mobile phone (in)security - hacking-lab
Post on 02-Jun-2022
Tel.+41 55-214 41 60Fax+41 55-214 41 61team@csnc.ch www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
Mobile Phone (In)Security
Live Demos with Mobile Phone Technology
Walter Sprenger
© Compass Security AG Slide 2www.csnc.ch
Extract from the latest status report on IT security of the BSI (German Federal Office for Information Security)
"Besides botnets, spamming and phishing e-mails, cyber criminals are increasingly using infiltration through mobile phones and WLAN."
Latest information
The Present
Chart: Devices vs. Applications (market shares 06/2010)
How do Trojans and spyware get on mobile devices?
Mobile Phone Malware
- Applications (apps)
- Bluetooth
- Updates
- Internet sites
- LAN / WAN / WLAN / UMTS
- GSM
Mobile devices: critical and often forgotten children ...
- Mobile devices often operate without the protection of a company firewall
- They are frequently transported and can easily be moved
- They communicate with foreign networks through insecure techniques
- The users often have administrator rights
- They can easily be stolen, pinched or destroyed ...
- They are often forgotten or deliberately ignored in the security concept
General
Situation in Enterprises: Got Boss, got iPhone?
SmartPhone and Enterprises
Oh…?!
I am the Boss… go get me an iPhone!
But Boss, iPhones are the source of all evil. It's so vulnerable. We would expose our network, open the firewall, data leakage and much more!!!
However… I am the Boss… go get me an iPhone!
*sigh*
The Mobile Network - Positioning
Everybody sending out signals can in principle also be located.
Conversely, you can locate yourself by evaluating signals sent out from known positions.
General
Reference points in the mobile network
The Mobile Switching Centre (MSC) serves as a router for the transmission of calls and text messages within the network or to the fixed-line network. The MSC communicates via Signalling System #7 (SS7).
The cell is the direct radio interface to the subscriber.
The Base Station Controller (BSC) controls several base transceiver stations (BTS), assigns the frequencies to be used and can initiate the handover.
The Home Location Register (HLR) of a network provider contains the personal data of all its customers.
The Visitor Location Register (VLR) stores the data of users who are served by the MSC but are not customers of the respective network provider.
Transmission in the GSM-Network
Diagram: GSM network from the PSTN through HLR/AuC and MSC (with VLR) down to BSC and BTS; a group of cells under one BSC forms the LAC, a single BTS is one Cell ID.
Reading out locally relevant data of the presently active/located Cell (Example iPhone)
- Activate the "Fieldtest" mode
Locating via LBS Location Based ID
MCC (Mobile Country Code)
- Based on the first digit you can assign a continent:
  0 not defined
  1 not defined
  2 Europe
  3 North America and the Caribbean
  4 Asia, India, Middle East
  5 Australia and Oceania
  6 Africa
  7 South America
  8 not defined
  9 world
See also www.nobbi.com/wiki/doku.php/mcc
MCC (Mobile Country Code)
- The second and the third digit define the country (selection):
  262 Germany
  228 Switzerland
  232 Austria
  234 United Kingdom
  235 United Kingdom
  310 through 316 United States of America
See also www.nobbi.com/wiki/doku.php/mcc
MNC (Mobile Network Code)
- The MNC identifies the network provider:
  Germany:     01, 06     T-Mobile
               02, 04, 09 Vodafone
               07, 08, 11 O2
  Switzerland: 01         Swisscom Mobile
               02         Sunrise
               03         Orange
Reading out locally relevant data of the presently active/located cell (example iPhone)
- Activate the "Fieldtest" mode
- Read out the GSM cell data:
  - MCC (Mobile Country Code)
  - MNC (Mobile Network Code)
  - LAC (Location Area Code): organisational grouping of cells
  - Cell ID: two bytes identifying a cell within an LAC
In our example the unambiguous location-based ID would be:
MCC – MNC – LAC – CID
262 – 01 – 38914 – 57564
Present location (LAI):
HEX: 228 01 2929 00a53c3
Swisscom: 228 01 10537 676803
Orange: 228 03 7500 174692
Live Demo: Positioning
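As an added example that is not part of the Compass Security slides, the following Python turns the field-test values shown above into the location-based ID and looks them up in the deck's own MCC/MNC tables (the selection on the slides, not a complete registry). It goes one step beyond the slide by splitting a cell identity that does not fit into two bytes, which is a 28-bit UTRAN (3G) cell identity, into its RNC ID and cell ID.

```python
# Added example: decode the serving-cell values from an iPhone field-test screen
# into the location-based ID MCC-MNC-LAC-CID used in the slides.
# Country and operator tables are only the selection listed in the deck.
MCC_REGION = {"2": "Europe", "3": "North America and the Caribbean",
              "4": "Asia, India, Middle East", "5": "Australia and Oceania",
              "6": "Africa", "7": "South America", "9": "world"}
MCC_COUNTRY = {"262": "Germany", "228": "Switzerland", "232": "Austria",
               "234": "United Kingdom", "235": "United Kingdom"}
MCC_COUNTRY.update({str(m): "United States of America" for m in range(310, 317)})
MNC_OPERATOR = {("262", "01"): "T-Mobile", ("262", "06"): "T-Mobile",
                ("262", "02"): "Vodafone", ("262", "04"): "Vodafone",
                ("262", "09"): "Vodafone", ("262", "07"): "O2",
                ("262", "08"): "O2", ("262", "11"): "O2",
                ("228", "01"): "Swisscom Mobile", ("228", "02"): "Sunrise",
                ("228", "03"): "Orange"}


def decode_cell(mcc, mnc, lac, cid, hex_values=False):
    """Build the location-based ID from the four field-test values.
    lac and cid are strings as shown on the phone: hexadecimal when
    hex_values is True (iPhone field test), decimal otherwise."""
    base = 16 if hex_values else 10
    lac_dec, cid_dec = int(lac, base), int(cid, base)
    info = {
        "mcc": mcc, "mnc": mnc, "lac": lac_dec, "cid": cid_dec,
        "region": MCC_REGION.get(mcc[0], "not defined"),
        "country": MCC_COUNTRY.get(mcc, "unknown"),
        "operator": MNC_OPERATOR.get((mcc, mnc), "unknown"),
        "location_id": f"{mcc}-{mnc}-{lac_dec}-{cid_dec}",
    }
    # A GSM cell ID fits in two bytes; a larger value is a 28-bit UTRAN (3G)
    # cell identity whose upper 12 bits are the ID of the controlling RNC.
    if cid_dec > 0xFFFF:
        info["rnc_id"] = cid_dec >> 16
        info["c_id"] = cid_dec & 0xFFFF
    return info


def decode_field_test(line, hex_values=True):
    """Parse one 'MCC MNC LAC CID' line copied from the field-test screen."""
    mcc, mnc, lac, cid = line.split()
    return decode_cell(mcc, mnc, lac, cid, hex_values)


if __name__ == "__main__":
    # The Swisscom example from the slides, as the field test shows it (hex)
    print(decode_field_test("228 01 2929 00a53c3"))
```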
Live Demo [Use Google's Dataset]
How does Google collect their data?
Transmission of data
Determination of the reference coordinates
Alternative tools to determine the Location Based ID
GPS tracking transmitter TK102-2
Live Demo
See also www.itakka.at/shop/ and www.positionx.de
And now? The detection of the location is also a matter of the right database
Locating using silent text messages
What are silent text messages needed for?
- After network authentication only the Location Area Identity (LAI) is stored in the Visitor Location Register (VLR/HLR)
- As soon as the network wants to contact the mobile phone, all base stations (BTS) under the BSC page the subscriber
- The information about the cells used during a call or at the time a text message is received or sent is part of the data the network provider is required by law to record
- A silent text message behaves like a normal text message during transmission, but it is neither visibly nor acoustically announced on the mobile phone
- Access to the network provider's database is essential
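As an added example (not part of the slides and not PDUspy's code), the following Python parses the header of a received SMS-DELIVER PDU and flags a silent SMS: in 3GPP TS 23.040 this is a Short Message Type 0, signalled by TP-Protocol-Identifier 0x40, which the handset must acknowledge to the network but discard without displaying. The two PDUs are constructed samples with placeholder Swiss numbers; such an audit on the device side is the only way for a subscriber to notice that they are being paged this way.

```python
# Added example: audit received SMS-DELIVER PDUs (as dumped by a tool such as
# PDUspy) and flag silent messages, i.e. Short Message Type 0 (TP-PID 0x40).
SILENT_SMS_PID = 0x40

# Constructed sample PDUs with placeholder numbers (SMSC 41790000000,
# sender +41791234567, 2 Jun 2022 11:12 +02:00). Silent: PID 40, no user data.
SILENT_PDU = "07911497000000F0040B911497214365F740002260201121008000"
# Normal: PID 00, five 7-bit characters of user data ("hello").
NORMAL_PDU = "07911497000000F0040B911497214365F700002260201121008005E8329BFD06"


def _swap_digits(semi_octets):
    """Decode nibble-swapped BCD digits ('1497...F7' -> '4179...7')."""
    swapped = "".join(semi_octets[i + 1] + semi_octets[i]
                      for i in range(0, len(semi_octets), 2))
    return swapped.rstrip("F")  # an odd digit count is padded with F


def parse_sms_deliver(pdu_hex):
    """Parse the header fields of an SMS-DELIVER PDU given as a hex string."""
    p, pos = pdu_hex.upper(), 0
    smsc_len = int(p[pos:pos + 2], 16); pos += 2              # SMSC info length
    smsc = _swap_digits(p[pos + 2:pos + 2 * smsc_len]); pos += 2 * smsc_len
    first_octet = int(p[pos:pos + 2], 16); pos += 2
    if (first_octet & 0x03) != 0:                              # TP-MTI 00 = DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = int(p[pos:pos + 2], 16); pos += 2              # sender digit count
    oa_type = int(p[pos:pos + 2], 16); pos += 2
    oa_len = oa_digits + oa_digits % 2                         # pad to whole octets
    sender = _swap_digits(p[pos:pos + oa_len]); pos += oa_len
    if (oa_type & 0x70) == 0x10:                               # international number
        sender = "+" + sender
    pid = int(p[pos:pos + 2], 16); pos += 2                    # TP-PID
    dcs = int(p[pos:pos + 2], 16); pos += 2                    # TP-DCS
    ts = _swap_digits(p[pos:pos + 12]); pos += 12              # TP-SCTS YYMMDDhhmmss
    pos += 2                                                   # time-zone octet
    udl = int(p[pos:pos + 2], 16)                              # TP-UDL
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs, "udl": udl,
            "timestamp": f"20{ts[:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:]}",
            "silent": pid == SILENT_SMS_PID}


def find_silent(pdus):
    """Return (sender, timestamp) for every silent SMS in a list of PDUs."""
    return [(r["sender"], r["timestamp"])
            for r in map(parse_sms_deliver, pdus) if r["silent"]]
```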
Locating using silent text messages
Diagram: a BSC with its BTS cells; the group of cells forms the LAC, the single cell from which the phone answers is the Cell ID.
Live Demo [Silent SMS/PDUspy]
Identification spoofing [Call-ID-Spoofing]
Why an attack with a falsified call ID?
- Often the call ID (CLIP) serves as an identification attribute of the caller (e.g. for telephone calls, remote access, applications, etc.)
- Access restrictions based on call-ID authentication can be bypassed, or the call ID can be used to support social engineering
- EU end devices match the call ID against the address book on at most 7 digits
Providers of commercial Call-ID-Spoofing services
http://spoofcard.com
Tools for Call-ID-Spoofing
- Telephone connection with the service attribute CLIP -no screening-
or
- SIP gateway to the PSTN (e.g. www.sipgate.de)
- Softphone (e.g. www.phoner.de)
Live Demo [Call-ID-Spoofing]
Call-ID-Spoofing (MITM attack)
Diagram: Call-ID-Spoofing attack. Incoming call: +49666666666666, Paris Hilton; ringing tone.
Identification spoofing [SMS-ID-Spoofing]
Why an attack with a falsified phone number?
- As with call-ID authentication, a falsified sender can be used to support social engineering
- Instead of a number, the sender can be named directly
- Phishing via text messages is still widely unknown and therefore more promising
- No content filter is available (as there is, e.g., for e-mails)
Examples
Example 1: SMS phishing using SMS spoofing
- Example of a phishing SMS
- Original message of the network provider
- Falsified message based on the text message from the network provider
Example 2: SMS phishing using SMS spoofing
- Leave the competitor at home
Live Demo [SMS-ID-Spoofing]
SIM-interface as an attacking vector on mobile end devices [SIM Application Toolkit]
Why an attack on the SIM interface?
- The SIM interface is a universal attack vector on mobile end devices
- Standardised interface
- Realisation: hardware-based man-in-the-middle attack
- Remote influence on end devices (as already partly used by the network providers)
Functions of the SIM Application Toolkit
- Sending and receiving of short messages (SEND SHORT MESSAGE, SMS-PP Download)
- Initiating outbound calls (SET UP CALL)
- Diversion of outbound calls (CALL CONTROL)
- Positioning
- Data transmission via GPRS/UMTS
- Sending of AT commands to the end device
- etc. ...
Mode of operation of an SAT-attack
- The SIM card can make use of the SAT functions described
- There is no cryptography between the SIM and the end device
- Injection of own SAT commands is therefore possible
- The SIM is still needed for authentication, so it stays in the circuit
- Man-in-the-middle attack by installing a microcontroller (e.g. Atmel ATTiny85V) between SIM and end device
Development history
SIM Application Toolkit
Diagram: man-in-the-middle attack, voice example. Call +49 151 xxxxxxxx; ringing tone.
Attacks on mobile end devices via malware [Trojans, etc.]
Commercial Trojans: MOBILE SPY monitors iPhone and many other mobile phones from $49.00 a quarter
www.mobile-spy.com
Incl. 24/7 support
Commercial Trojans: the classic "FlexiSpy".
www.flexispy.com
Available for almost all platforms…
- Configuration menu of FlexiSpy
How does FlexiSpy collect the user data?
The Trojan transmits all data, such as text messages, calls, e-mails, etc., at defined intervals directly to the server (diagram: phone, WWW, database). The attacker can download the data at any time via the Internet.
Live Demo [Mobile phone Trojans]
Open discussion
Questions?!
Contact
Compass Security Network Computing
Werkstrasse 20
Postfach 2038
CH - 8645 Jona
team@csnc.ch | www.csnc.ch | +41 55 214 41 60
Secure File Exchange: www.csnc.ch/filebox
PGP-Fingerprint: