securitatea mobila - atacuri prin sms

of 41 /41
Securitate Securitate mobila mobila Atacuri Atacuri prin prin SMS SMS Prezentator Prezentator : : Bogdan Bogdan ALECU ALECU http://m http://m - - sec.net sec.net Twitter: @ Twitter: @ msecnet msecnet

Upload: defcamp

Post on 19-Jan-2015

370 views

Category:

Technology


3 download

DESCRIPTION

 

TRANSCRIPT

Page 1: Securitatea mobila - Atacuri prin SMS

SecuritateSecuritate mobilamobila ––

AtacuriAtacuri prinprin SMSSMS

PrezentatorPrezentator::

BogdanBogdan ALECUALECU

http://mhttp://m--sec.netsec.net

Twitter: @Twitter: @msecnetmsecnet

Page 2: Securitatea mobila - Atacuri prin SMS

InformatiiInformatii generalegenerale despredespre SMSSMS

AmenintariAmenintari

WAPWAP

InterceptareInterceptare trafictrafic de datede date

DemoDemo

Page 3: Securitatea mobila - Atacuri prin SMS

InformatiiInformatii generalegenerale

SMS SMS -- Short Message Service Short Message Service reprezintareprezinta un un mod de mod de comunicarecomunicare prinprin mesajemesaje text text intreintretelefoaneletelefoanele mobile / mobile / fixefixe, , utilizandutilizand un protocol un protocol standardizatstandardizat. . EsteEste un mod de un mod de comunicarecomunicareeficaceeficace; ; utilizatorulutilizatorul scriescrie un text, un text, apasaapasa SEND SEND sisimesajulmesajul e e livratlivrat aproapeaproape instant instant catrecatre destinatardestinatar. .

FolositFolosit pentrupentru maimai multemulte scopuriscopuri: MMS : MMS ––Multimedia Messaging Service, OTA Multimedia Messaging Service, OTA –– Over The Over The Air Air –– configurareaconfigurarea telefonuluitelefonului, , notificarinotificari pentrupentrumesageriamesageria vocalavocala, email, fax, , email, fax, microplatimicroplati –– plataplataunorunor sumesume micimici pentrupentru diferitediferite serviciiservicii => => SECURITATE!SECURITATE!

Page 4: Securitatea mobila - Atacuri prin SMS

InformatiiInformatii generalegenerale

““Un Un dispozitivdispozitiv mobilmobil activactiv trebuietrebuie sasa fie fie

capabilcapabil de a de a primiprimi un un mesajmesaj scurtscurt de de

tipultipul TPDU TPDU -- Transfer protocol data unit Transfer protocol data unit

-- (SMS(SMS--DELIVER) in DELIVER) in oriceorice moment, moment,

indiferentindiferent dacadaca existaexista un un apelapel sausau trafictrafic

de date in de date in derularederulare. Un . Un raportraport vava fifi

trimistrimis intotdeaunaintotdeauna catrecatre SC (SC (ServiciulServiciul

de de mesajemesaje); ); confirmandconfirmand fie ca fie ca teltel a a

primitprimit mesajulmesajul sausau ca ca mesajulmesajul nunu a a fostfost

livratlivrat, , incluzindincluzind sisi motivulmotivul refuzuluirefuzului..””

ETSI TS 100 901 V7.5.0 (2001ETSI TS 100 901 V7.5.0 (2001--12), 12), pagpag

1313

Page 5: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

SMS SPAMSMS SPAM

SMS spoofingSMS spoofing

NotificariNotificari SMSSMS

AlteAlte tipuritipuri

Page 6: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

SMS SPAMSMS SPAM

CompaniileCompaniile oferaofera serviciiservicii de de publicitatepublicitate

prinprin SMSSMS

MesajeMesaje cu cu castiguricastiguri falsefalse

InginerieInginerie socialasociala –– ““SunaSuna--ma urgent ma urgent pepe nr nr

astaasta: 0900323421! Mama: 0900323421! Mama””

Page 7: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

SMS SpoofingSMS Spoofing

ServiciiServicii online online cece permit permit modificareamodificarea

expeditoruluiexpeditorului (numeric / (numeric / alfanumericalfanumeric))

GreuGreu de de opritoprit, , maimai ales ales dacadaca tinemtinem cont de cont de

roamingroaming

EficientaEficienta maimai mare in mare in atacurileatacurile de tip de tip

inginerieinginerie socialasociala

Page 8: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

NotificariNotificari SMSSMS

VoicemailVoicemail

FaxFax

EE--mailmail

VideoVideo

UtilizatorulUtilizatorul nunu poatepoate scoatescoate iconicon--ulul de de

notificarenotificare asupraasupra primiriiprimirii unuiunui astfelastfel de de

mesajmesaj

Page 9: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

NotificariNotificari SMS SMS

(voicemail)(voicemail)

Page 10: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

NotificariNotificari SMS SMS

(email)(email)

Page 11: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

AlteAlte tipuritipuri

Flash SMS (Class 0) Flash SMS (Class 0) –– utilizatorulutilizatorul vedevede

mesajulmesajul direct, direct, farafara a intra in Inboxa intra in Inbox

Silent SMS Silent SMS –– DCS 0xC0 = Message Waiting DCS 0xC0 = Message Waiting

Indication Group: Discard MessageIndication Group: Discard Message

Page 12: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

AlteAlte tipuritipuri

Flash SMSFlash SMS

Page 13: Securitatea mobila - Atacuri prin SMS

AmenintariAmenintari -- SMSSMS

AlteAlte tipuritipuri

Silent SMSSilent SMS

Page 14: Securitatea mobila - Atacuri prin SMS

WAPWAP

Wireless Application ProtocolWireless Application Protocol

Arhitectura de Arhitectura de retearetea specificaspecifica

Set de reguliSet de reguli

Limbaj specificLimbaj specific: Wireless Markup Language : Wireless Markup Language (WML)(WML)

PaginiPagini HTML HTML ajustateajustate pentrupentru dimensiuneadimensiuneaecranuluiecranului telefonuluitelefonului

Page 15: Securitatea mobila - Atacuri prin SMS

WAPWAP

Page 16: Securitatea mobila - Atacuri prin SMS

WAP PushWAP Push

PermitePermite trimitereatrimiterea de de continutcontinut WAP cu o WAP cu o

interventieinterventie minima din minima din parteapartea utilizatoruluiutilizatorului

2 2 tipuritipuri: Service Indication / Service Load: Service Indication / Service Load

Page 17: Securitatea mobila - Atacuri prin SMS

WAP PushWAP Push

Service Indication (SI) Service Indication (SI) permitepermite trimitereatrimiterea

de de notificarinotificari utilizatoruluiutilizatorului intrintr--un mod un mod

asincronasincron

Page 18: Securitatea mobila - Atacuri prin SMS

WAP PushWAP Push

Service Indication (SI)Service Indication (SI)

Page 19: Securitatea mobila - Atacuri prin SMS

WAP PushWAP Push

Service Load (SL) Service Load (SL) determinadetermina ““aplicatiaaplicatia”” de de

pepe telefontelefon sasa incarceincarce sisi execute un execute un

serviciuserviciu

Page 20: Securitatea mobila - Atacuri prin SMS

WAP PushWAP Push

Service Load (SL)Service Load (SL)

Page 21: Securitatea mobila - Atacuri prin SMS

WAP Push WAP Push -- securitatesecuritate

TeoriaTeoria: : DoarDoar un un anumitanumit numarnumar esteeste autorizatautorizat pentrupentrutrimiteretrimitere; ; PracticaPractica: : dacadaca nunu e e configuratconfigurat binebine, un , un telefontelefonacceptaaccepta de la de la oriceorice numarnumar astfelastfel de de mesajemesaje

PePe Windows Mobile Windows Mobile trebuiesctrebuiesc verificateverificate setarilesetarile din din HKLMHKLM\\SecuritySecurity\\PoliciesPolicies\\PoliciesPolicies

; SL Message Policy ; (default: SECROLE_PPG_TRUSTED) ; SL Message Policy ; (default: SECROLE_PPG_TRUSTED) [HKEY_LOCAL_MACHINE[HKEY_LOCAL_MACHINE\\SecuritySecurity\\PoliciesPolicies\\Policies] Policies] "0000100c"=dword:800 ; SI Message Policy ; (default: "0000100c"=dword:800 ; SI Message Policy ; (default: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED) SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED) [HKEY_LOCAL_MACHINE[HKEY_LOCAL_MACHINE\\SecuritySecurity\\PoliciesPolicies\\Policies] Policies] "0000100d"=dword:c00 "0000100d"=dword:c00

Page 22: Securitatea mobila - Atacuri prin SMS

WAP Push WAP Push -- securitatesecuritate

SECROLE_PPG_TRUSTED: Trusted Push Proxy SECROLE_PPG_TRUSTED: Trusted Push Proxy Gateway. Messages assigned this role indicate Gateway. Messages assigned this role indicate that the content sent by the Push Initiator is that the content sent by the Push Initiator is trusted by the Push Proxy Gateway. This role trusted by the Push Proxy Gateway. This role implies that the device trusts the Push Proxy implies that the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).Gateway (SECROLE_TRUSTED_PPG).

SECROLE_PPG_AUTH: Push Initiator SECROLE_PPG_AUTH: Push Initiator Authenticated. Messages assigned this role Authenticated. Messages assigned this role indicate that the Push Initiator is authenticated by indicate that the Push Initiator is authenticated by the Push Proxy Gateway. This role implies that the Push Proxy Gateway. This role implies that the device trusts the Push Proxy Gateway the device trusts the Push Proxy Gateway (SECROLE_TRUSTED_PPG).(SECROLE_TRUSTED_PPG).

Page 23: Securitatea mobila - Atacuri prin SMS

WAP Push WAP Push -- securitatesecuritate

Page 24: Securitatea mobila - Atacuri prin SMS

WAPWAP

ConfigurareaConfigurarea telefonuluitelefonului pentrupentru accesacces la Internet la Internet

/ date / date poatepoate fifi facutafacuta manualmanual

PentruPentru o o configurareconfigurare maimai usoarausoara, , rapidarapida sisi

pentrupentru eventualeleeventualele schimbarischimbari, a , a fostfost creatcreat un un

standard standard cece permitepermite configurareaconfigurarea de la de la distantadistanta

ProgramareaProgramarea Over The Air (OTA) Over The Air (OTA) folosestefoloseste

standardulstandardul OMA OMA –– Open Mobile AllianceOpen Mobile Alliance

ProgramareaProgramarea se face se face prinprin SMSSMS--uriuri special special

conceputeconcepute

Page 25: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

FolosesteFoloseste protocolulprotocolul WAPWAP

WBXML (WAP Binary XML) WBXML (WAP Binary XML) prinprin Wireless Wireless

Application EnvironmentApplication Environment

Wireless Session ProtocolWireless Session Protocol

Wireless Datagram ProtocolWireless Datagram Protocol

SMSSMS

Page 26: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

ConfigurareaConfigurarea se se scriescrie in XML (conform in XML (conform

specificatiilorspecificatiilor de la de la

http://http://www.openmobilealliance.orgwww.openmobilealliance.org))

XMLXML--ulul se se vava codificacodifica in WAP Binary XMLin WAP Binary XML

WBXML se WBXML se vava encapsulaencapsula intrintr--oo data de tip data de tip

Wireless Session Protocol Wireless Session Protocol

DateleDatele se se vorvor codificacodifica intrintr--un un mesajmesaj Push, Push, definitdefinit

in Wireless Session Protocolin Wireless Session Protocol

Page 27: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

MesajulMesajul Push Push continecontine diferitidiferiti parametriparametri, ,

unulunul fiindfiind parametrulparametrul ““SECSEC”” pentrupentru

autentificareautentificare pepe bazabaza de de ““cheiecheie”” comunacomuna

USERPIN: string ASCII USERPIN: string ASCII codificatcodificat in in

zecimalezecimale

NETWPIN: NETWPIN: cheiacheia esteeste specificaspecifica reteleiretelei sisi

cunoscutacunoscuta ((teoreticteoretic) ) doardoar de de catrecatre operatoroperator

USERNETWPIN: USERNETWPIN: combinatiecombinatie a a celorcelor 22

Page 28: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

NETWPIN: IMSI = MCC+MNC+MSIN NETWPIN: IMSI = MCC+MNC+MSIN

(Mobile Subscription Identification (Mobile Subscription Identification

Number)Number)

PretPret: 2: 2--5 euro5 euro--centicenti

In general In general limitatlimitat pentrupentru companiicompanii, se , se cerecere

un un volumvolum mare de mare de interogariinterogari

Page 29: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

<<wapwap--provisioningdocprovisioningdoc>>

<characteristic type="NAPDEF"><characteristic type="NAPDEF">

<<parmparm name="NAME" value="name="NAME" value="NewAPNNewAPN"/>"/>

<<parmparm name="NAPID" value="name="NAPID" value="NewAPN_NAPID_MENewAPN_NAPID_ME"/>"/>

<<parmparm name="BEARER" value="GSMname="BEARER" value="GSM--GPRS"/>GPRS"/>

<<parmparm name="NAPname="NAP--ADDRESS" value="ADDRESS" value="apn.operator.roapn.operator.ro"/>"/>

<<parmparm name="NAPname="NAP--ADDRTYPE" value="APN"/>ADDRTYPE" value="APN"/>

</characteristic></characteristic>

<characteristic type=<characteristic type=““APPLICATION">APPLICATION">

<<parmparm name="NAME" value="name="NAME" value="NewAPNNewAPN"/>"/>

<<parmparm name="APPID" value="w2"/>name="APPID" value="w2"/>

<<parmparm name="TOname="TO--NAPID" value="NAPID" value="NewAPN_NAPID_MENewAPN_NAPID_ME"/>"/></characteristic></characteristic>

<<wapwap--provisioningdocprovisioningdoc>>

Page 30: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

<<wapwap--provisioningdocprovisioningdoc> > -- continecontine toatatoata informatiainformatiatransmisatransmisa

<characteristic <characteristic ……> > -- grupeazagrupeaza informatiainformatia in in unitatiunitatilogicelogice

<<…… value="NAPDEF"/> value="NAPDEF"/> -- configuramconfiguram un un nounounetwork access pointnetwork access point

<<parmparm name="APPID" value="w2"/> name="APPID" value="w2"/> --mapeazamapeaza configuratiaconfiguratia la la activitatileactivitatile de de browsingbrowsing

InformatiiInformatii la la http://http://www.openmobilealliance.orgwww.openmobilealliance.org

Page 31: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

<<wapwap--provisioningdocprovisioningdoc>>

<characteristic type="BOOTSTRAP"><characteristic type="BOOTSTRAP">

<<parmparm name="NAME" value=name="NAME" value=““Operator NET"/>Operator NET"/>

<<parmparm name="PROXYname="PROXY--ID" ID" value="value="OpNET_ProxyOpNET_Proxy"/>"/>

</characteristic></characteristic>

<characteristic type="NAPDEF"><characteristic type="NAPDEF">

<<parmparm name="NAME" value="name="NAME" value="OpNETOpNET"/>"/>

<<parmparm name="NAPID" value="name="NAPID" value="OpNET_NAPIDOpNET_NAPID"/>"/>

<<parmparm name="BEARER" value="GSMname="BEARER" value="GSM--GPRS"/>GPRS"/>

<<parmparm name="NAPname="NAP--ADDRESS" value="net"/>ADDRESS" value="net"/>

<<parmparm name="NAPname="NAP--ADDRTYPE" value="APN"/>ADDRTYPE" value="APN"/>

</characteristic></characteristic>

Page 32: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

<characteristic type="PXLOGICAL"><characteristic type="PXLOGICAL">

<<parmparm name="NAME" value="name="NAME" value="OpNETOpNET"/>"/>

<<parmparm name="PROXYname="PROXY--ID" value="ID" value="OpNET_ProxyOpNET_Proxy"/>"/>

<characteristic type="PXPHYSICAL"><characteristic type="PXPHYSICAL">

<<parmparm name="PHYSICALname="PHYSICAL--PROXYPROXY--ID" ID" value="value="OpNET_PhProxyOpNET_PhProxy"/>"/>

<<parmparm name="PXADDR" value=name="PXADDR" value=““192.168.1.1"/>192.168.1.1"/>

<<parmparm name="PXADDRTYPE" value="IPV4"/>name="PXADDRTYPE" value="IPV4"/>

<<parmparm name="TOname="TO--NAPID" value="NAPID" value="OpNET_NAPIDOpNET_NAPID"/>"/>

<characteristic type="PORT"><characteristic type="PORT">

<<parmparm name="PORTNBR" value="8080"/>name="PORTNBR" value="8080"/>

</characteristic></characteristic>

</characteristic></characteristic>

</characteristic></characteristic>

Page 33: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

<characteristic type="APPLICATION"><characteristic type="APPLICATION">

<<parmparm name="APPID" value="w2"/>name="APPID" value="w2"/>

<<parmparm name="NAME" value="name="NAME" value="OpNETOpNET"/>"/>

<<parmparm name="TOname="TO--PROXY" PROXY" value="value="OpNET_ProxyOpNET_Proxy"/>"/>

<characteristic type="RESOURCE"><characteristic type="RESOURCE">

<<parmparm name="NAME" value="name="NAME" value="OpNETOpNET"/>"/>

<<parmparm name="URI" name="URI" value="http://value="http://www.google.comwww.google.com"/>"/>

<<parmparm name="STARTPAGE"/>name="STARTPAGE"/>

</characteristic></characteristic>

</characteristic></characteristic>

</</wapwap--provisioningdocprovisioningdoc>>

Page 34: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

TeoreticTeoretic aceastaaceasta configurareconfigurare poatepoate fifi facutafacuta

doardoar de de catrecatre operator, de la un operator, de la un numarnumar

predefinitpredefinit

PutemPutem analizaanaliza SMSSMS--ulul prinprin WireSharkWireShark

PutemPutem adaugaadauga un alt un alt numarnumar

Page 35: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning<?xml version="1.0"?><?xml version="1.0"?>

<!DOCTYPE <!DOCTYPE wapwap--provisioningdocprovisioningdoc PUBLIC "PUBLIC "--//WAPFORUM//DTD PROV 1.0//EN" //WAPFORUM//DTD PROV 1.0//EN" "http://"http://www.wapforum.org/DTD/prov.dtdwww.wapforum.org/DTD/prov.dtd">">

<<wapwap--provisioningdocprovisioningdoc version="1.1">version="1.1">

<characteristic type="BOOTSTRAP"><characteristic type="BOOTSTRAP">

<<parmparm name="NAME" value=name="NAME" value=““NumeNume"/>"/>

</characteristic></characteristic>

<characteristic type="PXLOGICAL"><characteristic type="PXLOGICAL">

<<parmparm name="NAME" value=name="NAME" value=““NumeNume"/>"/>

<<parmparm name="PROXYname="PROXY--ID" value="ID" value="Trusted_ProxyTrusted_Proxy"/>"/>

<<parmparm name="NAME" value="Trusted Proxy"/>name="NAME" value="Trusted Proxy"/>

<characteristic type="PXPHYSICAL"><characteristic type="PXPHYSICAL">

<<parmparm name="PHYSICALname="PHYSICAL--PROXYPROXY--ID" value="ID" value="Trusted_PhProxyTrusted_PhProxy"/>"/>

<<parmparm name="PXADDR" value="40711111111"/>name="PXADDR" value="40711111111"/>

<<parmparm name="PXADDRTYPE" value="E164"/>name="PXADDRTYPE" value="E164"/>

<<parmparm name="TOname="TO--NAPID" value="NAPID" value="Trusted_NAPIDTrusted_NAPID"/>"/>

<<parmparm name="PUSHENABLED" value="1"/>name="PUSHENABLED" value="1"/>

<<parmparm name="PULLENABLED" value="1"/>name="PULLENABLED" value="1"/>

</characteristic></characteristic>

</characteristic></characteristic>

<characteristic type="NAPDEF"><characteristic type="NAPDEF">

<<parmparm name="NAME" value="Op"/>name="NAME" value="Op"/>

<<parmparm name="NAPID" value="name="NAPID" value="Trusted_NAPIDTrusted_NAPID"/>"/>

<<parmparm name="BEARER" value="GSMname="BEARER" value="GSM--SMS"/>SMS"/>

<<parmparm name="NAME" value="Trusted Proxy"/>name="NAME" value="Trusted Proxy"/>

<<parmparm name="NAPname="NAP--ADDRESS" value=" 40711111111 "/>ADDRESS" value=" 40711111111 "/>

<<parmparm name="NAPname="NAP--ADDRTYPE" value="E164"/>ADDRTYPE" value="E164"/>

</characteristic></characteristic>

Page 36: Securitatea mobila - Atacuri prin SMS

WAP WAP -- provisioningprovisioning

<<wapwap--provisioningdocprovisioningdoc>>

<characteristic type="<characteristic type="NetworkPolicyNetworkPolicy">">

<characteristic type="<characteristic type="WiFiWiFi">">

<characteristic type="Settings"><characteristic type="Settings">

<<parmparm name="Disabled" value="1"/>name="Disabled" value="1"/>

</characteristic></characteristic>

</characteristic></characteristic>

</characteristic></characteristic>

</</wapwap--provisioningdocprovisioningdoc>>

Page 37: Securitatea mobila - Atacuri prin SMS

InterceptareInterceptare trafictrafic

TraficulTraficul trecetrece prinprin proxyproxy--ulul nostrunostru

VariantaVarianta 1 1 –– Burp ProxyBurp Proxy

Page 38: Securitatea mobila - Atacuri prin SMS

InterceptareInterceptare trafictrafic

TraficulTraficul trecetrece prinprin proxyproxy--ulul nostrunostru

VariantaVarianta 2 2 –– sslstripsslstrip

http://http://www.thoughtcrime.org/software/sslstripwww.thoughtcrime.org/software/sslstrip//

Page 39: Securitatea mobila - Atacuri prin SMS

InterceptareInterceptare trafictrafic

DEMODEMO

Page 40: Securitatea mobila - Atacuri prin SMS

ProtectieProtectie

OperatorulOperatorul poatepoate filtrafiltra acesteaceste tipuritipuri de de mesajemesaje

ProducatoriiProducatorii de de telefoanetelefoane trebuietrebuie sasa se se concentrezeconcentreze maimai multmult pepe securitatesecuritate

VerificatiVerificati constant (la constant (la felfel cum cum facetifaceti cu cu facturafactura / / creditulcreditul disponibildisponibil) ) setarilesetarile de de InternetInternet

Page 41: Securitatea mobila - Atacuri prin SMS

IntrebariIntrebari??