Mobile Phone Hacking:
A lucrative, but largely hidden history
DC4420
David Rogers
27th May 2014
Copyright © 2014 Copper Ho...
Car Radio Hacking – 1990s / 2000s
 PIN locks to deter and remove value of theft
 Hacking tools reset / calculate / remov...
Some Phone Terms: SIMlock & IMEI
 SIMlock:
– used to secure the device to a particular network during the period of
the s...
‘Unlocking’ and IMEI changing
 What is ‘unlocking?
– SIMlocks
– Most hacking used to be aimed at the SIMlock area
 The s...
INTERNET
Historic Criminal
Structure
EMBEDDED
HACKER
HACKING
GROUP
INTERNET
SHOP
SHOP OR
STALL
REPAIR
CENTRE
APPLICATION
H...
INTERNET
EMBEDDED
HACKER
HACKING
GROUP
INTERNET
SHOP
SHOP OR
STALL
REPAIR
CENTRE
APPLICATION
HACKER
ORGANISED
CRIME
RE-SEL...
Examples of Hacking Hardware
 Standard service repair equipment
– Fraudulent purchasing of manufacturer’s equipment
 Mas...
Mass Manufacture of Hacking Hardware
Mobile Phone Security - David Rogers
Copyright © 2014 Copper Horse Solutions Ltd. All...
Examples of Hacking Hardware (2)
• Most hacks steal their solutions from already existing
hacks
— May seem to be 22 hacks ...
Hardware Hacking Methods
 EEPROM cloning or ‘Chipping’
– Old method
– Copied EEPROM with basic equipment
– Main aim to pu...
In-line PIC Between SIM and Device
Mobile Phone Security - David Rogers
Copyright © 2014 Copper Horse Solutions Ltd. All r...
Software Hacking Methods
 Direct change
– Breaking a programming algorithm
– Finding the correct test interface protocol ...
Typical (Old) Software Hack Methodology
MARKETING
LAUNCH AT
TRADE SHOW
PHONE
RELEASED
TO MARKET
RESEARCH
THEFT OF
EARLY MO...
Use of Hardware Clips – 5 Second Unlocking!
 Simple to use, takes it’s power from the handset
 Contains a Programmable I...
“Logs”
 Used as a method of continually generating revenue for the
real hackers and re-sellers at the top of the food cha...
 Some manufacturers and ODMs used symmetric algorithms
based on the IMEI number to generate CK codes
– Broken and every p...
De-capping and Focused Ion Beam Equipment
Mobile Phone Security - David Rogers
Copyright © 2014 Copper Horse Solutions Ltd...
Newer Hardware and System Level Attacks
 George Hotz – original iPhone jailbreak
– Used hardware flaw to XOR data address...
Newer Motivations
 Main targets / motivations recently have been:
 Rooting / jailbreak device – for piracy / other apps ...
2002 2003 2004 2005 2006 2007 2008 2009 2010/11 2012
EICTA / GSMA 9 Principles
OMTP Trusted
Environment:
OMTP TR0
OMTP Adv...
Evad3rs, i0n1c, geohot, RedSn0w – iOS6 & iOS7
 iOS6 hack “used more zero-days than stuxnet”*
 Millions of downloads – hu...
May 2014 – Root Bounty for Verizon & AT&T
Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
Kill Switch / Anti-Theft Mechanism Targeting?
 Obvious this would happen
Copyright © 2014 Copper Horse Solutions Ltd. All...
Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
Car Radio Hacking - 2014
Questions?
david.rogers {@} copperhorse.co.uk
@drogersuk
Mobile Systems Security course:
http://www.cs.ox.ac.uk/softeng/su...
Upcoming SlideShare
Loading in...5
×

Phone Hacking: A lucrative, but largely hidden history

5,219

Published on

This talk explains some of the things that have been going on in the mobile phone hacking world for a number of years. SIM unlocking and other types of hacking associated with it have been extremely lucrative for many embedded systems hackers, but the topic has never really been covered by the media, whilst things like "carding" have been because of its illegality. Some of the artificial protection mechanisms such as SIMlock have actually driven hacking research, with end users actively seeking to remove the locks and pay people to do it. This hacking community has steadily evolved and merged into the rooting and jailbreaking scene, where again ordinary end users are more than willing to stump up cash to break the mechanisms to free their device, whilst unwittingly driving mobile phone theft. The ultimate result is an arms race between the hacking community and the device security engineers. A race of engineering wit and skill, combined with some war-like strategy and tactics.

0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,219
On Slideshare
0
From Embeds
0
Number of Embeds
13
Actions
Shares
0
Downloads
39
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Phone Hacking: A lucrative, but largely hidden history

  1. 1. Mobile Phone Hacking: A lucrative, but largely hidden history DC4420 David Rogers 27th May 2014 Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved. http://www.mobilephonesecurity.org
  2. 2. Car Radio Hacking – 1990s / 2000s  PIN locks to deter and remove value of theft  Hacking tools reset / calculate / remove security codes Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  3. 3. Some Phone Terms: SIMlock & IMEI  SIMlock: – used to secure the device to a particular network during the period of the subsidy, can be unlocked with CK codes by calling operator – Different variants of locks – Recent court case in the US over legality (and lots of other previous fights)  IMEI : – the International Mobile Equipment Identity number – unique to each device – can be blocked if device is stolen  Other interesting information on device that would be hacked – E.g. to change language packs, phone lock removal, text etc.  Big battle between mobile industry and hacking groups between c.1999 and now – has evolved to jailbreak / root community Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  4. 4. ‘Unlocking’ and IMEI changing  What is ‘unlocking? – SIMlocks – Most hacking used to be aimed at the SIMlock area  The security area in the handset would protect all sensitive data – including IMEI and SIMlock  What is a dirty hack? – Hacks targeted against the security area would often cause corruption to data – including the IMEI. – Data such as RF calibration settings would often be wiped out  Hacking tools usually dual-use (SIMlock and IMEI) – Causes problems in countries where IMEI changing is illegal – difficult and costly to get direct proof Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  5. 5. INTERNET Historic Criminal Structure EMBEDDED HACKER HACKING GROUP INTERNET SHOP SHOP OR STALL REPAIR CENTRE APPLICATION HACKER ORGANISED CRIME RE-SELLER END-USERTHIEF DRUG DEALER MASS THEFT SUBSCRIPTION FRAUD STREET CRIME BLACK MARKET EXPORTER (UNLOCKING / IMEI CHANGING) EBAY COUNTERFEITING IP THEFT ‘USER’ CRIMES MURDER ETC. Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  6. 6. INTERNET EMBEDDED HACKER HACKING GROUP INTERNET SHOP SHOP OR STALL REPAIR CENTRE APPLICATION HACKER ORGANISED CRIME RE-SELLER FREE SOFTWARE END-USERTHIEF DRUG DEALER VALUE METHOD £10 - £30 CASH DEBIT / CREDIT CARD £50 - £500 WESTERN UNION PAYPAL POSTAL ORDER £500 - £5000 WESTERN UNION £5000+ WESTERN UNION Mobile Phone Security - David Rogers Historic Financial Structure Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  7. 7. Examples of Hacking Hardware  Standard service repair equipment – Fraudulent purchasing of manufacturer’s equipment  Mass produced hardware by hacking groups – Griffin Box – UFS-3 (Twister) – Blazer – Clips  Evolution – New equipment was constantly developed as new models were released – New technologies and hardware security to ensure revenue Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  8. 8. Mass Manufacture of Hacking Hardware Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  9. 9. Examples of Hacking Hardware (2) • Most hacks steal their solutions from already existing hacks — May seem to be 22 hacks available – just old hacks re-packaged. — Different front-end to software — Different hardware — the ‘golden’ part of the source code is from 1 hack • Lots of ‘ghost’ hacks that are aimed at defrauding people — same in 2012 with jailbreaking on iOS6 Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  10. 10. Hardware Hacking Methods  EEPROM cloning or ‘Chipping’ – Old method – Copied EEPROM with basic equipment – Main aim to put EEPROM with no SIMlock on – Result: IMEI number was cloned  PIC’s (Programmable Integrated Circuits) – Execute small sequences of commands – Placed in-line to ‘snatch’ or modify data  Flash device hot-swapping (almost impossible now)  Exploitation of boundary scan ports  External clips and dongles  Note: less economical than software hacks Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  11. 11. In-line PIC Between SIM and Device Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  12. 12. Software Hacking Methods  Direct change – Breaking a programming algorithm – Finding the correct test interface protocol command • Still used(!) serial communications / USB monitoring equipment  Modifying binary files (software download files) – Inserting jump code – Hijacking other functions in the code to subvert security – Taking advantage of software design flaws  Abuse of boundary scan to monitor phone processes  ‘Dumping’ to logs of data from secure areas  Brute force cracking of algorithms  Theft of information from Design Centres / Factories / Service Centres  “Voodoo Galaxy SIII SIM unlock” tool required device to be rooted… Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  13. 13. Typical (Old) Software Hack Methodology MARKETING LAUNCH AT TRADE SHOW PHONE RELEASED TO MARKET RESEARCH THEFT OF EARLY MODEL NETWORK OPERATOR SAMPLES MANUFACTURER HACKER OPEN SOURCE INFO AND HACKING TOOLS TIMESCALE 0 MONTHS 6 - 12 MONTHS HACKING SOLUTION DISTRIBUTE APPLICATION PROTECT APPLICATION APPLICATION PROTECTION TOOLS PRODUCT SECURITY DETECTION Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  14. 14. Use of Hardware Clips – 5 Second Unlocking!  Simple to use, takes it’s power from the handset  Contains a Programmable Integrated Circuit  Bombards the handset with commands in a repetitive sequence  The handset eventually gives up and resets itself – unfortunately resetting the SIMlock!  This type of attack was used on many different makes of handsets  Clips have now evolved and the term is usually used in reference to dongles Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  15. 15. “Logs”  Used as a method of continually generating revenue for the real hackers and re-sellers at the top of the food chain – a historical issues for hackers  Original concept by 3 Nokia hackers and dealers from Serbia: – George, Boban (Slobodan Andrics) and Dejan (Dejan Kaljevic)  How do logs work? – Encrypted by hackers to avoid cracking by other hackers – An example: • Crack the master security locks -> generate an encrypted log of security area information -> close the security lock on the handset again!  ‘Logs’ will be available only if the hacking solution is two part – ‘Dumb’ client application to communicate with handset – Data is sent to hacker / re-seller – Corresponding data to unlock / change IMEI received from hacker / re- seller Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  16. 16.  Some manufacturers and ODMs used symmetric algorithms based on the IMEI number to generate CK codes – Broken and every possible iteration for each IMEI available  Later versions cracked the factory / service tools because they were leaked rather than cracking the handset  Down to poor manufacturer security and breaking principle of no stored, shared secrets! CK Algorithm Breaches Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  17. 17. De-capping and Focused Ion Beam Equipment Mobile Phone Security - David Rogers Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  18. 18. Newer Hardware and System Level Attacks  George Hotz – original iPhone jailbreak – Used hardware flaw to XOR data address and insert jump code to empty memory where he could execute his own bootloader – Allegedly assisted by European Infineon hacking teams  Rooting – Various methods, exploiting vulnerabilities – Usually used as a staging area for other attacks (e.g. malware) – Examples: • RageAgainstTheCage, uboot, zergRush, gingerbreak • Other private exploits – Some manufacturers providing it as a service in order to prevent people hacking  Legal battles around this area (e.g. US copyright office 2010, 2012) – OK to remove SIMlocks and root devices Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  19. 19. Newer Motivations  Main targets / motivations recently have been:  Rooting / jailbreak device – for piracy / other apps / custom OS / spyware  SIM unlocking – break out of subsidy (cheap device) / fraud / export of stolen devices  IMEI changing – re-enable stolen handsets in same country  Launchpad attacks – spyware / malware / anti-theft tools / in- app billing  Fixing issues – e.g. old SIMlocked device, can’t contact operator Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  20. 20. 2002 2003 2004 2005 2006 2007 2008 2009 2010/11 2012 EICTA / GSMA 9 Principles OMTP Trusted Environment: OMTP TR0 OMTP Advanced Trusted Environment: OMTP TR1 TCG MPWG Specification GSMA Pay-Buy-Mobile FragmentedSecurity Handset Embedded Security Evolution (to 2012) Google / Apple Proprietary hardware security features Banking / film industry requirements WAC RIM / Nokia proprietary security features webinos Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  21. 21. Evad3rs, i0n1c, geohot, RedSn0w – iOS6 & iOS7  iOS6 hack “used more zero-days than stuxnet”*  Millions of downloads – huge market  Evasi0n iOS7 jailbreak rushed out due to competition (and 7.1 release), packaged with Chinese app store (Taig) – Rumoured to be $1million – Rumours of dirty tricks / questionable sources for some holes – Strategic and tactical thinking, all ‘untethered’  Some holes allegedly held back by various teams for future cracks on iOS8  Teams still reverse and hack each others tools (like SIMlock)  George Hotz tried to sell to a Chinese team (via a broker) for $350,000 – Audio clip released with negotiation discussions * Ref: http://www.forbes.com/sites /andygreenberg/2013/02/05 /inside-evasi0n-the-most- elaborate-jailbreak-to-ever- hack-your-iphone/ Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  22. 22. May 2014 – Root Bounty for Verizon & AT&T Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  23. 23. Kill Switch / Anti-Theft Mechanism Targeting?  Obvious this would happen Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
  24. 24. Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved. Car Radio Hacking - 2014
  25. 25. Questions? david.rogers {@} copperhorse.co.uk @drogersuk Mobile Systems Security course: http://www.cs.ox.ac.uk/softeng/subjects/MSS.html Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a- guide-for-users/paperback/product-21197551.html Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved. http://www.mobilephonesecurity.org
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×