Archive for the 'Generic' Category

Service Loading primer (with related attacks)

Wednesday, September 16th, 2009

In the same days as our Hijacking attack presentation at BH EU ’09, we read of a sort of SMS hijacking attack performed on Windows Mobile phones. In the demonstration video here, a binary SMS is sent to a Windows Mobile phone and the browser suddenly pops up, opening an attacker-specified URL. That is the typical behaviour of a handset receiving a Service Loading (SL) message, and this type of attack had in fact already been discussed (here and here). We feel this may still be a somewhat underestimated risk in the mobile environment, as Service Loading is supported by many platforms apart from Windows Mobile; but before going deeper into that, let’s explain what Service Loading messages are and what they are for.

Service Loading is part of the WAP Push protocol suite for OTA (Over The Air) provisioning of mobile handsets. It is often cited together with Service Indication: like Service Loading, Service Indication carries URL addresses to the handset in a binary SMS message, but it is meant to notify the user of a URL so that it can, for instance, be added to the bookmarks, not necessarily to open it at once.

Let’s look at the basic structure of an SL message:

Service Loading DTD

Like any other WAP protocol element, it uses an XML representation; the SL element itself has only two attributes: a URI (commonly called a URL) and an action. The latter can be “execute-high”, meaning the content is executed in a user-obtrusive (visible) manner; “execute-low”, meaning the content is executed in a non user-obtrusive (invisible) manner; or “cache”, meaning the content is simply placed in the browser’s cache, neither executed nor displayed. The default is execute-low. To be sent, this document must be converted to WBXML format (a compressed binary representation) and then packed into an SMS message according to the WSP protocol.

Upon receiving such a message, if the URI points to an HTML page, the phone loads and shows it with the default web browser; if it points to an executable program, it downloads and executes it, possibly silently. The risk associated with this feature, especially when it operates without the user’s awareness, should be obvious even to non tech-savvy readers; that’s why most handsets come with some sort of security policy for WAP Push messages.
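To make the structure above concrete from the receiving (or filtering) side, here is an added example, written for this page and not code from the original post: a small decoder that takes the WBXML form of an SL message and recovers the href and action, applying the execute-low default when no action attribute is present. The token values (SL public identifier 0x06, sl tag 0x05, the attribute-start and attribute-value tokens) are the ones from the WAP-168 Service Loading specification as recalled here, so treat them as an assumption and check them against the spec; the two sample messages are constructed for this example.

```python
"""Decoder for WBXML-encoded Service Loading (SL) messages.

Added example, not code from the original post. Token values follow the
WAP-168 SL 1.0 specification as recalled by the editor (assumption: verify
against the spec). The sample messages below are constructed.
"""

# WBXML global tokens
END = 0x01      # end of attribute list / element
STR_I = 0x03    # inline, NUL-terminated string
STR_T = 0x83    # reference into the string table

SL_PUBLIC_ID = 0x06   # "-//WAPFORUM//DTD SL 1.0//EN"
SL_TAG = 0x05         # <sl>

# Attribute-start tokens: (attribute name, value prefix implied by the token)
ATTR_START = {
    0x05: ("action", "execute-low"),
    0x06: ("action", "execute-high"),
    0x07: ("action", "cache"),
    0x08: ("href", ""),
    0x09: ("href", "http://"),
    0x0A: ("href", "http://www."),
    0x0B: ("href", "https://"),
    0x0C: ("href", "https://www."),
}

# Attribute-value tokens (>= 0x80) that abbreviate common URL fragments
ATTR_VALUE = {0x85: ".com/", 0x86: ".edu/", 0x87: ".net/", 0x88: ".org/"}


def _read_mb_uint32(data, pos):
    """Read a WBXML multi-byte integer: 7 bits per byte, high bit means continue."""
    value = 0
    while True:
        b = data[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def _read_str_i(data, pos):
    """Read a NUL-terminated inline string starting at pos."""
    end = data.index(0x00, pos)
    return data[pos:end].decode("utf-8"), end + 1


def decode_sl(data):
    """Return {'action': ..., 'href': ...} for a WBXML SL document.

    Raises ValueError if the bytes are not a well-formed SL 1.0 document.
    """
    pos = 1                                   # skip the WBXML version byte
    public_id, pos = _read_mb_uint32(data, pos)
    if public_id != SL_PUBLIC_ID:
        raise ValueError("not an SL 1.0 document (public id 0x%02x)" % public_id)
    _charset, pos = _read_mb_uint32(data, pos)
    strtbl_len, pos = _read_mb_uint32(data, pos)
    string_table = data[pos:pos + strtbl_len]
    pos += strtbl_len

    tag = data[pos]
    pos += 1
    if tag & 0x3F != SL_TAG:
        raise ValueError("unexpected root tag 0x%02x" % tag)
    if tag & 0x40:
        raise ValueError("SL element must be empty (content bit set)")

    attrs = {"action": "execute-low"}         # spec default when action is absent
    if tag & 0x80:                            # attribute list follows
        name = None
        while True:
            tok = data[pos]
            pos += 1
            if tok == END:
                break
            if tok in (STR_I, STR_T) or tok in ATTR_VALUE:
                if name is None:
                    raise ValueError("attribute value before any attribute name")
                if tok == STR_I:
                    s, pos = _read_str_i(data, pos)
                elif tok == STR_T:
                    off, pos = _read_mb_uint32(data, pos)
                    s = string_table[off:string_table.index(0x00, off)].decode("utf-8")
                else:
                    s = ATTR_VALUE[tok]
                attrs[name] += s
            elif tok < 0x80 and tok in ATTR_START:
                name, prefix = ATTR_START[tok]
                attrs[name] = prefix
            else:
                raise ValueError("unsupported token 0x%02x in attribute list" % tok)
    if "href" not in attrs:
        raise ValueError("SL element without href")
    return attrs


def to_xml(attrs):
    """Render decoded attributes back in the textual form of the SL DTD."""
    return '<sl href="%s" action="%s"/>' % (attrs["href"], attrs["action"])


# Constructed sample: <sl href="http://www.example.com/wap/index.wml" action="execute-high"/>
SAMPLE_EXECUTE_HIGH = (bytes([0x02, 0x06, 0x6A, 0x00, 0x85, 0x0A, STR_I]) + b"example\x00"
                       + bytes([0x85, STR_I]) + b"wap/index.wml\x00" + bytes([0x06, END]))
# Constructed sample with no action attribute: the decoder must default to execute-low
SAMPLE_NO_ACTION = (bytes([0x02, 0x06, 0x6A, 0x00, 0x85, 0x0A, STR_I]) + b"example\x00"
                    + bytes([0x85, STR_I]) + b"wap/index.wml\x00" + bytes([END]))

if __name__ == "__main__":
    for sample in (SAMPLE_EXECUTE_HIGH, SAMPLE_NO_ACTION):
        print(to_xml(decode_sl(sample)))
```

The header is version byte, public identifier, charset (0x6A is UTF-8) and string-table length; the `sl` tag byte has its high bit set to announce an attribute list. A gateway or handset-side filter built on a decoder like this can flag messages whose effective action is execute-low, which is exactly the silent case the text warns about, and do so even when the sender left the attribute out and relied on the default.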

We conducted a test on two widely used devices, a Nokia N95 and a Sony Ericsson C905, to check how they deal with Service Loading messages.


Hijacking Mobile Data Connections

Wednesday, April 22nd, 2009

The attack we presented at BlackHat Europe 2009 showed how it is possible to take complete control of mobile-originated data connections by using a standard Provisioning mechanism: exploiting the ability to deliver configuration messages to handsets and performing social engineering on the user by means of spoofing techniques.

Provisioning is a process that allows remote configuration of mobile devices, and is typically used by Mobile Operators to send handsets the correct configuration for using data connections (e.g. Internet access, MMS, …).

Userpin is one of the available security mechanisms for performing the Provisioning process.
When using this mechanism the Mobile Operator sends a text SMS advising the user that he is going to receive a configuration message, together with a PIN code that will be used to install the configuration.
The configuration message is then sent as a second SMS. The user needs to enter the received PIN code, and the configuration is then installed.

The Provisioning process can be abused in multiple ways. The solution we presented at BlackHat relies on changing the DNS address through the Userpin mechanism, but other options are possible.

Our paper can be downloaded here and the slides here.

A demo of the attack is also available in the video below, in which two instances of the attack are performed.

Further information and details are reported in the following.

We will provide additional samples and variations, covering handsets from more manufacturers, in the next few days.


Back from Black (Hat)

Sunday, April 19th, 2009

We’re back from Black Hat Europe ’09; as always it’s been an interesting experience.

In the next few days we’ll post here the details of the work we presented there (“Hijacking Mobile Data Connections”), but since a few articles have already been published, we feel that a few concepts need stressing.

The attack we presented does not rely on a single vulnerability; it results from the possibility of “abusing” a standard protocol that allows remote reconfiguration of mobile devices.

The problem affects all devices that sport an OMA Provisioning client and are used on a network that doesn’t implement effective filtering of provisioning messages coming from untrusted sources; brand, model and similar details play a marginal role in all this.

In our opinion, support for OMA provisioning is not a problem ‘per se’; rather, it is the ability to abuse it that should be regarded as the problem.
So the handsets should be considered possible targets of the attack rather than the root cause of the problem itself. Some improvements on the handset side could help mitigate the problem, but they could hardly avoid this kind of attack entirely.

The ability to process OMA provisioning messages really depends on several factors: brand, model, firmware version; providing explicit indications of which handsets are possible targets would easily be prone to error.
As far as we know a large number of models, from different manufacturers, support the provisioning client, but, in order to avoid possible misunderstandings, we prefer not to mention brands and models unless specific vulnerabilities in the client are identified.

In summary: support for the OMA provisioning client, as specified in the standard, along with the possibility of receiving provisioning messages from untrusted sources, should be the main criteria for evaluating a risk scenario.

Stay tuned for the rest of the story.

BlackHat Europe 2009!!

Monday, March 2nd, 2009

Well, it seems it happened.
Our paper ‘Hijacking Mobile Data Connections’ has been selected for the BlackHat Europe 2009 conference, which will take place in Amsterdam on April 14-17.
For those who don’t know this conference (you really should), according to the BH site it’s “The World’s Premiere Technical Security Conference”.
We are happy that two members of Mobile Security Lab will be speaking at this event, with novel material we recently researched.
For additional information on the talk, read the speakers’ page on the BH site by following this link.
Stay tuned for more interesting things; this post will be updated with the schedule assigned to our talk.

See you in Amsterdam!!


Monday, February 9th, 2009

A new page is now online at
We plan to use this space to release tools, projects and, most of all, the proof-of-concept code and test pages related to the published vulnerabilities.
The test page for a specific vulnerability will be accessible from the Advisories page, or by directly accessing the address above.
We hope this provides means of testing that anyone, including operators and manufacturers, can use to verify vulnerabilities and solutions.

With this in mind, the possibility to remotely test HTC Touch handsets against the MSL-2008-002 vulnerability has just been released and is now available here.

25C3 is over…

Wednesday, December 31st, 2008

Two members of our team had the pleasure of attending the 25th Chaos Communication Congress (25C3) – “Nothing to hide”.
The quality of several talks, spread across the 4 conference days, proved to be very high.

Below are some presentations, related to Mobile Security, that we found particularly interesting:
Locating Mobile Phones using SS7 by Tobias Engel: showed how it is possible to remotely locate mobile phones by ‘using’ the SS7 protocol.
Exploiting Symbian by Collin Mulliner: provided information on the exploitation of stack buffer overflows on the Symbian platform.
Attacking NFC mobile phones by Collin Mulliner: insights on the security of NFC mobile phones and related services.
Hacking the iPhone by MuscleNerd, pytey, planetbeing: the very technical ins and outs of iPhone unlocking and jailbreaking.
Running your own GSM network by Harald Welte and Dieter Spaar: building a ‘personal’ GSM network, without investing billions, is now within the realm of possibility. But running it without proper care and permissions could generate some unwanted legal side-effects 😉

Additional talks that we really enjoyed:
Chip Reverse Engineering by Karsten Nohl and starbug: how the reverse engineering of functions and algorithms buried in hardware can be achieved.
Analyzing RFID Security by Henryk Plötz and Karsten Nohl: advice, tips, examples and more for working on RFID security.
Predictable RNG in the vulnerable Debian OpenSSL package by Maximiliano Bertacchini and Luciano Bello: elaborating the consequences of the predictable RNG Debian flaw. Vulnerability overview and attack demonstration along with a lot of fun.

Details of a previously unknown vulnerability in Nokia phones, named ‘Curse of Silence’, have been released by Tobias Engel.
An attacker can prevent vulnerable devices from receiving SMS messages until a factory reset is performed.
Advisory details and video

Happy New Year!!
Mobile Security Lab

Hello world!

Wednesday, October 29th, 2008

“Dunque…noi vogliamo sapere…per andare dove dobbiamo andare, per dove dobbiamo andare?”

that is

“Now…we would like to know…to go where we have to go, where are we supposed to go?…”

“Totò, Peppino e…la malafemmina – 1956”

No, we’re not crazy; yes, we are supposed to talk about mobile security, but at the same time we feel that a short introduction is needed, so let’s start from the beginning: what is all of this about?

We plan to use this space mainly as a kind of blackboard to document some of the research activities we are involved in. On top of this, we would like to post about some of the material that we use or develop during our work. What we would like to do is to stimulate some discussion on themes that, while not directly related to any security issue, could constitute the basis on which new tools or techniques could be developed.

The reason for doing so is that we strongly believe in the important role of a multidisciplinary approach in security research and, even more, in the mobile security field. To this end we try to leverage, as our best tool, our personal backgrounds, ranging from information science to electronics engineering to physics (and, of course, ICT security).

While doing so, we try our best to understand not only how to break this security measure or how to exploit that product, but also how all the parts of the increasingly complex mobile scenario interact. We have found that this way of working tends to stimulate the production of collateral ideas; while most of them have no immediate use, we love to explore them and try to relate them to other, seemingly unrelated, concepts.

So, this is the ultimate meaning of the text quoted at the beginning of this post: to really understand not only what we are doing but also how to link and exploit all these knowledge fragments to achieve a better overall security level in the mobile world.

By the way, if you did not see that movie, you really should 😉