifies a mobile

    user: –  Permanently stored in SIM card and HLR (Mobile Operator Database stores the pairs MSISDN-IMSI) –  Always associated with a MSISDN (association is made in the HLR) –  Used during subscriber authentication procedure –  Should be regarded as a confidential piece of information

  16. 15 digits IMSI MCC MNC MSIN •  MCC (Mobile Country

    Code) consists of three digits and uniquely identifies the home country of the mobile subscriber •  MNC (Mobile Network Code) consists of two or three digits and identifies the Public Land Mobile Network of the Mobile Subscriber •  MSIN (Mobile Subscriber Identification Number) identifies the Mobile Subscriber to the Public Land Mobile Network

  17. •  A lot of web sites offer very cheap IMSI

    Lookup services (in our case € 0,02 for each IMSI lookup) •  The service retrieves the IMSI from MSISDN and replies via mail or via HTTP Post IMSI request for a MSISDN IMSI successfully retrieved The IMSI should be a CONFIDENTIAL information

  18. 15 digits 2 2 2 0 1 3 6 5

    1 8 9 6 4 1 2 IMSI 9 2 2 2 0 1 3 6 5 1 8 9 6 4 1 2 16 digits Add control nibble = 9

  19. 9 2 2 2 0 1 3 6 5 1

    8 9 6 4 1 2 16 digits Semi-octet representation 2 9 2 2 1 0 6 3 1 5 9 8 4 6 2 1 16 digits HMAC(new_imsi,wbxml_provisioning_doc)

  20.   Primitive Push is used for sending unsolicited information from

    server to client 06 01 2f 1f 2d b6 91 80 92 30 44 38..... 37 44 Push Content MAC value Content-Type: application/vnd.wap.connectivity-wbxml Transaction ID Header Length

  21.   Transfer services provide reliable connection- oriented communications.   Offers

    services necessary for interactive request/ response applications   Transfer service is not required by the provisioning process.   Configurations are sent without using this layer Application Session Service Transfer Service Transport Service Bearer Network

  22.   WDP provides connectionless datagram transport service.   WDP support

    is mandatory on any WAP compatible handset.   WDP can be mapped onto a different bearer.   WDP over GSM SMS is used to send the message. Application Session Service Transfer Service Transport Service Bearer Network

  23.   WDP over GSM-SMS header is defined using UDH headers.

      UDH header contains information for port addressing and concatenated short messages UDH Length 05 04 0B 84 23 F0 00 03 EC 02 01 Application Port Addressing Scheme Concatenated SMS Total number of SMS ID of current SMS

  24.   GSM SMS PDU mode supports binary data transfer.  

    Uncompressed 8-bit encoding scheme is used.   Concatenated SMS is needed to send a payload larger than 140 bytes.   Performed tests suggest that no restrictions are imposed on sending SMS-encapsulated provisioning messages. Application Session Service Transfer Service Transport Service Bearer Network

  25. 00 41 00 0C 91 939393939393 00 F5 SMS-SUBMIT PDU

    message with UDH Header Receiver phone number length Receiver Phone Number UDL Receiver phone number type of address: 91 – International Format Message coding scheme: 8-bit encoding Message Body Length

  26. •  It’s very simple to send the forged provisioning SMS

    by Mobile Phone attached to a PC Services offered on the Web allow us to solve both problems •  We have two problems: –  Too expensive when the number of SMS increases –  Hard to hide the sender’s identity But…..

  27. SMS sender Recipient of SMS Binary encoding

  28. Provisioning Document can be easily created NETWPIN (IMSI) is used

    for MAC calculation We don't need it!! WDP support is mandatory on WAP compatible handsets SMS with Provisioning Documents are typically unfiltered Provisioning WSP Transfer Service WDP On line services
  29. None

  30. Provisioning Process

  31. •  Available on-line •  Automatically performed by the mobile operator

  32. An Info SMS carrying the USERPIN is sent A Provisioning

    document authenticated by the USERPIN is sent via SMS User inserts the USERPIN New configuration is installed

  33. An Info SMS is sent A Provisioning document authenticated by

    the NETWORKPIN is sent via SMS The user is NOT REQUESTED to insert the PIN New configuration is installed
  34. None

  35. •  Usually only the target number is known. •  IMSI

    Lookup service returns IMSI of a mobile number.

  36. Mobile Operator Service Number Mobile Operator

  37.   Message source may be hidden or reported incorrectly  

    Few technical details on provisioning content •  When received, the UI displays little and confusing information:

  38. •  Sending a binary SMS via web offers another interesting

    feature: Message sender (Max 14 digits or 11 Alfanumeric characters)

  39. •  Force all data connections to use the new malicious

    configuration •  There are several possibilities, depending on the handset:   New configuration is automatically installed as the default   User is asked at installation time if the configuration has to be installed as the default   User is asked at connection time which configuration should be used for connection   In some cases (eg: customized handsets) it may not be possible to change the default configuration   In other cases the default configuration is overwritten and impossible to remove!

  40. Send Attacker Provisioning SMS with new network settings Send fake

    Info SMS

  41. mobilejacking_2 as a function… It can be easily repeated with

    a list of phone numbers in order to execute a massive attack.

  42. Hijacking

  43.   DNS reconfiguration NOT supported by several brands of mobile

    phones.   External DNS queries could be blocked by mobile operators.   HTTPS traffic does not go through the Evil Proxy.
  44. None

  45. •  This tool performs the following actions: –  HTTPS links

    in cleartext traffic are “Downgraded” to HTTP. –  It channels an HTTP request from the victim to the real HTTPS ones. –  Returns the answer in HTTP. •  Presented by Moxie Marlinspike at BlackHat DC 2009. •  Requires hijacking traffic and diverting it toward the SSLSTRIP tool.

  46. The attack could be even more effective in the Mobile

    world: •  Few technical details are shown for encrypted connections (really tiny padlocks). •  Small and uncomfortable keyboards don’t lead to typing an HTTPS address but rather to “searching for” it. •  “Slow” mobile connections hide MITM attack delays. •  SSLSTRIP supports proxy chaining.

  47. GET / HTTP/1.1 HTTP/1.1 301 Moved Permanently Location: https://www.paypal.com/

  48. GET http://www.paypal.com/ HTTP/1.1 GET http://www.paypal.com/ HTTP/1.1

  49. Define Proxy Settings Force browser traffic through the evil proxy

    Allow it to work on many phones

  50. •  Based on Apache+Mod-Proxy. •  SSLSTRIP as a remote proxy

    for HTTP connections. •  Mod_Security Audit Feature for acquiring traffic in cleartext. Forwarding HTTP traffic to SSLSTRIP Allowing proxy CONNECT method for HTTPS connections Starting ModSecurity Engine Enabling ModSecurity Log Audit Engine
  51. None
  52. None

  53.   Monitor and profile user browsing •  Hijack browsing session

    –  Redirect to 3rd party sites –  Theft of Credentials •  Steal Application Data: –  IM and social network clients data –  POP3 and IMAP mail –  Others (localization services) •  Extrude Mobile Operator Data: –  The Mobile Operator’s internal traffic network can be accessed •  Inject Data: –  Phishing, Spamming –  Web Session Control (Botnets) –  Exploit injection

  54.   The attack does not rely on the exploitation of

    a single vulnerability   Issues at the 'system' level:   Lack of Provisioning message filtering   UIs do not provide a sufficient level of details   Mobile Operator Networks allow use of external DNS servers (mobilejacking_1)   HTTP traffic inspection is rarely carried out (mobilejacking_2)
  55. None
  56. None

  57.   OMA - Provisioning Architecture Overview v1.1   OMA -

    WAP Architecture v12   OMA - Push Architectural Overview v3   OMA - Provisioning Content v1.1   OMA – Provisioning Bootstrap v1.1   OMA - Binary XML Content Format Specification v1.3   OMA - Wireless Session Protocol Specification v5   OMA - OMNA WSP Content Type Numbers   OMA - Wireless Datagram Protocol Specification v14   3GPP - TS 03.40 Technical realization of the Short Message Service (SMS) v7.5.0   Apache HTTP Server Project   ModSecurity: Open Source Web Application Firewall