Hijacking… made easier

Here we are with another sample of our attack technique described in the “Hijacking Mobile Data Connections” post. Today we are going to show you how the attack can have a significantly deeper impact depending on the design of the target handset: specifically, some defects in the provisioning messages processing code, together with a less than optimal User Interface design, lead to a significant advantage for an attacker trying to compromise the device.
In this case no ‘social engineering’ or spoofed messages are required.

As described in our MSL-2009-001 advisory (“Samsung Missing Provisioning Authentication”), we have identified some handsets that don’t perform proper authentication of incoming SMS Provisioning messages. They never display the source of the message; moreover, and much more worrying, they accept both authenticated and unauthenticated provisioning messages without giving to the user any hint of the nature of the message itself. To install the configuration inside it, user simply has to open the incoming message, while no authentication is in effect.

The following video shows how the attack is performed against these devices.

It is important to highlight that both unauthenticated messages and authenticated ones (whether by USERPIN or NETWORKPIN mechanism) are presented to the user in exactly the same way.
This has a deep impact on the security level perceived by the user: a competent one, in fact, could base its judgement of the message authenticity on the fact that it is authenticated by a specific mechanism. In order to produce a correct NETWORKPIN-authenticated message, the sending party has to know the IMSI of the victim, which is usually considered a private information, known only to the user itself and to the operator he belongs to.
The user, seeing that he is not asked to input any PIN, is led to think that the provisioning message is of the NETWORKPIN-authenticated type, and that, being so, it has to come from the operator’s systems; this reinforce, in the user, the belief that he can safely accept the new configuration.

Leave a Reply