Mobile Security - SMS Attacks

Post on 19-Jan-2015


Mobile Security - SMS Attacks

Presenter: Bogdan ALECU

http://m-sec.net

Twitter: @msecnet

General information about SMS

Threats

WAP

Data traffic interception

Demo

General information

SMS (Short Message Service) is a way of communicating through text messages between mobile / fixed-line phones, using a standardized protocol. It is an efficient means of communication: the user writes a text, presses SEND, and the message is delivered almost instantly to the recipient.

Used for several purposes: MMS (Multimedia Messaging Service), OTA (Over The Air) phone configuration, notifications for voicemail, email, fax, micropayments (paying small amounts for various services) => SECURITY!

General information

"An active mobile device must be able to receive a short message of type TPDU - Transfer protocol data unit - (SMS-DELIVER) at any time, regardless of whether a call or data traffic is in progress. A report will always be sent to the SC (the message service), confirming either that the phone received the message or that the message was not delivered, including the reason for the refusal."

ETSI TS 100 901 V7.5.0 (2001-12), page 13

Threats - SMS

SMS spam

SMS spoofing

SMS notifications

Other types

Threats - SMS

SMS spam

Companies offer advertising services via SMS

Messages announcing fake winnings

Social engineering - "Call me urgently at this number: 0900323421! Mom"

Threats - SMS

SMS spoofing

Online services that allow the sender to be changed (numeric / alphanumeric)

Hard to stop, especially when roaming is taken into account

More effective in social engineering attacks

Threats - SMS

SMS notifications

Voicemail

Fax

E-mail

Video

The user cannot remove the notification icon shown when such a message is received

Threats - SMS

SMS notifications (voicemail)

Threats - SMS

SMS notifications (email)

Threats - SMS

Other types

Flash SMS (Class 0) - the user sees the message directly, without it going into the Inbox

Silent SMS - DCS 0xC0 = Message Waiting Indication Group: Discard Message
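The notification, Flash and Silent message types on these slides are all selected by the Data Coding Scheme (DCS) octet of the SMS. The decoder below is an added example, not part of the original presentation; it follows the coding groups of 3GPP TS 23.038, and the function name, flag names and sample values are hypothetical.

```python
# TP-DCS decoder following the coding groups of 3GPP TS 23.038.
INDICATION_TYPES = ("voicemail", "fax", "email", "other")
MWI_GROUPS = {0xC: "mwi-discard", 0xD: "mwi-store-gsm7", 0xE: "mwi-store-ucs2"}


def classify_dcs(dcs):
    """Describe one DCS octet: coding group, message class, MWI fields, review flags."""
    if not 0 <= dcs <= 0xFF:
        raise ValueError("DCS is a single octet")
    group = dcs >> 4
    info = {"group": "reserved", "msg_class": None, "mwi": None, "flags": []}
    if group <= 0x7:
        # 00xx general data coding, 01xx marked for automatic deletion;
        # bits 1..0 carry a message class only when bit 4 is set.
        info["group"] = "general" if group <= 0x3 else "auto-delete"
        if dcs & 0x10:
            info["msg_class"] = dcs & 0x03
    elif group in MWI_GROUPS:
        # Message Waiting Indication: bit 3 = indication active, bits 1..0 = type.
        info["group"] = MWI_GROUPS[group]
        info["mwi"] = {"type": INDICATION_TYPES[dcs & 0x03], "active": bool(dcs & 0x08)}
    elif group == 0xF:
        # Data coding / message class group: the class is always present.
        info["group"] = "data-coding-class"
        info["msg_class"] = dcs & 0x03
    if info["msg_class"] == 0:
        info["flags"].append("flash")           # Class 0: shown at once, not stored in the Inbox
    if info["group"] == "mwi-discard":
        info["flags"].append("discardable")     # handset may drop the text (the slide's Silent SMS)
    if info["mwi"] and info["mwi"]["active"]:
        info["flags"].append("sets-indicator")  # turns on a voicemail / fax / email icon
    return info


# Constructed DCS values, as they would appear in captured SMS-DELIVER headers.
SAMPLES = (0x00, 0x10, 0xC0, 0xC8, 0xCA, 0xF0)

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"0x{value:02X}", classify_dcs(value))
```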

Threats - SMS

Other types: Flash SMS

Threats - SMS

Other types: Silent SMS

WAP

Wireless Application Protocol

Specific network architecture

Set of rules

Specific language: Wireless Markup Language (WML)

HTML pages adjusted to the phone's screen size

WAP

WAP Push

Allows WAP content to be sent with minimal intervention from the user

2 types: Service Indication / Service Load

WAP Push

Service Indication (SI) allows notifications to be sent to the user asynchronously

WAP Push

Service Indication (SI)

WAP Push

Service Load (SL) causes the "application" on the phone to load and execute a service

WAP Push

Service Load (SL)

WAP Push - security

Theory: only a specific number is authorized to send. Practice: if it is not configured properly, a phone accepts such messages from any number.

On Windows Mobile, the settings under HKLM\Security\Policies\Policies must be checked:

; SL Message Policy
; (default: SECROLE_PPG_TRUSTED)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000100c"=dword:800

; SI Message Policy
; (default: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000100d"=dword:c00

WAP Push - security

SECROLE_PPG_TRUSTED: Trusted Push Proxy Gateway. Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).

SECROLE_PPG_AUTH: Push Initiator Authenticated. Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).

WAP Push - security

WAP

Configuring the phone for Internet / data access can be done manually

For easier and faster configuration, and for any later changes, a standard was created that allows remote configuration

Over The Air (OTA) programming uses the OMA (Open Mobile Alliance) standard

Programming is done through specially crafted SMS messages

WAP - provisioning

Uses the WAP protocol

WBXML (WAP Binary XML) through Wireless Application Environment

Wireless Session Protocol

Wireless Datagram Protocol

SMS

WAP - provisioning

The configuration is written in XML (according to the specifications at http://www.openmobilealliance.org)

The XML is encoded as WAP Binary XML

The WBXML is encapsulated in a Wireless Session Protocol data unit

The data is encoded in a Push message, defined in Wireless Session Protocol

WAP - provisioning

The Push message contains various parameters, one of them being the "SEC" parameter, used for authentication based on a shared "key"

USERPIN: ASCII string encoded in decimal

NETWPIN: the key is specific to the network and known (in theory) only to the operator

USERNETWPIN: a combination of the two

WAP - provisioning

NETWPIN: IMSI = MCC+MNC+MSIN (Mobile Subscription Identification Number)

Price: 2-5 euro cents

Generally limited to companies; a large volume of queries is required

WAP - provisioning

<wap-provisioningdoc>
  <characteristic type="NAPDEF">
    <parm name="NAME" value="NewAPN"/>
    <parm name="NAPID" value="NewAPN_NAPID_ME"/>
    <parm name="BEARER" value="GSM-GPRS"/>
    <parm name="NAP-ADDRESS" value="apn.operator.ro"/>
    <parm name="NAP-ADDRTYPE" value="APN"/>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="NAME" value="NewAPN"/>
    <parm name="APPID" value="w2"/>
    <parm name="TO-NAPID" value="NewAPN_NAPID_ME"/>
  </characteristic>
</wap-provisioningdoc>

WAP - provisioning

<wap-provisioningdoc> - contains all the transmitted information

<characteristic …> - groups the information into logical units

<… value="NAPDEF"/> - we configure a new network access point

<parm name="APPID" value="w2"/> - maps the configuration to browsing activities

Information at http://www.openmobilealliance.org

WAP - provisioning

<wap-provisioningdoc>
  <characteristic type="BOOTSTRAP">
    <parm name="NAME" value="Operator NET"/>
    <parm name="PROXY-ID" value="OpNET_Proxy"/>
  </characteristic>
  <characteristic type="NAPDEF">
    <parm name="NAME" value="OpNET"/>
    <parm name="NAPID" value="OpNET_NAPID"/>
    <parm name="BEARER" value="GSM-GPRS"/>
    <parm name="NAP-ADDRESS" value="net"/>
    <parm name="NAP-ADDRTYPE" value="APN"/>
  </characteristic>

WAP - provisioning

  <characteristic type="PXLOGICAL">
    <parm name="NAME" value="OpNET"/>
    <parm name="PROXY-ID" value="OpNET_Proxy"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PHYSICAL-PROXY-ID" value="OpNET_PhProxy"/>
      <parm name="PXADDR" value="192.168.1.1"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
      <parm name="TO-NAPID" value="OpNET_NAPID"/>
      <characteristic type="PORT">
        <parm name="PORTNBR" value="8080"/>
      </characteristic>
    </characteristic>
  </characteristic>

WAP - provisioning

  <characteristic type="APPLICATION">
    <parm name="APPID" value="w2"/>
    <parm name="NAME" value="OpNET"/>
    <parm name="TO-PROXY" value="OpNET_Proxy"/>
    <characteristic type="RESOURCE">
      <parm name="NAME" value="OpNET"/>
      <parm name="URI" value="http://www.google.com"/>
      <parm name="STARTPAGE"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

WAP - provisioning

In theory, this configuration can be done only by the operator, from a predefined number

We can analyze the SMS with Wireshark

We can add another number

WAP - provisioning

<?xml version="1.0"?>
<!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN" "http://www.wapforum.org/DTD/prov.dtd">
<wap-provisioningdoc version="1.1">
  <characteristic type="BOOTSTRAP">
    <parm name="NAME" value="Nume"/>
  </characteristic>
  <characteristic type="PXLOGICAL">
    <parm name="NAME" value="Nume"/>
    <parm name="PROXY-ID" value="Trusted_Proxy"/>
    <parm name="NAME" value="Trusted Proxy"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PHYSICAL-PROXY-ID" value="Trusted_PhProxy"/>
      <parm name="PXADDR" value="40711111111"/>
      <parm name="PXADDRTYPE" value="E164"/>
      <parm name="TO-NAPID" value="Trusted_NAPID"/>
      <parm name="PUSHENABLED" value="1"/>
      <parm name="PULLENABLED" value="1"/>
    </characteristic>
  </characteristic>
  <characteristic type="NAPDEF">
    <parm name="NAME" value="Op"/>
    <parm name="NAPID" value="Trusted_NAPID"/>
    <parm name="BEARER" value="GSM-SMS"/>
    <parm name="NAME" value="Trusted Proxy"/>
    <parm name="NAP-ADDRESS" value="40711111111"/>
    <parm name="NAP-ADDRTYPE" value="E164"/>
  </characteristic>
</wap-provisioningdoc>

WAP - provisioning

<wap-provisioningdoc>
  <characteristic type="NetworkPolicy">
    <characteristic type="WiFi">
      <characteristic type="Settings">
        <parm name="Disabled" value="1"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

Traffic interception

Traffic passes through our proxy

Option 1 - Burp Proxy

Traffic interception

Traffic passes through our proxy

Option 2 - sslstrip

http://www.thoughtcrime.org/software/sslstrip/

Traffic interception

DEMO

Protection

The operator can filter these types of messages

Phone manufacturers must focus more on security

Check your Internet settings regularly (just as you do with your bill / available credit)
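Both the operator-side filtering and the settings check recommended above come down to spotting provisioning documents that add a proxy or a push-capable number, as in the documents on the earlier slides. The audit below is an added example, not part of the original presentation; the function names, finding labels and allowlist parameters are hypothetical, and the sample document is constructed from the values the slides use.

```python
import xml.etree.ElementTree as ET

# Constructed sample; addresses and names reuse the values shown on the slides.
SAMPLE = """<wap-provisioningdoc version="1.1">
  <characteristic type="PXLOGICAL">
    <characteristic type="PXPHYSICAL">
      <parm name="PXADDR" value="192.168.1.1"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
      <characteristic type="PORT"><parm name="PORTNBR" value="8080"/></characteristic>
    </characteristic>
    <characteristic type="PXPHYSICAL">
      <parm name="PXADDR" value="40711111111"/>
      <parm name="PXADDRTYPE" value="E164"/>
      <parm name="PUSHENABLED" value="1"/>
    </characteristic>
  </characteristic>
  <characteristic type="NAPDEF">
    <parm name="NAP-ADDRESS" value="net"/>
    <parm name="NAP-ADDRTYPE" value="APN"/>
  </characteristic>
</wap-provisioningdoc>"""


def parms(node):
    """Direct <parm> children of a characteristic as a name -> value dict."""
    return {p.get("name"): (p.get("value") or "").strip() for p in node.findall("parm")}


def audit(xml_text, known_proxies=(), known_naps=()):
    """Return (kind, detail) findings for settings that reroute traffic or add a push sender."""
    if "<!ENTITY" in xml_text:  # refuse entity definitions before parsing
        raise ValueError("entity declarations are not expected in a provisioning document")
    findings = []
    for ch in ET.fromstring(xml_text).iter("characteristic"):
        kind, p = ch.get("type"), parms(ch)
        if kind == "PXPHYSICAL":
            addr = p.get("PXADDR", "")
            port = ch.find("characteristic[@type='PORT']/parm[@name='PORTNBR']")
            target = addr + (":" + port.get("value") if port is not None else "")
            if addr not in known_proxies:
                findings.append(("unknown-proxy", f"{p.get('PXADDRTYPE', '?')} {target}"))
            if p.get("PXADDRTYPE") == "E164" and p.get("PUSHENABLED") == "1":
                findings.append(("push-sender-added", addr))
        elif kind == "NAPDEF":
            nap = p.get("NAP-ADDRESS", "")
            if nap not in known_naps:
                findings.append(("unknown-nap", f"{p.get('NAP-ADDRTYPE', '?')} {nap}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, known_naps={"net"}):
        print(finding)
```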

Questions?