Securitatea mobila - Atacuri prin SMS

SecuritateSecuritate mobilamobila ––

AtacuriAtacuri prinprin SMSSMS

PrezentatorPrezentator::

BogdanBogdan ALECUALECU

http://mhttp://m--sec.netsec.net

Twitter: @Twitter: @msecnetmsecnet

InformatiiInformatii generalegenerale despredespre SMSSMS

AmenintariAmenintari

WAPWAP

InterceptareInterceptare trafictrafic de datede date

DemoDemo

InformatiiInformatii generalegenerale

SMS SMS -- Short Message Service Short Message Service reprezintareprezinta un un mod de mod de comunicarecomunicare prinprin mesajemesaje text text intreintretelefoaneletelefoanele mobile / mobile / fixefixe, , utilizandutilizand un protocol un protocol standardizatstandardizat. . EsteEste un mod de un mod de comunicarecomunicareeficaceeficace; ; utilizatorulutilizatorul scriescrie un text, un text, apasaapasa SEND SEND sisimesajulmesajul e e livratlivrat aproapeaproape instant instant catrecatre destinatardestinatar. .

FolositFolosit pentrupentru maimai multemulte scopuriscopuri: MMS : MMS ––Multimedia Messaging Service, OTA Multimedia Messaging Service, OTA –– Over The Over The Air Air –– configurareaconfigurarea telefonuluitelefonului, , notificarinotificari pentrupentrumesageriamesageria vocalavocala, email, fax, , email, fax, microplatimicroplati –– plataplataunorunor sumesume micimici pentrupentru diferitediferite serviciiservicii => => SECURITATE!SECURITATE!

InformatiiInformatii generalegenerale

““Un Un dispozitivdispozitiv mobilmobil activactiv trebuietrebuie sasa fie fie

capabilcapabil de a de a primiprimi un un mesajmesaj scurtscurt de de

tipultipul TPDU TPDU -- Transfer protocol data unit Transfer protocol data unit

-- (SMS(SMS--DELIVER) in DELIVER) in oriceorice moment, moment,

indiferentindiferent dacadaca existaexista un un apelapel sausau trafictrafic

de date in de date in derularederulare. Un . Un raportraport vava fifi

trimistrimis intotdeaunaintotdeauna catrecatre SC (SC (ServiciulServiciul

de de mesajemesaje); ); confirmandconfirmand fie ca fie ca teltel a a

primitprimit mesajulmesajul sausau ca ca mesajulmesajul nunu a a fostfost

livratlivrat, , incluzindincluzind sisi motivulmotivul refuzuluirefuzului..””

ETSI TS 100 901 V7.5.0 (2001ETSI TS 100 901 V7.5.0 (2001--12), 12), pagpag

1313

AmenintariAmenintari -- SMSSMS

SMS SPAMSMS SPAM

SMS spoofingSMS spoofing

NotificariNotificari SMSSMS

AlteAlte tipuritipuri


SMS SPAMSMS SPAM

CompaniileCompaniile oferaofera serviciiservicii de de publicitatepublicitate

prinprin SMSSMS

MesajeMesaje cu cu castiguricastiguri falsefalse

InginerieInginerie socialasociala –– ““SunaSuna--ma urgent ma urgent pepe nr nr

astaasta: 0900323421! Mama: 0900323421! Mama””


SMS SpoofingSMS Spoofing

ServiciiServicii online online cece permit permit modificareamodificarea

expeditoruluiexpeditorului (numeric / (numeric / alfanumericalfanumeric))

GreuGreu de de opritoprit, , maimai ales ales dacadaca tinemtinem cont de cont de

roamingroaming

EficientaEficienta maimai mare in mare in atacurileatacurile de tip de tip

inginerieinginerie socialasociala


NotificariNotificari SMSSMS

VoicemailVoicemail

FaxFax

EE--mailmail

VideoVideo

UtilizatorulUtilizatorul nunu poatepoate scoatescoate iconicon--ulul de de

notificarenotificare asupraasupra primiriiprimirii unuiunui astfelastfel de de

mesajmesaj


NotificariNotificari SMS SMS

(voicemail)(voicemail)


NotificariNotificari SMS SMS

(email)(email)



Flash SMS (Class 0) Flash SMS (Class 0) –– utilizatorulutilizatorul vedevede

mesajulmesajul direct, direct, farafara a intra in Inboxa intra in Inbox

Silent SMS Silent SMS –– DCS 0xC0 = Message Waiting DCS 0xC0 = Message Waiting

Indication Group: Discard MessageIndication Group: Discard Message



Flash SMSFlash SMS



Silent SMSSilent SMS

WAPWAP

Wireless Application ProtocolWireless Application Protocol

Arhitectura de Arhitectura de retearetea specificaspecifica

Set de reguliSet de reguli

Limbaj specificLimbaj specific: Wireless Markup Language : Wireless Markup Language (WML)(WML)

PaginiPagini HTML HTML ajustateajustate pentrupentru dimensiuneadimensiuneaecranuluiecranului telefonuluitelefonului

WAPWAP

WAP PushWAP Push

PermitePermite trimitereatrimiterea de de continutcontinut WAP cu o WAP cu o

interventieinterventie minima din minima din parteapartea utilizatoruluiutilizatorului

2 2 tipuritipuri: Service Indication / Service Load: Service Indication / Service Load

WAP PushWAP Push

Service Indication (SI) Service Indication (SI) permitepermite trimitereatrimiterea

de de notificarinotificari utilizatoruluiutilizatorului intrintr--un mod un mod

asincronasincron

WAP PushWAP Push

Service Indication (SI)Service Indication (SI)

WAP PushWAP Push

Service Load (SL) Service Load (SL) determinadetermina ““aplicatiaaplicatia”” de de

pepe telefontelefon sasa incarceincarce sisi execute un execute un

serviciuserviciu

WAP PushWAP Push

Service Load (SL)Service Load (SL)

WAP Push WAP Push -- securitatesecuritate

TeoriaTeoria: : DoarDoar un un anumitanumit numarnumar esteeste autorizatautorizat pentrupentrutrimiteretrimitere; ; PracticaPractica: : dacadaca nunu e e configuratconfigurat binebine, un , un telefontelefonacceptaaccepta de la de la oriceorice numarnumar astfelastfel de de mesajemesaje

PePe Windows Mobile Windows Mobile trebuiesctrebuiesc verificateverificate setarilesetarile din din HKLMHKLM\\SecuritySecurity\\PoliciesPolicies\\PoliciesPolicies

; SL Message Policy ; (default: SECROLE_PPG_TRUSTED) ; SL Message Policy ; (default: SECROLE_PPG_TRUSTED) [HKEY_LOCAL_MACHINE[HKEY_LOCAL_MACHINE\\SecuritySecurity\\PoliciesPolicies\\Policies] Policies] "0000100c"=dword:800 ; SI Message Policy ; (default: "0000100c"=dword:800 ; SI Message Policy ; (default: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED) SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED) [HKEY_LOCAL_MACHINE[HKEY_LOCAL_MACHINE\\SecuritySecurity\\PoliciesPolicies\\Policies] Policies] "0000100d"=dword:c00 "0000100d"=dword:c00


SECROLE_PPG_TRUSTED: Trusted Push Proxy SECROLE_PPG_TRUSTED: Trusted Push Proxy Gateway. Messages assigned this role indicate Gateway. Messages assigned this role indicate that the content sent by the Push Initiator is that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).Gateway (SECROLE_TRUSTED_PPG).

SECROLE_PPG_AUTH: Push Initiator SECROLE_PPG_AUTH: Push Initiator Authenticated. Messages assigned this role Authenticated. Messages assigned this role indicate that the Push Initiator is authenticated by indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).(SECROLE_TRUSTED_PPG).

WAPWAP

ConfigurareaConfigurarea telefonuluitelefonului pentrupentru accesacces la Internet la Internet

/ date / date poatepoate fifi facutafacuta manualmanual

PentruPentru o o configurareconfigurare maimai usoarausoara, , rapidarapida sisi

pentrupentru eventualeleeventualele schimbarischimbari, a , a fostfost creatcreat un un

standard standard cece permitepermite configurareaconfigurarea de la de la distantadistanta

ProgramareaProgramarea Over The Air (OTA) Over The Air (OTA) folosestefoloseste

standardulstandardul OMA OMA –– Open Mobile AllianceOpen Mobile Alliance

ProgramareaProgramarea se face se face prinprin SMSSMS--uriuri special special

conceputeconcepute

WAP WAP -- provisioningprovisioning

FolosesteFoloseste protocolulprotocolul WAPWAP

WBXML (WAP Binary XML) WBXML (WAP Binary XML) prinprin Wireless Wireless

Application EnvironmentApplication Environment

Wireless Session ProtocolWireless Session Protocol

Wireless Datagram ProtocolWireless Datagram Protocol

SMSSMS


ConfigurareaConfigurarea se se scriescrie in XML (conform in XML (conform

specificatiilorspecificatiilor de la de la

http://http://www.openmobilealliance.orgwww.openmobilealliance.org))

XMLXML--ulul se se vava codificacodifica in WAP Binary XMLin WAP Binary XML

WBXML se WBXML se vava encapsulaencapsula intrintr--oo data de tip data de tip

Wireless Session Protocol Wireless Session Protocol

DateleDatele se se vorvor codificacodifica intrintr--un un mesajmesaj Push, Push, definitdefinit

in Wireless Session Protocolin Wireless Session Protocol


MesajulMesajul Push Push continecontine diferitidiferiti parametriparametri, ,

unulunul fiindfiind parametrulparametrul ““SECSEC”” pentrupentru

autentificareautentificare pepe bazabaza de de ““cheiecheie”” comunacomuna

USERPIN: string ASCII USERPIN: string ASCII codificatcodificat in in

zecimalezecimale

NETWPIN: NETWPIN: cheiacheia esteeste specificaspecifica reteleiretelei sisi

cunoscutacunoscuta ((teoreticteoretic) ) doardoar de de catrecatre operatoroperator

USERNETWPIN: USERNETWPIN: combinatiecombinatie a a celorcelor 22


NETWPIN: IMSI = MCC+MNC+MSIN NETWPIN: IMSI = MCC+MNC+MSIN

(Mobile Subscription Identification (Mobile Subscription Identification

Number)Number)

PretPret: 2: 2--5 euro5 euro--centicenti

In general In general limitatlimitat pentrupentru companiicompanii, se , se cerecere

un un volumvolum mare de mare de interogariinterogari


<<wapwap--provisioningdocprovisioningdoc>>

<characteristic type="NAPDEF"><characteristic type="NAPDEF">

<<parmparm name="NAME" value="name="NAME" value="NewAPNNewAPN"/>"/>

<<parmparm name="NAPID" value="name="NAPID" value="NewAPN_NAPID_MENewAPN_NAPID_ME"/>"/>

<<parmparm name="BEARER" value="GSMname="BEARER" value="GSM--GPRS"/>GPRS"/>

<<parmparm name="NAPname="NAP--ADDRESS" value="ADDRESS" value="apn.operator.roapn.operator.ro"/>"/>

<<parmparm name="NAPname="NAP--ADDRTYPE" value="APN"/>ADDRTYPE" value="APN"/>

</characteristic></characteristic>

<characteristic type=<characteristic type=““APPLICATION">APPLICATION">

<<parmparm name="NAME" value="name="NAME" value="NewAPNNewAPN"/>"/>

<<parmparm name="APPID" value="w2"/>name="APPID" value="w2"/>

<<parmparm name="TOname="TO--NAPID" value="NAPID" value="NewAPN_NAPID_MENewAPN_NAPID_ME"/>"/></characteristic></characteristic>



<<wapwap--provisioningdocprovisioningdoc> > -- continecontine toatatoata informatiainformatiatransmisatransmisa

<characteristic <characteristic ……> > -- grupeazagrupeaza informatiainformatia in in unitatiunitatilogicelogice

<<…… value="NAPDEF"/> value="NAPDEF"/> -- configuramconfiguram un un nounounetwork access pointnetwork access point

<<parmparm name="APPID" value="w2"/> name="APPID" value="w2"/> --mapeazamapeaza configuratiaconfiguratia la la activitatileactivitatile de de browsingbrowsing

InformatiiInformatii la la http://http://www.openmobilealliance.orgwww.openmobilealliance.org



<characteristic type="BOOTSTRAP"><characteristic type="BOOTSTRAP">

<<parmparm name="NAME" value=name="NAME" value=““Operator NET"/>Operator NET"/>

<<parmparm name="PROXYname="PROXY--ID" ID" value="value="OpNET_ProxyOpNET_Proxy"/>"/>



<<parmparm name="NAME" value="name="NAME" value="OpNETOpNET"/>"/>

<<parmparm name="NAPID" value="name="NAPID" value="OpNET_NAPIDOpNET_NAPID"/>"/>

<<parmparm name="BEARER" value="GSMname="BEARER" value="GSM--GPRS"/>GPRS"/>

<<parmparm name="NAPname="NAP--ADDRESS" value="net"/>ADDRESS" value="net"/>

<<parmparm name="NAPname="NAP--ADDRTYPE" value="APN"/>ADDRTYPE" value="APN"/>



<characteristic type="PXLOGICAL"><characteristic type="PXLOGICAL">


<<parmparm name="PROXYname="PROXY--ID" value="ID" value="OpNET_ProxyOpNET_Proxy"/>"/>

<characteristic type="PXPHYSICAL"><characteristic type="PXPHYSICAL">

<<parmparm name="PHYSICALname="PHYSICAL--PROXYPROXY--ID" ID" value="value="OpNET_PhProxyOpNET_PhProxy"/>"/>

<<parmparm name="PXADDR" value=name="PXADDR" value=““192.168.1.1"/>192.168.1.1"/>

<<parmparm name="PXADDRTYPE" value="IPV4"/>name="PXADDRTYPE" value="IPV4"/>

<<parmparm name="TOname="TO--NAPID" value="NAPID" value="OpNET_NAPIDOpNET_NAPID"/>"/>

<characteristic type="PORT"><characteristic type="PORT">

<<parmparm name="PORTNBR" value="8080"/>name="PORTNBR" value="8080"/>





<characteristic type="APPLICATION"><characteristic type="APPLICATION">

<<parmparm name="APPID" value="w2"/>name="APPID" value="w2"/>


<<parmparm name="TOname="TO--PROXY" PROXY" value="value="OpNET_ProxyOpNET_Proxy"/>"/>

<characteristic type="RESOURCE"><characteristic type="RESOURCE">


<<parmparm name="URI" name="URI" value="http://value="http://www.google.comwww.google.com"/>"/>

<<parmparm name="STARTPAGE"/>name="STARTPAGE"/>



</</wapwap--provisioningdocprovisioningdoc>>


TeoreticTeoretic aceastaaceasta configurareconfigurare poatepoate fifi facutafacuta

doardoar de de catrecatre operator, de la un operator, de la un numarnumar

predefinitpredefinit

PutemPutem analizaanaliza SMSSMS--ulul prinprin WireSharkWireShark

PutemPutem adaugaadauga un alt un alt numarnumar

WAP WAP -- provisioningprovisioning<?xml version="1.0"?><?xml version="1.0"?>

<!DOCTYPE <!DOCTYPE wapwap--provisioningdocprovisioningdoc PUBLIC "PUBLIC "--//WAPFORUM//DTD PROV 1.0//EN" //WAPFORUM//DTD PROV 1.0//EN" "http://"http://www.wapforum.org/DTD/prov.dtdwww.wapforum.org/DTD/prov.dtd">">

<<wapwap--provisioningdocprovisioningdoc version="1.1">version="1.1">

<characteristic type="BOOTSTRAP"><characteristic type="BOOTSTRAP">

<<parmparm name="NAME" value=name="NAME" value=““NumeNume"/>"/>


<characteristic type="PXLOGICAL"><characteristic type="PXLOGICAL">

<<parmparm name="NAME" value=name="NAME" value=““NumeNume"/>"/>

<<parmparm name="PROXYname="PROXY--ID" value="ID" value="Trusted_ProxyTrusted_Proxy"/>"/>

<<parmparm name="NAME" value="Trusted Proxy"/>name="NAME" value="Trusted Proxy"/>

<characteristic type="PXPHYSICAL"><characteristic type="PXPHYSICAL">

<<parmparm name="PHYSICALname="PHYSICAL--PROXYPROXY--ID" value="ID" value="Trusted_PhProxyTrusted_PhProxy"/>"/>

<<parmparm name="PXADDR" value="40711111111"/>name="PXADDR" value="40711111111"/>

<<parmparm name="PXADDRTYPE" value="E164"/>name="PXADDRTYPE" value="E164"/>

<<parmparm name="TOname="TO--NAPID" value="NAPID" value="Trusted_NAPIDTrusted_NAPID"/>"/>

<<parmparm name="PUSHENABLED" value="1"/>name="PUSHENABLED" value="1"/>

<<parmparm name="PULLENABLED" value="1"/>name="PULLENABLED" value="1"/>




<<parmparm name="NAME" value="Op"/>name="NAME" value="Op"/>

<<parmparm name="NAPID" value="name="NAPID" value="Trusted_NAPIDTrusted_NAPID"/>"/>

<<parmparm name="BEARER" value="GSMname="BEARER" value="GSM--SMS"/>SMS"/>

<<parmparm name="NAME" value="Trusted Proxy"/>name="NAME" value="Trusted Proxy"/>

<<parmparm name="NAPname="NAP--ADDRESS" value=" 40711111111 "/>ADDRESS" value=" 40711111111 "/>

<<parmparm name="NAPname="NAP--ADDRTYPE" value="E164"/>ADDRTYPE" value="E164"/>




<characteristic type="<characteristic type="NetworkPolicyNetworkPolicy">">

<characteristic type="<characteristic type="WiFiWiFi">">

<characteristic type="Settings"><characteristic type="Settings">

<<parmparm name="Disabled" value="1"/>name="Disabled" value="1"/>




</</wapwap--provisioningdocprovisioningdoc>>

InterceptareInterceptare trafictrafic

TraficulTraficul trecetrece prinprin proxyproxy--ulul nostrunostru

VariantaVarianta 1 1 –– Burp ProxyBurp Proxy


TraficulTraficul trecetrece prinprin proxyproxy--ulul nostrunostru

VariantaVarianta 2 2 –– sslstripsslstrip

http://http://www.thoughtcrime.org/software/sslstripwww.thoughtcrime.org/software/sslstrip//


DEMODEMO

ProtectieProtectie

OperatorulOperatorul poatepoate filtrafiltra acesteaceste tipuritipuri de de mesajemesaje

ProducatoriiProducatorii de de telefoanetelefoane trebuietrebuie sasa se se concentrezeconcentreze maimai multmult pepe securitatesecuritate

VerificatiVerificati constant (la constant (la felfel cum cum facetifaceti cu cu facturafactura / / creditulcreditul disponibildisponibil) ) setarilesetarile de de InternetInternet

IntrebariIntrebari??

Securitatea mobila - Atacuri prin SMS

Technology

Transcript of Securitatea mobila - Atacuri prin SMS