Securitatea mobila - Atacuri prin SMS
Upcoming SlideShare
Loading in...5
×
 

Securitatea mobila - Atacuri prin SMS

on

  • 587 views

 

Statistics

Views

Total Views
587
Views on SlideShare
587
Embed Views
0

Actions

Likes
0
Downloads
6
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Securitatea mobila - Atacuri prin SMS Securitatea mobila - Atacuri prin SMS Presentation Transcript

  • Securitate mobila – Atacuri prin SMS Prezentator: Bogdan ALECU http://m-sec.net Twitter: @msecnet
  • Informatii generale despre SMSAmenintariWAPInterceptare trafic de dateDemo
  • Informatii generaleSMS - Short Message Service reprezinta unmod de comunicare prin mesaje text intretelefoanele mobile / fixe, utilizand un protocolstandardizat. Este un mod de comunicareeficace; utilizatorul scrie un text, apasa SEND simesajul e livrat aproape instant catre destinatar.Folosit pentru mai multe scopuri: MMS –Multimedia Messaging Service, OTA – Over TheAir – configurarea telefonului, notificari pentrumesageria vocala, email, fax, microplati – plataunor sume mici pentru diferite servicii =>SECURITATE!
  • Informatii generale“Un dispozitiv mobil activ trebuie sa fiecapabil de a primi un mesaj scurt detipul TPDU - Transfer protocol data unit- (SMS-DELIVER) in orice moment,indiferent daca exista un apel sau traficde date in derulare. Un raport va fitrimis intotdeauna catre SC (Serviciulde mesaje); confirmand fie ca tel aprimit mesajul sau ca mesajul nu a fostlivrat, incluzind si motivul refuzului.”ETSI TS 100 901 V7.5.0 (2001-12), pag13
  • Amenintari - SMSSMS SPAMSMS spoofingNotificari SMSAlte tipuri
  • Amenintari - SMS SMS SPAMCompaniile ofera servicii de publicitate prin SMSMesaje cu castiguri falseInginerie sociala – “Suna-ma urgent pe nr asta: 0900323421! Mama”
  • Amenintari - SMS SMS SpoofingServicii online ce permit modificarea expeditorului (numeric / alfanumeric)Greu de oprit, mai ales daca tinem cont de roamingEficienta mai mare in atacurile de tip inginerie sociala
  • Amenintari - SMS Notificari SMSVoicemailFaxE-mailVideoUtilizatorul nu poate scoate icon-ul de notificare asupra primirii unui astfel de mesaj
  • Amenintari - SMSNotificari SMS(voicemail)
  • Amenintari - SMSNotificari SMS(email)
  • Amenintari - SMS Alte tipuriFlash SMS (Class 0) – utilizatorul vede mesajul direct, fara a intra in InboxSilent SMS – DCS 0xC0 = Message Waiting Indication Group: Discard Message
  • Amenintari - SMS Alte tipuriFlash SMS
  • Amenintari - SMS Alte tipuriSilent SMS
  • WAPWireless Application ProtocolArhitectura de retea specificaSet de reguliLimbaj specific: Wireless Markup Language(WML)Pagini HTML ajustate pentru dimensiuneaecranului telefonului
  • WAP
  • WAP PushPermite trimiterea de continut WAP cu ointerventie minima din partea utilizatorului2 tipuri: Service Indication / Service Load
  • WAP PushService Indication (SI) permite trimitereade notificari utilizatorului intr-un modasincron
  • WAP PushService Indication (SI)
  • WAP PushService Load (SL) determina “aplicatia” depe telefon sa incarce si execute unserviciu
  • WAP PushService Load (SL)
  • WAP Push - securitate Teoria: Doar un anumit numar este autorizat pentru trimitere; Practica: daca nu e configurat bine, un telefon accepta de la orice numar astfel de mesaje Pe Windows Mobile trebuiesc verificate setarile din HKLMSecurityPoliciesPolicies; SL Message Policy ; (default: SECROLE_PPG_TRUSTED) [HKEY_LOCAL_MACHINESecurityPoliciesPolicies] "0000100c"=dword:800 ; SI Message Policy ; (default: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED) [HKEY_LOCAL_MACHINESecurityPoliciesPolicies] "0000100d"=dword:c00
  • WAP Push - securitateSECROLE_PPG_TRUSTED: Trusted Push ProxyGateway. Messages assigned this role indicatethat the content sent by the Push Initiator istrusted by the Push Proxy Gateway. This roleimplies that the device trusts the Push ProxyGateway (SECROLE_TRUSTED_PPG).SECROLE_PPG_AUTH: Push InitiatorAuthenticated. Messages assigned this roleindicate that the Push Initiator is authenticated bythe Push Proxy Gateway. This role implies thatthe device trusts the Push Proxy Gateway(SECROLE_TRUSTED_PPG).
  • WAP Push - securitate
  • WAPConfigurarea telefonului pentru acces la Internet/ date poate fi facuta manualPentru o configurare mai usoara, rapida sipentru eventualele schimbari, a fost creat unstandard ce permite configurarea de la distantaProgramarea Over The Air (OTA) folosestestandardul OMA – Open Mobile AllianceProgramarea se face prin SMS-uri specialconcepute
  • WAP - provisioningFoloseste protocolul WAPWBXML (WAP Binary XML) prin WirelessApplication EnvironmentWireless Session ProtocolWireless Datagram ProtocolSMS
  • WAP - provisioningConfigurarea se scrie in XML (conformspecificatiilor de lahttp://www.openmobilealliance.org)XML-ul se va codifica in WAP Binary XMLWBXML se va encapsula intr-o data de tipWireless Session ProtocolDatele se vor codifica intr-un mesaj Push, definitin Wireless Session Protocol
  • WAP - provisioningMesajul Push contine diferiti parametri,unul fiind parametrul “SEC” pentruautentificare pe baza de “cheie” comunaUSERPIN: string ASCII codificat inzecimaleNETWPIN: cheia este specifica retelei sicunoscuta (teoretic) doar de catre operatorUSERNETWPIN: combinatie a celor 2
  • WAP - provisioningNETWPIN: IMSI = MCC+MNC+MSIN(Mobile Subscription IdentificationNumber)Pret: 2-5 euro-centiIn general limitat pentru companii, se cereun volum mare de interogari
  • WAP - provisioning<wap-provisioningdoc><characteristic type="NAPDEF"><parm name="NAME" value="NewAPN"/><parm name="NAPID" value="NewAPN_NAPID_ME"/><parm name="BEARER" value="GSM-GPRS"/><parm name="NAP-ADDRESS" value="apn.operator.ro"/><parm name="NAP-ADDRTYPE" value="APN"/></characteristic><characteristic type=“APPLICATION"><parm name="NAME" value="NewAPN"/><parm name="APPID" value="w2"/><parm name="TO-NAPID" value="NewAPN_NAPID_ME"/></characteristic><wap-provisioningdoc>
  • WAP - provisioning<wap-provisioningdoc> - contine toata informatia transmisa<characteristic …> - grupeaza informatia in unitati logice<… value="NAPDEF"/> - configuram un nou network access point<parm name="APPID" value="w2"/> - mapeaza configuratia la activitatile de browsingInformatii la http://www.openmobilealliance.org
  • WAP - provisioning<wap-provisioningdoc><characteristic type="BOOTSTRAP"><parm name="NAME" value=“Operator NET"/><parm name="PROXY-ID" value="OpNET_Proxy"/></characteristic><characteristic type="NAPDEF"><parm name="NAME" value="OpNET"/><parm name="NAPID" value="OpNET_NAPID"/><parm name="BEARER" value="GSM-GPRS"/><parm name="NAP-ADDRESS" value="net"/><parm name="NAP-ADDRTYPE" value="APN"/></characteristic>
  • WAP - provisioning<characteristic type="PXLOGICAL"><parm name="NAME" value="OpNET"/><parm name="PROXY-ID" value="OpNET_Proxy"/><characteristic type="PXPHYSICAL"><parm name="PHYSICAL-PROXY-ID" value="OpNET_PhProxy"/><parm name="PXADDR" value=“192.168.1.1"/><parm name="PXADDRTYPE" value="IPV4"/><parm name="TO-NAPID" value="OpNET_NAPID"/><characteristic type="PORT"><parm name="PORTNBR" value="8080"/></characteristic></characteristic></characteristic>
  • WAP - provisioning<characteristic type="APPLICATION"><parm name="APPID" value="w2"/><parm name="NAME" value="OpNET"/><parm name="TO-PROXY" value="OpNET_Proxy"/><characteristic type="RESOURCE"><parm name="NAME" value="OpNET"/><parm name="URI" value="http://www.google.com"/><parm name="STARTPAGE"/></characteristic></characteristic></wap-provisioningdoc>
  • WAP - provisioningTeoretic aceasta configurare poate fi facutadoar de catre operator, de la un numarpredefinitPutem analiza SMS-ul prin WireSharkPutem adauga un alt numar
  • WAP - provisioning<?xml version="1.0"?><!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN" wap- "- "http://www.wapforum.org/DTD/prov.dtd"> "http://www.wapforum.org/DTD/prov.dtd"><wap-provisioningdoc version="1.1"> wap-<characteristic type="BOOTSTRAP"><parm name="NAME" value=“Nume"/> value=“ Nume"/></characteristic><characteristic type="PXLOGICAL"><parm name="NAME" value=“Nume"/> value=“ Nume"/><parm name="PROXY-ID" value="Trusted_Proxy"/> name="PROXY- value="Trusted_Proxy"/><parm name="NAME" value="Trusted Proxy"/><characteristic type="PXPHYSICAL"><parm name="PHYSICAL-PROXY-ID" value="Trusted_PhProxy"/> name="PHYSICAL- PROXY- value="Trusted_PhProxy"/><parm name="PXADDR" value="40711111111"/><parm name="PXADDRTYPE" value="E164"/><parm name="TO-NAPID" value="Trusted_NAPID"/> name="TO- value="Trusted_NAPID"/><parm name="PUSHENABLED" value="1"/><parm name="PULLENABLED" value="1"/></characteristic></characteristic><characteristic type="NAPDEF"><parm name="NAME" value="Op"/><parm name="NAPID" value="Trusted_NAPID"/> value="Trusted_NAPID"/><parm name="BEARER" value="GSM-SMS"/> value="GSM-<parm name="NAME" value="Trusted Proxy"/><parm name="NAP-ADDRESS" value=" 40711111111 "/> name="NAP-<parm name="NAP-ADDRTYPE" value="E164"/> name="NAP-</characteristic>
  • WAP - provisioning<wap-provisioningdoc> <characteristic type="NetworkPolicy"> <characteristic type="WiFi"> <characteristic type="Settings"> <parm name="Disabled" value="1"/> </characteristic> </characteristic> </characteristic></wap-provisioningdoc>
  • Interceptare traficTraficul trece prin proxy-ul nostruVarianta 1 – Burp Proxy
  • Interceptare traficTraficul trece prin proxy-ul nostruVarianta 2 – sslstriphttp://www.thoughtcrime.org/software/sslstrip/
  • Interceptare traficDEMO
  • ProtectieOperatorul poate filtra aceste tipuri demesajeProducatorii de telefoane trebuie sa seconcentreze mai mult pe securitateVerificati constant (la fel cum faceti cufactura / creditul disponibil) setarile deInternet
  • Intrebari?