Mobile Security Lab

Two members of our team had the fun of attending the 25th Chaos Communication Congress (25C3) – “Nothing to hide”.
The quality level of several talks, spread during the 4 conference days, proved to be very high.

Below some presentations, related to Mobile Security, that we found particularly interesting:
Locating Mobile Phones using SS7 by Tobias Engel: showed how it can be possible to remotely locate Mobile Phones by ‘using’ SS7 protocol.
Exploiting Symbian by Collin Mulliner: provided information on the exploitation of stack buffer overflows on the Symbian platform.
Attacking NFC mobile phones by Collin Mulliner: insights on the security of NFC mobile phones and related services.
Hacking the iPhone by MuscleNerd, pytey, planetbeing: the very technical in’s and out’s of of iPhone unlocking and jailbreaking
Running your own GSM network by Harald Welte and Dieter Spaar: Building a ‘personal’ GSM network, without investing billions, now has been put in the realm of possibilities. But..running it without proper care and permissions could generate some unwanted legal side-effects 😉

Additional talks that we really enjoyed:
Chip Reverse Engineering by Karsten Nohl and starbug: how the reverse engineering of functions and algorithms buried in hardware, can be achieved.
Analyzing RFID Security by Henryk Plötz and Karsten Nohl: advices, tips, examples and more for working on RFID security
Predictable RNG in the vulnerable Debian OpenSSL package by Maximiliano Bertacchini and Luciano Bello: elaborating the consequences of the predictable RNG Debian flaw. Vulnerability overview and attack demonstration along with a lot of fun.

Details regarding a previously unknown vulnerability on Nokia phones, named ‘Curse of Silence’, have been released by Tobias Engel.
An attacker can prevent vulnerable devices from receiving SMS messages until a Factory Reset is performed.
Advisory details and video

Happy New Year!!
Mobile Security Lab

“You are browsing with your shiny smartphone while being connected to a wireless LAN.
Suddenly you receive a single SMS carrying a new contact information.
You don’t even have the time to check it, that your SMS inbox starts filling with unwanted messages and you don’t seem to be able to stop it…”

This is a possible scenario that may happen if you are victim of a vCard Denial of Service, described here.

The attack can be carried on, possibly in a more effective way, when a data connection is active with a Mobile Operator that assigns a public IP address, reachable over the Internet, and does not provide any filtering of incoming packets.
In this case the attack can become a truly remote Denial of Service, that can be performed over the Internet, at no cost for an attacker.
Additionally, the protocol used (UDP) allows for easy IP source address spoofing, making more difficult the tracking of an attacker or the implementation of proper firewall policies.

The following video provides a short insight of what may happens to an handset when is targeted by such an attack.
(more…)