Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012
1. Internet Services
Mobile networks: exploiting HTTP headers and data traffic
Bogdan ALECU
2. About me
• Independent security researcher
• Sysadmin
• Passionate about security, especially when it’s related to mobile devices; CISSP, CEH, CISA, CCSP
• Started with NetMonitor (thanks Cosconor), continued with VoIP and finally GSM networks / mobile phones
• @msecnet / www.m-sec.net
Bogdan Alecu December 2012
4. This talk is NOT about
• SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) or anything alike
ANY DEMO THAT WILL BE SHOWN HAS TO BE TREATED JUST LIKE AN EXAMPLE AND NOTHING MORE
I HAVE NO INTENT TO DISCREDIT ANY OF THE OPERATORS
JUST A HEADS UP – RAISE SECURITY AWARENESS AMONG USERS, PROGRAMMERS, MOBILE OPERATORS
5. Mobile operators have their own WAP / WEB page for customers:
• Balance check
• Money transfer
• Download music, videos, wallpapers, etc.
• Subscribe to services (e.g. custom ringback tones)
Usually the page is available only on the mobile phone
11. User Agent Switcher - https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
12. User Agent Switcher – impersonate the browser to pretend that you’re actually browsing from a phone
Description: NokiaE71
User Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71-1/110.07.127; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413
App Code Name: Series 60
App Name: Browser
App Version: Series60/3.1
Platform: E71
Vendor: Nokia
13. User Agent Switcher
Not much to do: just browse the mobile version of the site
Could be used to bypass a mobile-only data traffic plan
No access to your subscriptions
Some sites serve application/vnd.wap.xhtml+xml content
XHTML Mobile Profile – https://addons.mozilla.org/en-US/firefox/addon/xhtml-mobile-profile/
14. How do the mobile operators know who should be charged?
• Once you connect to the Internet, the operator knows your mobile number
No attack here; the number can’t be spoofed
Physical access to another SIM would be necessary
• They use specific HTTP headers to send the number
Used especially for 3rd-party websites
Those headers are hard to find
They can easily be attacked / changed
15. How do the mobile operators know who should be charged? - HTTP headers
Where are the headers coming from?
1. Your phone’s browser
2. Operator’s proxy
16. Tested around 20 operators from Romania, Germany, Austria, Italy, France, Poland, United Kingdom, Brazil, Netherlands
No user has been affected, as for most of the tests I had my own SIM card
Some tests could not be fully performed
17. Discovered in January 2012
First report in March to an affected mobile operator
Reported to GSMA in April (later got confirmation from different operators that GSMA issued a warning)
Most of the operators responded quickly and also fixed the vulnerability
Informed operators and GSMA about this public disclosure
18. How do the mobile operators know who should be charged? - HTTP headers
How to find the headers?
1st idea: - connect your phone to the computer and sniff the traffic
- find the names of the headers where the phone number is stored
- headers might be specific to each carrier
- find a way to modify the value of the headers
- ATTACK!
19. How do the mobile operators know who should be charged? - HTTP headers
1st idea: - Result
FAIL!
20. How do the mobile operators know who should be charged? - HTTP headers
How to find the headers?
2nd idea: - search the web for headers
- headers might be specific to each carrier
- find a way to modify the value of the headers
- ATTACK!
21. How do the mobile operators know who should be charged? - HTTP headers
How to find the headers?
2nd idea: - search the web for headers
That’s good, but there must be something more!
22. How do the mobile operators know who should be charged? - HTTP headers
How to find the headers?
2nd idea: - search the web for headers
Found a paper called “Privacy Leaks in Mobile Phone Internet Access” by Collin Mulliner - http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf
24. How do the mobile operators know who should be charged? - HTTP headers
Chosen HTTP headers:
o X-UP-CALLING-LINE-ID
o X_FH_MSISDN
o MSISDN
o X-MSISDN
o X-NOKIA-MSISDN
o M
o X_NETWORK_INFO
25. How do the mobile operators know who should be charged? - HTTP headers
- find a way to modify the value of the headers
Modify Headers – Firefox Extension
https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
26. Action: Modify; Value: the mobile number in E.164 format
27. We have the headers
We know how to change them
We know how to impersonate the browser
The attack:
1. From inside of the mobile operator network
2. From outside of the mobile operator network (2 types)
28. 1. From inside of the mobile operator network
Steps:
a) Use a GSM modem and SIM card
b) Configure the profile settings to match those of your operator
c) Connect to the Internet and change the User Agent to match a mobile phone browser
d) Inject HTTP headers with the MSISDN of the target
29. 1. From inside of the mobile operator network
DEMO
30. 1. From inside of the mobile operator network
• “It just works!”
• No need to know any complicated password
31. 2. From outside of the mobile operator network (2 types)
2a) Use your own Internet connection
Connect to the Internet and change the User Agent to match a mobile phone browser
Inject HTTP headers with the MSISDN of the target
32. Things I noticed after these 2 types of attack:
The attack works on the operator's website, on the 3rd-party site, or on both
Some operators let you access their mobile site only if you are connected to their network, while others have no such restriction
Sometimes you also need to set the proxy in order to set a different MSISDN in the HTTP headers
33. Things I noticed after these 2 types of attack:
A few have implemented a unique session ID for each connection instead of the phone number
Just one operator from the ones I tested was ignoring any additional headers sent, but there might be others that do that
34. 2. From outside of the mobile operator network (2 types)
2b) The old fashioned way ☺
35. 2. From outside of the mobile operator network (2 types)
2b) The old fashioned way ☺ aka CSD (Circuit Switched Data)
36. 2. From outside of the mobile operator network (2 types)
2b) CSD
o Think about it like dial-up
o Since it involves actually placing a phone call, it is exposed to the same vulnerabilities as a regular call
37. 2. From outside of the mobile operator network (2 types)
2b) CSD
o 1st idea: - search for CSD settings
- see what can be changed
- test
38. 2. From outside of the mobile operator network (2 types)
2b) CSD
o 1st idea:
39. 2. From outside of the mobile operator network (2 types)
2b) CSD
o 1st idea:
OOPS! I need to have Data Call enabled
Changing the username to match another number did not help
40. 2. From outside of the mobile operator network (2 types)
2b) CSD
o 2nd idea: - spoof the caller ID
- connect to the Internet
- test
41. 2. From outside of the mobile operator network (2 types)
2b) CSD
o 2nd idea: - spoof the caller ID
DEMO
42. To be noted:
On some operators you still have to send the HTTP headers
Sometimes there was a poor way to detect if the call was coming from their network. Easy to pass it: first call a number from the network which has call forwarding set up to the CSD number
Not all operators have a full CSD number available (e.g. *231)
43. How to profit ... and get caught
Create an LLC (Limited Liability Company)
Sign a partnership with the operators to provide 3rd-party web content on their portal
Attack different users or just subscribe them to your services (yes, you can do that without asking for any permissions)
Profit
44. A few recommendations:
Check if the web page is accessed from your network (IP)
Do not rely solely on the Caller ID
Implement username/password access for sensitive zones (like modifying active services)
Send an SMS to the customer informing them that a purchase has been made, a service has been modified, etc.
Be careful with the 3rd-party content providers
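The first recommendation, as a server-side check (an added example written for this write-up, not code from the talk or from any operator): a portal only believes one of the MSISDN headers listed on slide 24 when the request arrives from the operator's own gateway, and it flags injected, duplicated or malformed values so they can be alerted on. The TRUSTED_PROXIES range and the phone numbers used in the comments are placeholders, and the proxy is assumed to strip any client-supplied MSISDN header before adding its own.

```python
import ipaddress
import re

# Header names the talk lists as carrying the subscriber number (MSISDN).
MSISDN_HEADERS = {
    "X-UP-CALLING-LINE-ID", "X_FH_MSISDN", "MSISDN", "X-MSISDN",
    "X-NOKIA-MSISDN", "M", "X_NETWORK_INFO",
}

# Assumed placeholder: the address range of the operator's own gateway/proxy.
# Only requests arriving from here can carry an operator-inserted MSISDN.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# E.164: optional "+", then 7 to 15 digits with no leading zero.
E164 = re.compile(r"^\+?[1-9][0-9]{6,14}$")

def resolve_msisdn(headers, remote_ip):
    """Return (msisdn, findings).

    msisdn is set only when the request came from a trusted proxy and carries
    exactly one well-formed MSISDN header; otherwise it is None and findings
    names the reason, which is also what a detection rule should alert on.
    headers is a plain {name: value} dict, so this is framework-agnostic.
    """
    findings = []
    ip = ipaddress.ip_address(remote_ip)
    from_proxy = any(ip in net for net in TRUSTED_PROXIES)
    # Header names are case-insensitive; collect every MSISDN-bearing one.
    present = {k.upper(): v for k, v in headers.items() if k.upper() in MSISDN_HEADERS}
    if not from_proxy:
        # Slide 44: check that the page is reached from your own network.
        # An MSISDN header arriving from anywhere else was injected.
        if present:
            findings.append("msisdn-header-from-untrusted-ip")
        return None, findings
    if len(present) != 1:
        # Two or more: a client-supplied header survived the proxy (it should
        # strip them).  None: the proxy did not add one, so nobody to bill.
        findings.append("conflicting-or-missing-msisdn-headers")
        return None, findings
    (value,) = present.values()
    if not E164.match(value):
        findings.append("malformed-msisdn")
        return None, findings
    return value, findings
```

Whatever this returns, slide 44 still applies: changing active services should additionally require a login, and the customer should get an SMS when something is bought or modified.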
45. Conclusion:
Sometimes there might be issues in the mobile operator’s system
“Our technology does not allow unauthorized access. Occurrence of errors in billing regarding data traffic is excluded.” (Customer Support)
46. Conclusion:
Depending on the destination, the cost of the attack might be higher than the revenue
Mobile operators reacted promptly
Unfortunately there are still issues – mostly on 3rd-party services
Check if your operator allows you to disable access to premium rate content
Test yourself and report the issue to your operator
47. Data traffic vulnerability (2 types)
o You should be able to access the operator’s webpage in order to top up or view account details
... But we can exploit this
48. Data traffic vulnerability (2 types)
1. Set up a VPN server on port 53/UDP (the DNS port), connect to your server and pass the traffic on to the Internet
UNLIMITED & UNCOUNTED MOBILE DATA TRAFFIC!
49. Data traffic vulnerability (2 types)
2. DNS tunneling
What if:
- you had your own DNS server
- all DNS requests for a zone were delegated to your server
- the traffic were encapsulated in the replies
WAIT! THERE IS A WAY!
50. Data traffic vulnerability (2 types)
2. DNS tunneling
a.sub.domain.com. IN NS sub.domain.com.
sub.domain.com. IN A 79.122.100.20 (your IP)
Request: www.google.com.up.a.sub.domain.com
Answer: www.google.com.down.a.sub.domain.com IN
AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6
EsAavqHgBzH2khqsQHQjEf355jS7cT
G+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7Gdn
gGm9jpvReXX7S/2oqAIUFCn0M8=
51. Data traffic vulnerability (2 types)
2. DNS tunneling
- Ready-made solution: Iodine - http://code.kryo.se/iodine/ (for Linux, Windows, Android)
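Both data-traffic tricks above leave a trace in the operator's resolver logs: a tunnelled session produces a stream of long, high-entropy, many-labelled names under one delegated zone, mostly for payload-carrying record types. The detector below is an added example (not from the talk or from Iodine) that scores each query for those indicators and reports zones with repeated hits. The log lines are constructed: the names under a.sub.domain.com copy the layout of slide 50, the label contents are made-up base64-looking strings, and the two-label "registered domain" rule is a simplification a real deployment would replace with a public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "client qname qtype".  The
# *.a.sub.domain.com names follow the tunnel layout on the slides; the label
# contents are made-up base64-looking payloads.
SAMPLE_LOG = """\
10.0.0.5 www.google.com A
10.0.0.5 www.google.com.up.a.sub.domain.com TXT
10.0.0.5 aHR0cDovL2V4YW1wbGUuY29tL2luZGV4.a.sub.domain.com NULL
10.0.0.5 d2hhdGV2ZXIgdGhpcyBpcw.dGhpcyBpcyBhIHRlc3Q.a.sub.domain.com NULL
10.0.0.5 mail.example.org MX
10.0.0.7 cdn.example.net A
"""

# Record types tunnels favour because they can carry a large downstream payload.
TUNNEL_QTYPES = {"NULL", "TXT", "CNAME", "SRV", "KEY"}

def shannon_entropy(text):
    """Bits per character of text (0.0 for an empty string)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """Return (subdomain_labels, registered_domain).  Assumes two-label
    registrable domains; a real deployment would use a public suffix list."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])

def score_query(qname, qtype):
    """Count tunnel indicators for one query (0 means nothing unusual)."""
    sub, _ = split_name(qname)
    flat = "".join(sub)
    score = 0
    score += max((len(l) for l in sub), default=0) >= 30   # one very long label
    score += len(sub) >= 5                                  # deeply nested name
    score += len(".".join(sub)) >= 40                       # lots of encoded data
    score += shannon_entropy(flat) >= 3.5                   # base64-like randomness
    score += qtype.upper() in TUNNEL_QTYPES                 # payload-carrying type
    return score

def find_tunnel_domains(log_text, min_score=2, min_hits=2):
    """Registered domains with at least min_hits queries scoring >= min_score."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        if score_query(qname, qtype) >= min_score:
            hits[split_name(qname)[1]] += 1
    return sorted(d for d, n in hits.items() if n >= min_hits)
```

The per-zone count matters more than any single query: one odd TXT lookup is noise, but dozens of unique high-scoring names under the same delegated zone from one subscriber is the pattern the slide 50 layout produces. Pairing this with a rule for UDP/53 flows that carry no valid DNS messages covers the VPN-on-port-53 variant too.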
52. THANK YOU!
Special thanks to:
Tobias Engel
Collin Mulliner
all security guys from mobile operators