Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: sms

DEEPSEC: SMS Fuzzing – SIM Toolkit Attack

3 Comments Posted by ChrisJohnRiley on November 17, 2011

SMS Fuzzing – SIM Toolkit Attack

Bogdan Alecu

SMS is a unique mobile attack vector as it is an always on service. Regardless of wether or not you’re using another application, an SMS can be received by the phone. As SMS is enabled by default on all phones it provides many interesting possibilities.

Tools Used

PDUSpy

Used to decode the binary message

Nokia 3300

Used for capturing
F-BUS cable

dct3tap
Wireshark

GSMTAP and SIMCARD patches

Gemalto GemPC SIM Card reader

SIM Application Toolkit

Provides value added services for the mobile operators.

Basically a set of commands written on the SIM card which helps the card to communicate with the mobile device.

We are particularly interested in the following data on the SIM Card

Data download via SMS Point to Point

When this service is enabled, it instructs the mobile device to respond to short message with varying protocol identifiers. This allows an attacker to send a message that goes straight to the SIM and is not shown to the user (the screen may light up on set phones).

By setting the second byte it is possible to trigger a delivery report. Setting the acknowledgement receipt via DELIVERY REPORT can result in any further messages being queued up until after the initial message expires (time out dependent on provider).

The person receiving the call is charged for the Acknowledgement at the standard rate of the provider. This is involuntary as the person receiving the message receives no warning.

Problem reported as cve-2010-3612 (currently reserved)

Vulnerability tested on multiple phones incl Nokia, Samsung Galaxy S, ….

Impact

Works independently of the phone or GSM network
When sending the message between different networks or the same network it doesn’t have such a great financial impact
There are providers that allow you to spoof source numbers –> Think premium rate numbers

By spoofing the source address you can set a premium rate source (attacker owned) and have the credit stolen from a victims phone without notification.

Protection

Most protects require operator assistance.
Some mobile devices have the ability to ask the user about SIM actions (other than Nokia ?)
Use a SIM Card that has the service “data download via SMS Point to Point” deactivated or one without any Toolkit Application

Links :

SMS Fuzzing – SIM Toolkit Attack –> Overview
SMS Fuzzing – SIM Toolkit Attack Slides –> Link

Conference, Security deepsec, GSM, mobile, sms

Shmoocon 2011: Defeating mTANs for profit

1 Comment Posted by ChrisJohnRiley on January 29, 2011

Defeating mTANs for profit

Axelle Apvrille and Kyle Yang

Zeus In The MObile –> ZITMO

Malware for Symbian OS > 9.0

Intercepts mTANs (one-time passwords sent over SMS)

Targeting Spanish online banks

Propagated on PC by Zeus botnet

First case seen of organized criminals exploiting mobile TANs

Zeus (AKA Zbot)

It’s a crimeware kit and not a single botnet (there are several)

Designed to steal banking credentials

Zitmo in a nutshell

Once Zeus has infected a pc, and the user initiates a transaction, Zeus detects the mobile number and attempts to propagates to the mobile device by sending the end-user an SMS to prompt the user to download a new certificate. Once this is installed the attacker can transfer the money at any time as the attacker has access to the online login information (stolen by Zeus through keylogging) and the mTAN for the transaction (stolen through Zitmo). The end-user never receives an SMS due to it being intercepted by Zitmo.

This means attackers can do the transfer at any point they wish without any user interaction.

Analysis of the Zitmo malware showed the program shared a lot of similarities with a Russian software called SMS Monitor which offers a lot of the same functions, but marketed as a parent controls and security audit tool.

However some of the code from SMS Monitor was published in Russian magazines. Maybe the code was stolen?

Reverse Engineering Zitmo

Three actors –> Victim, Administrator (bad guy) and Others (e.g. bank, friends, …)

2 separate processes –> INIT and SMS Processing Engine

Daemon listens for incoming SMS requests and checks them to see if they need to be processed (commands, mTANs, etc…) or forwarded to the phone’s inbox.

Due to the way Symbian works it’s not possible to hook directly into the “Listen to all SMS” function (in use by the phone). However it is possible to hook into the “Listen to all SMS containing the following”. By setting this to IfNotNULL, they can bypass the restriction of listening to ALL SMS messages.

Zitmo doesn’t block all SMS messages, but checks all incoming to check for appropriate actions. Blocking all SMS messages would result in the user becoming suspicious.

Zitmo Commands

ON / OFF (disable Zitmo)
SET ADMIN xx
ADD SENDER xx, xx / ALL
REM SENDER xx, xx / ALL
SET SENDER xx
BLOCK ON / OFF (block incoming calls)

Spoof administrator

Protocol flaw: Anybody can claim to be the administrator!

How to 0wn the adm1n :

Method 1: Send SET ADMIN command by SMS to the phone
Method 2: Craft a new settings file

By using remote debugging on Symbian it’s easy to step through the process used to handle commands as they come in from the lab administrator phone.

Zitmo’s Hidden debug window

Zitmo was secretly writing to a hidden debug window

By putting in a breakpoint on the hide function and altering it to visible, it was possible to view the hidden debug window and watch status information change when receiving commands.

Conclusions

Very difficult to spot due to the lack of symptoms

One possible trigger to detection is that the application was delivered as a .sis/.sisx application and not as a certificate (as advertised)

It also shows in the installed applications list

Zitmo is signed by Symbian, therefore accepted by the phone –> Express Signed

This is not uncommon however as multiple malware has been signed using this abuse

Links:

Shmoocon Schedule –> HERE
Talk Synopsis –> HERE
Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated – Fortinet Blog
Fortinet

Conference, Penetration Test, Security Banks, mtan, Security, Shmoocon, sms

RSS feed

The contents of this personal blog are solely my own opinions and comments, as such they do not reflect the opinions of my employer(s) past, present or future. No legal liability is accepted for anything you do, think, or consider fact as the basis of articles and links posted on this blog.

"Three to one...two...one...probability factor of one to one...we have normality, I repeat we have normality. Anything you still can’t cope with is therefore your own problem."

Note: A large portion of content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such errors and emissions are expected. I'm only human after all!