Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

Internet Services

Mobile networks: exploiting HTTP
headers and data traffic
Bogdan ALECU

About me
• Independent security researcher
• Sysadmin
• Passionate about security, specially when it’s related to
mobile devices, CISSP, CEH, CISA,CCSP
• Started with NetMonitor (thanks Cosconor), continued
with VoIP and finally GSM networks / mobile phones
• @msecnet / www.m-sec.net

Bogdan Alecu December 2012

THANK YOU!

The End!

Questions?


This talk is NOT about
• SQL Injection, Cross-Site Scripting (XSS), Cross-Site
Request Forgery (CSRF) or anything alike

ANY DEMO THAT WILL BE SHOWN HAS TO BE TREATED
JUST LIKE AN EXAMPLE AND NOTHING MORE
HAVE NO INTENT TO DISCREDIT ANY OF THE
OPERATORS
JUST A HEADS UP – RAISE SECURITY AWARENESS
AMONG USERS, PROGRAMMERS, MOBILE OPERATORS


Mobile operators have their own WAP / WEB page for
customers:
• Balance check
• Money transfer
• Download music, videos, wallpapers, etc
• Subscribe to services (eg. custom ringback tones)

Usually the page is available only on the mobile phone


September2012

HOWEVER


User Agent Switcher - https://addons.mozilla.org/en-
US/firefox/addon/user-agent-switcher/


User Agent Switcher – impersonate the browser to pretend
that you’re actually browsing from a phone

Description: NokiaE71
User Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71-
1/110.07.127; Profile/MIDP-2.0 Configuration/CLDC-1.1 )
AppleWebKit/413 (KHTML, like Gecko) Safari/413
App Code Name: Series 60
App Name: Browser
App Version: Series60/3.1
Platform: E71
Vendor: Nokia


User Agent Switcher
not much to do: just browse the mobile version of the site
could be used to overpass the mobile-only data traffic plan
no access to your subscriptions

Some sites provide with application/vnd.wap.xhtml+xml
content
XHTML Mobile Profile
https://addons.mozilla.org/en-US/firefox/addon/xhtml-
mobile-profile/


How the mobile operators know who should be
charged?

• Once you connect to the Internet, the operator knows your mobile
number
no attack here; can’t spoof the number
physical access necessary to another SIM

• They use specific HTTP headers to send the number
used specially for 3rd party websites
hard to find those headers
can be easily attacked / changed


charged? - HTTP headers

Where are the headers coming from?
1. Your phone’s browser
2. Operator’s proxy


Tested around 20 operators from Romania, Germany,
Austria, Italy, France, Poland, United Kingdom, Brazil,
Netherlands
No user has been affected as for most of the tests I had
my own SIM card
Some tests could not be fully performed


Discovered in January 2012
First report in March to an affected mobile operator
Reported to GSMA in April (later got confirmation
from different operators that GSMA issued a warning)
Most of the operators responded quickly and also
fixed the vulnerability
Informed operators and GSMA about this public
disclosure



How to find the headers?
1st idea: - connect your phone to computer and sniff the traffic
- find the headers names where phone # is stored
- headers might be specific to each carrier
- find a way to modify the value of the headers
- ATTACK!



1st idea: - Result

FAIL!


2nd idea: - search the web for headers
- headers might be specific to each carrier
- ATTACK!




That’s good, but there must be something more!




Found a paper called “Privacy Leaks in Mobile Phone Internet
Access” by Collin Mulliner -
http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf



Chosen HTTP headers:
o X-UP-CALLING-LINE-ID
o X_FH_MSISDN
o MSISDN
o X-MSISDN
o X-NOKIA-MSISDN
o M
o X_NETWORK_INFO




Modify Headers – Firefox Extension

https://addons.mozilla.org/en-US/firefox/addon/modify-headers/


Action: Modify Value: mobile number in E.164 format


We have the headers
We know how to change them
We know how to impersonate the browser

The attack:
1. From inside of the mobile operator network
2. From outside of the mobile operator network (2 types)



Steps:
a) Use a GSM modem and SIM card
b) Configure the profile settings to match those of your
operator
c) Connect to the Internet and change the User Agent to
match a mobile phone browser
d) Inject HTTP headers with the MSISDN of the target



DEMO


• “It just works!”
• No need to know any complicated password


2a) Use your own Internet connection

Connect to the Internet and change the User Agent to
match a mobile phone browser
Inject HTTP headers with the MSISDN of the target


Things I noticed after these 2 types of attack:

Attack works either on the operator's website, either
on the 3rd party site or both
Some operators let you access their mobile site only
if you are connected to their network, while others do
not have such restriction
Sometimes you need to also set the proxy in order to
set a different MSISDN in the HTTP headers


Things I noticed after these 2 types of attack:

Few have implemented a unique session ID for each
connection instead of the phone number

Just one operator from the ones I tested was ignoring
any additional headers sent, but there might be others
that do that


2b) The old fashioned way ☺


2b) The old fashioned way ☺ aka CSD (Circuit Switched Data)


2b) CSD
o Think about it like dial-up
o Since it involves actually placing a phonecall, it is
exposed to the same vulnerabilities like a regular call


2b) CSD
o 1st idea: - search for CSD settings
- see what it can be changed
- test


2b) CSD
o 1st idea:


2b) CSD
o 1st idea:

OOPS! I need to have Data Call enabled

Changing the username to match another number did
not help


2b) CSD
o 2nd idea: - spoof the caller ID
- connect to the Internet
- test


2b) CSD
o 2nd idea: - spoof the caller ID

DEMO


To be noted:

On some operators you still have to send the HTTP
headers
Sometimes there was a poor way to detect if the call
was coming from their network. Easy to pass it: call
first a number from the network which has call
forwarding setup to the CSD number
Not all operators have a full CSD number available (eg
*231)


How to profit . and get caught

Create a LLC (Limited Liability Company)
Sign a partnership with the operators to provide 3rd
party web content on their portal
Attack different users or just subscribe them to your
services (yes, you can do that without asking for any
permissions)
Profit


Few recommendations:

Check if the web page is accessed from your network
(IP)
Do not rely solely on the Caller ID
Implement username/password access for sensitive
zones (like modifying active services)
Send SMS to the customer informing that a purchase
has been made, a service has been modified, etc
Be careful with the 3rd party content providers


Conclusion:

Sometimes there might be issues in the mobile operator’s system

“Our technology does not allow unauthorized access.
Occurrence of errors in billing regarding data traffic is
excluded.” (Customer Support)


Conclusion:

Depending on the destination, the cost of the attack
might be higher than the revenue
Mobile operators reacted promptly
Unfortunately there are still issues – mostly on 3rd
party services
Check if your operator allows you to disable access
to premium rate content
Test yourself and report the issue to your operator


Data traffic vulnerability (2 types)

o You should be able to access the operator’s webpage
in order to top-up or view account details

. But we can exploit this



1. Setup a VPN server on port 53, UDP (DNS port)

and connect to your server
pass the traffic to the Internet

UNLIMITED & UNCOUNTED
MOBILE DATA TRAFFIC!



2. DNS tunneling
What if:
- You had your own DNS server
- Delegate all DNS requests to your server
- Encapsulate in the reply the traffic

WAIT! THERE IS A WAY!



2. DNS tunneling
a.sub.domain.com. IN NS sub.domain.com.
sub.domain.com. IN A 79.122.100.20 (your IP)

Request: www.google.com.up.a.sub.domain.com
Answer: www.google.com.down.a.sub.domain.com IN
AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6
EsAavqHgBzH2khqsQHQjEf355jS7cT
G+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7Gdn
gGm9jpvReXX7S/2oqAIUFCn0M8=



2. DNS tunneling

- Already built solution: Iodine
http://code.kryo.se/iodine/ (for Linux, Windows, Android)


THANK YOU!

Special thanks to:
Tobias Engel
Collin Mulliner
all security guys from mobile operators


Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

Similar to Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012 (20)

More from DefCamp

More from DefCamp (20)

Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012