Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hijacking Mobile Data Connection 2.0

Mobile Security Lab
November 20, 2009
Research
1
150

Hijacking Mobile Data Connection 2.0

DeepSec Vienna 2009

Mobile Security Lab

November 20, 2009
Tweet

More Decks by Mobile Security Lab

See All by Mobile Security Lab
Android Lollipop for Enterprise
mseclab
2
160
Android Key Management
mseclab
2
210
Android Security Key Management Workshop
mseclab
1
120
Hijacking Mobile Data Connection: State Of Art
mseclab
1
130
Hijacking Mobile Data Connection
mseclab
0
96

Other Decks in Research

See All in Research
『組織として』顧客を理解するインタビュー習慣の作り方 #pmconf2022 / Continuous user interview habit
tktktks10
4
5.7k
Optimizing Electric Journal Subscriptions via Integer Programs
umepon
0
370
ランダム行列から深層学習へ
clustervr
PRO
0
480
[CFML勉強会#7] EconMLに実装されている異質処置効果の推定手法の紹介・再考
fullflu
0
410
テーブル・画像・テキストの反実仮想説明
masatoto
0
200
Phishing Hunging Operations (PHOps)
tatsui
0
280
SummerCake_pdf.pdf
lyh125
0
170
2022年度伊藤ゼミ紹介
imash
0
120
データ分析の進め方とニュースメディアでのデータ活用事例 / data-analysis-in-kaggle-and-news-media
upura
0
490
Self-Supervised Learning
naok615
4
2.5k
CNNによる画像認識の基礎
sgnm
0
120
フィッシング対策セミナー2022講演資料 / antiphishing-seminar2022-hasegawa
ayakohasegawa
0
1k

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
58
6k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.5k
The Pragmatic Product Professional
lauravandoore
21
3.5k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M
Why You Should Never Use an ORM
jnunemaker
PRO
49
7.9k
Rebuilding a faster, lazier Slack
samanthasiow
69
7.6k
A better future with KSS
kneath
230
16k
We Have a Design System, Now What?
morganepeng
37
6k
Testing 201, or: Great Expectations
jmmastey
25
5.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
22
1.7k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
109
16k

Transcript

  1. None

  2.   Hijacking Mobile Data Connections 1.0 to 2.0 version  

    Provisioning   WAP Architecture primer   Forging a Provisioning Message   Provisioning: Process and Issues   Attack scenario and exploiting security issues   Final Demo   Wrap-Up

  3. •  In the previous work: –  Remote configuration of a

    device by SMS using OMA Provisioning protocol –  DNS subverting on certain mobile devices –  DNS fake server responds to the client’s request –  Transparent proxy using Apache powered by Mod-Security for traffic inspection •  We would now like to take a few extra steps: –  Automated attacks –  Sneakier attacks with a clever security mechanism –  General malicious configurations valid for most devices –  SSL connections

  4.   Mobile Equipment must be configured to inter-operate with mobile

    infrastructures and services.   Standard Documentation: “Provisioning is the process by which a WAP client is configured with a minimum user interaction.”   Provisioning is performed using WAP architecture capabilities.   Normally performed by mobile operators...

  5.   “Wireless Application Protocol defines industry-wide specification for developing applications

    that operate over wireless communication networks”.   Which Applications use WAP architecture?   MMS   Web Browsing   Provisioning process   ...

  6.   WAP specifies the communication protocol framework.   WAP communication

    is based on two models:   Push Model is normally used to send unsolicited data from server to the client. Pull Push

  7. Application Session Service Transfer Service Transport Service Bearer Network

  8. Let's build a provisioning message!!!

  9.   A Provisioning Document provides parameters related to:   Network

    Access Points, application specific configuration etc.   When is it used?   Provide configuration to new customers   Reconfigure mis-configured phones   Enable new services   Provisioning Document is encoded in Wap Binary XML format (WBXML). Application Session Service Transfer Service Transport Service Bearer Network

  10. XML provisioning document is encoded in WBXML New Network Access

    Point

  11.   WSP provides connectionless service: PUSH.   Delivering a provisioning

    document requires:   Media type: application/vnd.wap.connectivity- wbxml   … security information is usually required:   SEC parameter to specify security mechanism   Security mechanism related information Application Session Service Transfer Service Transport Service Bearer Network

  12.   Message Authentication protects from accepting malicious messages from untrusted

    sources.   Messages with no authentication may be discarded.   Security mechanisms are based on HMAC to preserve sender authentication and document integrity.

  13.   Security mechanism used is typically based on “Shared Secret”

    USERPIN NETW PIN USERNET WPIN   “USERPIN”: key is numeric PIN code chosen by the sender   “NETWPIN”: key is IMSI ( International Mobile Subscriber Identity)   “USERNETWPIN”: hybrid approach

  14.   It's based on HMAC algorithm = K = M

  15. •  IMSI (International Mobile Subscriber Identity): Uniquely identifies a mobile

    user: –  Permanently stored in SIM card and HLR (Mobile Operator Database stores the pairs MSISDN-IMSI) –  Always associated with a MSISDN (association is made in the HLR) –  Used during subscriber authentication procedure –  Should be regarded as a confidential piece of information

  16. 15 digits IMSI MCC MNC MSIN •  MCC (Mobile Country

    Code) consists of three digits and uniquely identifies the home country of the mobile subscriber •  MNC (Mobile Network Code) consists of two or three digits and identifies the Public Land Mobile Network of the Mobile Subscriber •  MSIN (Mobile Subscriber Identification Number) identifies the Mobile Subscriber to the Public Land Mobile Network

  17. •  A lot of web sites offer very cheap IMSI

    Lookup services (in our case € 0,02 for each IMSI lookup) •  The service retrieves the IMSI from MSISDN and replies via mail or via HTTP Post IMSI request for a MSISDN IMSI successfully retrieved The IMSI should be a CONFIDENTIAL information

  18. 15 digits 2 2 2 0 1 3 6 5

    1 8 9 6 4 1 2 IMSI 9 2 2 2 0 1 3 6 5 1 8 9 6 4 1 2 16 digits Add control nibble = 9

  19. 9 2 2 2 0 1 3 6 5 1

    8 9 6 4 1 2 16 digits Semi-octet representation 2 9 2 2 1 0 6 3 1 5 9 8 4 6 2 1 16 digits HMAC(new_imsi,wbxml_provisioning_doc)

  20.   Primitive Push is used for sending unsolicited information from

    server to client 06 01 2f 1f 2d b6 91 80 92 30 44 38..... 37 44 Push Content MAC value Content-Type: application/vnd.wap.connectivity-wbxml Transaction ID Header Length

  21.   Transfer services provide reliable connection- oriented communications.   Offers

    services necessary for interactive request/ response applications   Transfer service is not required by the provisioning process.   Configurations are sent without using this layer Application Session Service Transfer Service Transport Service Bearer Network

  22.   WDP provides connectionless datagram transport service.   WDP support

    is mandatory on any WAP compatible handset.   WDP can be mapped onto a different bearer.   WDP over GSM SMS is used to send the message. Application Session Service Transfer Service Transport Service Bearer Network

  23.   WDP over GSM-SMS header is defined using UDH headers.

      UDH header contains information for port addressing and concatenated short messages UDH Length 05 04 0B 84 23 F0 00 03 EC 02 01 Application Port Addressing Scheme Concatenated SMS Total number of SMS ID of current SMS

  24.   GSM SMS PDU mode supports binary data transfer.  

    Uncompressed 8-bit encoding scheme is used.   Concatenated SMS is needed to send a payload larger than 140 bytes.   Performed tests suggest that no restrictions are imposed on sending SMS-encapsulated provisioning messages. Application Session Service Transfer Service Transport Service Bearer Network

  25. 00 41 00 0C 91 939393939393 00 F5 SMS-SUBMIT PDU

    message with UDH Header Receiver phone number length Receiver Phone Number UDL Receiver phone number type of address: 91 – International Format Message coding scheme: 8-bit encoding Message Body Length

  26. •  It’s very simple to send the forged provisioning SMS

    by Mobile Phone attached to a PC Services offered on the Web allow us to solve both problems •  We have two problems: –  Too expensive when the number of SMS increases –  Hard to hide the sender’s identity But…..

  27. SMS sender Recipient of SMS Binary encoding

  28. Provisioning Document can be easily created NETWPIN (IMSI) is used

    for MAC calculation We don't need it!! WDP support is mandatory on WAP compatible handsets SMS with Provisioning Documents are typically unfiltered Provisioning WSP Transfer Service WDP On line services
  29. None

  30. Provisioning Process

  31. •  Available on-line •  Automatically performed by the mobile operator

  32. An Info SMS carrying the USERPIN is sent A Provisioning

    document authenticated by the USERPIN is sent via SMS User inserts the USERPIN New configuration is installed

  33. An Info SMS is sent A Provisioning document authenticated by

    the NETWORKPIN is sent via SMS The user is NOT REQUESTED to insert the PIN New configuration is installed
  34. None

  35. •  Usually only the target number is known. •  IMSI

    Lookup service returns IMSI of a mobile number.

  36. Mobile Operator Service Number Mobile Operator

  37.   Message source may be hidden or reported incorrectly  

    Few technical details on provisioning content •  When received, the UI displays little and confusing information:

  38. •  Sending a binary SMS via web offers another interesting

    feature: Message sender (Max 14 digits or 11 Alfanumeric characters)

  39. •  Force all data connections to use the new malicious

    configuration •  There are several possibilities, depending on the handset:   New configuration is automatically installed as the default   User is asked at installation time if the configuration has to be installed as the default   User is asked at connection time which configuration should be used for connection   In some cases (eg: customized handsets) it may not be possible to change the default configuration   In other cases the default configuration is overwritten and impossible to remove!

  40. Send Attacker Provisioning SMS with new network settings Send fake

    Info SMS

  41. mobilejacking_2 as a function… It can be easily repeated with

    a list of phone numbers in order to execute a massive attack.

  42. Hijacking

  43.   DNS reconfiguration NOT supported by several brands of mobile

    phones.   External DNS queries could be blocked by mobile operators.   HTTPS traffic does not go through the Evil Proxy.
  44. None

  45. •  This tool performs the following actions: –  HTTPS links

    in cleartext traffic are “Downgraded” to HTTP. –  It channels an HTTP request from the victim to the real HTTPS ones. –  Returns the answer in HTTP. •  Presented by Moxie Marlinspike at BlackHat DC 2009. •  Requires hijacking traffic and diverting it toward the SSLSTRIP tool.

  46. The attack could be even more effective in the Mobile

    world: •  Few technical details are shown for encrypted connections (really tiny padlocks). •  Small and uncomfortable keyboards don’t lead to typing an HTTPS address but rather to “searching for” it. •  “Slow” mobile connections hide MITM attack delays. •  SSLSTRIP supports proxy chaining.

  47. GET / HTTP/1.1 HTTP/1.1 301 Moved Permanently Location: https://www.paypal.com/

  48. GET http://www.paypal.com/ HTTP/1.1 GET http://www.paypal.com/ HTTP/1.1

  49. Define Proxy Settings Force browser traffic through the evil proxy

    Allow it to work on many phones

  50. •  Based on Apache+Mod-Proxy. •  SSLSTRIP as a remote proxy

    for HTTP connections. •  Mod_Security Audit Feature for acquiring traffic in cleartext. Forwarding HTTP traffic to SSLSTRIP Allowing proxy CONNECT method for HTTPS connections Starting ModSecurity Engine Enabling ModSecurity Log Audit Engine
  51. None
  52. None

  53.   Monitor and profile user browsing •  Hijack browsing session

    –  Redirect to 3rd party sites –  Theft of Credentials •  Steal Application Data: –  IM and social network clients data –  POP3 and IMAP mail –  Others (localization services) •  Extrude Mobile Operator Data: –  The Mobile Operator’s internal traffic network can be accessed •  Inject Data: –  Phishing, Spamming –  Web Session Control (Botnets) –  Exploit injection

  54.   The attack does not rely on the exploitation of

    a single vulnerability   Issues at the 'system' level:   Lack of Provisioning message filtering   UIs do not provide a sufficient level of details   Mobile Operator Networks allow use of external DNS servers (mobilejacking_1)   HTTP traffic inspection is rarely carried out (mobilejacking_2)
  55. None
  56. None

  57.   OMA - Provisioning Architecture Overview v1.1   OMA -

    WAP Architecture v12   OMA - Push Architectural Overview v3   OMA - Provisioning Content v1.1   OMA – Provisioning Bootstrap v1.1   OMA - Binary XML Content Format Specification v1.3   OMA - Wireless Session Protocol Specification v5   OMA - OMNA WSP Content Type Numbers   OMA - Wireless Datagram Protocol Specification v14   3GPP - TS 03.40 Technical realization of the Short Message Service (SMS) v7.5.0   Apache HTTP Server Project   ModSecurity: Open Source Web Application Firewall