Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012
Presentation Transcript

    • Mobile networks: exploiting HTTP headers and data traffic (Internet Services). Bogdan Alecu, December 2012
    • About me
      o Independent security researcher
      o Sysadmin
      o Passionate about security, especially when it's related to mobile devices; CISSP, CEH, CISA, CCSP
      o Started with NetMonitor (thanks Cosconor), continued with VoIP and finally GSM networks / mobile phones
      o @msecnet / www.m-sec.net
    • The End! Thank you! Questions?
    • This talk is NOT about SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) or anything alike. Any demo that will be shown has to be treated just like an example and nothing more. There is no intent to discredit any of the operators; this is just a heads up, to raise security awareness among users, programmers and mobile operators.
    • Mobile operators have their own WAP / web page for customers:
      o Balance check
      o Money transfer
      o Download music, videos, wallpapers, etc.
      o Subscribe to services (e.g. custom ringback tones)
      Usually the page is available only on the mobile phone.
    • [screenshot slide, September 2012]
    • HOWEVER
    • User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
    • User Agent Switcher: impersonate the browser to pretend that you're actually browsing from a phone. Example profile:
      o Description: Nokia E71
      o User Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71-1/110.07.127; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413
      o App Code Name: Series 60
      o App Name: Browser
      o App Version: Series60/3.1
      o Platform: E71
      o Vendor: Nokia
    • User Agent Switcher alone: not much to do with it
      o Just browse the mobile version of the site
      o Could be used to bypass the mobile-only data traffic plan
      o No access to your subscriptions
      Some sites serve application/vnd.wap.xhtml+xml content: XHTML Mobile Profile, https://addons.mozilla.org/en-US/firefox/addon/xhtml-mobile-profile/
    • How do the mobile operators know who should be charged?
      o Once you connect to the Internet, the operator knows your mobile number: no attack here; the number can't be spoofed; physical access to another SIM would be necessary
      o They use specific HTTP headers to send the number, used especially for 3rd party websites: hard to find those headers, but they can be easily attacked / changed
    • How do the mobile operators know who should be charged? HTTP headers. Where are the headers coming from? 1. Your phone's browser 2. The operator's proxy
    • Tested around 20 operators from Romania, Germany, Austria, Italy, France, Poland, United Kingdom, Brazil and the Netherlands. No user has been affected, as for most of the tests I had my own SIM card. Some tests could not be fully performed.
    • Timeline: discovered in January 2012. First report in March to an affected mobile operator. Reported to GSMA in April (later got confirmation from different operators that GSMA issued a warning). Most of the operators responded quickly and also fixed the vulnerability. Informed operators and GSMA about this public disclosure.
    • HTTP headers: how to find them? 1st idea: connect your phone to a computer and sniff the traffic; find the header names where the phone number is stored (headers might be specific to each carrier); find a way to modify the value of the headers; attack.
    • 1st idea: result: FAIL!
    • HTTP headers: how to find them? 2nd idea: search the web for the headers; headers might be specific to each carrier; find a way to modify the value of the headers; attack.
    • 2nd idea: search the web for the headers. That's good, but there must be something more!
    • 2nd idea: search the web for the headers. Found a paper called "Privacy Leaks in Mobile Phone Internet Access" by Collin Mulliner: http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf
    • HTTP headers chosen:
      o X-UP-CALLING-LINE-ID
      o X_FH_MSISDN
      o MSISDN
      o X-MSISDN
      o X-NOKIA-MSISDN
      o M
      o X_NETWORK_INFO
    • Find a way to modify the value of the headers: Modify Headers, Firefox extension, https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
    • Action: Modify. Value: mobile number in E.164 format
    • We have the headers. We know how to change them. We know how to impersonate the browser. The attack: 1. From inside the mobile operator network 2. From outside the mobile operator network (2 types)
    • 1. From inside the mobile operator network. Steps: a) use a GSM modem and SIM card; b) configure the profile settings to match those of your operator; c) connect to the Internet and change the User Agent to match a mobile phone browser; d) inject HTTP headers with the MSISDN of the target
    • 1. From inside the mobile operator network: DEMO
    • 1. From inside the mobile operator network: "It just works!" No need to know any complicated password.
    • 2. From outside the mobile operator network (2 types). 2a) Use your own Internet connection: connect to the Internet and change the User Agent to match a mobile phone browser; inject HTTP headers with the MSISDN of the target
    • Things I noticed after these 2 types of attack:
      o The attack works either on the operator's website, on the 3rd party site, or on both
      o Some operators let you access their mobile site only if you are connected to their network, while others do not have such a restriction
      o Sometimes you also need to set the proxy in order to set a different MSISDN in the HTTP headers
    • Things I noticed after these 2 types of attack:
      o Few have implemented a unique session ID for each connection instead of the phone number
      o Just one operator from the ones I tested was ignoring any additional headers sent, but there might be others that do that
    • 2. From outside the mobile operator network (2 types). 2b) The old fashioned way ☺ aka CSD (Circuit Switched Data)
    • 2b) CSD
      o Think about it like dial-up
      o Since it involves actually placing a phone call, it is exposed to the same vulnerabilities as a regular call
    • 2b) CSD, 1st idea: search for the CSD settings; see what can be changed; test
    • 2b) CSD, 1st idea: OOPS! I need to have Data Call enabled. Changing the username to match another number did not help.
    • 2b) CSD, 2nd idea: spoof the caller ID; connect to the Internet; test
    • 2b) CSD, 2nd idea: spoof the caller ID: DEMO
    • To be noted:
      o On some operators you still have to send the HTTP headers
      o Sometimes there was a poor way to detect if the call was coming from their network; easy to get past it: first call a number from the network which has call forwarding set up to the CSD number
      o Not all operators have a full CSD number available (e.g. *231)
    • How to profit... and get caught: create an LLC (Limited Liability Company); sign a partnership with the operators to provide 3rd party web content on their portal; attack different users or just subscribe them to your services (yes, you can do that without asking for any permission); profit
    • A few recommendations:
      o Check if the web page is accessed from your network (IP)
      o Do not rely solely on the Caller ID
      o Implement username/password access for sensitive zones (like modifying active services)
      o Send an SMS to the customer informing them that a purchase has been made, a service has been modified, etc.
      o Be careful with the 3rd party content providers
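    The first recommendation above (check that the page is reached from your own network) and the observation that only one tested operator ignored additional headers both come down to the same rule: an MSISDN header is only trustworthy if the operator's proxy put it there, and the proxy must drop whatever the handset sent. The Python below is an added example written for this transcript, not code from the talk or from any operator; the trusted proxy range 10.20.0.0/16, the function names and the sample numbers are constructed placeholders. It shows the vulnerable pattern (trust any of the listed headers) next to a hardened lookup (peer address must be the operator proxy, conflicting values are rejected, the value must be E.164) and the proxy-side scrub that removes client-supplied copies of those headers.

```python
import ipaddress
import re

# Header names the talk lists as carrying the subscriber number (MSISDN).
MSISDN_HEADERS = (
    "X-UP-CALLING-LINE-ID",
    "X_FH_MSISDN",
    "MSISDN",
    "X-MSISDN",
    "X-NOKIA-MSISDN",
    "M",
    "X_NETWORK_INFO",
)

# Constructed placeholder: the address range the operator's own proxy uses
# to reach the portal. A real deployment takes this from network docs.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# E.164: '+' then up to 15 digits, first digit non-zero.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")


def _get(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def naive_msisdn(headers):
    """Vulnerable pattern: trust whichever MSISDN header shows up,
    regardless of who sent it."""
    for name in MSISDN_HEADERS:
        value = _get(headers, name)
        if value:
            return value
    return None


def hardened_msisdn(headers, remote_ip):
    """Return the subscriber number only when the request's TCP peer is the
    operator proxy, all present MSISDN headers agree, and the value is E.164.
    remote_ip must be the socket peer address, not X-Forwarded-For."""
    ip = ipaddress.ip_address(remote_ip)
    if not any(ip in net for net in TRUSTED_PROXY_NETS):
        return None  # reached from the open Internet: header is untrusted
    value = None
    for name in MSISDN_HEADERS:
        candidate = _get(headers, name)
        if candidate is None:
            continue
        if value is not None and candidate != value:
            return None  # two headers disagree: someone tampered, refuse
        value = candidate
    if value is None or not E164_RE.match(value):
        return None
    return value


def proxy_rewrite(client_headers, subscriber_msisdn):
    """What the operator proxy should do: drop every MSISDN-style header the
    handset sent, then set exactly one header from the authenticated session.
    Returns a new header dict."""
    dropped = {name.lower() for name in MSISDN_HEADERS}
    clean = {k: v for k, v in client_headers.items() if k.lower() not in dropped}
    clean["X-MSISDN"] = subscriber_msisdn  # value comes from the PDP context, not the client
    return clean


if __name__ == "__main__":
    forged = {"X-MSISDN": "+40700000001", "User-Agent": "Mozilla/5.0 (SymbianOS/9.2; ...)"}
    print("naive   :", naive_msisdn(forged))
    print("hardened, from Internet:", hardened_msisdn(forged, "203.0.113.5"))
    print("hardened, from proxy   :", hardened_msisdn(forged, "10.20.3.4"))
    print("proxy rewrite:", proxy_rewrite(forged, "+40700000042"))
```

    A portal that also follows the talk's other advice (a per-session identifier instead of the phone number, and a password for anything that changes active services) no longer depends on this header at all; the check above is the minimum for portals that still do.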
    • Conclusion: sometimes there might be issues in the mobile operator's system. "Our technology does not allow unauthorized access. Occurrence of errors in billing regarding data traffic is excluded." (Customer Support)
    • Conclusion:
      o Depending on the destination, the cost of the attack might be higher than the revenue
      o Mobile operators reacted promptly
      o Unfortunately there are still issues, mostly on 3rd party services
      o Check if your operator allows you to disable access to premium rate content
      o Test yourself and report the issue to your operator
    • Data traffic vulnerability (2 types): you should be able to access the operator's web page in order to top up or view account details even with no credit... but we can exploit this
    • Data traffic vulnerability (2 types), 1. Set up a VPN server on port 53 UDP (the DNS port) and connect to your server; pass the traffic to the Internet: UNLIMITED & UNCOUNTED MOBILE DATA TRAFFIC!
    • Data traffic vulnerability (2 types), 2. DNS tunneling. What if you had your own DNS server, delegated all DNS requests for a zone to it, and encapsulated the traffic in the replies? WAIT! THERE IS A WAY!
    • Data traffic vulnerability (2 types), 2. DNS tunneling:
      a.sub.domain.com. IN NS sub.domain.com.
      sub.domain.com. IN A 79.122.100.20 (your IP)
      Request: www.google.com.up.a.sub.domain.com
      Answer: www.google.com.down.a.sub.domain.com INAAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7cTG+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8=
    • Data traffic vulnerability (2 types), 2. DNS tunneling: already built solution: Iodine, http://code.kryo.se/iodine/ (for Linux, Windows, Android)
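    The tunnel on the slides above leaves a recognisable footprint on the operator's resolver: one client sends many never-repeated, long, high-entropy names under a single delegated zone, often with record types a handset's browser never asks for. The Python below is an added example for this transcript, not code from the talk or from Iodine; it runs a few such heuristics over a constructed, simplified query log (the log format, the 10.20.3.x clients, the thresholds and the shortened base64-looking labels are all made up for the example). The goal is a per-(client, zone) report a resolver operator could feed into alerting, which the slides only imply.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of a resolver query log (simplified, BIND-like; not
# real traffic). 10.20.3.4 behaves like a DNS-tunnel client, 10.20.3.9 like
# an ordinary handset.
SAMPLE_LOG = """\
client 10.20.3.9#40001: query: www.example.com IN A
client 10.20.3.9#40002: query: cdn-12.static.example.net IN A
client 10.20.3.4#50001: query: www.google.com.up.a.sub.domain.com IN TXT
client 10.20.3.4#50002: query: lagfaaaagqdkrd3sfmf8alx6fdu8thuy3srwgh.up.a.sub.domain.com IN NULL
client 10.20.3.4#50003: query: otr6esaavqhgbzh2khqsqhqjef355js7ctg4a8k.up.a.sub.domain.com IN NULL
client 10.20.3.4#50004: query: amfvq4mpeejebe6iydwbaq9a0rgokcsawwj7gdn.up.a.sub.domain.com IN NULL
client 10.20.3.4#50005: query: ggm9jpvrexx7s2oqaiufcn0m8qzx1k2pplnmvb3.up.a.sub.domain.com IN NULL
client 10.20.3.9#40003: query: mail.example.org IN MX
"""

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Record types that tunnels favour for payload capacity; a browser on a
# handset essentially only asks for A/AAAA. Heuristic list, not exhaustive.
TUNNEL_QTYPES = ("NULL", "TXT", "CNAME", "SRV")


def parse_line(line):
    """Return (client_ip, qname, qtype) or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def parent_zone(qname, depth=2):
    """Crude registrable-domain guess: the last `depth` labels. A production
    detector would use the public suffix list instead."""
    return ".".join(qname.split(".")[-depth:])


def payload(qname, depth=2):
    """Everything the client chose, i.e. the labels below the parent zone."""
    return "".join(qname.split(".")[:-depth])


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze(log_text, min_unique=5, entropy_threshold=3.5):
    """Aggregate queries per (client, parent zone) and flag pairs that look
    like a tunnel: at least `min_unique` distinct names and either
    high-entropy payloads or tunnel-typical record types."""
    per = defaultdict(lambda: {"queries": 0, "unique": set(), "high_entropy": 0, "tunnel_qtypes": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, qname, qtype = parsed
        rec = per[(ip, parent_zone(qname))]
        rec["queries"] += 1
        rec["unique"].add(qname)
        if shannon_entropy(payload(qname)) >= entropy_threshold:
            rec["high_entropy"] += 1
        if qtype in TUNNEL_QTYPES:
            rec["tunnel_qtypes"] += 1
    report = {}
    for key, rec in per.items():
        unique = len(rec["unique"])
        suspicious = unique >= min_unique and (rec["high_entropy"] > 0 or rec["tunnel_qtypes"] >= min_unique)
        report[key] = {
            "queries": rec["queries"],
            "unique": unique,
            "high_entropy": rec["high_entropy"],
            "tunnel_qtypes": rec["tunnel_qtypes"],
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for (ip, zone), stats in sorted(analyze(SAMPLE_LOG).items()):
        flag = "TUNNEL?" if stats["suspicious"] else "ok"
        print(f"{ip:12} {zone:14} {flag:8} {stats}")
```

    The unique-name count matters more than any single query: a tunnel must vary every label to defeat caching, while a real site reuses a handful of hostnames. Thresholds are deliberately low here for a short sample; on a live resolver they are tuned per window length, and the obvious complement to detection is the fix the slides already imply, which is to stop forwarding DNS for subscribers who have no data plan.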
    • Thank you! Special thanks to: Tobias Engel, Collin Mulliner, and all the security guys from the mobile operators