0Class2DOS (DefCamp 2013)
Bogdan ALECU
www.m-sec.net
@msecnet
ABOUT…
Independent security researcher
Sysadmin @ Levi9
Passionate about security, especially when it’s related to
mobile devices; started with NetMonitor (thanks
Cosconor), continued with VoIP and finally GSM
networks / mobile phones
@msecnet / www.m-sec.net
TOPICS
▪ SMS Intro
▪ Fun stuff with SMS
▪ Wrong implementation of SMS
▪ Can it be fixed?
▪ Conclusions
SMS INTRO
▪ SMS stands for Short Message Service and is a way of
communicating by text between mobile phones and/or fixed
lines, using a standardized protocol. It is an effective way
of communicating, as the user just writes some text and it is
delivered to the destination almost instantly.
▪ The provision of SMS makes use of a Service Center,
which acts as a store-and-forward center for short
messages
SMS INTRO
• Two different point-to-point services have been defined:
mobile originated and mobile terminated
• An active MS shall be able to receive a short message
TPDU (Transfer Protocol Data Unit, SMS-DELIVER) or to
submit a short message TPDU (SMS-SUBMIT) at any time,
independently of whether or not there is a speech or data
call in progress
SMS DEVELOPMENT

How can you send other types of SMS?
▪ By using a modem and manually composing
the message
▪ By using software that creates the
message for you
FUN STUFF WITH SMS
• Notifications
http://mobiletidings.com/2009/07/08/voicemail-waitingindication-sms/
DCS:
0xC8 – turn on voicemail
0xC9 – turn on fax
0xCA – turn on email
0xCB – turn on other message
0xC0 – turn off voicemail
0xC1 – turn off fax
0xC2 – turn off email
0xC3 – turn off other message
FUN STUFF WITH SMS
• “Silent” message
The receiving device must acknowledge receipt of the
message (so you can get a delivery receipt), but the content
of the message is to be discarded
Some carriers might restore it
PID: 0x40
DCS: 0xC0
FUN STUFF WITH SMS
• Service Load (WAP Push)
PID: 0x00
DCS: 0x04 (binary encoding)
WHEN THINGS GO WRONG
Octets                Description
00                    Info about SMSC – here the length is 0, which means that the
                      SMSC stored on the SIM should be used.
01                    There is no reply path, User Data Header, Status Report Request
                      or Validity Period
00                    TP-Message-Reference. The "00" value here lets the phone set
                      the message reference number itself
0B                    Address-Length. Length of phone number (11)
91                    Type-of-Address. Here it is the international format of the phone
                      number
4421436587F9          The phone number in semi-octets – 44123456789
00                    PID, none specified
00                    DCS, none specified
0B                    User-Data-Length. Length of message = number of septets = 11
E8329BFD06DDDF723619  User-Data. These octets represent the message "hello world"
WHEN THINGS GO WRONG

a) Set the modem in PDU mode: AT+CMGF=0
b) Check whether the modem is able to process SMS: AT+CSMS=0
c) Send the message: AT+CMGS=23 >
0001000B914421436587F900000BE8329BFD06DDDF723619
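The following is an added example, not code from the slides: it builds the exact SMS-SUBMIT PDU decoded in the table above from the slide's own inputs (number 44123456789, text "hello world"), computes the length that AT+CMGS expects (the TPDU octets, excluding the leading SMSC octet, which is why the command says 23), and parses the PDU back into its fields. The octet layout and the 7-bit packing follow GSM 03.40 / 03.38; the function names are this example's own.

```python
"""
Added example (not from the slides): build the SMS-SUBMIT PDU that the table
above decodes, octet by octet, and parse it back. The only inputs are the
phone number 44123456789 and the text "hello world" shown on the slide.
"""

def encode_semi_octets(digits):
    """Pack a digit string into nibble-swapped semi-octets, padding odd lengths with F."""
    if len(digits) % 2:
        digits += "F"
    return "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))

def decode_semi_octets(hexstr):
    """Inverse of encode_semi_octets."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2)).rstrip("F")

def pack_7bit(text):
    """GSM 7-bit default alphabet packing: each septet is shifted in LSB first,
    so 11 septets (77 bits) fit in 10 octets. ASCII subset only in this example."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        bits |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)

def unpack_7bit(data, septet_count):
    """Inverse of pack_7bit; septet_count comes from TP-UDL."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septet_count))

def build_submit_pdu(number, text):
    """Return (PDU hex, TPDU length in octets). The length is what AT+CMGS
    expects: it excludes the leading SMSC octet."""
    tpdu = (
        "01"                          # first octet: SMS-SUBMIT, no VP/UDH/SRR/RP
        + "00"                        # TP-MR: let the phone assign it
        + f"{len(number):02X}"        # TP-DA length in digits (0B = 11)
        + "91"                        # type-of-address: international number
        + encode_semi_octets(number)  # 4421436587F9
        + "00"                        # TP-PID
        + "00"                        # TP-DCS: GSM 7-bit, no class
        + f"{len(text):02X}"          # TP-UDL in septets (0B = 11)
        + pack_7bit(text).hex().upper()
    )
    return "00" + tpdu, len(tpdu) // 2   # leading 00 = SMSC length 0, use the SIM's

def parse_submit_pdu(pdu_hex):
    """Walk an SMS-SUBMIT PDU and return its fields as a dict."""
    b = bytes.fromhex(pdu_hex)
    i = 0
    smsc_len = b[i]; i += 1 + smsc_len            # skip SMSC info if present
    first = b[i]; i += 1
    mr = b[i]; i += 1
    da_len, toa = b[i], b[i + 1]; i += 2
    da_octets = (da_len + 1) // 2
    number = decode_semi_octets(b[i:i + da_octets].hex().upper()); i += da_octets
    pid, dcs = b[i], b[i + 1]; i += 2
    vpf = first & 0x18                            # TP-VPF: 0x10 = relative (1 octet), other non-zero = 7 octets
    if vpf == 0x10:
        i += 1
    elif vpf:
        i += 7
    udl = b[i]; i += 1
    user_data = b[i:]
    # Only the GSM 7-bit alphabet of the general coding group is unpacked here.
    text = unpack_7bit(user_data, udl) if (dcs & 0x0C) == 0 else None
    return {"smsc_len": smsc_len, "mr": mr, "toa": toa, "number": number,
            "pid": pid, "dcs": dcs, "udl": udl, "text": text,
            "raw_user_data": user_data.hex().upper()}

if __name__ == "__main__":
    pdu, length = build_submit_pdu("44123456789", "hello world")
    print(f"AT+CMGS={length}")
    print(pdu)
    print(parse_submit_pdu(pdu))
```

Running it reproduces the slide's PDU, 0001000B914421436587F900000BE8329BFD06DDDF723619, with length 23; the parser is the half a defender actually needs, since it is the same walk a phone or a filter performs on an incoming PDU before deciding what to do with it.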
WHEN THINGS GO WRONG

Class 0 / flash message, defined in the Data Coding Scheme (ETSI GSM 03.38)
DCS = 10 (hex)
When a mobile terminated message is class 0 and the MS has the
capability of displaying short messages, the MS shall display the
message immediately […]
The message shall not be automatically stored in the SIM or ME
WHEN THINGS GO WRONG
Sending multiple class 0 messages
WHEN THINGS GO WRONG

PoC videos:
https://vimeo.com/80539057
https://vimeo.com/69643571
WHEN THINGS GO WRONG

Class 0 message Denial-of-Service
When sending over 30 messages to a Google device running Android:
• Messaging application stops
• Phone reboots
• Radio application restarts, but Internet no longer works
If SIM PIN protection is enabled -> no phone signal, no calls
WHEN THINGS GO WRONG

Class 0 message Denial-of-Service
• Reported to Google over 1 year ago
• Finally got a reply in July
• Still have no idea when / if this will be fixed
• Tested on Galaxy Nexus, Nexus 4 with Android 4.1-4.3
• Google devices with Android 4.4 KitKat (Nexus 5) are also affected!
FIX ME!

• Class0Firewall application available in Google Play
• Thanks to Michael Mueller (@c0rnholio)
• You define the threshold, then Class0Firewall will
block any incoming “flash” messages
https://play.google.com/store/apps/details?id=com.silentservices.class0firewall
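An added example, not the slides' code and not the Class0Firewall app's own code: it decodes the TP-DCS octet the way GSM 03.38 lays it out, which covers the values used on the earlier slides (0xC8/0xC0 and friends are the message-waiting-indication group, 0x04 is 8-bit data, 0x10 is class 0), and then applies the threshold idea described above, blocking class 0 messages from one sender once more than a chosen number arrive in a sliding window. The inbound records and sender numbers are constructed for the demo.

```python
"""
Added example (not from the slides, nor the Class0Firewall app's own code):
interpret a TP-DCS octet per GSM 03.38, then rate-limit class 0 ("flash")
messages per sender. Inbound records below are constructed; senders are made up.
"""
from collections import defaultdict, deque

ALPHABETS = {0: "GSM 7-bit", 1: "8-bit data", 2: "UCS2", 3: "reserved"}
INDICATIONS = {0: "voicemail", 1: "fax", 2: "email", 3: "other"}

def describe_dcs(dcs):
    """Interpret a TP-DCS octet. Always returns 'kind', 'class', 'flash', 'discard'."""
    group = dcs >> 4
    if group <= 0x3:
        # General data coding: bit 4 says whether bits 1-0 carry a message class.
        cls = dcs & 0x3 if dcs & 0x10 else None
        return {"kind": "general", "alphabet": ALPHABETS[(dcs >> 2) & 0x3],
                "class": cls, "flash": cls == 0, "discard": False}
    if group in (0xC, 0xD, 0xE):
        # Message Waiting Indication groups: 0xC_ = set the indicator and discard
        # the text, 0xD_/0xE_ = store it (7-bit / UCS2). Bit 3 = indicator on/off.
        return {"kind": "message-waiting", "indication": INDICATIONS[dcs & 0x3],
                "active": bool(dcs & 0x08), "discard": group == 0xC,
                "class": None, "flash": False}
    if group == 0xF:
        # Data coding / message class group: bit 2 = alphabet, bits 1-0 = class.
        cls = dcs & 0x3
        return {"kind": "class", "alphabet": ALPHABETS[1 if dcs & 0x04 else 0],
                "class": cls, "flash": cls == 0, "discard": False}
    return {"kind": "reserved", "class": None, "flash": False, "discard": False}


class FlashMessageFilter:
    """Block class 0 messages from a sender once more than `threshold`
    of them have arrived within the last `window_s` seconds."""

    def __init__(self, threshold, window_s):
        self.threshold = threshold
        self.window_s = window_s
        self._seen = defaultdict(deque)   # sender -> timestamps of its flash messages

    def check(self, sender, dcs, now):
        """Return 'deliver' or 'block' for one incoming message."""
        if not describe_dcs(dcs)["flash"]:
            return "deliver"              # only class 0 messages are rate-limited
        q = self._seen[sender]
        q.append(now)                     # blocked ones still count, so a flood stays blocked
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return "block" if len(q) > self.threshold else "deliver"


# Constructed inbound log: (timestamp in seconds, sender, TP-DCS octet).
SAMPLE_INBOUND = [
    (0, "+40700000001", 0x00),   # ordinary text, no class
    (1, "+40700000002", 0x10),   # class 0 / flash
    (2, "+40700000002", 0x10),
    (3, "+40700000002", 0x10),
    (4, "+40700000002", 0x10),   # 4th flash inside the window -> blocked
    (5, "+40700000002", 0xC8),   # voicemail indicator on; not a flash message
    (6, "+40700000001", 0x10),   # another sender's first flash -> delivered
]

def run_filter(records, threshold=3, window_s=60):
    """Apply the filter to a list of records and return one verdict per record."""
    f = FlashMessageFilter(threshold, window_s)
    return [f.check(sender, dcs, t) for t, sender, dcs in records]

if __name__ == "__main__":
    for (t, sender, dcs), verdict in zip(SAMPLE_INBOUND, run_filter(SAMPLE_INBOUND)):
        print(f"t={t:<3} {sender} DCS=0x{dcs:02X} {describe_dcs(dcs)['kind']:<16} {verdict}")
```

The decision is keyed on the DCS, not on message volume alone, which is the point the conclusions make: thirty ordinary texts pass untouched, while the same count of class 0 messages from one number trips the threshold. The decoder also makes the "silent" slide legible: DCS 0xC0 falls in the discard group, so the handset acknowledges the message and drops its text.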
CONCLUSIONS

• Be careful about how you implement SMS
• Check as many message types as possible
• Sometimes it is not the number of messages that
causes the problem, but the type of message
Thank you!
@msecnet
www.m-sec.net
alecu@m-sec.net
