Prezentare Securitate mobila - SMS la DefCamp Iasi

1. Securitate mobila –
Atacuri prin SMS
Prezentator:
Bogdan ALECU
http://m-sec.net
Twitter: @msecnet

2. Informatii generale despre SMS
Amenintari
WAP
Interceptare trafic de date
Demo

3. Informatii generale
SMS - Short Message Service reprezinta un
mod de comunicare prin mesaje text intre
telefoanele mobile / fixe, utilizand un protocol
standardizat. Este un mod de comunicare
eficace; utilizatorul scrie un text, apasa SEND si
mesajul e livrat aproape instant catre destinatar.
Folosit pentru mai multe scopuri: MMS –
Multimedia Messaging Service, OTA – Over The
Air – configurarea telefonului, notificari pentru
mesageria vocala, email, fax, microplati – plata
unor sume mici pentru diferite servicii =>
SECURITATE!

4. Informatii generale
“Un dispozitiv mobil activ trebuie sa fie
capabil de a primi un mesaj scurt de
tipul TPDU - Transfer protocol data unit
- (SMS-DELIVER) in orice moment,
indiferent daca exista un apel sau trafic
de date in derulare. Un raport va fi
trimis intotdeauna catre SC (Serviciul
de mesaje); confirmand fie ca tel a
primit mesajul sau ca mesajul nu a fost
livrat, incluzind si motivul refuzului.”
ETSI TS 100 901 V7.5.0 (2001-12), pag
13

5. Amenintari - SMS
SMS SPAM
SMS spoofing
Notificari SMS
Alte tipuri

6. Amenintari - SMS
SMS SPAM
Companiile ofera servicii de publicitate
prin SMS
Mesaje cu castiguri false
Inginerie sociala – “Suna-ma urgent pe nr
asta: 0900323421! Mama”

7. Amenintari - SMS
SMS Spoofing
Servicii online ce permit modificarea
expeditorului (numeric / alfanumeric)
Greu de oprit, mai ales daca tinem cont de
roaming
Eficienta mai mare in atacurile de tip
inginerie sociala

8. Amenintari - SMS
Notificari SMS
Voicemail
Fax
E-mail
Video
Utilizatorul nu poate scoate icon-ul de
notificare asupra primirii unui astfel de
mesaj

9. Amenintari - SMS
Notificari SMS
(voicemail)

10. Amenintari - SMS
Notificari SMS
(email)

11. Amenintari - SMS
Alte tipuri
Flash SMS (Class 0) – utilizatorul vede
mesajul direct, fara a intra in Inbox
Silent SMS – DCS 0xC0 = Message Waiting
Indication Group: Discard Message

12. Amenintari - SMS
Alte tipuri
Flash SMS

13. Amenintari - SMS
Alte tipuri
Silent SMS

14. WAP
Wireless Application Protocol
Arhitectura de retea specifica
Set de reguli
Limbaj specific: Wireless Markup Language
(WML)
Pagini HTML ajustate pentru dimensiunea
ecranului telefonului

15. WAP

16. WAP Push
Permite trimiterea de continut WAP cu o
interventie minima din partea utilizatorului
2 tipuri: Service Indication / Service Load

17. WAP Push
Service Indication (SI) permite trimiterea
de notificari utilizatorului intr-un mod
asincron

18. WAP Push
Service Indication (SI)

19. WAP Push
Service Load (SL) determina “aplicatia” de
pe telefon sa incarce si execute un
serviciu

20. WAP Push
Service Load (SL)

21. WAP Push - securitate
Teoria: Doar un anumit numar este autorizat pentru
trimitere; Practica: daca nu e configurat bine, un telefon
accepta de la orice numar astfel de mesaje
Pe Windows Mobile trebuiesc verificate setarile din
HKLMSecurityPoliciesPolicies
; SL Message Policy ; (default: SECROLE_PPG_TRUSTED)
[HKEY_LOCAL_MACHINESecurityPoliciesPolicies]
"0000100c"=dword:800 ; SI Message Policy ; (default:
SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
[HKEY_LOCAL_MACHINESecurityPoliciesPolicies]
"0000100d"=dword:c00

22. WAP Push - securitate
SECROLE_PPG_TRUSTED: Trusted Push Proxy
Gateway. Messages assigned this role indicate
that the content sent by the Push Initiator is
trusted by the Push Proxy Gateway. This role
implies that the device trusts the Push Proxy
Gateway (SECROLE_TRUSTED_PPG).
SECROLE_PPG_AUTH: Push Initiator
Authenticated. Messages assigned this role
indicate that the Push Initiator is authenticated by
the Push Proxy Gateway. This role implies that
the device trusts the Push Proxy Gateway
(SECROLE_TRUSTED_PPG).

23. WAP Push - securitate

24. WAP
Configurarea telefonului pentru acces la Internet
/ date poate fi facuta manual
Pentru o configurare mai usoara, rapida si
pentru eventualele schimbari, a fost creat un
standard ce permite configurarea de la distanta
Programarea Over The Air (OTA) foloseste
standardul OMA – Open Mobile Alliance
Programarea se face prin SMS-uri special
concepute

25. WAP - provisioning
Foloseste protocolul WAP
WBXML (WAP Binary XML) prin Wireless
Application Environment
Wireless Session Protocol
Wireless Datagram Protocol
SMS

26. WAP - provisioning
Configurarea se scrie in XML (conform
specificatiilor de la
http://www.openmobilealliance.org)
XML-ul se va codifica in WAP Binary XML
WBXML se va encapsula intr-o data de tip
Wireless Session Protocol
Datele se vor codifica intr-un mesaj Push, definit
in Wireless Session Protocol

27. WAP - provisioning
Mesajul Push contine diferiti parametri,
unul fiind parametrul “SEC” pentru
autentificare pe baza de “cheie” comuna
USERPIN: string ASCII codificat in
zecimale
NETWPIN: cheia este specifica retelei si
cunoscuta (teoretic) doar de catre operator
USERNETWPIN: combinatie a celor 2

28. WAP - provisioning
NETWPIN: IMSI = MCC+MNC+MSIN
(Mobile Subscription Identification
Number)
Pret: 2-5 euro-centi
In general limitat pentru companii, se cere
un volum mare de interogari

29. WAP - provisioning
<wap-provisioningdoc>
<characteristic type="NAPDEF">
<parm name="NAME" value="NewAPN"/>
<parm name="NAPID" value="NewAPN_NAPID_ME"/>
<parm name="BEARER" value="GSM-GPRS"/>
<parm name="NAP-ADDRESS" value="apn.operator.ro"/>
<parm name="NAP-ADDRTYPE" value="APN"/>
</characteristic>
<characteristic type=“APPLICATION">
<parm name="NAME" value="NewAPN"/>
<parm name="APPID" value="w2"/>
<parm name="TO-NAPID" value="NewAPN_NAPID_ME"/>
</characteristic>
<wap-provisioningdoc>

30. WAP - provisioning
<wap-provisioningdoc> - contine toata informatia
transmisa
<characteristic …> - grupeaza informatia in unitati
logice
<… value="NAPDEF"/> - configuram un nou
network access point
<parm name="APPID" value="w2"/> -
mapeaza configuratia la activitatile de
browsing
Informatii la http://www.openmobilealliance.org

31. WAP - provisioning
<wap-provisioningdoc>
<characteristic type="BOOTSTRAP">
<parm name="NAME" value=“Operator NET"/>
<parm name="PROXY-ID"
value="OpNET_Proxy"/>
</characteristic>
<characteristic type="NAPDEF">
<parm name="NAME" value="OpNET"/>
<parm name="NAPID" value="OpNET_NAPID"/>
<parm name="BEARER" value="GSM-GPRS"/>
<parm name="NAP-ADDRESS" value="net"/>
<parm name="NAP-ADDRTYPE" value="APN"/>
</characteristic>

32. WAP - provisioning
<characteristic type="PXLOGICAL">
<parm name="NAME" value="OpNET"/>
<parm name="PROXY-ID" value="OpNET_Proxy"/>
<characteristic type="PXPHYSICAL">
<parm name="PHYSICAL-PROXY-ID"
value="OpNET_PhProxy"/>
<parm name="PXADDR" value=“192.168.1.1"/>
<parm name="PXADDRTYPE" value="IPV4"/>
<parm name="TO-NAPID" value="OpNET_NAPID"/>
<characteristic type="PORT">
<parm name="PORTNBR" value="8080"/>
</characteristic>
</characteristic>
</characteristic>

33. WAP - provisioning
<characteristic type="APPLICATION">
<parm name="APPID" value="w2"/>
<parm name="NAME" value="OpNET"/>
<parm name="TO-PROXY"
value="OpNET_Proxy"/>
<characteristic type="RESOURCE">
<parm name="NAME" value="OpNET"/>
<parm name="URI"
value="http://www.google.com"/>
<parm name="STARTPAGE"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>

34. WAP - provisioning
Teoretic aceasta configurare poate fi facuta
doar de catre operator, de la un numar
predefinit
Putem analiza SMS-ul prin WireShark
Putem adauga un alt numar

35. WAP - provisioning
<?xml version="1.0"?>
<!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN"
wap- "-
"http://www.wapforum.org/DTD/prov.dtd">
"http://www.wapforum.org/DTD/prov.dtd">
<wap-provisioningdoc version="1.1">
wap-
<characteristic type="BOOTSTRAP">
<parm name="NAME" value=“Nume"/>
value=“ Nume"/>
</characteristic>
<characteristic type="PXLOGICAL">
<parm name="NAME" value=“Nume"/>
value=“ Nume"/>
<parm name="PROXY-ID" value="Trusted_Proxy"/>
name="PROXY- value="Trusted_Proxy"/>
<parm name="NAME" value="Trusted Proxy"/>
<characteristic type="PXPHYSICAL">
<parm name="PHYSICAL-PROXY-ID" value="Trusted_PhProxy"/>
name="PHYSICAL- PROXY- value="Trusted_PhProxy"/>
<parm name="PXADDR" value="40711111111"/>
<parm name="PXADDRTYPE" value="E164"/>
<parm name="TO-NAPID" value="Trusted_NAPID"/>
name="TO- value="Trusted_NAPID"/>
<parm name="PUSHENABLED" value="1"/>
<parm name="PULLENABLED" value="1"/>
</characteristic>
</characteristic>
<characteristic type="NAPDEF">
<parm name="NAME" value="Op"/>
<parm name="NAPID" value="Trusted_NAPID"/>
value="Trusted_NAPID"/>
<parm name="BEARER" value="GSM-SMS"/>
value="GSM-
<parm name="NAME" value="Trusted Proxy"/>
<parm name="NAP-ADDRESS" value=" 40711111111 "/>
name="NAP-
<parm name="NAP-ADDRTYPE" value="E164"/>
name="NAP-
</characteristic>

36. WAP - provisioning
<wap-provisioningdoc>
<characteristic type="NetworkPolicy">
<characteristic type="WiFi">
<characteristic type="Settings">
<parm name="Disabled" value="1"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>

37. Interceptare trafic
Traficul trece prin proxy-ul nostru
Varianta 1 – Burp Proxy

38. Interceptare trafic
Traficul trece prin proxy-ul nostru
Varianta 2 – sslstrip
http://www.thoughtcrime.org/software/sslstrip/

39. Interceptare trafic
DEMO

40. Protectie
Operatorul poate filtra aceste tipuri de
mesaje
Producatorii de telefoane trebuie sa se
concentreze mai mult pe securitate
Verificati constant (la fel cum faceti cu
factura / creditul disponibil) setarile de
Internet

41. Intrebari?