Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: mobile

DEEPSEC: SMS Fuzzing – SIM Toolkit Attack

3 Comments Posted by ChrisJohnRiley on November 17, 2011

SMS Fuzzing – SIM Toolkit Attack

Bogdan Alecu

SMS is a unique mobile attack vector as it is an always on service. Regardless of wether or not you’re using another application, an SMS can be received by the phone. As SMS is enabled by default on all phones it provides many interesting possibilities.

Tools Used

PDUSpy

Used to decode the binary message

Nokia 3300

Used for capturing
F-BUS cable

dct3tap
Wireshark

GSMTAP and SIMCARD patches

Gemalto GemPC SIM Card reader

SIM Application Toolkit

Provides value added services for the mobile operators.

Basically a set of commands written on the SIM card which helps the card to communicate with the mobile device.

We are particularly interested in the following data on the SIM Card

Data download via SMS Point to Point

When this service is enabled, it instructs the mobile device to respond to short message with varying protocol identifiers. This allows an attacker to send a message that goes straight to the SIM and is not shown to the user (the screen may light up on set phones).

By setting the second byte it is possible to trigger a delivery report. Setting the acknowledgement receipt via DELIVERY REPORT can result in any further messages being queued up until after the initial message expires (time out dependent on provider).

The person receiving the call is charged for the Acknowledgement at the standard rate of the provider. This is involuntary as the person receiving the message receives no warning.

Problem reported as cve-2010-3612 (currently reserved)

Vulnerability tested on multiple phones incl Nokia, Samsung Galaxy S, ….

Impact

Works independently of the phone or GSM network
When sending the message between different networks or the same network it doesn’t have such a great financial impact
There are providers that allow you to spoof source numbers –> Think premium rate numbers

By spoofing the source address you can set a premium rate source (attacker owned) and have the credit stolen from a victims phone without notification.

Protection

Most protects require operator assistance.
Some mobile devices have the ability to ask the user about SIM actions (other than Nokia ?)
Use a SIM Card that has the service “data download via SMS Point to Point” deactivated or one without any Toolkit Application

Links :

SMS Fuzzing – SIM Toolkit Attack –> Overview
SMS Fuzzing – SIM Toolkit Attack Slides –> Link

Conference, Security deepsec, GSM, mobile, sms

Shmoocon 2011: Attacking 3G and 4G mobile telecommunications networks

Comments Off Posted by ChrisJohnRiley on January 29, 2011

Attacking 3G and 4G mobile telecommunications networks

Enno Rey, Rene Graf & Daniel Mende

No demos today due to shipping materials and the like. TSA don’t like big electronic devices being shipped after all.

Still, that doesn’t mean there was no practical research.

Fundamentals

Standards

In mobile telco world everything is standardized by 3GPP

3GPP: collaboration between groups of telco standards orgs
3GPP: standard structured as/bundled in releases
- 1992: Phase 1
- 2000: Release 99 (incl first spec of 3G UMTS)
- 2008: Release 8

2 Elements. 1 facing the internet and the other facing the mobile network

4G Network

4G networks change the names and functions of some devices.

Transport Layer: UDP or SCTP (mostly)

There could be some TCP elements, but none that have been seen in this research.

Generic Packed Tunneling: GTP

All types of signaling:

S1AP
X2AP
GTP-C

Authentication: DIAMETER

Others:

L2TP
DSMIPv6
…

SCTP Overview

Stream Control Transmission Protocol

General purpose layer 4 protocol

Specified by the IETF

Uses elements from TCP and UDP to cover all required functionality of both.

SCTP – 4 way handshake

INIT – INIT ACK – COOKIE ECHO – COOKIE ACK

Several different RFCs covering SCTP (starting with RFC2960).

Current tools don’t work very well due to SCTP rewrites in RFC5206 and RFC4960

NMAP SCTP doesn’t work “in a satisfactory manner”
SCTPscan no long work

Attacks from within the mobile telco networks

Attacks from the backhaul networks
Attacks from the Core network
Attacks from Management networks

Backhaul networks

Mobile backhaul

Carries data from the RAN to the management network and back

4G specific requirement laid out by 3GPP

Includes

eNodeB
MME
SGW

Can be implemented with different technologies

Originally ATM (in the early years of GSM), PDH/SDH, IP/MPLS, “Hybrid Approach” offloading to DSL, Carrier Ethernet

4G Assumes gigabit connections between elements to give sufficient bandwidth (mainly ethernet based)

How to get into backhaul

Physical intrusion to some cage located “in the somewhere”

Get Access to the network segment

Microwave
DSL
Carrier Ethernet

4G Aggregates “dumb” BTS and BSC/RNC functions on the one device –> eNB is not dumb anymore!

Once your in, what to do!

Attacking components

3G: SGSNm RNC, NodeB
4G: MME, eNB, SAE.GW
Routers/Switches

Eavesdropping

Pretty much everything is unencrypted
3GPP insists on using IPsec Gateways
- Which operators implement this?
Some countries argue against this standard

ARP spoofing still works smoothly

Apparently not on the security radar!

4G ALL-IP approach comes in handy

Let’s get practical

These notes are from in lab testing (i.e no firewalls, IPsec, etc…)

Real world attacks may be different due to this!

“Standard attack approach” did not yield anything interesting

SCTP Scanning via nmap or SCTPscan showed nothing

Using custom SCTP scanning tool showed some open ports

some of those “obscure signaling protocols”

Fuzzing the protocols

After starting the fuzzing, things got really slow.

When checking the server was sending SCTP ABORT leading us to believe something had crashed!

The main function of the device was no longer available

It recovered after a few minutes

Changed scripts and continued to fuzz

Final result…. system went down!

Business impact?

The first field of the protocol was causing the device crash!

Targeted code was running in the kernel

All that glitters is not gold however!

This isn’t old code! It’s newly developed for 4G! Make your own conclusions…

<NDA>

Continued testing is planned to really find the impact of this and other issues.

</NDA>

Attacks from the internet

Public space might mean the terminal (not covered) or the internet

Some interfaces must be made available to entities outside the network

e.g. S8 on PDN-GW for roaming
3G: SGSNs must be able to connect to GGSNs of other countries
Standards say: Use NDS (IPsec of equiv. security) for these cases
So GTP should never be visible from the internet

Reality check!

GTP

Used to carry IP-based data traffic between network elements. There is also some other elements

Variants: GTP-C, GTP-U, and GTP’

TEID

Tunnel Endpoint IDentifier

Not very random

Not protected

Reality is that scanning for GTP in the wild does find results.

GTP Echo mechanism (port 2123) can be used to discover real GTP speakers in the internet waiting for communications

GTP-scan.py will be released soon to show this!

Many of the systems listening on GTP ports are also listening on other ports (21, 22, 23, 80) !

Various countries, many in Europe.

Whois information points to major mobile operators in these countries.

So why would they do this?

Sometimes having a working network is more important than following the standards to the letter!

Conclusions

From what the research shows, it looks like many attacks are coming against these networks.

Walled telco gardens are disappearing

All IP in the future

Terminals are getting more and more powerful

Misconception that people don’t understand these complex IP landscapes

Links:

Shmoocon Schedule –> HERE
Talk synopsis –> HERE
www.insinuator.net

Conference, Penetration Test, Security 3G, 4G, backhaul network, GSM, mobile, Shmoocon, Telco

Shmoocon 2011: TEAM JOCH vs. Android: The Ultimate Showdown

2 Comments Posted by ChrisJohnRiley on January 29, 2011

TEAM JOCH vs. Android: The Ultimate Showdown

Jon Oberheide and Zach Lanier

Android Security Overview

Base platform :

ARM Core
Linux Kernel 2.6.3x
Native Libraries
Dalvik VM
….

TrustZone Security Foundation by ARM

ARM11 TrustZone –> Unused!
ARM11 Jazelle JVM –> Unused!
ARMv6 eXecute-Never (XN)? –> Unused!

Mobile ASLR sucks!

Exploiting like it’s 1990

Executable stack/heap
Non-randomization of mmap/brk

Permissions based models

Applications explicitly request pre-defined permissions. All or nothing (ACCEPT or don’t install)

App Sandboxing

standard uid/gid – generating a unique account per app to prevent overwriting of files

Application signing

NO CAs

Kernel Security

Linux kernel = Swiss cheese

Jailbreaks, aka local privesc

Dalvik VM != sandbox

Not limited to execute dex bytecode
Can pop out of VM to execute native code
Any 3rd party app can root your phone by exploiting a kernel vuln

Native code packaged within APKs

No code signing

How to build a mobile botnet

Build some fun looking game/app
- including RootStrap functionality
- Periodically phone home to check for new payloads
As soon as a new kernel vuln is discovered, push out exploit payload
Rootkit a bunch of phones

PoC –> Eclipse Preview

200+ downloads in under 24 hours

Not very good reviews… 1*

Google pulled the software from the store

Google used the REMOVE_ASSET function to uninstall the app from the phones

Google can not only remove software, but use INSTALL_ASSET to install things!

Platform Security

There’s a lot of “platform goo” in the middle between applications and kernels

What to attack?

Not kernel, not apps!
How about the permissions framework

Permissions approval process is designed to warn users of what an application needs to access

Browse
Install
Approve?
Installed!

Google is a sneaky panda!

You don’t actually download/install the app through the market

When you click install in market, Google sends the INSTALL_ASSET command to your phone to begin the install using the GTalkService persistent data connection used to connect your phone to Google.

This is one of the few closed-source parts in Android.

Connections are SSL… but SSL isn’t everything.

If you can pop the GTalkService Servers at Google, you could push out apps to every Android phone!

Gap in responsibility

Market app performs the perceived install process and acceptance of permissions

The GTalkService then takes it from there

The communications use Google’s Protobuf format which has been at least partially documented by the Android Market API project on googlecode.

Elements of an install request

Needs to be populated with

Misc fields
App ID
- Can be derived from dissecting market requests
Auth Token
- Turns out this can be stolen from the Android AccountManager

Bypassing permissions approval

Steal the “android” service token used by the market from the AccountManager
Construct ProtoBuf request to market servers
Bypass the permissions approval process by directly requesting the software from the GTalkService using INSTALL_ASSET

When people viewed the install page in the market, the user wasn’t prompted and in the background other applications were installed

Platform Security Write-up

Vulnerability Status

Donut: Fixed
Foyo: Fixed
Eclair: no confirmation yet, may be vulnerable

Solution adds a process where the marketplace flags an app as accepted which the GTalkService checks before installing.

Platform complexity leads to vulns

Round-about marketplace and GTalkService procedure
“server-initiated” flag fix worth investigation

Application Security

Broad Observations

The web pushed a lot of content to the browser

Now instead of data, functionality is being pushed to the web.

Mobile brought about an app for everything. Most could be achieved through the browser

XKCD viewer??

Carriers: “We trust you because you’re on our network”

Client-side data trust issues… admin=1 is live again!

HyperGlobalMegaCloudDataMeshStore???

Whitebox source-code review

Sometimes it’s trivial to get app source code

Blackbox

Acquiring Application binaries
Reverse Engineering (Disass/Decomp)
Network Analysis (Fuzzing, Protocol Analysis)
MITM

Testing Tools and Techniques

DextoJar
JDgui / JAD
Undex
APKtool (wrapper around smaller tools)

Case Studies

FourSquare

Originally written in Java, like most Android apps

Source available under Apache 2.0 license

FourSquare API supports Basic Auth and OAuth

OAuth Includes signatures for transactions to prevent replay attacks etc…
So naturally FourSquare used Basic Auth over HTTP

FourSquared app does have OAuth support, but it’s not actually used

Fixed since, as FourSquare API now forces HTTPS (at least it’s one step in the right direction)

Storage Application

Simple crash in storage quota viewer

Divide by zero error leads to Dos
Attacker mus successfully intercept and modify the server response

More of an annoyance than a real problem… app crashes!

This app also supported some DRM protections however

App supports sharing video, audio, image content
This is set by an XML manifest that says what is and isn’t possible
DRM enforced on the handheld….
intercept, change read only to share and DRM bypassed

App Framework

Runs on multiple platforms

Custom permissions restricts us from sending messages (intents) to the runtime

This app implements a custom intent service which can be spoken to as long as you have the right key!

But other malicious apps can clobber widget content! (CWE-276: Incorrect Default Permissions)

The configuration and store on the filesystem is world writable, allowing for clobbering the app content (modify widget anybody)

Lookout mobile

Lookout mobile security app

> 4 million users

Performs scanning, backup, lost device recovery.

Installs with world writeable configuration file (/data/data/com.lookout)

Has a code execution flaw due to its call to liblookout.so from a shared location.

By overwriting the lib (or changing the read path in the world writeable config) you can get code exec

Security app != Secure phone

Wrap-up

No real guidance, standards, best practices
Bone-headed unix mistakes from 1995 are appearing in mobile now

Links:

Shmoocon Schedule –> HERE
Talk Synopsis –> HERE
Market API –> HERE

Conference, Security android, mobile, Security, Shmoocon

[BruCON] The Monkey Steals the Berries

Comments Off Posted by ChrisJohnRiley on September 24, 2010

The Monkey Steals the Berries (Tyler Shields)

Why would an attacker target a phone

PC’s are becoming smaller and smaller as more data is moved to the mobile platform. Mobile devices are also commonly less protected than desktop systems (like going back in time in some cases). It also allows for very targeted attacks.

The mobile arena is currently growing more than any other operating system. This makes it the target of the future. Once the various mobile platforms settle and the 2 or 3 major players are defined, things will become more targeted (as it was with Windows).

Mobile applications are another constant growth area giving another great chance to attack users.

Flexispy (http://www.flexispy.com)

Features everything needed for attackers.
- Yearly costs involved
- Closed source
- Exfiltrates data to the software provider where you can view it through a web interface.
This makes it a hard sell for attackers.

Mobile Spy (www.mobile-spy.com)

Less features, but covers a wider range of platforms.
- Yearly costs involved (cheaper than flexispy)
- Closed source
- Exfiltrates data to the software provider where you can view it through a web interface.
Same issues as flexispy, including closed source and no direct control of the exfiltrated data.

Etisalat (SS8)

As rolled out in the UAE to Blackberry systems.
Used Blackberry PIN messaging as the C&C channel. Captured outbound SMS and Emails with complete control given to the provider.
Was discovered due to issues users reported with battery life

Storm8

Creator of games like iMobster and Vampires Live for the iPhone
Gathered phone numbers of users. Company claimed it was coded in error

Symbian Sexy Space

Exfiltrates data to a website of the hackers choice.
Binary was signed as safe by Symbian!

Symbian MergoSMS

Came in the form of games and themes
Binary signed as safe!

09Droid

Created banking applications for the Android platform
Did nothing more than pass calls through to the bank
No malicious code found… Could easily have happened however!

3D Anti-Terrorist, …

Dialed premium rate numbers (8 per month)
Waited 3 days before starting to avoid easy detection
Slow win instead of a fast big pay-off
Repackaged legitimate game to be malicious

Mobile Security Mechanisms

Only 23% of smartphone owners use the security software installed on a device

13% of organisations currently protect from mobile devices

A balancing act between usability and security.

Corporate Level security Policies

Applied at the corporate IT Level
Can’t be modified by the end-users

End-User Level security Policies

Could be assigned from a provider
Can be overridden by end-user
Not as common as Corporate protections
Not as strict as Corporate protections

Mobile Anti-Virus

Implemented at the handset itself
Fails due to the same reason PC antivirus is failing today

Checks code

How are people like Apple checking apps in the app store?
Not all checked code is secure!

Code Signing

Subset of Blackberry API considered “controlled”
Use of controlled package, class, … needs signature
Can be yours for only $20
Hash of code sent to RIM (Not full code)
No barrier to entry
Signature can’t be revoked for existing apps (only to stop future apps)

Blackberry IT Policies

Blackberry Enterprise Server (BES)
Supersedes lower level security controls
Complex and very in-depth
Lots of fine-grained controls
So many that mod are set to “Default Allow All” as a result

Blackberry Application Policies

Can be controlled at the BES
Also mostly Allow
- Gives an app many permissions by default
If you say “don’t trust” app still gets access to email, contact data by default!
- Can be tweaked on a per-app basis (yeah right!)

Blackberry Spyware (TXSBBSpy)

Many ways to install on systems

Extensive logging and data exfiltration features (including SMS, EMail, HTTP, TCP/UDP sockets, DNS requests)

Technical Methods

Data Dumpers
Listeners
Exfiltration Methods
Command & Control

Detection

AV fails to detect due to the same issues we see on the desktop
Resource usage and whitelisting
Sandboxed based execution
Code Analysis (possible, but tricky/expensive)

Best solution is to use a Defense in Depth strategy and implement any and all protections possible.

Conclusion

A lot of trust lies with vendor application checks –> This is unwarrented

The only real solution is analysis of code

LINK:

TWITTER –> http://www.twitter.com/txs
Is Your Blackberry Spying on You –> HERE
TXSBBSpy Video Demo –> HERE
TXSBBSpy Source (JAVA) –> HERE
Talk Abstract –> HERE
Talk Slides –> HERE

Conference, Security blackberry, brucon, malware, mobile, spyware, TXSBBSpy

← Older posts

RSS feed

Don't forget to tune in to episode 2 of Might & Mercy #13thage #TTRPG youtu.be/2QUVlHQQ1x0 Would love to hear your feedback. 1 week ago
That thing we did, yeah episode 1 is out now. Watch "Might & Mercy - S1E1 - When Trouble finds you…" on YouTube… twitter.com/i/web/status/1… 2 weeks ago
RT @FIRSTdotOrg: It's #FIRSTFriday and there's a new #FIRSTImpressions episode to stream! This interview features #DNSAbuse #SIG co-chair,… 2 weeks ago
Some music to see you through the dark times… c22 Sessions 2023 Vol.1 mixcloud.com/C22DnB/c22-ses… #DnB #djmixes 3 weeks ago
#Soon Get ready to watch "Might & Mercy - D&D Campaign - Trailer" on YouTube youtu.be/TqNyc055fyU 2 months ago
RT @ConSelfOwns: https://t.co/jV4qUr4NdX 3 months ago

The contents of this personal blog are solely my own opinions and comments, as such they do not reflect the opinions of my employer(s) past, present or future. No legal liability is accepted for anything you do, think, or consider fact as the basis of articles and links posted on this blog.

"Three to one...two...one...probability factor of one to one...we have normality, I repeat we have normality. Anything you still can’t cope with is therefore your own problem."

Note: A large portion of content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such errors and emissions are expected. I'm only human after all!