
Adv. Security for Systems Engineering - VO 09: Mobile Application Security


Conrad Wandl, Paul Gültekin, Christian Schanes

INSO - Industrial Software Institut für Rechnergestützte Automation | Fakultät für Informatik | Technische Universität Wien

Agenda

- Introduction
- Mobile Threat Statistics
- SMS
- Android USSD Exploit
- Recent Vulnerabilities
- Build a GSM Test System
- GSM network structure

Adv. Security for Systems Engineering WS12 | Mobile


Organizational Aspects


TISS Course evaluation

The evaluation by students takes place between 13.11.2012 and 13.02.2013. Please participate in the course evaluation in TISS, even if you liked the course :-)

- Anonymous participation
- Praise
- Ideas for improvements

You can also give us feedback during our office hours, via e-mail or using the TISS feedback box feature (Stimmungszettel).
You help us to improve the course! Thank you!

Mobile Application Security


Introduction

- Mobile devices are becoming more and more important for daily life
- Contacts, e-mail, calendar, banking, payment, ...
- Who cares about security of the mobile device?
- What security issues arise for mobile devices?
- Integrity, Authenticity, Confidentiality
- GSM, WLAN, NFC, Bluetooth, ...
- Telephony is just another App


Mobile Threat Statistics

- Symbian: 21 new families and variants were discovered in the third quarter of 2012, a 17% increase compared to the second quarter
- Android: 51,447 unique samples detected. After introduction of Bouncer as an additional security layer in the Android Play Store (Google: Bouncer drops 40% of malicious apps)

Example of a threat for multiple mobile platforms (Android, Symbian, iOS, and Windows Mobile): FinSpy takes screenshots, logs keystrokes, intercepts Skype communications, tracks device location, and monitors SMS and call activities on the device

Example iOS, Android: Fidall app sends contacts from the device to a remote server, then sends spam SMS messages to the contacts with a download link for the application
(See F-Secure, Mobile Threat Report Q3/2012)


Mobile Threats Families/Variants 2011-2012

(See F-Secure, Mobile Threat Report Q3/2012)


Mobile Threats Top-10 Android Detection Hits

(See F-Secure, Mobile Threat Report Q3/2012)


Attacking Mobile Systems


SMS

Message Disclosure

- No encryption of the content
- Interception during transmission
- Confidentiality of the message on the mobile phone (e.g., spyware, lost devices)
- Man-in-the-Middle Attacks, e.g., see Nico Golde at 29C3, "Let Me Answer That for You"

DoS Attacks

- Killer SMS to attack the mobile device
- Flooding to overload the network infrastructure

Spoofing

- Similar to e-mail, no protection against spoofing the sender address

Eavesdropping on Cell Phone Microphones


- A mobile phone's microphone can be activated for eavesdropping
- Remote activation is also possible
- Eavesdropping technique functioned whether the phone was powered on or off
(See Schneier http://www.schneier.com/blog/archives/2006/12/remotely_eavesd_1.html)

Other examples:

- Specific apps for phones available to turn your own phone into a spy phone
- Intercepting Bluetooth connections, e.g., headsets or cars (Tool: The Car Whisperer)
- VoIP Cisco phones (no mobile phone but similar attack): see (29C3) Ang Cui, "Hacking Cisco Phones"

More and More Functionalities Example for USSD Exploit


Android USSD Exploit

What are USSD codes?


- USSD is a protocol to communicate with your service provider
- USSD codes can be used to e.g. enable/disable international roaming
- Manufacturers use USSD codes to access phone functions
- Dialing *#06# shows your IMEI

Do you remember this URL? http://tinyurl.com/bh8qoef


- Causes your Android to dial *#350#
- *#350# is the command for rebooting your phone (Samsung Android variant)


Android USSD Exploit

Why is it dangerous?

- Wipe your phone remotely without confirmation (Samsung)
- Kill your SIM card (HTC, Motorola)
- Can be exploited by URL, SMS, QR Code
- Fixed with Android 4.1 - 93% of all Android phones are vulnerable!

How to protect myself?

- E.g., install the TelStop app by Collin Mulliner
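
A defensive check in the spirit of such a filter, as an added example (not code from the lecture or from TelStop): it scans content that can reach the dialer (a URL, an SMS body, a decoded QR payload, HTML) for tel: URIs and flags those whose dial string contains USSD/MMI characters once HTML entities and repeated percent-encoding are undone. That the dialer is reached through tel: URIs is an assumption of this sketch; the function names and sample inputs are constructed, and the harmless IMEI code *#06# is used as the test pattern.

```python
import html
import re
from urllib.parse import unquote

# tel: scheme at a word boundary (so "hotel:" does not match), followed by
# everything up to a character that would end an attribute or token.
TEL_URI = re.compile(r"\btel:([^\s\"'<>]*)", re.IGNORECASE)


def normalize(raw):
    """Undo HTML entities and up to three layers of percent-encoding."""
    value = html.unescape(raw)
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_service_code(number):
    """Ordinary numbers are digits, '+' and separators; '*' and '#' only
    appear in USSD/MMI service codes."""
    return "*" in number or "#" in number


def scan(content):
    """Return (dial string, verdict) for every tel: URI found in content."""
    findings = []
    for match in TEL_URI.finditer(content):
        number = normalize(match.group(1))
        verdict = "block" if is_service_code(number) else "allow"
        findings.append((number, verdict))
    return findings


if __name__ == "__main__":
    # Constructed samples: embedded frame, ordinary link, double-encoded URI.
    for sample in ('<iframe src="tel:*%2306%23"></iframe>',
                   '<a href="tel:+43-1-58801">call</a>',
                   "tel:%2A%252306%2523"):
        print(scan(sample))
```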


Recent Vulnerabilities

2012-12-27: Samsung Exynos 4 exploit grants dangerous R/W access to RAM


- Permission misconfiguration
- R/W access to /dev/exynos-mem for all users
- Permits RAM dumps, code injection, ...

2012-11-24: Windows Phone 8 Malware Prototype on MalCon

2012-09-25: Samsung smartphones vulnerable to remote wipe exploit


Recent Vulnerabilities

2012-08-17: Never trust SMS - iOS text spoofing


- SMS can have an additional reply-to header set
- Most carriers do not check this header
- iOS shows the reply-to number as sender
- Could be used for phishing, misusing trust relationships, ...

2012-08-08: DoS vulnerability affects older iPhones, Droids, even a Ford car

- Firmware bug in wireless chips used by some phone models
- Prepared 802.11 frames used to disable wireless connectivity
- Out-of-bounds read error condition (improper length check? integer over/underflow?)
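
The check that the iOS text spoofing item (2012-08-17) says is missing, as an added example that is not part of the original slides: it parses an SMS User Data Header, extracts the Reply Address Element (IEI 0x22 in 3GPP TS 23.040) and reports it when it differs from the originating address. The function names and the sample header bytes are constructed for illustration; only digit-only addresses are decoded.

```python
REPLY_ADDRESS_IEI = 0x22  # 3GPP TS 23.040 "Reply Address Element"


def parse_udh(udh):
    """Split a User Data Header (first octet is its length) into {IEI: data}."""
    udhl = udh[0]
    body = udh[1:1 + udhl]
    if len(body) != udhl:
        raise ValueError("truncated UDH")
    elements, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated information element header")
        iei, iedl = body[i], body[i + 1]
        data = body[i + 2:i + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("truncated information element")
        elements[iei] = data
        i += 2 + iedl
    return elements


def decode_address(field):
    """Decode an address field: digit count, type-of-address, swapped BCD."""
    ndigits, toa = field[0], field[1]
    digits = "".join("%x%x" % (o & 0x0F, o >> 4) for o in field[2:])[:ndigits]
    prefix = "+" if (toa >> 4) & 0x7 == 1 else ""  # TON 001 = international
    return prefix + digits


def reply_address_mismatch(originator, udh):
    """Return the reply address if it differs from the originator, else None."""
    elements = parse_udh(udh)
    if REPLY_ADDRESS_IEI not in elements:
        return None
    reply = decode_address(elements[REPLY_ADDRESS_IEI])
    return reply if reply != originator else None


# Constructed sample: UDH carrying reply address +15550100.
SAMPLE_UDH = bytes.fromhex("082206089151551000")

if __name__ == "__main__":
    print(reply_address_mismatch("+15550199", SAMPLE_UDH))
```

A message for which this returns a value is one where a handset that displays the reply address as the sender would show a number the originating address does not back up.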

Recent Vulnerabilities

2012-07-25: Researcher uses NFC to attack Android, Nokia smartphones


- NFC tags can contain URLs, phone numbers, ...
- Smartphone automatically executes actions based on NFC communications
- Dial expensive toll numbers, use web-based exploits, ...

2012-03-14: WebKit Vulnerability Plagues BlackBerry, iOS, & Android


- Drive-by download
- Attack on a popular browser engine breaks most OSes!
- Used for eavesdropping and location monitoring

IMSI Detach

- by turning the phone off, the phone sends a detach message to the GSM network
- this message is unauthenticated
- if you know the IMSI of someone's phone, you can interrupt calls
- sending detach periodically for jamming a specific phone


Baseband Fuzzing

- attacks the GSM Layer 1 - 3 on mobile stations
- could be used to find exploits in GSM Baseband implementations
- hard, SRC needed
- however, fuzzing the traffic to the MS causes most phones to crash
- same could be done from MS to BTS


Build a GSM Test System


GSM network structure

(See http://bsi.bund.de/)


MS - Mobile Station

- Consists of Mobile Equipment (ME), e.g. GSM phone, and Subscriber Identity Module (SIM)
- SIM uses algorithms for Authentication (A3) and Key Generation (A8) to encrypt communication
- IMSI, Ki (Secret Key)


BSS - Base Station Subsystem

- Takes care of all radio communication aspects
- Connects MS with GSM network using the Air Interface (Um)
- Consists of BTS and BSC


BTS - Base Transceiver Station

- Sends data to / receives data from MS
- Supplies at least one radio cell (more using sectorial antennas)
- Synchronisation, encryption, determines radio reception level/quality


BSC - Base Station Controller

- "Intelligence"
- Controls one or more BTS
- Controls power output
- Handover to own BTS if applicable, to MSC otherwise


MSC - Mobile Switching Center

- Routing between BSS and telephone network (SS7)
- Interfaces to BSC, other MSC and other GSM network components
- Multiple BSC assigned
- Handles all incoming and outgoing calls of the related network segment


Additional GSM network components

- Transcoder and Rate Adaption Unit (TRAU): Between BTS and BSC or BSC and MSC, speech encoding/decoding
- Home Location Register (HLR): Telephone number, IMSI, allowed services, location, ...
- Visitor Location Register (VLR): Roaming
- Authentication Center (AuC): Saves IMSI, Ki and LAI, generates key Triplets
- Short Message Service Centre (SMSC)
- Equipment Identity Register (EIR)
- + Constituent parts for GPRS and UMTS


Identities (GSM)

- IMEI: Serial number of the mobile phone
- IMSI: Worldwide unique ID, assigned to SIM
- MSISDN: Telephone number belonging to IMSI
- TMSI: Temporary IMSI (like session key), temporarily stored on SIM on power off
- Ki: Subscriber Authentication Key
- PIN
- LAI: Location Area Identity
- Kc: Encryption Key for Air Interface


Crypto and Authentication

Hardware based Security


- SIM card (carrier)
- ARM TrustZone, internal Secure Element, ...

GSM

- Ki - Secret Key, on SIM card and in HLR, 128 bit
- A3 - Used for authentication within the network (SIM)
- A8 - Calculates Cipher Key Kc (SIM)
- A5/x - Uses Cipher Key Kc


Authentication MS - BSS

(See Glendrange, Hove and Hvideberg)


Encryption MS - BSS

(See Glendrange, Hove and Hvideberg)
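
The challenge-response behind the two figures above, with both sides of the exchange, as an added example that is not part of the original slides. A3 and A8 are operator-specific, so HMAC-SHA256 stands in for them here (an assumption, not COMP128 or any deployed algorithm); the class and function names and the test IMSI are constructed. The sizes used are the GSM ones: 128-bit RAND, 32-bit SRES, 64-bit Kc.

```python
import hashlib
import hmac
import os


def _prf(ki, rand, label):
    # Stand-in keyed one-way function (assumption): HMAC-SHA256, not COMP128.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()


def a3(ki, rand):
    """A3: derive the 32-bit signed response SRES from Ki and RAND."""
    return _prf(ki, rand, b"A3")[:4]


def a8(ki, rand):
    """A8: derive the 64-bit cipher key Kc from Ki and RAND."""
    return _prf(ki, rand, b"A8")[:8]


class AuC:
    """Authentication Center: holds IMSI -> Ki and generates triplets."""

    def __init__(self):
        self.ki_by_imsi = {}

    def triplet(self, imsi):
        ki = self.ki_by_imsi[imsi]
        rand = os.urandom(16)  # 128-bit challenge
        return rand, a3(ki, rand), a8(ki, rand)


class SIM:
    """Subscriber side: Ki never leaves the card, only SRES does."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)


def authenticate(auc, sim):
    """Run one challenge-response; return Kc on success, None on failure."""
    if sim.imsi not in auc.ki_by_imsi:
        return None
    rand, expected_sres, kc = auc.triplet(sim.imsi)  # AuC -> network side
    sres, _kc_on_sim = sim.run_gsm_algorithm(rand)   # RAND -> MS, SRES <- MS
    if not hmac.compare_digest(sres, expected_sres):
        return None
    return kc  # key for A5/x on the air interface; the SIM derived the same Kc
```

Only RAND and SRES cross the air interface; Ki stays on the SIM and in the operator's database, and Kc is derived independently on both sides.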


OpenBTS

- Open Source implementation of Air (Um) Interface between MS and BTS
- Based on GnuRadio
- Utilizes a Software Defined Radio (SDR) as hardware
- Open Source and commercial variants
- 2G (GSM) features, calls and SMS
- Backend software Asterisk
- No GSM encryption A5/1 A5/2 A5/3 support (yet)


OpenBTS - GNU Radio

- Software library for Software Defined Radio
- Runs on cheap hardware
- Defines graphs for signal processing - built using functional blocks (signal sources, filter, etc.) and interconnections


OpenBTS - Structure

(See http://gnuradio.org/)


OpenBTS - Hardware

USRP: Universal Software Radio Peripheral from Ettus with Daughterboard(s) for GSM band

(See https://www.ettus.com/)


OpenBTS - Hardware - Out of the Box Appliance

Development Kit from RangeNetworks

- SDR + Mini PC
- OpenBTS, Asterisk, Ubuntu 10.04, subscriber registry and SMS server
- Ready to start
(See http://www.rangenetworks.com/)

- fairwaves Dev Kit January 2013
- rudimentary BTS with mobile phone (Calypso GSM chipset)

OpenBSC

- Open Source implementation of a BSC
- Abis interface between BTS and BSC
- Integrates one or more existing BTS to the system
- Implements some GSM subsystems like MSC, HLR (but not their interfaces)
- A5/1 A5/2 A5/3
- "Closer" to carrier operated networks


OpenBSC

The project is divided in following modules:

- Osmo-nitb: standalone GSM network-in-a-box with BSC, MSC, HLR, AuC and EIR
- Osmo-bsc: BSC-only mode, can connect to an existing GSM network (A/SCCP)
- Osmo-sgsn: Serving GPRS Support Node


OpenBSC - Hardware

Con vs OpenBTS:

- Works only with certain BTS stations
- Hardware hard to get
- Hardware mostly expensive

Pro vs OpenBTS:

- A5 Encryption
- "Closer" to a real commercial GSM network


OsmocomBB

- Open Source Mobile Communications Baseband
- Implements Layer 1 - 3 of the GSM protocol (Air Interface) on client side
- Runs on mobile phones with "Calypso" chipset (like Motorola C123, Neo Freerunner)


BA/MA/PR in Mobile Security

If you are interested in mobile security research we provide:


- Practical work
- Bachelor thesis
- Master thesis


Conclusion

- Mobile phones get more and more complex, "Complexity is the worst enemy of security" (Schneier)
- Increased dependency on mobile phones in daily life, e.g., payment, contacts, ...
- Research in the mobile phone area required
- Test systems for further research important


Thank You!

http://security.inso.tuwien.ac.at/
