Beruflich Dokumente
Kultur Dokumente
Home Blog Binary SMS - The old backdoor to your new thing
Last Name: *
Email Address: *
For users on a budget, you can send SMS PDUs as a regular subscriber
over an existing public carrier using a GSM modem but you must check
your carrier's terms and conditions first.Using Vodafone's Terms and
Conditions for example, customers are not allowed to use the service to
break the law or use automated means to send texts. Scripting your
testing to attack someone else's phone would definitely not be allowed
but manually sending an SMS PDU (or two) to test a phone you own could
be OK. It is up to you to satisfy yourself that you are compliant with your
carrier's terms and conditions.
A public carrier is (potentially) much cheaper and quicker to use, with just
a 3G dongle, but forfeits control and is subject to the terms and conditions
of your carrier which may not allow testing with their network.
KIT LIST
All prices are approximate. A cellar or room with double concrete walls
could be used instead of a faraday cage providing your licensing authority
are satisfied it will suppress emissions sufficiently (>60dB). Twelve inch
concrete blocks have 35dB of attenuation at 900MHz.
BUILDING
Open source BTS tutorials age off quicker than a Gentoo kernel due to the
fast moving world of open source GSM and the dynamic dependencies
required. We recommend focusing on learning the standard and concepts
rather than particular packages but if you want a recent tutorial, you'll
find a comprehensive tutorial for an open source BTS (Yate) on a Pi here.
OpenBTS and YateBTS don't prescribe hardware or drivers so you can use
it with multiple radios, providing they support the precise timing
requirements of a GSM base station which are for an error rate of 0.05
ppm. This is more relaxed for pico cells at 0.1ppm.
If you attempt to stand up a BTS without a precision clock source you will
find it is unstable. You may get lucky and get your handset to see the
network and attach to it briefly at close range but it won't last and will
quickly fall over once you commence testing. A precision clock is
essential.
The GPS unit we used requires an external GPS receive antenna and does
take a while to acquire a fix (Green LED) initially.
A key configuration change for using a low power PC like a Pi is the third
party radio driver which must be defined within ../etc/yate/ybts.conf. We
had success with the official Ettus UHD driver but opted for the ARM
friendly osmo-trx transceiver compiled with UHD 003.010 defined as
Path=./osmo-trx and homed at ../lib/yate/server/bts/osmo-trx
TESTING
Understanding the many unique aspects of the GSM air interface is not
necessary to perform SMS testing but having a basic understanding of
paging will help. Getting your handset to attach initially is half the battle,
after that the rest is quite straightforward and very much in the realm of
computing not RF.
The gsmtap PCAP output is an invaluable tool in testing your setup and
monitoring traffic on the air interface. To use it, enter Yate's web UI and
update the monitoring IP to your own, check the gsmtap box, then spin up
wireshark on your external interface. This feature can be used remotely
which is convenient for users on a LAN. The gsmtap UDP packets for both
the uplink and downlink will be sent blindly to port 4729 on your host and
will likely elicit ICMP port closed responses.
In the screenshot below, a concatenated 3 part SMS has been sent over
our YateBTS by subscriber 12345. Only when the final fragment arrives is
it reassembled into a complete SMS. Each fragment is acknowledged
separately which is helpful for debugging concatenation issues.
WIRESHARK FILTERS
To send a PDU with YateBTS you can either use the dedicated script in the
web interface at /nib_web/custom_sms.php or the more flexible telnet
interface on TCP port 5038.Both methods require the IMSI of the recipient
which you can find from the registered subscribers list or by monitoring
handset registration and paging on the air interface.We wrapped the
telnet interface with our own PHP script using the socket API like so:
// PHP
$cmd="control custom_sms called=$imsi $type=rpdu";$socket = fsockopen("loca
");
With our SMS web API we were not only able to let other researchers on
the LAN send PDUs but also de-skill the knowledge required to perform
SMS testing.
The PDU sent on the air interface looks different than the PDU sent over
the public network because of differences in SMS-DELIVER (BTS > MS)
and SMS-SUBMIT (MS > BTS) formats. To learn more about PDUs see the
PDU section.
Using the £20 Huawei E3533 as an example, you will need to ensure the
device is connected in GSM modem mode, not Ethernet adapter or mass
storage etc. To do this with Linux issue a usb_modeswitch command as
follows:
The serial commands are easily scripted using Python's serial library.
Before firing up your Python interpreter, bear in mind your carrier's terms
and conditions regarding automated sending of SMS messages. So long
as you are in control of each message's transmission you should be ok.
Here's a basic Python client for sending a PDU via a GSM modem.
# Python
ser = serial.Serial(tty, 115200, timeout=5)ser.write('AT
')if "OK" in ser.read(64): print "CONNECTED TO MODEM OK" ser.write("A
") # PDU mode ser.write("AT+CMGS=%d
" % ((len(pdu)/2)-8)) time.sleep(1) ser.write('%s' % pdu) print ser.r
There are different types of SMS PDUs. PDUs from the handset to the
network are SMS-SUBMIT and could start with byte 0x01, PDUs from the
network down to the handset are SMS-DELIVER and could start with byte
0x00 and are normally longer due to the addition of a 7 octet date service
centre time stamp. The first byte is a bitmask of multiple flags and
contains a lot of information.
PDU encoding is complicated but thankfully there are many free online
encoders and programming libraries like Python's smspdu to validate
your PDU against the GSM 03.40 standard. Before jumping straight in and
using one it's important you understand some key fields and the
significant difference between DELIVER and SUBMIT PDUs as many
online decoders only do SUBMIT and not DELIVER. We've tested lots and
recommend Python's smspdu library.
The Protocol Identifier (PID) field refers to the application layer protocol
used. The default value 0x00 is used for plain short messages. Setting the
PID to 0x64 would be a silent SMS known as a 'type 0' SMS which all
handsets receive and must acknowledge without indicating its receipt to
the user. As previously mentioned, this has been used by law enforcement
to actively 'ping' a handset on a network.
When you want to target an application on a phone you need to define the
destination port within the User Data Header (UDH) which sits between
the PDU header and User Data (UD) and is declared early on with the User
Data Header Indicator (UDHI) flag in the first octet.
The UDH is also where Concatenated SMS (C-SMS) fragments are
described.
0A050B8457320003FF0201
01000C9144214365870900000CC8329BFD065DDF72363904
Bear in mind that data encoding varies between sections. Some sections
are special bit-masks, some are GSM 7 bit encoded and some are just
plain old hexadecimal.
00: Message type 0 (bits 0-1)Reject duplicates flag set (bit 2) (Bitmask)
0000: Protocol identifier 0: Plain old SMS, Data Coding Scheme 0: Flash
message (Bit mask)
With an Android phone you would see the following activity in the log when
an SMS PDU is received. This shows the Radio Interface Layer (RIL)
notifying the kernel of an incoming unsolicited PDU of length 168 (21
bytes). The full PDU is written to a SQLITE database, an automatic
acknowledgement is sent (SMS-DELIVER-ACK) back to the network and
finally the PDU is delivered to Android's privileged SMS receiver for
onward processing, in this case to the message store although it could be
routed to a listening application if a destination port is specified in the
UDH.
The only check is within the SmsHandler() which checks if SMS messages
are allowed. There is no concept of packet inspection or port filters like an
IP firewall.
PDU bytes:
41000C9144214365870900009B0B05040B8457320003FF0201C2E170381C0E87C3E1703
81C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E1703
81C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E1703
81C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E1703
81C0E87C3E17018
C2E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E1703
81C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E170381C0E87C3E1703
Conclusion
SMS is a weak link in a handset's security. With it you can interact,
remotely, with an application on someone's phone when the phone is not
connected to the internet. Significantly it has no firewall so bad packets
are always forwarded.
Despite being an old specification it has received much less scrutiny than
Internet Protocol for example and many applications (and non-
conventional devices now) handle SMS PDUs with a greater level of trust
than they afford IP packets for comparison.
In our next SMS blog we'll employ these concepts to attack the application
layer on a phone remotely...
Brisbane
Australia
T: +61 1300 565 352
© 2020 Context Information Security Cookies and Privacy Terms & Conditions