
Mobile Phone (In)Security

Live Demos with Mobile Phone Technology

Walter Sprenger
Compass Security AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona
Tel. +41 55-214 41 60, Fax +41 55-214 41 61
team@csnc.ch, www.csnc.ch

Latest information

Extract from the latest status report on IT security of the BSI (German Federal Office for Information Security):

„Cyber criminals use besides botnets, spamming and phishing-Emails more and more the infiltration through mobile phones and WLAN“

© Compass Security AG www.csnc.ch Slide 2


The Present

Devices vs. Applications (market shares 06/2010)

[Figure panels: Devices, Applications]


Mobile Phone Malware

How do Trojans and spyware get on mobile devices?

• Bluetooth
• GSM
• Applications (Apps)
• Updates
• eMail
• Internet sites
• LAN / WAN / WLAN / UMTS


General

Mobile devices: critical and often forgotten children ...

• Mobile devices often work without a protecting company firewall
• They are frequently transported and can easily be moved
• They communicate with foreign networks through unsafe techniques
• The users often have administrator rights
• They can easily be stolen, pinched or destroyed ...
• They are often forgotten or deliberately ignored in the security concept


SmartPhone and Enterprises

Situation in Enterprises: Got Boss, got iPhone?

[Cartoon dialogue]
"I am the Boss…go get me an iPhone!"
"But Boss, iPhones are the source of all evil. It's so vulnerable. We would expose our network, open the firewall, data leakage and much more!!!"
"However…I am the Boss…go get me an iPhone!"
"Oh… ?! *sigh*"


The Mobile Network - Positioning

General

Anyone who sends out signals can, in principle, also be located.
Conversely, you can locate yourself by evaluating signals sent out from known positions.


Reference points in the mobile network

The Base Station Controller (BSC) controls several base stations (BTS), assigns the frequencies to be used and can initiate the handover.

The Mobile Switching Centre (MSC) serves as a router for the transmission of calls and text messages within the network or to the fixed line network. The MSC communicates via the Signalling System #7 (SS7).

The Home Location Register (HLR) of a network provider contains the personal data of all customers.

The Visitor Location Register (VLR) stores the data of users who are using the MSC but are not customers of the respective network provider.

The cell is the direct radio interface to the subscriber.


Transmission in the GSM-Network

[Diagram: GSM network hierarchy with HLR/AuC, PSTN, MSC with VLR, BSC (= LAC) and BTS (= CellID)]



Locating via LBS Location Based ID

Reading out locally relevant data of the presently active/located Cell (Example iPhone)

• Activate the “Fieldtest” mode
• Reading out of the GSM Cell data
• MCC (Mobile Country Code)


Locating via LBS Location Based ID

MCC (Mobile Country Code)

• Based on the first digit you can assign a continent:

0 not defined
1 not defined
2 Europe
3 North America and the Caribbean
4 Asia, India, Middle East
5 Australia and Oceania
6 Africa
7 South America
8 not defined
9 world

See also www.nobbi.com/wiki/doku.php/mcc


Locating via LBS Location Based ID

MCC (Mobile Country Code)

• The second and the third digit define the country (selection):

262 Germany
228 Switzerland
232 Austria
234 United Kingdom
235 United Kingdom
310 through 316 United States of America




Locating via LBS Location Based ID

MNC (Mobile Network Code)

• The MNC identifies the network provider

Germany
01, 06 T-Mobile
02, 04, 09 Vodafone
07, 08, 11 O2

Switzerland
01 Swisscom Mobile
02 Sunrise
03 Orange




Locating via LBS Location Based ID

Reading out locally relevant data of the presently active/located Cell (Example iPhone)

• Activate the “Fieldtest” mode
• Reading out of the GSM Cell data
• MCC (Mobile Country Code)
• MNC (Mobile Network Code)
• LAC (Location Area Code): organisational grouping of cells
• Cell ID: two bytes identifying a cell within an LAC


Locating via LBS Location Based ID

In our example the unambiguous location based ID would be

MCC – MNC – LAC – CID
262 – 01 – 38914 – 57564

Present Location (LAI)
HEX: 228 01 2929 00a53c3
Swisscom: 228 01 10537 676803
Orange: 228 03 7500 174692

Live Demo: Positioning
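The identifiers on this slide can be decoded mechanically. The following added example (not part of the original slides) parses an "MCC MNC LAC CID" string, applies the MCC tables given earlier, and shows that the HEX line and the Swisscom line denote the same cell. Reading values larger than two bytes as 28-bit UMTS cell identities is an assumption taken from 3GPP numbering, not from the slides; all function and class names are illustrative.

```python
from dataclasses import dataclass

# First MCC digit -> region, as listed on the slide.
REGIONS = {"2": "Europe", "3": "North America and the Caribbean",
           "4": "Asia, India, Middle East", "5": "Australia and Oceania",
           "6": "Africa", "7": "South America", "9": "world"}
# Country selection from the slide (310 through 316: USA).
COUNTRIES = {"262": "Germany", "228": "Switzerland", "232": "Austria",
             "234": "United Kingdom", "235": "United Kingdom",
             **{str(m): "United States of America" for m in range(310, 317)}}

@dataclass(frozen=True)
class CellId:
    mcc: str   # kept as text: leading zeros are significant
    mnc: str
    lac: int
    cid: int

    @property
    def region(self):
        return REGIONS.get(self.mcc[0], "not defined")

    @property
    def country(self):
        return COUNTRIES.get(self.mcc, "not in the slide's selection")

    @property
    def fits_gsm_cell_id(self):
        return self.cid <= 0xFFFF          # two-byte GSM Cell ID

    def split_utran(self):
        """Assumption (3GPP, not on the slides): 28-bit UMTS cell identity
        = 12-bit RNC-ID followed by 16-bit cell ID."""
        return self.cid >> 16, self.cid & 0xFFFF

def parse_cell_id(text, hex_fields=False):
    """Parse 'MCC MNC LAC CID'; LAC/CID are hexadecimal if hex_fields."""
    parts = text.replace("–", " ").replace("-", " ").split()
    if len(parts) != 4:
        raise ValueError("expected four fields: MCC MNC LAC CID")
    mcc, mnc, lac, cid = parts
    if not (mcc.isdigit() and len(mcc) == 3
            and mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MCC needs 3 digits, MNC 2 or 3 digits")
    base = 16 if hex_fields else 10
    lac_n, cid_n = int(lac, base), int(cid, base)
    if lac_n > 0xFFFF or cid_n >= 1 << 28:
        raise ValueError("LAC or cell identity out of range")
    return CellId(mcc, mnc, lac_n, cid_n)
```

The German example fits the two-byte GSM Cell ID, while the Swiss values do not, which is why the second group is split into RNC-ID and cell ID.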


Live Demo [Use Google's Dataset]

Determination of the reference coordinates

How does Google collect their data?

Transmission of data


Locating via LBS Location Based ID

Alternative tools to determine the Location Based ID

GPS Tracking transmitter TK102-2

Live Demo

See also www.itakka.at/shop/ and www.positionx.de



And now? The detection of the location is also a matter of the right database
Locating using silent text messages


What do you need silent text messages for?

• After network authentication only the Location Area Identity (LAI) is stored in the Visitor Location Register (VLR/HLR)
• As soon as the network wants to make contact with the mobile phone, all base stations (BTS) within the BSC call the subscriber
• The information about the cells used during a conversation, or at the time a text message is received or sent, is part of the pool of data that the network provider must record by law
• This kind of message behaves like a normal text message during transmission, but it is neither visibly nor acoustically announced on the mobile phone
• Access to the database of the network provider is essential


Locating using silent text messages

[Diagram: a BSC (= LAC) with its BTS (= CellID)]


Live Demo [Silent SMS/PDUspy]

Identification spoofing
[Call-ID-Spoofing]

Call-ID-Spoofing

Why an attack with a falsified call ID?

• The call ID (CLIP) often serves as an identification attribute of the caller (e.g. for telephone calls, remote access, applications, etc.)
• Access restrictions based on call ID authentication can be bypassed, and a falsified call ID can be used to support social engineering
• In EU end devices the call ID is matched only up to the 7th digit at most


Call-ID-Spoofing

Providers of commercial Call-ID-Spoofing services

http://spoofcard.com



Call-ID-Spoofing

Tools for Call-ID-Spoofing

• Telephone connection with the service attribute CLIP -no screening-
or
• SIP gateway to the PSTN (e.g. www.sipgate.de)
• Softphone (e.g. www.phoner.de)


Live Demo [Call-ID-Spoofing]

Call-ID-Spoofing (MITM-attack)

Call-ID-Spoofing attack

[Diagram labels: Incoming call: +49666666666666, Paris Hilton; ringing tone]


Identification spoofing
[SMS-ID-Spoofing]

SMS-ID-Spoofing

Why an attack with a falsified phone number?

• As with call ID authentication, it can be used to support social engineering
• Instead of a number, the sender can be given directly as a name
• Phishing via text messages is still largely unknown and therefore more promising
• No content filter is available (as there is e.g. for e-mails)
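One way to check received messages for the two properties described on the silent-SMS and SMS-ID-Spoofing slides, as an added example that is not part of the original slides: it decodes the header of an SMS-DELIVER PDU, as read from a modem in PDU mode, and flags TP-PID 0x40 (the "Short Message Type 0" value from 3GPP TS 23.040) and alphanumeric sender addresses. The function names and both sample PDUs, including the phone number, are constructed for illustration.

```python
def unpack_septets(data: bytes, count: int) -> str:
    """Unpack GSM 7-bit packed text (ASCII-compatible subset only)."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))


def inspect_deliver(pdu_hex: str) -> dict:
    """Decode sender, TP-PID and TP-DCS of an SMS-DELIVER PDU and flag it."""
    raw = bytes.fromhex(pdu_hex)
    try:
        pos = 1 + raw[0]                     # skip SMSC information
        if raw[pos] & 0x03 != 0:             # TP-MTI 00 = SMS-DELIVER
            raise ValueError("not an SMS-DELIVER PDU")
        oa_len, toa = raw[pos + 1], raw[pos + 2]
        pos += 3
        oa = raw[pos:pos + (oa_len + 1) // 2]
        pos += (oa_len + 1) // 2
        pid, dcs = raw[pos], raw[pos + 1]
    except IndexError:
        raise ValueError("truncated PDU") from None
    ton = (toa >> 4) & 0x07                  # type of number
    if ton == 5:                             # alphanumeric: free text
        sender = unpack_septets(oa, oa_len * 4 // 7)
    else:                                    # swapped BCD digits
        digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in oa)[:oa_len]
        sender = ("+" if ton == 1 else "") + digits
    findings = []
    if pid == 0x40:
        findings.append("silent: TP-PID 0x40 (Short Message Type 0)")
    if ton == 5:
        findings.append("sender is free text, not a verifiable number")
    return {"sender": sender, "pid": pid, "dcs": dcs, "findings": findings}


def sample_pdu(originator: str, pid: str) -> str:
    """Constructed SMS-DELIVER: no SMSC, first octet 04, DCS 00,
    timestamp 2010-06-01 12:00:00, empty user data."""
    return "00" + "04" + originator + pid + "00" + "01601021000000" + "00"


# Constructed samples: number +41790000000 with the Type 0 PID, and the
# alphanumeric sender "INFO" with a normal PID.
SILENT = sample_pdu("0B911497000000F0", "40")
NAMED = sample_pdu("07D049A7F109", "00")

if __name__ == "__main__":
    for name, pdu in (("SILENT", SILENT), ("NAMED", NAMED)):
        print(name, inspect_deliver(pdu))
```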


SMS-ID-Spoofing

Examples



SMS-ID-Spoofing

Example 1: SMS-Phishing using SMS-Spoofing

• Example of a Phishing-SMS
• Original message of the network provider


SMS-ID-Spoofing

Example 1: SMS-Phishing using SMS-Spoofing

• Example of a Phishing-SMS
• Falsified message based on the text message from the network provider


SMS-ID-Spoofing

Example 2: SMS-Phishing using SMS-Spoofing

• Leave the competitor at home


Live Demo [SMS-ID-Spoofing]

SIM interface as an attack vector on
mobile end devices
[SIM Application Toolkit]

SIM Application Toolkit

Why an attack on the SIM interface?

• SIM interface as a universal attack vector on mobile end devices
• Standardised interface
• Realisation: hardware-based man-in-the-middle attack
• Remote influence on end devices (as already used in part by the network providers)


SIM Application Toolkit

Functions of the SIM Application Toolkit

• Sending and receiving of short messages (SEND SHORT MESSAGE, SMS-PP Download)
• Initiating outbound calls (SET UP CALL)
• Diversion of outbound calls (CALL CONTROL)
• Positioning
• Data transmission via GPRS/UMTS
• Sending of AT-commands to the end device
• etc. ...


SIM Application Toolkit

Mode of operation of an SAT-attack

• The SIM card can make use of the described SAT functions
• No cryptography between SIM and end device
• Injection of one's own SAT commands is possible
• The SIM is still required for authentication
• Man-in-the-middle attack by installation of a microcontroller (e.g. Atmel ATTiny85V)


SIM Application Toolkit

Development history



SIM Application Toolkit

Man-in-the-middle attack
Example Voice

[Diagram labels: ringing tone; Call +49 151 xxxxxxxx]


Attacks on mobile end devices via malware
[Trojans, etc.]

Mobile Phone Malware

Commercial Trojans: MOBILE SPY monitors iPhone and many other mobile phones from $49.00 a quarter

Incl. 24/7 Support

www.mobile-spy.com


Mobile Phone Malware

Commercial Trojans: The classic „FlexiSpy“.

Available for almost all platforms…

www.flexispy.com


Mobile Phone Malware

Commercial Trojan: The classic „FlexiSpy“.

• Configuration menu of FlexiSpy

www.flexispy.com




Mobile Phone Malware

How does FlexiSpy collect the user data?

The Trojan transmits all data such as text messages, calls, eMails, etc. in defined intervals directly to the server.

The attacker can download the data at any time via the Internet.

[Diagram labels: WWW, Database]


Live Demo [Mobile phone Trojans]

Open discussion

Questions?!



Contact

Compass Security Network Computing

Werkstrasse 20
Postfach 2038
CH - 8645 Jona
team@csnc.ch | www.csnc.ch | +41 55 214 41 60
Secure File Exchange: www.csnc.ch/filebox

PGP-Fingerprint:
