Hijacking Mobile Data Connections

The attack we presented at BlackHat Europe 2009 showed how it could be possible to take complete control of mobile originated data connections, by using a standard Provisioning mechanism, exploiting the ability to deliver configuration messages to handsets and performing social engineering on user by means of spoofing techniques.

Provisioning is a process that allows for remote configuration of Mobile Devices, and is tipically used by Mobile Operators for sending handsets the correct configuration for using data connections (eg: Internet access, MMS…)

Userpin is one of the available security mechanisms for performing the Provisioning process.
When using such mechanism the Mobile Operator sends a text SMS, advising the user that he is going to receive a configuration message, and a PIN code, that will be used for installing the configuration.
The configuration message is then sent as a second SMS. The user needs to insert the received PIN code, and then the configuration will be installed.

Abusing the Provisioning process can be performed in multiple ways. The solution we presented at BlackHat relies on changing the DNS address with the Userpin mechanism, but other options are possible.

Our paper can be downloaded here and slides here

A demo of the attack is now also available in the video below, where two samples of the attack have been performed.

Further information and details are reported in the following.

We will provide additional samples and variations, while covering handsets from more manufacturers, in the next few days.

In this scenario, a fake info SMS is sent first, an user will believe it has been sent by the Operator because of the spoofed source and the message content.
If this message is trusted, then the user will be confident that the configuration message he will receive afterwards is also legitimate.
This SMS has been sent by using one of the many services available over the Internet, that allow sending SMS with arbitrary message source.

Then a configuration message is sent and it can be installed by using the PIN provided by the attacker; successful installation of this message will make the user trust even more the received configuration.
Usually, there is no need for spoofing such message, because many handset do not display its source.

The Nokia handset in the demo correctly shows the source number, but an attacker may bypass this by spoofing this message as well, or just by leveraging the fact that many users will not notice the information.
The provisioning message has been created by using a custom tool, but similar tools are easily available over the Internet.

In many cases, the provided configuration is installed directly as the default one.
The Nokia handset in the demo asks the user before installing it as the default, but, at this point, many user will likely consent to this.

In our scenario the attacker changes the DNS address with an IP of a DNS server he controls.
All the DNS queries will be answered with the address of an HTTP transparent proxy, and all the HTTP traffic will flow through this point of interception.
This allow to access and modify the traffic, effectively hijacking the sessions.

The video provides demonstration that, by using this technique, an attacker is able to access the clear text victim traffic.
This can be achieved just by sending a couple of SMS to an unsuspecting victim; the attack will survive to any reboot of the handset.

User awareness is one of the best defense against this kind of attack:
Have a careful look to the configurations installed in your handset.

Let op!

Leave a Reply