black hat europe 2009
play

Black Hat Europe 2009 Hijacking Mobile Data Connections 1 Mobile - PowerPoint PPT Presentation

Oct 10, 2022 •122 likes •713 views

Black Hat Europe 2009 Hijacking Mobile Data Connections 1 Mobile Security Lab Provisioning & WAP primer Forging Messages Demo: Remote provisioning Provisioning: Process and Issues Attack scenario and exploiting Final

  1. Black Hat Europe 2009 Hijacking Mobile Data Connections 1 Mobile Security Lab

  2.  Provisioning & WAP primer  Forging Messages  Demo: Remote provisioning  Provisioning: Process and Issues  Attack scenario and exploiting  Final Demo  Wrap-Up

  3. Who, among the audience, has an Internet capable phone? Please raise your hands!!

  4.  Business: Mobile Operators business models mostly based on data revenues.  Users: Information reachability everywhere  Technical: Faster speeds, improved UIs  Social: Smartphones are cool !!!

  5.  Mobile Equipment must be configured to inter-operate with mobile infrastructures and services.  “ Provisioning is the process by which a WAP client is configured with a minimum user interaction. ”  Provisioning is performed using WAP architecture capabilities.  Normally performed by mobile operators...

  6.  “ Wireless Application Protocol defines industry-wide specification for developing applications that operate over wireless communication networks ”.  Application? MMS - Web Browsing - Provisioning - ... -

  7.  WAP specifies communication protocol framework.  WAP communication is based on two models: Pull Push  Push Model is normally used to send unsolicited data from server to the client.

  8. Application Session Service Transfer Service Transport Service Bearer Network

  9. Let's build a provisioning message

  10.  A Provisioning Document provides parameters related to: Network Access Points, application specific - configuration etc. Application  Use cases: Session Service Provide configuration to new customers - Transfer Service Reconfigure mis-configured phones - Transport Service Enable new services - Bearer Network  Provisioning Document is encoded in Wap Binary XML format (WBXML).

  11. XML provisioning document is encoded in WBXML

  12.  WSP provides connectionless service PUSH. Application  Delivering provisioning document requires: Media type: application/vnd.wap.connectivity- - wbxml Session Service Transfer Service Transport Service  … security information is usually required: Bearer Network SEC parameter to specify security mechanism - Security mechanism related information -

  13.  Message Authentication protects from accepting malicious messages from untrusted sources.  Messages with no authentication may be discarded.  Security based on HMAC to preserve sender authentication and document integrity.

  14.  Security mechanism used is typically based on “Shared Secret” USERP USERNET IN WPIN NETW PIN  “USERPIN”: key is numeric PIN code chosen by the sender  “NETWPIN”: key is IMSI  “USERNETWPIN”: hybrid approach

  15.  It's based on HMAC algorithm = K = M

  16.  Push primitive is used for sending unsolicited information from server to client Content-Type: application/vnd.wap.connectivity-wbxml Header Length Transaction ID MAC value 2f 1f 2d b6 91 81 92 30 44 38..... 37 44 01 06 Push Content

  17.  Transfer services provide reliable connection- oriented communications. Offers services necessary for interactive request/ - Application response applications Session Service Transfer Service  Transfer service is not required by provisioning Transport Service process. Bearer Network Configurations are sent without using this layer -

  18.  WDP provides connectionless datagram transport service. Application  WDP support is mandatory on any WAP compatible handset. Session Service Transfer Service Transport Service  WDP can be mapped onto a different bearer. Bearer Network  WDP over GSM SMS is used to send the message.

  19.  WDP over GSM-SMS header is defined using UDH headers.  UDH header contains information for port addressing and concatenated short messages Application Port Concatenated Addressing SMS Scheme UDH 05 04 0B 84 23 F0 00 03 ... Length

  20.  GSM SMS PDU mode supports binary data transfer. Application  Uncompressed 8-bit encoding scheme is used. Session Service  Concatenated SMS is needed to send a payload Transfer Service larger than 140 bytes. Transport Service Bearer Network  Performed tests suggest that no restrictions are imposed on sending SMS-encapsulated provisioning messages.

  21. Receiver phone SMS-SUBMIT number type of PDU message address: with UDH Receiver 91 – International Message Header Receiver Phone Format coding phone Number scheme: number 8-bit length encoding UDL 00 41 00 0C 91 939393939393 00 F5 Message Body Length

  22. Provisioning Document can be easily created Provisioning USERPIN is defined by the sender We don't need it!! WSP WDP support Transfer Service mandatory on WAP compatible handsets WDP SMS with Provisioning Document are typically unfiltered GSM SMS

  24. Provisioning Process

  25.  Many operators use USERPIN shared secret. An Info SMS carrying the shared PIN is sent A Provisioning SMS with network configuration details is sent after Info SMS

  26. User takes a note of the pin Operator Number used when sending Info SMS

  27. The device receives a new SMS notification. User types PIN provided by the Info SMS. New settings overview is showed to the user.

  28. UI asks to use the new settings as default. Settings are installed as a new Access Point.

  29. Mobile Operator Service Number Mobile Operator

  30.  UI designed to be user friendly …  … but this could lead to confusing or hidden information: Few technical details on provisioning content - Message source may be hidden or wrongly reported -

  31. Attack for L(a)unch

  32. Issue: Handset displays phone number of Info SMS sender Suspicious users may not accept the configuration message Solution: SMS sender spoofing Info SMS could appear as legitimate and sent by Operator

  34. Attacker Provisioning SMS is sent after Info SMS

  35. • Different attack “ flavours ”, depending on the handset: Attacker configuration is automatically installed as the default - User is asked at installation time if the configuration has to - be installed as the default User is asked at connection time which configuration should - be used for connection  In some cases (eg: customized handsets) it may not be possible to change the default configuration  Additional operations may be required from user

  36. No Push Messages filtering in place: both on handset and network Some UIs do not show enough information to users Tricks users into accepting malicious configurations

  37.  Provisioning message provides data connection parameters.  If a victim accepts a malicious message, connection parameters are under attacker control  Multiple interesting choices : APN - DNS address - Proxy -

  38. The parameter that seems to provide the best control of a victim is...

  39.  “ Domain Name System (DNS) is used to map between hostnames and IP addresses. ”  “DNS-ADDR” parameter indicates the DNS IP address used by the data connections.  By adding the DNS-ADDR parameter to the default data connection, the DNS can be subverted.  Victim DNS queries are then directed toward an attacker-chosen DNS server.

  40. Network Access Point Name NAPDEF Reference Network Type APN Address for Data Connection Format of the Address in NAP-ADDRESS DNS Address

  41. Are DNS queries allowed to exit an Operator Network?? The operator may force the use of specific DNS server - Tests have been performed on all the Operator Networks we had access to … and the answer is...

  42. Definitely YES!!! Dial-up using Handset as Modem Default route via Mobile Operator Network Successful query to external DNS server (OpenDNS)

  43. Modify default DNS in victim's phone Operator networks allow queries to external DNS server Redirection of victim DNS queries

  45.  Most inviting options is HTTP: Many mobile applications and services are based on  HTTP protocols: - Browsers - Messaging - ... Some Mobile Operators business models are based on  providing services via internal HTTP web sites.

  46. DNS Query DNS Answer GET / HTTP/1.1

  47. DNS Query GET / HTTP/1.1

  48. DNS Address Used to define Application Parameters Browsing Applications Link to APN Identifier defined by defined OMNA

  49. WBXML provisioning message (setting handset DNS address to Fake DNS) Fake DNS (answering any query with Evil Proxy IP Address) Evil Proxy (intercepting and forwarding the HTTP traffic)

  50. Serving the meal ...

  51.  Transparent proxy is just what we need.  Apache+Mod-Proxy is a good starting point:  Mod-Rewrite is used for proper redirection.

  52.  Now we are able to redirect the HTTP traffic as we want!  It would be cool to access the traffic...  … Mod-Security Audit feature is the solution!

  54.  User monitor and profiling  Hijacking and control of application specific data traffic IM, VoIP, Social Networks -  Traffic Injection Redirection to 3 rd party websites - Advertisements ( → Spamming) - Modification of served web pages -

Recommend

Rob Havelt Black Hat Europe, 2009 Greetings Black Hat Rob Havelt rhavelt@trustwave.com

Rob Havelt Black Hat Europe, 2009 Greetings Black Hat Rob Havelt rhavelt@trustwave.com

Rob Havelt Black Hat Europe, 2009 Greetings Black Hat Rob Havelt rhavelt@trustwave.com Im from Trustwaves SpiderLabs I manage the Pen Test Practice in the US. I like to take things apart. Also, Scotch and Godzilla 5/1/09 2

507 views • 29 slides
PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28,

PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28,

PSYCHOTRONICA nitesh dhanjani july 2009 black hat briefings 2009 (las vegas) Sunday, June 28, 2009 PSYCHOTRONIC Sunday, June 28, 2009 MySpace: 100 million users [january 2008] 1,400,000+ tweets [march 2009] generation y genuine data

768 views • 43 slides
Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat

Side Channel Analysis and Embedded Systems Impact and Countermeasures Job de Haas Black Hat Europe 2008 Black Hat Europe 2008 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

653 views • 42 slides
The Black Plague 1347 - 1351 Why did the plague hit Europe so hard? By 1300 Europeans were

The Black Plague 1347 - 1351 Why did the plague hit Europe so hard? By 1300 Europeans were

The Black Plague 1347 - 1351 Why did the plague hit Europe so hard? By 1300 Europeans were farming as much land as they could cultivate. There were three Some villages years of crop lost up to 15% failures between of their peasant

93 views • 6 slides
SMTP Information gathering Lluis Mora, Neutralbit llmora@neutralbit.com Black Hat Europe

SMTP Information gathering Lluis Mora, Neutralbit llmora@neutralbit.com Black Hat Europe

SMTP Information gathering Lluis Mora, Neutralbit llmora@neutralbit.com Black Hat Europe Amsterdam, NL // March 2007 sec urityinno vatio n Introduction E-mail is present in nearly every organization We all understand how it works

590 views • 23 slides
BLACK STURGEON WATER QUALITY MONITORING - 2009 to 2015 Summary of 2015 Results Lower Black

BLACK STURGEON WATER QUALITY MONITORING - 2009 to 2015 Summary of 2015 Results Lower Black

BLACK STURGEON WATER QUALITY MONITORING - 2009 to 2015 Summary of 2015 Results Lower Black Sturgeon Lake results within provincial water quality objectives for all parameters Why monitor water quality? All Canadian Shield lakes are

273 views • 24 slides
B2C Creative Presentation 31.07.2009 Travel in Europe The new identity card lets you go on

B2C Creative Presentation 31.07.2009 Travel in Europe The new identity card lets you go on

B2C Creative Presentation 31.07.2009 Travel in Europe The new identity card lets you go on holiday in Europe without your passport. Fingerprint technology makes the new identity card so secure that European countries even accept it instead of

571 views • 26 slides
Black Hat Europe - 2013 Saturday, January 19, 13 Meshing Stuff Up: Ad Hoc Mesh Networks with

Black Hat Europe - 2013 Saturday, January 19, 13 Meshing Stuff Up: Ad Hoc Mesh Networks with

Black Hat Europe - 2013 Saturday, January 19, 13 Meshing Stuff Up: Ad Hoc Mesh Networks with Android Saturday, January 19, 13 /whoami (m0nk) ~ software engineer for the last 12 years I like to: break / embed / repurpose things solder things

716 views • 37 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Black Hat Europe 2012 March 14 th 2012 Andy Davis Research Director Telephone: +44 (0) 208 401

Black Hat Europe 2012 March 14 th 2012 Andy Davis Research Director Telephone: +44 (0) 208 401

Black Hat Europe 2012 March 14 th 2012 Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Agenda Why am I

479 views • 36 slides
Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program control flow to the

592 views • 55 slides
October 22, 2009 October 22, 2009 Regional Structure - Global Centers Boart Longyear Europe

October 22, 2009 October 22, 2009 Regional Structure - Global Centers Boart Longyear Europe

October 22, 2009 October 22, 2009 Regional Structure - Global Centers Boart Longyear Europe (BLE) Burghaun Salt Lake City Boart Longyear Americas (BLA) Boart Longyear Far East Sandton (BLFE) Peru Adelaide Boart Longyear South Africa

827 views • 60 slides
PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda

PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda

PHP code audits OSCON 2009 San Jos, CA, USA July 21th 2009 samedi 25 juillet 2009 1 Agenda Workshop presentation Black box audit Source code audit samedi 25 juillet 2009 2 Who speaks? Philippe Gamache Parler Haut, Interagir

848 views • 73 slides
Black Hole Partition Functions and Duality Gabriel Lopes Cardoso April 8, 2009 Gabriel Lopes

Black Hole Partition Functions and Duality Gabriel Lopes Cardoso April 8, 2009 Gabriel Lopes

Black Hole Partition Functions and Duality Gabriel Lopes Cardoso April 8, 2009 Gabriel Lopes Cardoso (LMU) Black Hole Partition Functions and Duality GGI, April 8, 2009 1 / 14 Summary of Talk The OSV conjecture (2004) states that the

247 views • 14 slides
Lehman Brothers International (Europe) (In Administration) Update meetings with MFA / AIMA New

Lehman Brothers International (Europe) (In Administration) Update meetings with MFA / AIMA New

Lehman Brothers International (Europe) (In Administration) Update meetings with MFA / AIMA New York 8 Oct 2009 London 9 Oct 2009 This document is subject to the confidentiality agreement signed by the members of the LBIE Creditors

557 views • 34 slides
The Australian Bushfire Story The Victorian 2009 Black Saturday Bushfires. Bushfire takes away

The Australian Bushfire Story The Victorian 2009 Black Saturday Bushfires. Bushfire takes away

The Australian Bushfire Story The Victorian 2009 Black Saturday Bushfires. Bushfire takes away your control by Craig Lapsley Victoria State is one of the most Bushfire Prone Areas in the world. Victorian summers have: extreme

584 views • 23 slides
Black hole variability from limited data Simon Vaughan (Leicester) Do et al. (2009, ApJ, 619,

Black hole variability from limited data Simon Vaughan (Leicester) Do et al. (2009, ApJ, 619,

Black hole variability from limited data Simon Vaughan (Leicester) Do et al. (2009, ApJ, 619, 1021) Variability from limited data Outline 1. The periodogram (as a spectral estimator) 2. Problems with interpretation 3. In reverse: simulation

540 views • 41 slides
Address of Kori Udoviki , Assistant Administrator, Assistant December 7, 2009 Secretary

Address of Kori Udoviki , Assistant Administrator, Assistant December 7, 2009 Secretary

Address of Kori Udoviki , Assistant Administrator, Assistant December 7, 2009 Secretary General, UNDP Regional Director for Europe and the CIS at the Conference on the Social Impact of the Financial Crisis in Eastern Europe, Turkey and Central

398 views • 4 slides
Lockpicking Forensics datagram datagram.layerone@gmail.com Black Hat USA Briefings, 2009

Lockpicking Forensics datagram datagram.layerone@gmail.com Black Hat USA Briefings, 2009

Lockpicking Forensics datagram datagram.layerone@gmail.com Black Hat USA Briefings, 2009 Agenda How locks/picks work Normal wear Lock Analysis Key Analysis Investigative process Destructive entry still #1! How Locks Work

1.39k views • 117 slides
Focus Group meeting on Bioequivalence IFAH-Europe topics for discussion EMEA, 6 th May 2009

Focus Group meeting on Bioequivalence IFAH-Europe topics for discussion EMEA, 6 th May 2009

Focus Group meeting on Bioequivalence IFAH-Europe topics for discussion EMEA, 6 th May 2009 Focus Group meeting on Bioequivalence - EMEA, 6th May 2009 1 Content 1. Biowaivers, E. De Ridder 2. Statistical analysis, U. Sent 3. Study designs, R.

386 views • 24 slides
E-Voting and Forensics: Prying Open the Black Box Sean Peisert Matt Bishop Candice Hoke

E-Voting and Forensics: Prying Open the Black Box Sean Peisert Matt Bishop Candice Hoke

E-Voting and Forensics: Prying Open the Black Box Sean Peisert Matt Bishop Candice Hoke Mark Graff David Jefferson given at EVT/WOTE09 Montreal, Canada August 10, 2009 Monday, August 10, 2009 Key Questions That We Address

551 views • 35 slides
Security Failures In Secure Devices Black Hat Europe March 27, 2008 Christopher Tarnovsky

Security Failures In Secure Devices Black Hat Europe March 27, 2008 Christopher Tarnovsky

March 27, 2008 Security Failures In Secure Devices Black Hat Europe March 27, 2008 Christopher Tarnovsky Flylogic Engineering, LLC. chris@flylogic.net www.flylogic.net March 27, 2008 Who am I? Last 10 years with NDS

811 views • 54 slides
Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

725 views • 47 slides
Europe Matters A Communicating Europe Project run by ATD Ireland The project Europe

Europe Matters A Communicating Europe Project run by ATD Ireland The project Europe

Europe Matters A Communicating Europe Project run by ATD Ireland The project Europe Matters was designed to raise awareness about the current dialogue on the future of Europe in deprived communities , and to highlight the opportunity

300 views • 4 slides

More recommend