ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] SMS reprogramming attack



An interesting discussion in which various points of view are expressed on
the feasibility of this kind of attack...


> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 27 Nov 2006 08:21:31 -0500
> From: "Dude VanWinkle" <dudevanwinkle@xxxxxxxxx>
> Subject: [Dailydave] Seeking more info on: Devastating mobile attack
>       under   spotlight
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID:
>       <e024ccca0611270521x17f8e978o5b0e909c2418752b@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Hi Guys,
> 
> I am looking for some opinions or more info on this SMS reprogramming
> attack. If anyone has any more info I would appreciate it.
> 
> 
> from: http://www.techworld.com/mobility/news/index.cfm?newsid=7425
> 
> Mobility & Wireless News
> 
> 24 November 2006
> Devastating mobile attack under spotlight
> 
> By Peter Judge, Techworld
> 
> All mobile phones may be open to a simple but devastating attack that
> enables a third-party to eavesdrop on any phone conversation, receive
> any and all SMS messages, and download the phone's address book.
> 
> The attack, outlined by a German security expert, would amount to the
> largest ever breach of privacy for billions of mobile phone users
> across the world. But it remains uncertain exactly how easy and how
> widespread the problem could be thanks to a concerted effort by mobile
> operators to muddy the issue while they assess its extent.
> 
> The official response of the mobile phone operators when asked about
> the threat is that the attack is phoney. But despite three days of
> inquiries by Techworld, none have provided any evidence that there is
> an adequate defence to it. One operator told us all its security
> experts were at a meeting in Denmark, although, oddly for mobile
> company employees, they were also incommunicado.
> 
> Wilfried Hafner of SecurStar claims he can reprogram a phone using a
> "service SMS" or "binary SMS" message, similar to those used by the
> phone operators to update software on the phone. He demonstrated a
> Trojan which appears to use this method at the Systems show in Munich
> last month - a performance which can be seen in a German-language
> video.
> Phone operators use SMS messages to make changes to their customers'
> phone without user intervention. These changes can vary from small
> tweaks to an overhaul of the phone's internal systems. Hafner claims
> however that phones do not check the source of such messages and
> verify whether they are legitimate, so by sending a bogus message he
> is able to pose as a mobile operator and re-program people's mobiles
> to do what he wants.
> 
> "I found this on a very old Siemens C45 phone, and then tried it on a
> Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of
> them authenticated the sender of the service SMS. We could not believe
> no one had found this possibility before us."
> 
> On all these phones, Hafner was able to launch an example Trojan
> called "Rexspy", which he says ran undetected. Rexspy copies all SMS
> messages to the attacker, and allows the attacker to eavesdrop on any
> phone conversation by instructing the phone to silently conference the
> attacker into every call.
> 
> However, Hafner's demonstration does not constitute proof - it was
> done with his own phones, which could have been prepared. Known
> software such as Flexispy does the same job as Rexspy, but has to be
> installed manually on a phone. Hafner has also refused to provide
> Techworld with a demonstration, claiming that he does not want the
> code put into the wild. Hafner has also put out a press release about
> his alleged discovery which heavily pushes his company's products.
> 
> 
> -snip-
> 
> 
> 
> -JP<who has been wanting to check in on his ex for a while ;-)>
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 27 Nov 2006 16:44:07 +0100 (CET)
> From: Paul Wouters <paul@xxxxxxxxxxxxx>
> Subject: Re: [Dailydave] Seeking more info on: Devastating mobile
>       attack under spotlight
> To: Dude VanWinkle <dudevanwinkle@xxxxxxxxx>
> Cc: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <Pine.LNX.4.64.0611271616580.27487@xxxxxxxxxxxxxxxxx>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> On Mon, 27 Nov 2006, Dude VanWinkle wrote:
> 
> > All mobile phones may be open to a simple but devastating attack that
> > enables a third-party to eavesdrop on any phone conversation, receive
> > any and all SMS messages, and download the phone's address book.
> 
> > Wilfried Hafner of SecurStar claims he can reprogram a phone using a
> > "service SMS" or "binary SMS" message, similar to those used by the
> > phone operators to update software on the phone. He demonstrated a
> > Trojan which appears to use this method at the Systems show in Munich
> > last month - a performance which can be seen in a German-language
> > video.
> 
> These must be referencing two things. Writing a Trojan in under 160
> characters would be more impressive than Slammer's 1 UDP packet hack
> (which only fit in 1 UDP packet because it called a bunch of Windows
> DLL functions).
> 
> > Phone operators use SMS messages to make changes to their customers'
> > phone without user intervention. These changes can vary from small
> > tweaks to an overhaul of the phone's internal systems.
> 
> I thought those messages only set some phone numbers, such as the
> SMS center, preference of roaming providers, etc. That's not an
> "overhaul".
> 
> > however that phones do not check the source of such messages and
> > verify whether they are legitimate, so by sending a bogus message he
> > is able to pose as a mobile operator and re-program people's mobiles
> > to do what he wants.
> 
> This part I can believe.
> 
> > "I found this on a very old Siemens C45 phone, and then tried it on a
> > Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of
> > them authenticated the sender of the service SMS. We could not believe
> > no one had found this possibility before us."
> 
> This is becoming harder to believe. The C45 is an ancient phone, and
> has no real OS environment like modern smartphones/winphones/pdaphones.
> The Qtek (I think it is based on the HTC/XDA hardware) runs Windows CE, so
> sure. And the Nokia E90 is still in the rumor phase and not even listed
> on the Nokia website. But most Nokias run Symbian as OS. So I doubt all
> these OSes would have the same exploit. Which means the exploit would
> have to be in the Baseband Processor code (BP) and not the Application
> Processor code (AP). Usually phones have a dual chip design, one is
> completely sealed off (and FCC approved) and controls the radio and runs
> a realtime OS. It exports the radio functionality via some kind of serial
> connection to the other processor, which actually runs your phone OS.
> 
> Now if the exploit is in the BP, per definition it is hidden from the user.
> And I can see how multiple phones could use the same realtime OS setup
> and be vulnerable. And how the OS on the AP can not prevent this.
> 
> > On all these phones, Hafner was able to launch an example Trojan
> > called "Rexspy", which he says ran undetected. Rexspy copies all SMS
> > messages to the attacker, and allows the attacker to eavesdrop on any
> > phone conversation by instructing the phone to silently conference the
> > attacker into every call.
> 
> This would have to be the BP's realtime OS then. Running some rogue program
> on the BP by sending one or more SMSes that then talk to the AP to get
> access to things like the phone book and message store seems unlikely.
> One other option is that he only gained access to the SIM card memory on
> the AP (still an amazing feat), but no one uses it these days to store
> messages or phone numbers on it. There is just not enough storage in there.
> 
> Doing an unnoticeable call would also be a very interesting hack.
> 
> > However, Hafner's demonstration does not constitute proof - it was
> > done with his own phones, which could have been prepared. Known
> > software such as Flexispy does the same job as Rexspy, but has to be
> > installed manually on a phone. Hafner has also refused to provide
> > Techworld with a demonstration, claiming that he does not want the
> > code put into the wild. Hafner has also put out a press release about
> > his alleged discovery which heavily pushes his company's products.
> 
> Yeah. I'm sceptical until I see more.
> 
> Paul
> 

> ------------------------------
> 
> Message: 5
> Date: Mon, 27 Nov 2006 18:31:51 +0100
> From: Robert Clark <Robert.Clark@xxxxxxx>
> Subject: Re: [Dailydave] Seeking more info on: Devastating mobile
>       attack under spotlight
> To: Paul Wouters <paul@xxxxxxxxxxxxx>
> Cc: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <456B2107.2010409@xxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Paul Wouters wrote:
> 
> >> Phone operators use SMS messages to make changes to their customers'
> >> phone without user intervention. These changes can vary from small
> >> tweaks to an overhaul of the phone's internal systems.
> > 
> > I thought those messages only set some phone numbers, such as the
> > SMS center, preference of roaming providers, etc. That's not an
> > "overhaul".
> 
> Whilst not an "overhaul", is it not feasible that changing these
> settings could be extremely useful to a would-be attacker?
> 
> A MiTM on SMS using a change to the message centre number, for example...
> 
> - --
> /**
>   * Robert Clark
>   * Technical Student ALICE/DAQ
>   * Software Engineer CERN PH/AID
>   * Phone: (+41) (0)22 767 8338
>   */
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Mon, 27 Nov 2006 19:05:39 +0100
> From: Nicolas RUFF <nruff@xxxxxxxxxxxxxxxxx>
> Subject: Re: [Dailydave] Seeking more info on: Devastating mobile
>       attack under spotlight
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <456B28F3.1020609@xxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=windows-1252
> 
> > I am looking for some opinions or more info on this SMS reprogramming
> > attack. If anyone has any more info I would appreciate it.
> 
> Unfortunately, I feel this could be true. I am no SIM card expert, but
> for what I've read in various books[*]:
> 
> - Modern SIM cards are JavaCards, meaning that they embed Java applets.
> This is totally unrelated to the phone capabilities (i.e. your phone
> does not have to be able to run Java applets).
> 
> And the upcoming MegaSIMs do have AES encryption and 1 GB of Flash
> memory; they are full-fledged computer systems.
> http://www.m-systems.com/site/en-US/Products/MegaSIM/MegaSIM
> 
> - "Over The Air" (OTA) update of Java applets is possible. There is a
> "secret" password which for some manufacturers is the same across the
> whole product line.
> http://www.gemplus.com/techno/ota/
> 
> - The message does not have to fit a single SMS - if it is over 160
> bytes it will be split in multiple messages.
> 
> - The SIM card has some sort of "boot" capability, meaning that it can
> dynamically modify the phone configuration at boot time (e.g. add some
> service icons).
> 
> At the end, I would take this very seriously...
> 
> [*] Some readings on SIM cards for French eyes only:
> http://www.dunod.com/pages/ouvrages/ficheauteurs.asp?id=44685&auteur=5187
> 
> Regards,
> - Nicolas RUFF
> 
> 
> ------------------------------
> 
> Message: 9
> Date: Mon, 27 Nov 2006 18:43:21 -0000
> From: "Dave Korn" <dave.korn@xxxxxxxxxx>
> Subject: Re: [Dailydave] Seeking more info on: Devastating mobile
>       attack  under spotlight
> To: "'Paul Wouters'" <paul@xxxxxxxxxxxxx>,    "'Dude VanWinkle'"
>       <dudevanwinkle@xxxxxxxxx>
> Cc: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <00d301c71253$e9863220$a501a8c0@xxxxxxxxxxxxxx>
> Content-Type: text/plain;     charset="US-ASCII"
> 
> On 27 November 2006 15:44, Paul Wouters wrote:
> 
> > On Mon, 27 Nov 2006, Dude VanWinkle wrote:
> > 
> >> All mobile phones may be open to a simple but devastating attack that
> >> enables a third-party to eavesdrop on any phone conversation, receive
> >> any and all SMS messages, and download the phone's address book.
> > 
> >> Wilfried Hafner of SecurStar claims he can reprogram a phone using a
> >> "service SMS" or "binary SMS" message, similar to those used by the
> >> phone operators to update software on the phone. He demonstrated a
> >> Trojan which appears to use this method at the Systems show in Munich
> >> last month - a performance which can be seen in a German-language
> >> video.
> > 
> > These must be referencing two things. Writing a Trojan in under 160
> > characters would be more impressive than Slammer's 1 UDP packet hack
> > (which only fit in 1 UDP packet because it called a bunch of Windows
> > DLL functions)
> 
>   I suppose you also think that ringtones, logos, screensavers and
> downloadable java games have to fit in 160 chars, yes?
> 
>   Look up WAP PUSH sms.  I suspect the only thing missing from the description
> is some kind of user-interaction, but see also immediate-vs-deferred delivery;
> perhaps that can be leveraged somehow.
> 
> http://en.wikipedia.org/wiki/Multimedia_Messaging_Service
> 
> > I thought those messages only set some phone numbers, such as the
> > SMS center, preference of roaming providers, etc. That's not an
> > "overhaul".
> 
>   Did you think this based on reading documentation and looking up standards,
> or are you guessing?
> 
> > on the Nokia website. But most Nokias run Symbian as OS. So I doubt all
> > these OSes would have the same exploit.
> 
>   It is the incorrect assumption you have made here ...
> 
> > Which means the exploit would
> > have to be in the Baseband Processor code (BP) and not the Application
> > Processor code (AP).
> 
> ... which leads you to the false inference here ...
> 
> > This would have to be the BP's realtime OS then. Running some rogue program
> > on the BP by sending one or more SMSes that then talk to the AP to get
> > access to things like the phone book and message store seems unlikely.
> > One other option is that he only gained access to the SIM card memory on
> > the AP (still an amazing feat), but no one uses it these days to store
> > messages or phone numbers on it. There is just not enough storage in there.
> 
> ... which leads you to misidentify a non-problem here ...
> 
> > Yeah. I'm sceptical until I see more.
> 
> ... which leads to your expression of scepticism here.  You're thinking in too
> limited terms: not every "exploit" is a buffer overflow.  In this case, I
> reckon the exploit consists in leveraging the SMS/MMS functionality defined by
> the relevant specs in order to get some Java program to download and run
> without it being obvious what is happening, and perhaps without any
> user-interaction at all.  If the vulnerability is in the specification, any
> compliant phone would be vulnerable.
> 
>   The actual trojan itself is nothing new: I watched the video, and although I
> don't speak German I caught numerous references to "FlexiSPY".  Look it up;
> all that you need is a way of tricking a phone to auto-install it.  The video
> itself doesn't (as far as I could tell) show the actual infection process.
> 
>   Those who would like to do some research, as opposed to speculating, could
> start by googling "binary sms" (with the quotes, for an exact phrase match);
> you get lots of interesting-looking documentation for sms gateway/servers.
> From the list of hits,
> 
>   http://www.ozeki.hu/index.php?owpn=488 
> 
> shows a list of (some?all?) different sms types.
> 
>     cheers,
>       DaveK
> -- 
> Can't think of a witty .sigline today....
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave@xxxxxxxxxxxxxxxxxxxxx
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> 
> 
> End of Dailydave Digest, Vol 16, Issue 16
> *****************************************
> 

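An added example (not part of the forwarded digest) that follows up on Dave Korn's and Nicolas Ruff's points about binary, port-addressed and concatenated SMS: a small Python parser for the SMS User Data Header, written from an SMS gateway operator's side, that labels an inbound message by the delivery mechanism it relies on, so WAP Push, port-addressed binary and SIM data download traffic can be inventoried and rate-limited separately from ordinary text. Field layouts follow 3GPP TS 23.040; the sample bytes are constructed, and it is an assumption that the gateway has already split out TP-PID, TP-DCS, the UDHI flag and TP-User-Data.

```python
WAP_PUSH_PORTS = {2948, 2949}   # connectionless WSP push / secure push

# Constructed sample: UDH carrying a 16-bit application-port IE
# (destination 2948, origin 9200) followed by two payload bytes.
SAMPLE_WAP_PUSH = bytes.fromhex("0605040B8423F0" "0106")

def parse_udh(user_data: bytes):
    """Split TP-User-Data (UDHL, then IEI/IEDL/IED elements) into (fields, payload)."""
    if not user_data:
        raise ValueError("empty user data")
    udhl = user_data[0]
    if 1 + udhl > len(user_data):
        raise ValueError("UDHL exceeds user data length")
    header, payload = user_data[1:1 + udhl], user_data[1 + udhl:]
    info, i = {}, 0
    while i < len(header):
        if i + 2 > len(header):
            raise ValueError("truncated information element")
        iei, iedl = header[i], header[i + 1]
        ied = header[i + 2:i + 2 + iedl]
        if len(ied) != iedl:
            raise ValueError("IE length exceeds header")
        i += 2 + iedl
        if iei == 0x00 and iedl == 3:           # concatenation, 8-bit reference
            info["concat"] = (ied[0], ied[1], ied[2])
        elif iei == 0x08 and iedl == 4:         # concatenation, 16-bit reference
            info["concat"] = (int.from_bytes(ied[:2], "big"), ied[2], ied[3])
        elif iei == 0x04 and iedl == 2:         # application port addressing, 8-bit
            info["ports"] = (ied[0], ied[1])
        elif iei == 0x05 and iedl == 4:         # application port addressing, 16-bit
            info["ports"] = (int.from_bytes(ied[:2], "big"),
                             int.from_bytes(ied[2:], "big"))
        else:                                   # keep unknown IEs visible
            info.setdefault("unknown_ie", []).append(iei)
    return info, payload

def classify(pid: int, dcs: int, udhi: bool, user_data: bytes) -> str:
    """Label an inbound message by the delivery path it relies on."""
    if pid == 0x7F:                     # TP-PID 0x7F: (U)SIM data download
        return "sim-data-download"
    info = parse_udh(user_data)[0] if udhi else {}
    dest = info.get("ports", (None, None))[0]
    if dest in WAP_PUSH_PORTS:
        return "wap-push" + (" (concatenated)" if "concat" in info else "")
    if dest is not None:
        return f"port-addressed:{dest}"
    if (dcs & 0x0C) == 0x04:            # 8-bit data coding, no port: raw binary (simplified DCS check)
        return "binary"
    return "text"
```

A gateway would run `classify` on each delivered message and count or throttle per label; the unknown-IE list makes it easy to spot header elements the deployment has never seen before.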
Copyright © Lexa Software, 1996-2009.