Archive for June, 2009

Gmail Hijacking On Mobiles

Friday, June 19th, 2009

In the last days, there has been lots of talking about weak security of Google ‘cloud’ services: after the authentication on encrypted protocol (HTTPS), all data exchange between user and Google servers takes place on plain HTTP, thus allowing for easy attack or eavesdropping. Wired reports that, for this reason, several security experts signed a public petition to ask Google to protect complete user sessions with SSL. From our mobile enviroment perspective, we cannot but to completely agree.

The abusing of the OMA provisioning mechanism, supported by a great extent of modern mobile devices, as we pointed out, demonstrates beyond any doubt how concrete the risk is. Ironically, while provisioning protocol makes abusing mobile devices configuration so easy, many sites do use secure (SSL) protocols, but not when accessed by mobile devices; probably because, given their reduced computational power, these are considered unfit to cope with encryption in an effective way.

Continuing our exploration of what the consequences of Data Session Hijacking could be, we went a step further. In Proxy Fun we reported that hijacking by means of remote proxy configuration only affects HTTP traffic (and HTTPS as well), that could be considered as a limitation but, by contrast, allows for some HTTP-specific hijacking techniques more easily than a remote DNS configuration.
Actually, the original attack we presented at BH Europe 2009, based on DNS configuration, was still unable to intercept and handle HTTPS connections, thus still being ineffective with sites that used this protocol for authentication.
Proxy configuration makes hijacking effective on a new mobile site category: those (email providers, social network, e-commerce) that use HTTPS protocol for logging in, and then switch to HTTP protocol for the rest of the session. Exactly like Google – that, by the way, is still more secure than several services that make no use of SSL whatsoever; we have found several ones.

So, hijacking by means of a proxy configuration means passing HTTPS authentication without interception by CONNECT method, then getting the session cookie (called GX for Gmail) from subsequent HTTP requests and using it to hijack the user session – a technique called “sidejacking”. You don’t have to think that only exchanged data is at risk; the attacker gets authenticated to the server and can operate on the server as if he was the user. An attacker, for example, could write, send and delete mails on behalf of the victim user or delete the user’s documents.

Sidejacking, or using the victim session cookies to impersonate him, was demonstrated by the founders of Errata Security at BlackHat Usa 2007. Also an evolution of this technique has been proposed, called forced sidejacking, that makes use of ‘HTTP 302 Temporarily moved’ web pages for collecting victim cookies.

In the following video we show how remotely configuring an LG KM900, in order to force it to go through an evil proxy server, looks like; then the attacker easily grabs the GX cookie released within a Gmail mobile session and uses it in his browser to hijack the mobile session.

Proxy Fun

Friday, June 12th, 2009

In the previous post Hijacking Mobile Data Connections , we pointed out how an attacker could gain full control on mobile data connections originated by mobile phone.

This could be achieved by reconfiguring the DNS address on victim’s mobile phone with one controlled by the attacker, by means of OMA provisioning SMS. However, during our tests some mobile phones resisted to this attack, due to the fact that, despite supporting OMA provisioning, they don’t honour configuration requests of DNS address, neither locally nor remotely.

But, as we said, OMA provisioning allows for setting other parameters than DNS; among them there are the proxy settings.

In mobile world, a proxy isn’t different from any other environment: it is a software component that is located between a client, in this case a mobile phone, and a server on Internet; any standard HTTP proxy can be used for an HTTP mobile client.

In our experiences we have noticed that the proxy settings are widely used by several operator services, mainly for delivering MMS messages.

On the other side, an attacker could use proxy configuration to hijack the victim traffic, HTTP and HTTPS, and redirect it towards an IP address under his control. Still the victim, after having installed the rogue configuration, will be unaware that a third party, the attacker, is eavesdropping the data traffic.

Hijacking by means of a proxy configuration has some differences with respect to DNS configuration, apart from being supported by a few more phones:

  • Proxy component is enough to redirect user’s data traffic.
  • The proxy port could be set to a different value, other than the standard TCP/80. This could be useful for the attacker to overcome some firewall restriction.
  • While the operator could block DNS traffic to outside of its network, in order to mitigate attacks to DNS settings, it may be difficult to restrict access to HTTP proxies over Internet;

The limitation, of course, is that only HTTP-based services could be hijacked; this excludes email and most dedicated clients.

To be more technical, let’s shows a simple proxy configuration:

proxy settings

The complete proxy XML configuration file can be downloaded here.

A generic explanation of an XML configuration file has been provided in our paper downloadable from here.

In order to provide new proxy configuration it is necessary to use the two characteristic, PXPHYSICAL and PXLOGICAL as described in provided in Provisioning Content Specification.

PXLOGICAL characteristic is used to introduce a new proxy configuration inside the current XML configuration.

PXPHISICAL characteristic, defined inside PXLOGICAL characteristic, specifies the proxy server information needed to use it: proxy address, port number and other proxy related parameters, if needed.

The following two pictures show the proxy configuration on LGKM900 where it is not possible to configure a DNS address.

phone settings

A suitable program must now be used to compile this configuration in a binary SMS message; then, the message can be delivered to the victim by sending AT commands to a mobile phone attached to the PC.