Mobile Phone (In)Security - Hacking-Lab


Transcript of Mobile Phone (In)Security - Hacking-Lab

Page 1: Mobile Phone (In)Security - Hacking-Lab

Compass Security AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona

Tel. +41 55-214 41 60, Fax +41 55-214 41 61, [email protected], www.csnc.ch

Mobile Phone (In)Security

Live Demos with Mobile Phone Technology

Walter Sprenger

Page 2: Mobile Phone (In)Security - Hacking-Lab

© Compass Security AG, Slide 2, www.csnc.ch

Extract from the latest status report on IT security of the BSI (German Federal Office for Information Security)

„Besides botnets, spamming and phishing e-mails, cyber criminals increasingly use infiltration through mobile phones and WLAN“

Latest information

Page 3: Mobile Phone (In)Security - Hacking-Lab

The Present

Devices vs. Applications (market shares 06/2010)

[Charts: device market shares; application market shares]

Page 4: Mobile Phone (In)Security - Hacking-Lab

How do Trojans and spyware get on mobile devices?

Mobile Phone Malware

- eMail
- Applications (Apps)
- Bluetooth
- Updates
- Internet sites
- LAN / WAN / WLAN / UMTS
- GSM

Page 5: Mobile Phone (In)Security - Hacking-Lab

Mobile devices: critical and often forgotten children ...

- Mobile devices often work without the protection of the company firewall
- They are frequently transported and can easily be moved
- They communicate with foreign networks through insecure technologies
- The users often have administrator rights
- They can easily be stolen, pinched or destroyed ...
- They are often forgotten or deliberately ignored in the security concept

General

Page 6: Mobile Phone (In)Security - Hacking-Lab

Situation in Enterprises: Got Boss, got iPhone?

SmartPhone and Enterprises

[Cartoon dialogue]

"Oh…?!"

"I am the Boss… go get me an iPhone!"

"But Boss, iPhones are the source of all evil. It's so vulnerable. We would expose our network, open the firewall, data leakage and much more!!!"

"However… I am the Boss… go get me an iPhone!"

"*sigh*"

Page 7: Mobile Phone (In)Security - Hacking-Lab

The Mobile Network - Positioning

Page 8: Mobile Phone (In)Security - Hacking-Lab

Everybody who sends out signals can, in principle, also be located.

Conversely, you can locate yourself by evaluating signals sent out from known positions.

General

Page 9: Mobile Phone (In)Security - Hacking-Lab

Reference points in the mobile network

The Mobile Switching Centre (MSC) serves as a router for the transmission of calls and text messages within the network or to the fixed-line network. The MSC communicates via Signalling System #7 (SS7).

The cell is the direct radio interface to the subscriber.

The Base Station Controller (BSC) controls several base transceiver stations (BTS), assigns the frequencies to be used and can initiate the handover.

The Home Location Register (HLR) of a network provider contains the personal data of all its customers.

The Visitor Location Register (VLR) stores the data of users who are served by the MSC but are not customers of the respective network provider.

Page 10: Mobile Phone (In)Security - Hacking-Lab

Transmission in the GSM-Network

[Diagram: PSTN and HLR/AuC connected to the MSCs, each with a VLR; each MSC serves several BSCs, each BSC several BTS. The area of a BSC = LAC, each BTS = Cell ID]

Page 11: Mobile Phone (In)Security - Hacking-Lab

Reading out the locally relevant data of the currently serving cell (example: iPhone)

- Activate the "Fieldtest" mode

Locating via LBS Location Based ID

Page 14: Mobile Phone (In)Security - Hacking-Lab

MCC (Mobile Country Code)

- Based on the first digit you can assign a continent:

  0  not defined
  1  not defined
  2  Europe
  3  North America and the Caribbean
  4  Asia, India, Middle East
  5  Australia and Oceania
  6  Africa
  7  South America
  8  not defined
  9  world

See also www.nobbi.com/wiki/doku.php/mcc

Locating via LBS Location Based ID

Page 15: Mobile Phone (In)Security - Hacking-Lab

MCC (Mobile Country Code)

- The second and the third digit define the country (selection):

  262  Germany
  228  Switzerland
  232  Austria
  234  United Kingdom
  235  United Kingdom
  310 through 316  United States of America

See also www.nobbi.com/wiki/doku.php/mcc

Locating via LBS Location Based ID

Page 17: Mobile Phone (In)Security - Hacking-Lab

MNC (Mobile Network Code)

- The MNC identifies the network provider:

  Germany:      01, 06  T-Mobile
                02, 04, 09  Vodafone
                07, 08, 11  O2
  Switzerland:  01  Swisscom Mobile
                02  Sunrise
                03  Orange

Locating via LBS Location Based ID

Page 19: Mobile Phone (In)Security - Hacking-Lab

Reading out the locally relevant data of the currently serving cell (example: iPhone)

- Activate the "Fieldtest" mode
- Read out the GSM cell data
- MCC (Mobile Country Code)
- MNC (Mobile Network Code)
- LAC (Location Area Code): organisational grouping of cells
- Cell ID: two bytes identifying a cell within an LAC

Locating via LBS Location Based ID

Page 20: Mobile Phone (In)Security - Hacking-Lab

In our example the unambiguous location based ID would be

MCC – MNC – LAC – CID

262 – 01 – 38914 – 57564

Present location (LAI):

HEX:      228 01 2929 00a53c3 (LAC and Cell ID in hexadecimal; the same values in decimal below)
Swisscom: 228 01 10537 676803
Orange:   228 03 7500 174692

Live Demo: Positioning

Locating via LBS Location Based ID
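As an added example (not code from the slides or from Compass Security), the following Python decodes the field-test values shown above into the Location Based ID tuple and explains each component; the MCC/MNC lookup tables are only the partial ones printed on the slides, and the hex-to-decimal conversion reproduces the Swisscom line.

```python
# Added example (not from the Compass Security slides): decode the field-test
# values shown on the slides into the Location Based ID "MCC - MNC - LAC - CID"
# and explain each component with the (partial) MCC/MNC tables from the slides.

# MCC first digit -> region, as tabulated on the slides
MCC_REGION = {"2": "Europe", "3": "North America and the Caribbean",
              "4": "Asia, India, Middle East", "5": "Australia and Oceania",
              "6": "Africa", "7": "South America", "9": "world"}
# MCC -> country (selection from the slides, not a complete registry)
MCC_COUNTRY = {262: "Germany", 228: "Switzerland", 232: "Austria",
               234: "United Kingdom", 235: "United Kingdom"}
MCC_COUNTRY.update({m: "United States of America" for m in range(310, 317)})
# (MCC, MNC) -> operator (selection from the slides)
MNC_OPERATOR = {(262, 1): "T-Mobile", (262, 6): "T-Mobile", (262, 2): "Vodafone",
                (262, 4): "Vodafone", (262, 9): "Vodafone", (262, 7): "O2",
                (262, 8): "O2", (262, 11): "O2", (228, 1): "Swisscom Mobile",
                (228, 2): "Sunrise", (228, 3): "Orange"}


def parse_fieldtest(line, hex_lac_cid=False):
    """Parse one 'MCC MNC LAC CID' line into four integers.

    MCC and MNC are always decimal. The iPhone field-test screen prints LAC and
    Cell ID in hex, so the slide's '228 01 2929 00a53c3' becomes Swisscom's
    decimal '228 01 10537 676803' when called with hex_lac_cid=True.
    """
    mcc, mnc, lac, cid = line.split()
    base = 16 if hex_lac_cid else 10
    return int(mcc), int(mnc), int(lac, base), int(cid, base)


def location_based_id(mcc, mnc, lac, cid):
    """Write the tuple the way the slides do: '262 - 01 - 38914 - 57564'."""
    return f"{mcc:03d} - {mnc:02d} - {lac} - {cid}"


def describe_cell(mcc, mnc, lac, cid):
    """Say what each part of the ID reveals about the phone's whereabouts."""
    return {
        "region": MCC_REGION.get(str(mcc)[0], "not defined"),
        "country": MCC_COUNTRY.get(mcc, "unknown (not in slide table)"),
        "operator": MNC_OPERATOR.get((mcc, mnc), "unknown (not in slide table)"),
        "lac": lac,  # organisational grouping of cells (BSC area)
        "cid": cid,  # cell within that LAC
        # The slides describe a GSM Cell ID as two bytes; a value above 0xFFFF,
        # like Swisscom's 676803, is a 28-bit UMTS cell identity (RNC-ID + C-Id).
        "cell_id_type": "GSM (16-bit)" if cid <= 0xFFFF else "UMTS (28-bit)",
    }


if __name__ == "__main__":
    for line, is_hex in (("262 01 38914 57564", False), ("228 01 2929 00a53c3", True)):
        cell = parse_fieldtest(line, hex_lac_cid=is_hex)
        print(location_based_id(*cell), describe_cell(*cell))
```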

Page 21: Mobile Phone (In)Security - Hacking-Lab

Live Demo [Use Google's Dataset]

Page 22: Mobile Phone (In)Security - Hacking-Lab

How does Google collect its data?

Transmission of data

Determination of the reference coordinates

Page 23: Mobile Phone (In)Security - Hacking-Lab

Alternative tools to determine the Location Based ID

GPS tracking transmitter TK102-2

Live Demo

See also www.itakka.at/shop/ and www.positionx.de

Locating via LBS Location Based ID

Page 24: Mobile Phone (In)Security - Hacking-Lab

And now? Detecting the location is also a matter of having the right database

Page 25: Mobile Phone (In)Security - Hacking-Lab

Locating using silent text messages

Page 26: Mobile Phone (In)Security - Hacking-Lab

What are silent text messages needed for?

- After network authentication only the Location Area Identity (LAI) is stored in the Visitor Location Register (VLR/HLR)
- As soon as the network wants to contact the mobile phone, all base stations (BTS) within the BSC page the subscriber
- The information about the cells used during a call or at the time a text message is received or sent is part of the data the network provider must record by law
- This kind of message behaves like a normal text message during transmission, but it is neither visibly nor acoustically announced on the mobile phone
- Access to the database of the network provider is essential

Locating using silent text messages

Page 27: Mobile Phone (In)Security - Hacking-Lab

Locating using silent text messages

[Diagram: one BSC with four BTS; the BSC area = LAC, each BTS = Cell ID]

Page 28: Mobile Phone (In)Security - Hacking-Lab

Live Demo [Silent SMS/PDUspy]

Page 29: Mobile Phone (In)Security - Hacking-Lab

Identification spoofing [Call-ID-Spoofing]

Page 30: Mobile Phone (In)Security - Hacking-Lab

Why an attack with a falsified call ID?

- The call ID (CLIP) often serves as an identification attribute of the caller (e.g. for telephone calls, remote access, applications, etc.)
- Access restrictions based on call ID authentication can be bypassed, or the falsified ID can be used to support social engineering
- Call ID matching in EU end devices considers at most 7 digits

Call-ID-Spoofing

Page 31: Mobile Phone (In)Security - Hacking-Lab

Providers of commercial Call-ID-Spoofing services

http://spoofcard.com

Call-ID-Spoofing

Page 32: Mobile Phone (In)Security - Hacking-Lab

Tools for Call-ID-Spoofing

- Telephone connection with the service attribute CLIP "no screening"

or

- SIP gateway to the PSTN (e.g. www.sipgate.de)
- Softphone (e.g. www.phoner.de)

Call-ID-Spoofing

Page 33: Mobile Phone (In)Security - Hacking-Lab

Live Demo [Call-ID-Spoofing]

Page 34: Mobile Phone (In)Security - Hacking-Lab

Call-ID-Spoofing (MITM attack)

[Figure: Call-ID-Spoofing attack]

Incoming call: +49666666666666, Paris Hilton

Ringing tone

Page 35: Mobile Phone (In)Security - Hacking-Lab

Identification spoofing [SMS-ID-Spoofing]

Page 36: Mobile Phone (In)Security - Hacking-Lab

Why an attack with a falsified phone number?

- As with call ID authentication, it can be used to support social engineering
- Instead of a number, the sender can be given directly as a name
- Phishing via text messages is still widely unknown and therefore more promising
- No content filter is available (as there is, e.g., for e-mails)

SMS-ID-Spoofing

Page 37: Mobile Phone (In)Security - Hacking-Lab

Examples

SMS-ID-Spoofing

Page 38: Mobile Phone (In)Security - Hacking-Lab

Example 1: SMS-Phishing using SMS-Spoofing

- Example of a phishing SMS
- Original message of the network provider

SMS-ID-Spoofing

Page 39: Mobile Phone (In)Security - Hacking-Lab

Example 1: SMS-Phishing using SMS-Spoofing

- Example of a phishing SMS
- Falsified message based on the text message from the network provider

SMS-ID-Spoofing

Page 40: Mobile Phone (In)Security - Hacking-Lab

Example 2: SMS-Phishing using SMS-Spoofing

- Leave the competitor at home

SMS-ID-Spoofing

Page 41: Mobile Phone (In)Security - Hacking-Lab

Live Demo [SMS-ID-Spoofing]

Page 42: Mobile Phone (In)Security - Hacking-Lab

SIM interface as an attack vector on mobile end devices [SIM Application Toolkit]

Page 43: Mobile Phone (In)Security - Hacking-Lab

Why an attack on the SIM interface?

- The SIM interface is a universal attack vector on mobile end devices
- Standardised interface
- Realisation: hardware-based man-in-the-middle attack
- Remote influence on end devices (as already partially used by the network providers)

SIM Application Toolkit

Page 44: Mobile Phone (In)Security - Hacking-Lab

Functions of the SIM Application Toolkit

- Sending and receiving of short messages (SEND SHORT MESSAGE, SMS-PP Download)
- Initiating outbound calls (SET UP CALL)
- Diversion of outbound calls (CALL CONTROL)
- Positioning
- Data transmission via GPRS/UMTS
- Sending of AT commands to the end device
- etc. ...

SIM Application Toolkit

Page 45: Mobile Phone (In)Security - Hacking-Lab

Mode of operation of an SAT attack

- The SIM card can make use of the SAT functions described
- No cryptography between SIM and end device
- Injection of own SAT commands is possible
- The SIM is still required for authentication
- Man-in-the-middle attack by installing a microcontroller (e.g. Atmel ATtiny85V)

SIM Application Toolkit

Page 46: Mobile Phone (In)Security - Hacking-Lab

Development history

SIM Application Toolkit

Page 47: Mobile Phone (In)Security - Hacking-Lab

SIM Application Toolkit

[Figure: man-in-the-middle attack, voice example]

Ringing tone

Call +49 151 xxxxxxxx

Page 48: Mobile Phone (In)Security - Hacking-Lab

Attacks on mobile end devices via malware [Trojans, etc.]

Page 49: Mobile Phone (In)Security - Hacking-Lab

Commercial Trojans: MOBILE SPY monitors the iPhone and many other mobile phones from $49.00 a quarter

www.mobile-spy.com

Mobile Phone Malware

Incl. 24/7 support

Page 50: Mobile Phone (In)Security - Hacking-Lab

Commercial Trojans: The classic „FlexiSpy“.

www.flexispy.com

Mobile Phone Malware

Available for almost all platforms…

Page 51: Mobile Phone (In)Security - Hacking-Lab

www.flexispy.com

Mobile Phone Malware

Commercial Trojan: The classic „FlexiSpy“.

- Configuration menu of FlexiSpy

Page 53: Mobile Phone (In)Security - Hacking-Lab

Commercial Trojan: The classic „FlexiSpy“.

www.flexispy.com

Mobile Phone Malware

Page 54: Mobile Phone (In)Security - Hacking-Lab

How does FlexiSpy collect the user data?

The Trojan transmits all data, such as text messages, calls, e-mails, etc., at defined intervals directly to the server.

[Diagram: phone, WWW, database]

Mobile Phone Malware

The attacker can download the data at any time via the Internet.

Page 55: Mobile Phone (In)Security - Hacking-Lab

Live Demo [Mobile phone Trojans]

Page 56: Mobile Phone (In)Security - Hacking-Lab

Open discussion

Questions?!

Page 57: Mobile Phone (In)Security - Hacking-Lab

Contact

Compass Security Network Computing

Werkstrasse 20

Postfach 2038

CH - 8645 Jona

[email protected] | www.csnc.ch | +41 55 214 41 60

Secure File Exchange: www.csnc.ch/filebox

PGP-Fingerprint: