PoC

February 9th, 2009

A new page is now online at poc.mseclab.com.
We plan to use this space to release tools, projects and, most of all, the proof-of-concept code and test pages related to the published vulnerabilities.
The test page for a specific vulnerability will be accessible from the Advisories page, or by directly accessing the address above.
We hope this provides a means of testing that can be used by anyone, including operators and manufacturers, for verifying vulnerabilities and solutions.

In this perspective, a page for remotely testing HTC Touch handsets against the MSL-2008-002 vulnerability has just been released and is now available here.
Enjoy!

Noise on the line

February 3rd, 2009

The Wappush vulnerability, present on some Sony Ericsson handsets, has been discussed in several “places” on the web after the release of our advisory.
We feel that, in order to avoid possible misconceptions, a few points need to be remarked:

Calls in the video: Performing a phone call is not required in order to allow the attack to take place. Rebooting will happen regardless of the activities being performed on the phone at the moment of the attack.

SMS messages: It is not necessary to open a received SMS to trigger the vulnerability. As shown in the video, the handset crashes upon SMS message reception, and no SMS message is displayed or present in the Message Inbox after the handset reboots.

IP packets: It is not necessary to send an IP packet to a broadcast address in order to trigger the vulnerability. A crafted unicast packet, directed to the handset IP address, is all that is needed.

Operator IP Networks: We don’t know of any Mobile Operator allowing broadcast IP packets in their networks. On the other hand, at the time of writing, there are Mobile Operators that assign unfiltered public IP addresses to handsets connecting to the Internet.

Tools: Despite what has been stated elsewhere, we are not aware of any public tool that is able to exploit the vulnerability, either by using IP or SMS.

Active exploitations: Up to now, we have not heard of any hostile activity that has taken place exploiting the issue.

With regard to these specific points, we would be interested to hear of anything different.

Wappush!

January 23rd, 2009

The WAP Push service can be used for delivering unsolicited data to the handset, and is typically used by Operators for providing advanced services (e.g. e-mail, MMS).

The MSL-2008-001 advisory reports a Denial of Service vulnerability discovered in several SonyEricsson handsets, that allows an attacker to remotely reboot a vulnerable handset by sending a malformed WAP Push message.
Both SMS messages and UDP datagrams can be used as a transport mechanism for delivering WAP Push messages.
The vulnerability can be remotely triggered both via SMS and UDP; in the latter case the malformed message needs to be sent to port 2948, which has been found open on all the handsets listed in the advisory.

The risks associated with a “UDP-based” attack scenario are not negligible if the Operator allows reachability of the handset IP address without doing proper filtering.
An attacker may be able to remotely reboot the handset by simply sending a carefully crafted IP datagram to the handset IP address.

Additionally:
– the handsets accept IP packets directed to a broadcast address. If broadcast packets are allowed in the network, a single UDP datagram may be sufficient for rebooting all the handsets in the target subnet.
– the UDP protocol is connectionless and a single datagram is sufficient for triggering the vulnerability. Under these conditions source IP spoofing is possible, increasing the difficulty of implementing proper firewall policies and of tracking attackers.

In the “SMS-based” attack scenario, an SMS carrying the malformed WAP Push message is able to trigger the vulnerability.
The SMS buffering performed by the Operator network brings, as a side effect, the possibility for an attacker to perform an extended Denial of Service attack against a single target.
In fact, if multiple SMS are sent to the victim, the first one will reboot the handset, making it unavailable for receiving further messages.
The other messages will queue on the network side and delivery will be attempted as soon as the handset re-attaches to the network, leading to continuous rebooting.
This may allow an attacker to effectively disable the use of the handset for an extended period of time.
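The operator-side filtering the post calls for can be checked against flow records. The following is an added example, not code from Mobile Security Lab: it classifies constructed flow records, flags UDP datagrams towards port 2948 on the handset pool that do not originate from the operator’s own Push Proxy Gateway, and separately flags datagrams aimed at the pool’s broadcast address. The handset pool (10.20.0.0/16), the gateway address (10.0.0.5) and the record format are assumptions made for the example.

```python
import ipaddress
from collections import Counter

WAP_PUSH_PORT = 2948                                  # UDP port named in the advisory
HANDSET_POOL = ipaddress.ip_network("10.20.0.0/16")   # assumption: operator handset address pool
PPG_SOURCES = {ipaddress.ip_address("10.0.0.5")}      # assumption: operator Push Proxy Gateway

# Constructed flow records, one per line: "proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
udp 10.0.0.5 9200 10.20.4.17 2948
udp 203.0.113.9 40001 10.20.4.17 2948
udp 203.0.113.9 40002 10.20.255.255 2948
tcp 198.51.100.3 52000 10.20.4.17 80
udp 10.20.4.17 2948 10.0.0.5 9200
"""


def parse_flow(line: str):
    """Split one constructed record into typed fields."""
    proto, src, sport, dst, dport = line.split()
    return proto, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport)


def classify(flow) -> str:
    """Verdict for a single flow record, from the operator's point of view."""
    proto, src, _sport, dst, dport = flow
    if proto != "udp" or dport != WAP_PUSH_PORT:
        return "ignore"                 # not WAP Push over UDP
    if dst == HANDSET_POOL.broadcast_address:
        return "alert-broadcast"        # one datagram could reach every handset in the pool
    if dst not in HANDSET_POOL:
        return "ignore"                 # not directed at a handset
    if src in PPG_SOURCES:
        return "allow-ppg"              # the operator's own push gateway: expected traffic
    return "alert-unsolicited"          # Internet-side sender: should have been filtered


def audit(text: str):
    """Classify every non-empty record and return (record, verdict) pairs."""
    return [(line, classify(parse_flow(line))) for line in text.splitlines() if line.strip()]


def summary(text: str) -> dict:
    """Count verdicts, useful as a quick check of a filtering policy."""
    return dict(Counter(verdict for _, verdict in audit(text)))


if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:18s} {record}")
    print(summary(SAMPLE_FLOWS))
```

Every record that ends up as `alert-unsolicited` or `alert-broadcast` is one that an inbound filter at the operator edge should have dropped before it reached the handset address; the same three conditions (UDP, destination port 2948, destination in the handset pool, source not the gateway) translate directly into a deny rule on that edge.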


25C3 is over…

December 31st, 2008

Two members of our team had the fun of attending the 25th Chaos Communication Congress (25C3) – “Nothing to hide”.
The quality level of several talks, spread over the 4 conference days, proved to be very high.

Below some presentations, related to Mobile Security, that we found particularly interesting:
Locating Mobile Phones using SS7 by Tobias Engel: showed how it can be possible to remotely locate Mobile Phones by ‘using’ the SS7 protocol.
Exploiting Symbian by Collin Mulliner: provided information on the exploitation of stack buffer overflows on the Symbian platform.
Attacking NFC mobile phones by Collin Mulliner: insights on the security of NFC mobile phones and related services.
Hacking the iPhone by MuscleNerd, pytey, planetbeing: the very technical ins and outs of iPhone unlocking and jailbreaking.
Running your own GSM network by Harald Welte and Dieter Spaar: building a ‘personal’ GSM network, without investing billions, has now been put in the realm of possibilities. But running it without proper care and permissions could generate some unwanted legal side-effects 😉

Additional talks that we really enjoyed:
Chip Reverse Engineering by Karsten Nohl and starbug: how the reverse engineering of functions and algorithms buried in hardware can be achieved.
Analyzing RFID Security by Henryk Plötz and Karsten Nohl: advice, tips, examples and more for working on RFID security.
Predictable RNG in the vulnerable Debian OpenSSL package by Maximiliano Bertacchini and Luciano Bello: elaborating the consequences of the predictable RNG Debian flaw. Vulnerability overview and attack demonstration, along with a lot of fun.

Details regarding a previously unknown vulnerability on Nokia phones, named ‘Curse of Silence’, have been released by Tobias Engel.
An attacker can prevent vulnerable devices from receiving SMS messages until a Factory Reset is performed.
Advisory details and video

Happy New Year!!
Mobile Security Lab

Losing at vCards

December 19th, 2008

“You are browsing with your shiny smartphone while being connected to a wireless LAN.
Suddenly you receive a single SMS carrying new contact information.
You don’t even have time to check it before your SMS inbox starts filling with unwanted messages, and you don’t seem to be able to stop it…”

This is a possible scenario that may happen if you are victim of a vCard Denial of Service, described here.

The attack can be carried out, possibly in a more effective way, when a data connection is active with a Mobile Operator that assigns a public IP address, reachable over the Internet, and does not provide any filtering of incoming packets.
In this case the attack can become a truly remote Denial of Service, that can be performed over the Internet, at no cost for an attacker.
Additionally, the protocol used (UDP) allows for easy IP source address spoofing, making it more difficult to track an attacker or to implement proper firewall policies.

The following video provides a short insight into what may happen to a handset when it is targeted by such an attack.

No-Key Symmetric Injections

October 30th, 2008

Symmetric algorithms are often used for encrypting embedded and mobile firmware images in order to protect code and data confidentiality, AES-CBC being a typical choice.
Firmware files are usually also fully signed, but, in our experience, we have met cases where encryption of some regions was the only security measure, relying only on the confidentiality of the key itself.

The lack of integrity protection, which is sometimes regarded as a minor issue if the encryption key is kept secret (e.g. in hardware), may leave open some attack paths that, in some very specific cases, allow an attacker to introduce modifications into selectively targeted plaintext regions.

These ideas, even if not necessarily new or applicable in a wide range of cases, are, nonetheless, here presented with the intent of stressing the need for proper integrity protection, even if the encryption key is considered secret.
Scenarios are presented for CBC mode of a generic symmetric encryption algorithm, but they may be applicable also to other modes.
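The CBC property the post relies on, and the integrity check that closes it, can both be shown in a few lines. The following is an added example and not Mobile Security Lab’s code: it implements CBC mode over a small Feistel block cipher (an assumption standing in for AES, chosen only so the example runs with the standard library), shows that XOR-ing a difference into ciphertext block n-1 applies the same difference to decrypted block n while destroying block n-1, without any knowledge of the key, and then shows that an encrypt-then-MAC wrapper (HMAC-SHA256 over IV and ciphertext) rejects the modified image before anything is decrypted. Keys, IV and the three-block “firmware” are constructed values.

```python
import hashlib
import hmac

BLOCK = 16  # block size, in bytes, of the toy cipher below


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel_round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed SHA-256 truncated to one half-block (8 bytes).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network standing in for AES (assumption: toy cipher).
    # CBC malleability does not depend on which block cipher is used.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _feistel_round(key, rnd, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _feistel_round(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))  # P[n] = D(C[n]) xor C[n-1]
        prev = c
    return b"".join(out)


def inject(ciphertext: bytes, target_block: int, delta: bytes) -> bytes:
    # The no-key modification: XOR `delta` into ciphertext block n-1.
    # Decrypted block n becomes P[n] xor delta; block n-1 becomes garbage.
    if target_block < 1:
        raise ValueError("block 0 is chained to the IV, not to a ciphertext block")
    start = (target_block - 1) * BLOCK
    patched = _xor(ciphertext[start:start + BLOCK], delta.ljust(BLOCK, b"\x00"))
    return ciphertext[:start] + patched + ciphertext[start + BLOCK:]


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Hardened form: encrypt-then-MAC, tag covering IV and ciphertext.
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # integrity failure: refuse to decrypt at all
    return cbc_decrypt(enc_key, iv, ct)


def demo() -> dict:
    enc_key, mac_key = b"K" * 16, b"M" * 16  # constructed keys
    iv = b"\x00" * BLOCK
    # Constructed three-block "firmware" with a flag in block 1 at offset 12.
    firmware = b"BOOT-CODE-REGION" + b"SECURE_BOOT=1   " + b"TRAILING-DATA---"
    ct = cbc_encrypt(enc_key, iv, firmware)
    delta = bytes(12) + bytes([ord("1") ^ ord("0")])  # turns that '1' into '0'
    tampered = cbc_decrypt(enc_key, iv, inject(ct, 1, delta))
    sealed = seal(enc_key, mac_key, iv, firmware)
    tampered_sealed = sealed[:BLOCK] + inject(ct, 1, delta) + sealed[-32:]
    return {
        "original_flag": firmware[16:32],
        "tampered_flag": tampered[16:32],
        "block0_intact": tampered[:16] == firmware[:16],
        "block2_intact": tampered[32:48] == firmware[32:48],
        "sealed_rejects": open_sealed(enc_key, mac_key, tampered_sealed) is None,
        "sealed_accepts": open_sealed(enc_key, mac_key, sealed) == firmware,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The garbled block n-1 is what limits the technique in practice: it only pays off where the preceding block is padding, unused data or otherwise tolerated, which is the “very specific cases” qualification above. The MAC check in `open_sealed` is position-independent and rejects any change to IV or ciphertext, which is why integrity protection is needed regardless of how well the key is kept.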


Hello world!

October 29th, 2008

“Dunque…noi vogliamo sapere…per andare dove dobbiamo andare, per dove dobbiamo andare?”

that is

“Now…we would like to know…to go where we have to go, where are we supposed to go?…”

“Totò, Peppino e…la malafemmina – 1956”

No, we’re not crazy; right, we are supposed to talk about mobile security, but at the same time we feel that a short introduction is needed, so let’s start from the beginning: what’s all of this about?

We plan to use this space mainly as a kind of blackboard to document some of the research activities we are involved in. On top of this, we would like to post about some of the material that we use or develop during our work. What we would like to do is to stimulate some discussion on themes that, while not directly related to any security issue, could constitute the basis on which new tools or techniques could be developed.

The reason to do so is that we strongly believe in the important role of a multidisciplinary approach in security research and, even more, in the mobile security field. To this effect we try to leverage, as our best tool, some of our personal backgrounds, ranging from information science to electronics engineering to physics (and, of course, ICT security).

While doing so, we try our best to understand not only how to break this security measure or how to exploit that product, but also how all the parts of the increasingly complex mobile scenario interact. We have found that this way of working tends to stimulate the production of collateral ideas; while most of them have no immediate use, we love to explore them and try to relate them to other, seemingly unrelated, concepts.

So, this is the ultimate meaning of the text quoted at the beginning of this post: to really understand not only what we are doing but also how to link and exploit all these knowledge fragments to achieve a better overall security level in the mobile world.

By the way, if you did not see that movie, you really should 😉