INSO - Industrial Software | Institut für Rechnergestützte Automation | Fakultät für Informatik | Technische Universität Wien
Agenda
Introduction
Mobile Threat Statistics
SMS
Android USSD Exploit
Recent Vulnerabilities
Build a GSM Test System
GSM network structure
Organizational Aspects
The evaluation by students takes place between 13.11.2012 and 13.02.2013. Please participate in the course evaluation in TISS, also if you liked the course :-)
You can also give us feedback during our office hours, via e-mail or using the TISS feedback box feature (Stimmungszettel).
You help us to improve the course! Thank you!
Adv. Security for Systems Engineering WS12 | Mobile
Introduction
Mobile devices get more and more important for daily life: contacts, e-mail, calendar, banking, payment, ...
Who cares about the security of the mobile device?
What security issues arise for mobile devices? Integrity, Authenticity, Confidentiality
Attack surfaces: GSM, WLAN, NFC, Bluetooth, ...
Telephony is just another app
Mobile Threat Statistics
Symbian: 21 new families and variants were discovered in the third quarter of 2012, a 17% increase compared to the second quarter
Android: 51,447 unique samples detected, after Bouncer was introduced as an additional security layer in the Android Play Store (Google: Bouncer dropped malicious apps by 40%)
Example of a threat for multiple mobile platforms (Android, Symbian, iOS, and Windows Mobile): FinSpy takes screenshots, logs keystrokes, intercepts Skype communications, tracks the device location, and monitors SMS and call activity on the device
Example for iOS and Android: the Fidall app sends the contacts from the device to a remote server, then sends spam SMS messages to the contacts with a download link for the application
(See F-Secure, Mobile Threat Report Q3/2012)
SMS
Message Disclosure
No encryption of the content
Interception during transmission
Confidentiality of the message on the mobile phone (e.g., spyware, lost devices)
Man-in-the-Middle attacks, e.g., see Nico Golde at 29C3, "Let Me Answer That for You"
DoS Attacks
Killer SMS to attack the mobile device
Flooding to overload the network infrastructure
Spoofing
Similar to e-mail, there is no protection against spoofing the sender address
A mobile phone's microphone can be activated for eavesdropping
Remote activation is also possible
The eavesdropping technique functioned whether the phone was powered on or off
(See Schneier, http://www.schneier.com/blog/archives/2006/12/remotely_eavesd_1.html)
Other examples:
Specific apps are available to turn one's own phone into a spy phone
Intercepting Bluetooth connections, e.g., headsets or cars (Tool: The Car Whisperer)
VoIP Cisco phones (not a mobile phone, but a similar attack): see Ang Cui, "Hacking Cisco Phones" (29C3)
USSD
USSD is a protocol to communicate with your service provider
USSD codes can be used, e.g., to enable/disable international roaming
Manufacturers use USSD codes to invoke phone functions
Dialing *#06# shows your IMEI
Android USSD Exploit
Causes your Android phone to dial *#350#
*#350# is the command for rebooting your phone (Samsung Android variant)
Why is it dangerous?
Wipe your phone remotely without confirmation (Samsung)
Kill your SIM card (HTC, Motorola)
Can be exploited via URL, SMS, QR code
Fixed with Android 4.1 - 93% of all Android phones are vulnerable!
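The root cause of the exploit above is a dialer that executes MMI/USSD strings received in a tel: URI without asking the user. As an added example (not from the slides), the following check separates plain phone numbers from MMI/USSD control strings so that a dialer can prompt for, or refuse, the latter; the sample URIs are constructed, and the only code used is the *#06# IMEI code from the slides.

```python
# Added example, not from the lecture: a guard for tel: URIs that a dialer may
# receive from a web page, an SMS link or a QR code. Anything that still
# contains '*' or '#' after percent-decoding is an MMI/USSD string and must
# never be auto-dialled; only plain numbers are safe to dial without a prompt.
from urllib.parse import unquote

# Constructed sample URIs. "%23" is the URL encoding of "#": inside a link a
# USSD code has to be written this way, because a bare "#" starts the fragment.
SAMPLE_URIS = [
    "tel:+4315880100",        # ordinary E.164 number
    "tel:*%2306%23",          # *#06# -> shows the IMEI (code from the slides)
    "tel:%2A%2306%23",        # same code, fully percent-encoded
    "tel:0800%20123",         # number with an encoded space
    "tel:+43(1)5880100",      # number with separators
    "tel:",                   # empty target
]

MMI_CHARS = set("*#")
DIAL_CHARS = set("0123456789+ -().")

def classify_tel_uri(uri):
    """Return (kind, value); kind is 'dial', 'mmi' or 'invalid'."""
    if not uri.lower().startswith("tel:"):
        return ("invalid", "")
    # Decode *before* inspecting: an encoded '#' is still a '#' to the dialer.
    target = unquote(uri[4:]).strip()
    if not target:
        return ("invalid", "")
    if MMI_CHARS & set(target):
        return ("mmi", target)          # hand to the user, never auto-dial
    if not set(target) <= DIAL_CHARS:
        return ("invalid", target)      # letters, '%' (double encoding), ...
    digits = "".join(c for c in target if c.isdigit())
    if not digits:
        return ("invalid", target)
    return ("dial", ("+" if target.startswith("+") else "") + digits)

def safe_to_autodial(uri):
    """Only plain numbers may be dialled without a confirmation prompt."""
    return classify_tel_uri(uri)[0] == "dial"

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        kind, value = classify_tel_uri(u)
        action = "auto-dial" if safe_to_autodial(u) else "prompt / deny"
        print(f"{u:22} -> {kind:7} {value!r:16} {action}")
```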
Recent Vulnerabilities
Permission misconfiguration: R/W access to /dev/exynos-mem for all users
Permits RAM dumps, code injection, ...
2012-11-24: Windows Phone 8 malware prototype presented at MalCon
2012-09-25: Samsung smartphones vulnerable to remote wipe exploit
Recent Vulnerabilities
An SMS can have an additional reply-to header set
Most carriers do not check this header
iOS shows the reply-to number as the sender
Could be used for phishing, misusing trust relationships, ...
2012-08-08: DoS vulnerability affects older iPhones, Droids, even a Ford car
Firmware bug in wireless chips used by some phone models
Prepared 802.11 frames are used to disable wireless connectivity
Out-of-bounds read error condition (improper length check? integer over/underflow?)
Recent Vulnerabilities
NFC tags can contain URLs, phone numbers, ...
The smartphone automatically executes actions based on NFC communication
Dial expensive toll numbers, trigger web-based exploits, ...
Drive-by download: an attack on a popular browser engine breaks most OSes!
Used for eavesdropping and location monitoring
IMSI Detach
When the phone is turned off, it sends a detach message to the GSM network
This message is unauthenticated
If you know the IMSI of someone's phone, you can interrupt their calls
Sending detach messages periodically jams a specific phone
Baseband Fuzzing
Attacks GSM Layers 1 - 3 on mobile stations
Could be used to find exploits in GSM baseband implementations
Hard, source code (SRC) needed
However, fuzzing the traffic sent to the MS crashes most phones
The same could be done from the MS towards the BTS
GSM network structure
(See http://bsi.bund.de/)
MS - Mobile Station
Consists of Mobile Equipment (ME), e.g. a GSM phone, and the Subscriber Identity Module (SIM)
The SIM uses the algorithms for Authentication (A3) and Key Generation (A8) to secure communication
Stores IMSI and Ki (secret key)
BSS - Base Station Subsystem
Takes care of all radio communication aspects
Connects the MS with the GSM network using the Air Interface (Um)
Consists of BTS and BSC
BTS - Base Transceiver Station
Sends data to / receives data from the MS
Supplies at least one radio cell (more when using sectorial antennas)
Synchronisation, encryption, determines radio reception level/quality
BSC - Base Station Controller
The "intelligence" of the BSS
Controls one or more BTS
Controls power output
Handover to its own BTS if applicable, to the MSC otherwise
MSC - Mobile Switching Centre
Routing between BSS and telephone network (SS7)
Interfaces to BSC, other MSCs and other GSM network components
Multiple BSCs assigned
Handles all incoming and outgoing calls of the related network segment
Transcoder and Rate Adaption Unit (TRAU): between BTS and BSC or BSC and MSC, speech encoding/decoding
Home Location Register (HLR): telephone number, IMSI, allowed services, location, ...
Visitor Location Register (VLR): roaming
Authentication Center (AuC): stores IMSI, Ki and LAI, generates key triplets
Short Message Service Centre (SMSC)
Equipment Identity Register (EIR)
+ Constituent parts for GPRS and UMTS
Identities (GSM)
IMEI: serial number of the mobile phone
IMSI: worldwide unique ID, assigned to the SIM
MSISDN: telephone number belonging to the IMSI
TMSI: temporary IMSI (like a session key), stored temporarily on the SIM at power off
Ki: Subscriber Authentication Key
PIN
LAI: Location Area Identity
Kc: encryption key for the Air Interface
GSM
Ki: secret key, on the SIM card and in the HLR, 128 bit
A3: used for authentication within the network (SIM)
A8: calculates the cipher key Kc (SIM)
A5/x: uses the cipher key Kc
Authentication MS - BSS
Encryption MS - BSS
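The authentication and ciphering exchange these two slides depict, using the Ki, A3, A8 and Kc from the GSM slide above, as an added example that is not part of the lecture material. The real A3/A8 are operator-specific algorithms (COMP128 in many SIMs); this simulation substitutes HMAC-SHA256 for them, which is an assumption of the example, not GSM.

```python
# Added example, not from the slides: GSM challenge-response authentication
# and key agreement between SIM/MS and the network (AuC/HLR -> MSC/VLR).
# A3/A8 are modelled with HMAC-SHA256 as a stand-in (assumption). Sizes follow
# GSM: Ki 128 bit, RAND 128 bit, SRES 32 bit, Kc 64 bit.
import hashlib
import hmac
import os

def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication: SRES = A3(Ki, RAND), 32 bit (stand-in construction)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Key generation: Kc = A8(Ki, RAND), 64 bit (stand-in construction)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def auc_triplet(ki: bytes, rand: bytes = None):
    """AuC side: the triplet (RAND, SRES, Kc) handed to the MSC/VLR.
    Ki never leaves the AuC/SIM; only the triplet travels in the core network."""
    rand = rand if rand is not None else os.urandom(16)
    return (rand, a3(ki, rand), a8(ki, rand))

def ms_respond(ki_on_sim: bytes, rand: bytes):
    """SIM side: answers any RAND it receives. The MS cannot tell who sent the
    RAND: GSM authenticates the subscriber to the network only, not the network
    to the subscriber, which is why a test BTS such as OpenBTS can attract phones."""
    return (a3(ki_on_sim, rand), a8(ki_on_sim, rand))

def network_verify(triplet, sres_from_ms: bytes) -> bool:
    """MSC/VLR side: compare SRES in constant time. On success the Kc from the
    triplet is passed to the BTS and used for A5/x ciphering on Um."""
    return hmac.compare_digest(triplet[1], sres_from_ms)

def run_auth(ki_auc: bytes, ki_sim: bytes, rand: bytes = None):
    """Whole exchange; returns (authenticated, kc_network, kc_ms)."""
    triplet = auc_triplet(ki_auc, rand)
    sres, kc_ms = ms_respond(ki_sim, triplet[0])
    return (network_verify(triplet, sres), triplet[2], kc_ms)

if __name__ == "__main__":
    ki = bytes(range(16))                      # constructed demo Ki
    ok, kc_net, kc_ms = run_auth(ki, ki)
    print("genuine SIM:", ok, "same Kc on both sides:", kc_net == kc_ms)
    ok, _, _ = run_auth(ki, bytes(16))         # SIM with a wrong Ki
    print("wrong Ki:", ok)
```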
OpenBTS
Open Source implementation of the Air (Um) Interface between MS and BTS
Based on GnuRadio
Utilizes a Software Defined Radio (SDR) as hardware
Open Source and commercial variants
2G (GSM) features: calls and SMS
Backend software: Asterisk
No GSM encryption (A5/1, A5/2, A5/3) support (yet)
GnuRadio
Software library for Software Defined Radio
Runs on cheap hardware
Defines graphs for signal processing, built from functional blocks (signal sources, filters, etc.) and their interconnections
OpenBTS - Structure
(See http://gnuradio.org/)
OpenBTS - Hardware
USRP: Universal Software Radio Peripheral from Ettus with Daughterboard(s) for GSM band
(See https://www.ettus.com/)
SDR + Mini PC
OpenBTS, Asterisk, Ubuntu 10.04, subscriber registry and SMS server
Ready to start
(See http://www.rangenetworks.com/)
fairwaves Dev Kit, January 2013: rudimentary BTS built from a mobile phone (Calypso GSM chipset)
OpenBSC
Open Source implementation of a BSC
Abis interface between BTS and BSC
Integrates one or more existing BTS into the system
Implements some GSM subsystems like MSC and HLR (but not their interfaces)
A5/1, A5/2, A5/3
"Closer" to carrier-operated networks
OpenBSC
Osmo-nitb: standalone GSM network-in-a-box with BSC, MSC, HLR, AuC and EIR
Osmo-bsc: BSC-only mode, can connect to an existing GSM network (A/SCCP)
Osmo-sgsn: Serving GPRS Support Node
OpenBSC - Hardware
Con vs OpenBTS:
Works only with certain BTS stations
Hardware hard to get
Hardware mostly expensive
Pro vs OpenBTS:
OsmocomBB
Open Source Mobile Communications Baseband
Implements Layers 1 - 3 of the GSM protocol (Air Interface) on the client side
Runs on mobile phones with the "Calypso" chipset (like Motorola C123, Neo Freerunner)
Conclusion
Mobile phones get more and more complex; complexity is the worst enemy of security (Schneier)
Increased dependency on mobile phones in daily life, e.g., payment, contacts, ...
Research in the mobile phone area is required
Test systems are important for further research
Thank You!
http://security.inso.tuwien.ac.at/