Black Hat: Easier SMS scams
Only a small minority of today's hundreds of millions of email users remember a time when all email was trusted and inboxes contained only wanted messages. However, probably all of those users still feel safe trusting anything their GSM phones receive via SMS and its fancier versions, MMS and EMS. Yesterday at the Black Hat conference, Zane Lackey, senior security consultant with iSec Partners, and independent security researcher Luis Miras demonstrated that it isn't safe to trust SMS, either.
Lackey and Miras began with a demonstration: they sent a text message that offered the victim a free $20 credit if they logged into the Web link provided to get it added to their account. The kicker: the message appeared to come from 611, the number most US carriers use for customer service. Anyone receiving it could be excused for thinking it was a legitimate offer instead of a scam.
Mobile phone messaging offers unusual opportunities to attackers: it is always on, and its functionality keeps expanding to include ringtones, videos, and pictures. "The attack surface really opened up in SMS."
Early mobile phones ran custom operating systems that varied even between minor releases. Most of today's much smarter phones, however, use a commodity operating system such as Windows Mobile or Linux. The 17 million (and counting) iPhones sold are even more mono-cultural than desktop Windows, because mobile phone users typically have much less opportunity to customise their configuration. All of that opens the way for attacks. "The technology hurdles for attackers are dropping," said Miras.
Every SMS – using SMS as an umbrella term to include MMS and EMS – passes through a store-and-forward system that involves one or more servers and may require several conversions to pass between carriers who use different formats. Like email, each SMS has a header. Most of it is system header, largely inaccessible to attackers. The exception is a few bytes at the end known as the user data header (UDH), which defines additional functionality such as MMS, multi-part messages, ring tones, and so on. Surprisingly, the AT command set some users may remember from the days of dial-up is still used by GSM modems.
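The user data header is the part of an SMS a phone actually acts on, so a defender who wants to know which inbound messages request special handling needs to decode it. The following Python parser is an added example and is not code from the article or from the researchers' talk. It walks the information elements of a UDH using the element identifiers defined in 3GPP TS 23.040 (concatenation and application port addressing), and flags any port-addressed message as one whose origin deserves checking, since such messages are delivered to phone-side handlers rather than to the user's inbox. The sample user-data bytes and the policy that port addressing alone triggers the flag are assumptions made for this example.

```python
# Added example (not from the article): decode the GSM SMS user data header
# (UDH) and report which optional features a message requests.
# Information element identifiers follow 3GPP TS 23.040 section 9.2.3.24;
# the sample byte strings below are constructed for this example.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IEI_CONCAT_8BIT = 0x00      # concatenated message, 8-bit reference number
IEI_APP_PORT_16BIT = 0x05   # application port addressing, 16-bit ports
IEI_CONCAT_16BIT = 0x08     # concatenated message, 16-bit reference number

# WDP port used for connectionless WAP push (settings, service indications).
# Treating every port-addressed message as worth an origin check is the
# policy assumed by this example, not a rule from the article.
WAP_PUSH_PORT = 2948


@dataclass
class UdhInfo:
    elements: List[Tuple[int, bytes]] = field(default_factory=list)
    concat: Optional[Tuple[int, int, int]] = None  # (reference, total, part)
    dest_port: Optional[int] = None
    src_port: Optional[int] = None
    body: bytes = b""
    needs_origin_check: bool = False


def parse_udh(user_data: bytes) -> UdhInfo:
    """Parse TP-User-Data whose first octet is the UDH length (UDHI bit set).

    Raises ValueError on a malformed header rather than guessing, so a
    truncated or oversized UDH is never silently accepted.
    """
    if not user_data:
        raise ValueError("empty user data")
    udhl = user_data[0]
    end = 1 + udhl
    if end > len(user_data):
        raise ValueError("UDH length exceeds user data")
    info = UdhInfo(body=user_data[end:])
    pos = 1
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated information element header")
        iei, iedl = user_data[pos], user_data[pos + 1]
        data = user_data[pos + 2:pos + 2 + iedl]
        if len(data) != iedl or pos + 2 + iedl > end:
            raise ValueError("information element runs past UDH")
        pos += 2 + iedl
        info.elements.append((iei, data))
        if iei == IEI_CONCAT_8BIT and iedl == 3:
            info.concat = (data[0], data[1], data[2])
        elif iei == IEI_CONCAT_16BIT and iedl == 4:
            info.concat = (int.from_bytes(data[:2], "big"), data[2], data[3])
        elif iei == IEI_APP_PORT_16BIT and iedl == 4:
            info.dest_port = int.from_bytes(data[:2], "big")
            info.src_port = int.from_bytes(data[2:], "big")
    # Port-addressed messages bypass the inbox and reach a handler directly.
    info.needs_origin_check = info.dest_port is not None
    return info


def describe(info: UdhInfo) -> str:
    """One-line summary a message filter could log."""
    parts = []
    if info.concat:
        ref, total, part = info.concat
        parts.append(f"concatenated part {part}/{total} (ref {ref})")
    if info.dest_port is not None:
        kind = "WAP push" if info.dest_port == WAP_PUSH_PORT else "application port"
        parts.append(f"{kind} dest={info.dest_port} src={info.src_port}")
    if info.needs_origin_check:
        parts.append("origin check required")
    return "; ".join(parts) or "plain text message"


# Constructed samples: a two-part text message, and a push to port 2948.
SAMPLE_CONCAT = bytes([5, IEI_CONCAT_8BIT, 3, 0xAB, 2, 1]) + b"hello"
SAMPLE_PUSH = bytes([6, IEI_APP_PORT_16BIT, 4, 0x0B, 0x84, 0x23, 0xF0]) + b"\x01\x06"

if __name__ == "__main__":
    for sample in (SAMPLE_CONCAT, SAMPLE_PUSH):
        print(describe(parse_udh(sample)))
```

The point of the `needs_origin_check` flag is that the parser cannot tell a carrier-generated message from a forged one; nothing in the header proves its source. What it can do is separate the ordinary text messages from the ones that trigger phone-side handlers, so that only the latter are subjected to whatever origin verification the carrier or handset is able to perform.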
What Lackey and Miras found is that administrator messages such as voice mail notifications sent from the carrier to phones can be forged; they are just specially crafted SMSs. There is, they said, no source checking or cryptographic protection on these messages, and phones are built on the assumption that these special messages will only ever be generated and sent by carriers.
Forging such messages opens up the ability, not only to send scams like their initial demonstration, but also to push new configuration settings to a phone. In their demonstration version, the message that arrived said the phone had received new settings and asked the user whether or not to install them: yes or no? With no other context available, the user has no way to verify the source of the new settings and has no idea what they do. They could, for example, change the proxy value for Internet traffic so that all traffic routes to the attacker's server to be sniffed or spoofed.
Spoofed control messages could also allow an attacker to send malware to a phone, backdate messages, bypass carrier malware and spam checking, or fingerprint mobile phones to aid more targeted attacks. "This is just the beginning of this vulnerability class," said Lackey. Miras added, "Attacking SMS was hard. Now, it's much less difficult, and in the future it will be even easier." These flaws will, they said, probably be exploitable for some time; they have been disclosed to carriers, but blocking is not a quick patch. "We are working with the GSM Alliance to notify all GSM carriers."
As The H has reported, mobile internet services, such as those provided by Twitter, may also be vulnerable to source spoofing. A recent authentication weakness in the Twitter service allowed anyone who knew a user's mobile number to spoof their messages, provided that the user's mobile number was set up to post and receive Twitter messages.