Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

1. Internet Services Mobile networks: exploiting HTTP headers and data traffic Bogdan ALECU

2. About me • Independent security researcher • Sysadmin • Passionate about security, specially when it’s related to mobile devices, CISSP, CEH, CISA,CCSP • Started with NetMonitor (thanks Cosconor), continued with VoIP and finally GSM networks / mobile phones • @msecnet / www.m-sec.net Bogdan Alecu December 2012

3. THANK YOU! The End! Questions? Bogdan Alecu December 2012

4. This talk is NOT about • SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) or anything alike ANY DEMO THAT WILL BE SHOWN HAS TO BE TREATED JUST LIKE AN EXAMPLE AND NOTHING MORE HAVE NO INTENT TO DISCREDIT ANY OF THE OPERATORS JUST A HEADS UP – RAISE SECURITY AWARENESS AMONG USERS, PROGRAMMERS, MOBILE OPERATORS Bogdan Alecu December 2012

5. Mobile operators have their own WAP / WEB page for customers: • Balance check • Money transfer • Download music, videos, wallpapers, etc • Subscribe to services (eg. custom ringback tones) Usually the page is available only on the mobile phone Bogdan Alecu December 2012

6. Bogdan Alecu December 2012

7. Bogdan Alecu December 2012 September2012

9. HOWEVER Bogdan Alecu December 2012

11. User Agent Switcher - https://addons.mozilla.org/en- US/firefox/addon/user-agent-switcher/ Bogdan Alecu December 2012

12. User Agent Switcher – impersonate the browser to pretend that you’re actually browsing from a phone Description: NokiaE71 User Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71- 1/110.07.127; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413 App Code Name: Series 60 App Name: Browser App Version: Series60/3.1 Platform: E71 Vendor: Nokia Bogdan Alecu December 2012

13. User Agent Switcher not much to do: just browse the mobile version of the site could be used to overpass the mobile-only data traffic plan no access to your subscriptions Some sites provide with application/vnd.wap.xhtml+xml content XHTML Mobile Profile https://addons.mozilla.org/en-US/firefox/addon/xhtml- mobile-profile/ Bogdan Alecu December 2012

14. How the mobile operators know who should be charged? • Once you connect to the Internet, the operator knows your mobile number no attack here; can’t spoof the number physical access necessary to another SIM • They use specific HTTP headers to send the number used specially for 3rd party websites hard to find those headers can be easily attacked / changed Bogdan Alecu December 2012

15. How the mobile operators know who should be charged? - HTTP headers Where are the headers coming from? 1. Your phone’s browser 2. Operator’s proxy Bogdan Alecu December 2012

16. Tested around 20 operators from Romania, Germany, Austria, Italy, France, Poland, United Kingdom, Brazil, Netherlands No user has been affected as for most of the tests I had my own SIM card Some tests could not be fully performed Bogdan Alecu December 2012

17. Discovered in January 2012 First report in March to an affected mobile operator Reported to GSMA in April (later got confirmation from different operators that GSMA issued a warning) Most of the operators responded quickly and also fixed the vulnerability Informed operators and GSMA about this public disclosure Bogdan Alecu December 2012

18. How the mobile operators know who should be charged? - HTTP headers How to find the headers? 1st idea: - connect your phone to computer and sniff the traffic - find the headers names where phone # is stored - headers might be specific to each carrier - find a way to modify the value of the headers - ATTACK! Bogdan Alecu December 2012

19. How the mobile operators know who should be charged? - HTTP headers 1st idea: - Result FAIL! Bogdan Alecu December 2012

20. How the mobile operators know who should be charged? - HTTP headers How to find the headers? 2nd idea: - search the web for headers - headers might be specific to each carrier - find a way to modify the value of the headers - ATTACK! Bogdan Alecu December 2012

21. How the mobile operators know who should be charged? - HTTP headers How to find the headers? 2nd idea: - search the web for headers That’s good, but there must be something more! Bogdan Alecu December 2012

22. How the mobile operators know who should be charged? - HTTP headers How to find the headers? 2nd idea: - search the web for headers Found a paper called “Privacy Leaks in Mobile Phone Internet Access” by Collin Mulliner - http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf Bogdan Alecu December 2012

24. How the mobile operators know who should be charged? - HTTP headers Chosen HTTP headers: o X-UP-CALLING-LINE-ID o X_FH_MSISDN o MSISDN o X-MSISDN o X-NOKIA-MSISDN o M o X_NETWORK_INFO Bogdan Alecu December 2012

25. How the mobile operators know who should be charged? - HTTP headers - find a way to modify the value of the headers Modify Headers – Firefox Extension https://addons.mozilla.org/en-US/firefox/addon/modify-headers/ Bogdan Alecu December 2012

26. Action: Modify Value: mobile number in E.164 format Bogdan Alecu December 2012

27. We have the headers We know how to change them We know how to impersonate the browser The attack: 1. From inside of the mobile operator network 2. From outside of the mobile operator network (2 types) Bogdan Alecu December 2012

28. 1. From inside of the mobile operator network Steps: a) Use a GSM modem and SIM card b) Configure the profile settings to match those of your operator c) Connect to the Internet and change the User Agent to match a mobile phone browser d) Inject HTTP headers with the MSISDN of the target Bogdan Alecu December 2012

29. 1. From inside of the mobile operator network DEMO Bogdan Alecu December 2012

30. 1. From inside of the mobile operator network • “It just works!” • No need to know any complicated password Bogdan Alecu December 2012

31. 2. From outside of the mobile operator network (2 types) 2a) Use your own Internet connection Connect to the Internet and change the User Agent to match a mobile phone browser Inject HTTP headers with the MSISDN of the target Bogdan Alecu December 2012

32. Things I noticed after these 2 types of attack: Attack works either on the operator's website, either on the 3rd party site or both Some operators let you access their mobile site only if you are connected to their network, while others do not have such restriction Sometimes you need to also set the proxy in order to set a different MSISDN in the HTTP headers Bogdan Alecu December 2012

33. Things I noticed after these 2 types of attack: Few have implemented a unique session ID for each connection instead of the phone number Just one operator from the ones I tested was ignoring any additional headers sent, but there might be others that do that Bogdan Alecu December 2012

34. 2. From outside of the mobile operator network (2 types) 2b) The old fashioned way ☺ Bogdan Alecu December 2012

35. 2. From outside of the mobile operator network (2 types) 2b) The old fashioned way ☺ aka CSD (Circuit Switched Data) Bogdan Alecu December 2012

36. 2. From outside of the mobile operator network (2 types) 2b) CSD o Think about it like dial-up o Since it involves actually placing a phonecall, it is exposed to the same vulnerabilities like a regular call Bogdan Alecu December 2012

37. 2. From outside of the mobile operator network (2 types) 2b) CSD o 1st idea: - search for CSD settings - see what it can be changed - test Bogdan Alecu December 2012

38. 2. From outside of the mobile operator network (2 types) 2b) CSD o 1st idea: Bogdan Alecu December 2012

39. 2. From outside of the mobile operator network (2 types) 2b) CSD o 1st idea: OOPS! I need to have Data Call enabled Changing the username to match another number did not help Bogdan Alecu December 2012

40. 2. From outside of the mobile operator network (2 types) 2b) CSD o 2nd idea: - spoof the caller ID - connect to the Internet - test Bogdan Alecu December 2012

41. 2. From outside of the mobile operator network (2 types) 2b) CSD o 2nd idea: - spoof the caller ID DEMO Bogdan Alecu December 2012

42. To be noted: On some operators you still have to send the HTTP headers Sometimes there was a poor way to detect if the call was coming from their network. Easy to pass it: call first a number from the network which has call forwarding setup to the CSD number Not all operators have a full CSD number available (eg *231) Bogdan Alecu December 2012

43. How to profit . and get caught Create a LLC (Limited Liability Company) Sign a partnership with the operators to provide 3rd party web content on their portal Attack different users or just subscribe them to your services (yes, you can do that without asking for any permissions) Profit Bogdan Alecu December 2012

44. Few recommendations: Check if the web page is accessed from your network (IP) Do not rely solely on the Caller ID Implement username/password access for sensitive zones (like modifying active services) Send SMS to the customer informing that a purchase has been made, a service has been modified, etc Be careful with the 3rd party content providers Bogdan Alecu December 2012

45. Conclusion: Sometimes there might be issues in the mobile operator’s system “Our technology does not allow unauthorized access. Occurrence of errors in billing regarding data traffic is excluded.” (Customer Support) Bogdan Alecu December 2012

46. Conclusion: Depending on the destination, the cost of the attack might be higher than the revenue Mobile operators reacted promptly Unfortunately there are still issues – mostly on 3rd party services Check if your operator allows you to disable access to premium rate content Test yourself and report the issue to your operator Bogdan Alecu December 2012

47. Data traffic vulnerability (2 types) o You should be able to access the operator’s webpage in order to top-up or view account details . But we can exploit this Bogdan Alecu December 2012

48. Data traffic vulnerability (2 types) 1. Setup a VPN server on port 53, UDP (DNS port) and connect to your server pass the traffic to the Internet UNLIMITED & UNCOUNTED MOBILE DATA TRAFFIC! Bogdan Alecu December 2012

49. Data traffic vulnerability (2 types) 2. DNS tunneling What if: - You had your own DNS server - Delegate all DNS requests to your server - Encapsulate in the reply the traffic WAIT! THERE IS A WAY! Bogdan Alecu December 2012

50. Data traffic vulnerability (2 types) 2. DNS tunneling a.sub.domain.com. IN NS sub.domain.com. sub.domain.com. IN A 79.122.100.20 (your IP) Request: www.google.com.up.a.sub.domain.com Answer: www.google.com.down.a.sub.domain.com IN AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6 EsAavqHgBzH2khqsQHQjEf355jS7cT G+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7Gdn gGm9jpvReXX7S/2oqAIUFCn0M8= Bogdan Alecu December 2012

51. Data traffic vulnerability (2 types) 2. DNS tunneling - Already built solution: Iodine http://code.kryo.se/iodine/ (for Linux, Windows, Android) Bogdan Alecu December 2012

52. THANK YOU! Special thanks to: Tobias Engel Collin Mulliner all security guys from mobile operators Bogdan Alecu December 2012

Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

Similar to Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012(20)

More from DefCamp

More from DefCamp(20)

Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012