Dirty use of USSD codes in cellular networks
Ravishankar Borgaonkar
Security in Telecommunications, Technische Universität Berlin
TelcoSecDay, Heidelberg, 12th March 2013
✆ USSD in mobile communication ☠ USSD network attacks ☠ Android Attacks
Agenda
1. USSD codes and services in mobile telephony
2. Attacks in USSD network infrastructure
3. Attacks on smartphones (end-users)
SecT / TU-Berlin 2 / 35

USSD Basics
technology - features - applications
What is USSD in mobile telephony?
- a messaging service between mobile phones and an application server in the network
- but data is transferred in real time as a session (no SMSC store-and-forward)
- faster than SMS and interactive service
- supported by all mobiles - feature phones to smartphones
- why USSD? to increase ARPU (Average Revenue Per User)

USSD Applications
Services
Services based on USSD protocol:
- interactive data services (News, Sports etc)
- pre-paid phone top-up and balance queries
- mobile banking and money services
- access to social services such as Twitter, Facebook

Toilet thinking
Motivation stories:
- Airtel Money in India, really?
- An interesting document
- playing with NFC protocol on Android with Collin

GSM architecture
GSM cellular architecture

USSD Architecture
Architectural components:
- MSC (Mobile Switching Center), VLR (Visitor Location Register)
- USSD Gateway
- USSD application/server
- Simple Messaging Peer-Peer interface
Application Flow Example

Service Example
Mobile Banking:
- Register your number to the Bank
- Get user id and MPIN (mobile pin)
- dial USSD code to access your account

Twitter:
- Register for the service by sending SMS (optional)
- dial USSD codes
- type username and password to access

Security in USSD services
Completely relies on security provided by cellular network
The biggest bank in India claims:
However in reality.. ☺ ☺
2. Attacks in USSD network infrastructure

Information needed for an attacker
- USSD codes
- User ID to access the service
- password or MPIN
- tools to access the service on behalf of victim
- weaknesses of the cellular network

Issues in Cellular Networks (GSM)
- No mutual authentication between mobile and base station
- fake base station attacks ☺
- Base station decides when to turn on encryption
- Some networks do not use encryption ☺
- IMSI sent when requested by base station ☺

Phishing attack
- Goal: Recover user id, password, MPIN
- set up a fake base station with OpenBSC
- OpenBSC has basic USSD support
- possible to build bank application
- base station can initiate USSD communication
- collect user ID, password, MPIN
- drawback: attack works in 200m range

Tools to exploit - 1
Using a compromised femtocell:
- femtocell: a small access point, connects the mobile phone to the 3G/UMTS network
- Black Hat 2012 talk by Nico, Kevin and me
- compromised femtocell can be used for MiTM
- set-up allows messages to be intercepted/injected
- drawback: attacking range is 50m

→ It is difficult for the victim user to recognize this attack

Tools to exploit - 2
Using OsmocomBB phone:
- using a phone supported by OsmocomBB
- the attack depends on the weaknesses in the cellular network
- Nullcon 2011 talk "Your Phone is Your Phone But Your Calls are My Calls" by Akib Sayyed et al.
  → authentication bypass
  → by using victim's IMSI/TMSI
- the same method can be used for replaying USSD messages
Issues with cellular networks
When mobile sends SMS/USSD message:

Issues with cellular networks
"Operators turn off encryption/authentication to reduce load on the base station."

3. Attacks on smartphones (Android)

USSD on smartphones
USSD (Unstructured Supplementary Service Data):
- all smartphones, including feature phones, support USSD as per 3GPP standards.
- technically referred to as MMI (Man-Machine Interface) on the mobile device
- MMI commands and format:
  → activation: `*SC*SI#`, deactivation: `#SC*SI#`
  → for more details read TS 122.030
  → Example: `* 31 # <called number> SEND`
- Codes are usually executed via the "Call Settings" menu option
USSD on Android
Vulnerability in Android:
Dialer in Android
- invoking a TEL:123 intent via any Android app puts the number 123 on the dialer to call
- however, the Android dialer fails to differentiate between phone numbers and USSD codes
  → this failure allows USSD codes to be executed
- affects versions: ICS, Jelly Bean and older versions too
Let's try some dirty USSD codes ☺ ☺
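
The missing check, sketched as an added example (not code from the talk or from Android): classify a tel: URI as a plain number or an MMI string before anything is handed to the dialer. The function names and the prefill policy are assumptions; the `*#`, `**` and `##` prefixes are the other TS 22.030 procedures and go beyond the two forms listed on the slide.

```python
import re
from urllib.parse import unquote

# Procedure prefixes of an MMI string. '*' and '#' are the two forms on the
# slide; '*#', '**' and '##' are the remaining TS 22.030 procedures.
OPS = {'*': 'activation', '#': 'deactivation', '*#': 'interrogation',
       '**': 'registration', '##': 'erasure'}

# <op> SC [*SI ...] # [called number], e.g. *31#<called number>
MMI_RE = re.compile(r'^(?P<op>\*\*|\*#|##|\*|#)(?P<sc>\d{2,4})'
                    r'(?P<si>(?:\*[^*#]*)*)#(?P<num>\+?\d*)$')
PLAIN_RE = re.compile(r'^\+?\d+$')


def classify_tel_uri(uri):
    """Return (kind, detail); kind is 'number', 'mmi' or 'other'."""
    scheme, _, rest = uri.partition(':')
    if scheme.lower() != 'tel':
        raise ValueError('not a tel: URI')
    # Drop ;parameters, then decode %2A / %23 so that an encoded '*' or '#'
    # cannot slip past the check.
    dial = unquote(rest.split(';', 1)[0])
    dial = re.sub(r'[\s().-]', '', dial)      # visual separators only
    if PLAIN_RE.match(dial):
        return ('number', dial)
    m = MMI_RE.match(dial)
    if m:
        return ('mmi', f"{OPS[m['op']]} SC={m['sc']}")
    return ('other', dial)                    # unknown shape: treat as unsafe


def may_prefill_dialer(uri):
    """Assumed policy: only plain numbers are passed on without the user typing them."""
    return classify_tel_uri(uri)[0] == 'number'


# Constructed sample URIs; the codes are the harmless ones quoted on the slides.
SAMPLES = ['tel:+49-30-1234567', 'tel:*%2306%23', 'tel:*31%23+49301234567',
           'tel:%2A%23%2A%2300%23']

if __name__ == '__main__':
    for s in SAMPLES:
        print(s, classify_tel_uri(s), may_prefill_dialer(s))
```

Anything that is not a plain number, including strings the pattern does not recognise, is kept away from the dialer until the user enters it by hand.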

Affected Devices
Almost every Android device (Jelly Bean, ICS and older versions too)
- Google Nexus series
- HTC One series, HTC Sensation
- Samsung Galaxy SI, SII, SIII
- Motorola Droid series
- Sony Ericsson
- other vendors might be (not tested)

SIM attacks
Locking SIM card:
- Every SIM card has a PIN code
- however there are only 3 valid attempts on the SIM
- 3 wrong PINs → card gets locked and asks for the PUK code
- PUK code is on smart card

Solution: SIM card works after entering PUK code.. dammm.. less impact :(

SIM attacks
Killing SIM card:
- Instead of changing PIN code, change PUK code
- 10 wrong PUK codes → SIM is unusable
- for this attack, it does not matter whether you set up a PIN on the SIM card or not
Solution: Go to shop and buy new SIM card. ☺

Dirty codes and methods
USSD Codes:
- `**05*1234545*1234*1234#` - Change PIN code
- `*#06#` - Show IMEI number
- `*#7780#` - factory reset, different for every handset
Method: everybody loves iframes (Reasons?)

Attacking method
1. From a malicious website
- visiting a link kills your SIM permanently
- can be invoked via any Android app having permission to call phone
- attack works in all Android devices
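
A content-filter view of the web vector, as an added example rather than anything from the talk: it walks a page and reports tel: URIs that carry `*` or `#`, separating elements that load without a click (iframes, meta refresh) from ordinary links. The function names, attribute list and sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes a browser fetches without user interaction.
AUTO_LOAD = {('iframe', 'src'), ('frame', 'src'), ('img', 'src'),
             ('embed', 'src'), ('object', 'data')}
URL_ATTRS = {'src', 'href', 'data', 'content'}


def carries_mmi(uri):
    """True for a tel: URI whose decoded dial string contains '*' or '#'."""
    scheme, _, rest = uri.partition(':')
    return scheme.lower() == 'tel' and bool(set(unquote(rest)) & {'*', '#'})


class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (tag, uri, loads_without_click)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            uri, auto = value.strip(), (tag, name) in AUTO_LOAD
            if tag == 'meta' and name == 'content':
                # Only <meta http-equiv="refresh" content="0;url=..."> navigates.
                if (attr_map.get('http-equiv') or '').lower() != 'refresh':
                    continue
                m = re.search(r'url\s*=\s*(\S+)', uri, re.I)
                uri, auto = (m.group(1) if m else ''), True
            if carries_mmi(uri):
                self.findings.append((tag, uri, auto))


def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page; *#06# (show IMEI) is the harmless code from the slides.
SAMPLE = '''<a href="tel:+49301234567">Call us</a>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
<a href="tel:*%2306%23">tap here</a>
<meta http-equiv="refresh" content="0;url=tel:%2A%2306%23">'''

if __name__ == '__main__':
    for tag, uri, auto in scan(SAMPLE):
        print('BLOCK' if auto else 'REVIEW', tag, uri)
```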

Attacking method
From QR code
- QR Droid (popular barcode scanner app)
  → 10,000,000+ downloads in Google Play
- it opens website directly by default
- Not all barcode apps tested
- attack works in all Android devices
Solution: Remove QR Droid from your phone

Attacking method
By sending a WAP Push SMS
- WAP Push SMS (need a special application to send such SMS)
- discovered by c0rnholio @ http://www.silentservices.de/
- thanks Nico (@imnion) for informing
- I extended the above attack with USSD exploit code
- however, this attack works on Samsung devices only so far
Solution: Turn off "Service Loading" feature

Attacking method
From NFC tag
- a few NFC tag readers open URLs directly by default
- it was shown earlier but developers still fail to implement basics of security
- works in NFC based Android devices

Wiping out Samsung phones
Samsung tragedy
- there is a USSD code for factory reset settings on Samsung devices
- send an SMS or a link and wipe out the device
- victim can only see the show, can't stop it ;)
- on Galaxy SIII, vulnerability can be exploited via NFC

Attack can be combined: Kill SIM card and Wipe the phone in 3 sec

Vulnerability Impact
Mobile users:
- Loss of valuable data (if there is no backup)
- disconnects from the cellular network services until getting new SIM
- Financial loss - buy a new SIM card

Network operators and vendors:
- loss in service -> money loss for operators
- issue new SIM cards if affected
- cost of updating

Fixing the vulnerability
- the involved parties were informed
- it has been patched but Android always fails at updating the devices
- issues with Android devices on operator's contract
- update your device

Test your Android device at: www.isk.kth.se/~rbbo/testussd.html

thanks (in no particular order)
- Jean-Pierre Seifert
- Collin Mulliner
- Nico Golde
the end
thank you for your attention
questions?
on tweet : @raviborgaonkar