Successfully reported this slideshow.

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Related Audiobooks

Free with a 14 day trial from Scribd

See all

Securitatea mobila - Atacuri prin SMS

  1. 1. Securitate mobila – Atacuri prin SMS Prezentator: Bogdan ALECU http://m-sec.net Twitter: @msecnet
  2. 2. Informatii generale despre SMS Amenintari WAP Interceptare trafic de date Demo
  3. 3. Informatii generale SMS - Short Message Service reprezinta un mod de comunicare prin mesaje text intre telefoanele mobile / fixe, utilizand un protocol standardizat. Este un mod de comunicare eficace; utilizatorul scrie un text, apasa SEND si mesajul e livrat aproape instant catre destinatar. Folosit pentru mai multe scopuri: MMS – Multimedia Messaging Service, OTA – Over The Air – configurarea telefonului, notificari pentru mesageria vocala, email, fax, microplati – plata unor sume mici pentru diferite servicii => SECURITATE!
  4. 4. Informatii generale “Un dispozitiv mobil activ trebuie sa fie capabil de a primi un mesaj scurt de tipul TPDU - Transfer protocol data unit - (SMS-DELIVER) in orice moment, indiferent daca exista un apel sau trafic de date in derulare. Un raport va fi trimis intotdeauna catre SC (Serviciul de mesaje); confirmand fie ca tel a primit mesajul sau ca mesajul nu a fost livrat, incluzind si motivul refuzului.” ETSI TS 100 901 V7.5.0 (2001-12), pag 13
  5. 5. Amenintari - SMS SMS SPAM SMS spoofing Notificari SMS Alte tipuri
  6. 6. Amenintari - SMS SMS SPAM Companiile ofera servicii de publicitate prin SMS Mesaje cu castiguri false Inginerie sociala – “Suna-ma urgent pe nr asta: 0900323421! Mama”
  7. 7. Amenintari - SMS SMS Spoofing Servicii online ce permit modificarea expeditorului (numeric / alfanumeric) Greu de oprit, mai ales daca tinem cont de roaming Eficienta mai mare in atacurile de tip inginerie sociala
  8. 8. Amenintari - SMS Notificari SMS Voicemail Fax E-mail Video Utilizatorul nu poate scoate icon-ul de notificare asupra primirii unui astfel de mesaj
  9. 9. Amenintari - SMS Notificari SMS (voicemail)
  10. 10. Amenintari - SMS Notificari SMS (email)
  11. 11. Amenintari - SMS Alte tipuri Flash SMS (Class 0) – utilizatorul vede mesajul direct, fara a intra in Inbox Silent SMS – DCS 0xC0 = Message Waiting Indication Group: Discard Message
  12. 12. Amenintari - SMS Alte tipuri Flash SMS
  13. 13. Amenintari - SMS Alte tipuri Silent SMS
  14. 14. WAP Wireless Application Protocol Arhitectura de retea specifica Set de reguli Limbaj specific: Wireless Markup Language (WML) Pagini HTML ajustate pentru dimensiunea ecranului telefonului
  15. 15. WAP
  16. 16. WAP Push Permite trimiterea de continut WAP cu o interventie minima din partea utilizatorului 2 tipuri: Service Indication / Service Load
  17. 17. WAP Push Service Indication (SI) permite trimiterea de notificari utilizatorului intr-un mod asincron
  18. 18. WAP Push Service Indication (SI)
  19. 19. WAP Push Service Load (SL) determina “aplicatia” de pe telefon sa incarce si execute un serviciu
  20. 20. WAP Push Service Load (SL)
  21. 21. WAP Push - securitate Teoria: Doar un anumit numar este autorizat pentru trimitere; Practica: daca nu e configurat bine, un telefon accepta de la orice numar astfel de mesaje Pe Windows Mobile trebuiesc verificate setarile din HKLMSecurityPoliciesPolicies ; SL Message Policy ; (default: SECROLE_PPG_TRUSTED) [HKEY_LOCAL_MACHINESecurityPoliciesPolicies] "0000100c"=dword:800 ; SI Message Policy ; (default: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED) [HKEY_LOCAL_MACHINESecurityPoliciesPolicies] "0000100d"=dword:c00
  22. 22. WAP Push - securitate SECROLE_PPG_TRUSTED: Trusted Push Proxy Gateway. Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG). SECROLE_PPG_AUTH: Push Initiator Authenticated. Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).
  23. 23. WAP Push - securitate
  24. 24. WAP Configurarea telefonului pentru acces la Internet / date poate fi facuta manual Pentru o configurare mai usoara, rapida si pentru eventualele schimbari, a fost creat un standard ce permite configurarea de la distanta Programarea Over The Air (OTA) foloseste standardul OMA – Open Mobile Alliance Programarea se face prin SMS-uri special concepute
  25. 25. WAP - provisioning Foloseste protocolul WAP WBXML (WAP Binary XML) prin Wireless Application Environment Wireless Session Protocol Wireless Datagram Protocol SMS
  26. 26. WAP - provisioning Configurarea se scrie in XML (conform specificatiilor de la http://www.openmobilealliance.org) XML-ul se va codifica in WAP Binary XML WBXML se va encapsula intr-o data de tip Wireless Session Protocol Datele se vor codifica intr-un mesaj Push, definit in Wireless Session Protocol
  27. 27. WAP - provisioning Mesajul Push contine diferiti parametri, unul fiind parametrul “SEC” pentru autentificare pe baza de “cheie” comuna USERPIN: string ASCII codificat in zecimale NETWPIN: cheia este specifica retelei si cunoscuta (teoretic) doar de catre operator USERNETWPIN: combinatie a celor 2
  28. 28. WAP - provisioning NETWPIN: IMSI = MCC+MNC+MSIN (Mobile Subscription Identification Number) Pret: 2-5 euro-centi In general limitat pentru companii, se cere un volum mare de interogari
  29. 29. WAP - provisioning <wap-provisioningdoc> <characteristic type="NAPDEF"> <parm name="NAME" value="NewAPN"/> <parm name="NAPID" value="NewAPN_NAPID_ME"/> <parm name="BEARER" value="GSM-GPRS"/> <parm name="NAP-ADDRESS" value="apn.operator.ro"/> <parm name="NAP-ADDRTYPE" value="APN"/> </characteristic> <characteristic type=“APPLICATION"> <parm name="NAME" value="NewAPN"/> <parm name="APPID" value="w2"/> <parm name="TO-NAPID" value="NewAPN_NAPID_ME"/> </characteristic> <wap-provisioningdoc>
  30. 30. WAP - provisioning <wap-provisioningdoc> - contine toata informatia transmisa <characteristic …> - grupeaza informatia in unitati logice <… value="NAPDEF"/> - configuram un nou network access point <parm name="APPID" value="w2"/> - mapeaza configuratia la activitatile de browsing Informatii la http://www.openmobilealliance.org
  31. 31. WAP - provisioning <wap-provisioningdoc> <characteristic type="BOOTSTRAP"> <parm name="NAME" value=“Operator NET"/> <parm name="PROXY-ID" value="OpNET_Proxy"/> </characteristic> <characteristic type="NAPDEF"> <parm name="NAME" value="OpNET"/> <parm name="NAPID" value="OpNET_NAPID"/> <parm name="BEARER" value="GSM-GPRS"/> <parm name="NAP-ADDRESS" value="net"/> <parm name="NAP-ADDRTYPE" value="APN"/> </characteristic>
  32. 32. WAP - provisioning <characteristic type="PXLOGICAL"> <parm name="NAME" value="OpNET"/> <parm name="PROXY-ID" value="OpNET_Proxy"/> <characteristic type="PXPHYSICAL"> <parm name="PHYSICAL-PROXY-ID" value="OpNET_PhProxy"/> <parm name="PXADDR" value=“192.168.1.1"/> <parm name="PXADDRTYPE" value="IPV4"/> <parm name="TO-NAPID" value="OpNET_NAPID"/> <characteristic type="PORT"> <parm name="PORTNBR" value="8080"/> </characteristic> </characteristic> </characteristic>
  33. 33. WAP - provisioning <characteristic type="APPLICATION"> <parm name="APPID" value="w2"/> <parm name="NAME" value="OpNET"/> <parm name="TO-PROXY" value="OpNET_Proxy"/> <characteristic type="RESOURCE"> <parm name="NAME" value="OpNET"/> <parm name="URI" value="http://www.google.com"/> <parm name="STARTPAGE"/> </characteristic> </characteristic> </wap-provisioningdoc>
  34. 34. WAP - provisioning Teoretic aceasta configurare poate fi facuta doar de catre operator, de la un numar predefinit Putem analiza SMS-ul prin WireShark Putem adauga un alt numar
  35. 35. WAP - provisioning <?xml version="1.0"?> <!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN" wap- "- "http://www.wapforum.org/DTD/prov.dtd"> "http://www.wapforum.org/DTD/prov.dtd"> <wap-provisioningdoc version="1.1"> wap- <characteristic type="BOOTSTRAP"> <parm name="NAME" value=“Nume"/> value=“ Nume"/> </characteristic> <characteristic type="PXLOGICAL"> <parm name="NAME" value=“Nume"/> value=“ Nume"/> <parm name="PROXY-ID" value="Trusted_Proxy"/> name="PROXY- value="Trusted_Proxy"/> <parm name="NAME" value="Trusted Proxy"/> <characteristic type="PXPHYSICAL"> <parm name="PHYSICAL-PROXY-ID" value="Trusted_PhProxy"/> name="PHYSICAL- PROXY- value="Trusted_PhProxy"/> <parm name="PXADDR" value="40711111111"/> <parm name="PXADDRTYPE" value="E164"/> <parm name="TO-NAPID" value="Trusted_NAPID"/> name="TO- value="Trusted_NAPID"/> <parm name="PUSHENABLED" value="1"/> <parm name="PULLENABLED" value="1"/> </characteristic> </characteristic> <characteristic type="NAPDEF"> <parm name="NAME" value="Op"/> <parm name="NAPID" value="Trusted_NAPID"/> value="Trusted_NAPID"/> <parm name="BEARER" value="GSM-SMS"/> value="GSM- <parm name="NAME" value="Trusted Proxy"/> <parm name="NAP-ADDRESS" value=" 40711111111 "/> name="NAP- <parm name="NAP-ADDRTYPE" value="E164"/> name="NAP- </characteristic>
  36. 36. WAP - provisioning <wap-provisioningdoc> <characteristic type="NetworkPolicy"> <characteristic type="WiFi"> <characteristic type="Settings"> <parm name="Disabled" value="1"/> </characteristic> </characteristic> </characteristic> </wap-provisioningdoc>
  37. 37. Interceptare trafic Traficul trece prin proxy-ul nostru Varianta 1 – Burp Proxy
  38. 38. Interceptare trafic Traficul trece prin proxy-ul nostru Varianta 2 – sslstrip http://www.thoughtcrime.org/software/sslstrip/
  39. 39. Interceptare trafic DEMO
  40. 40. Protectie Operatorul poate filtra aceste tipuri de mesaje Producatorii de telefoane trebuie sa se concentreze mai mult pe securitate Verificati constant (la fel cum faceti cu factura / creditul disponibil) setarile de Internet
  41. 41. Intrebari?

×