Mobile-phone web sessions hijacked via SMS
At the Black Hat security conference, three Italian IT security experts have shown how all of the web traffic on a mobile phone can be diverted to a proxy server controlled by an attacker. In their presentation, "Hijacking Mobile Data Connections", Cristofaro Mune, Roberto Gassira and Roberto Piccirillo explain that a comparatively simple SMS is all it takes to make a successful attack.
The three security experts use a well documented method for their attack, not a new vulnerability. The SMS sent by an attacker contains only the data the mobile phone needs in order to learn the settings required for internet access, such as APN (Access Point Name), proxy server or DNS server. Network operators often send such provisioning SMSs at the request of mobile phone owners who want to connect up to the internet with phones that have not previously been configured, or who have changed providers.
With a tool they developed themselves, Mune, Gassire and Piccirillo can generate such an SMS in the WBXML (WAP Binary XML) format and are able to give the SMS any values they please. The values are accepted by the mobile phone and entered into the internet settings. The user has to confirm the settings with a PIN code, which was sent to him earlier in another SMS.
Since the PIN can be freely chosen by the SMS sender, there is no need to bypass any security mechanisms of the provider involved. In order to make the SMS look as though it really has come from the network operator, the researchers use a mass SMS sender that allows them a free choice of caller number.
They demonstrated an attack by manipulating the DNS entry in a mobile phone with a malicious SMS, and displaying it on a server controlled by them. This server always returned the same IP address when queried for a name resolution. The IP belongs to an equally malicious proxy server (Apache together with mod_proxy), which taps into all of the HTTP traffic. The trio showed another tool that immediately shows in a browser the web sites delivered to querying mobile phones.
There are clear limits to the eavesdropping attack, however: for SSL connections, the proxy server must match up. All the same, the developers comment that the proxy, in combination with an application such as sslstrip, could clear this hurdle too. However, an attack won't work if the mobile phone is only serving as a modem for a PC or a notebook, because the DNS settings on the PC then apply, not those on the mobile phone.
All modern mobile phones that can be supplied with settings via the OMA (Open Mobile Alliance) standard are vulnerable to this kind of attack. The demonstrations were run on devices from Sony Ericsson and Nokia. The MSECLAB researchers wouldn't say whether other smartphones such as Apple's iPhone or the Blackberry models were also vulnerable.
Mune, Gassire and Piccirillo advise that such attacks can be prevented in various ways. For example, a network operator can filter all SMSs containing provisioning data not originated by themselves or they can block access to third-party DNS servers outside the IP domain of the mobile phone operator.
(Uli Ries)
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
