Dailydave mailing list archives
Re: Seeking more info on: Devastating mobile attack under spotlight
From: Paul Wouters <paul () xelerance com>
Date: Mon, 27 Nov 2006 16:44:07 +0100 (CET)
On Mon, 27 Nov 2006, Dude VanWinkle wrote:
> All mobile phones may be open to a simple but devastating attack that enables a third-party to eavesdrop on any phone conversation, receive any and all SMS messages, and download the phone's address book.
> Wilfried Hafner of SecurStar claims he can reprogram a phone using a "service SMS" or "binary SMS" message, similar to those used by the phone operators to update software on the phone. He demonstrated a Trojan which appears to use this method at the Systems show in Munich last month - a performance which can be seen in a German-language video.
These must be referencing two things. Writing a Trojan in under 160 characters would be more impressive than Slammer's 1 UDP packet hack (which only fit in 1 UDP packet because it called a bunch of Windows DLL functions).
> Phone operators use SMS messages to make changes to their customers' phone without user intervention. These changes can vary from small tweaks to an overhaul of the phone's internal systems.
I thought those messages only set some phone numbers, such as the SMS center, preference of roaming providers, etc. That's not an "overhaul".
> however that phones do not check the source of such messages and verify whether they are legitimate, so by sending a bogus message he is able to pose as a mobile operator and re-program people's mobiles to do what he wants.
This part I can believe.
> "I found this on a very old Siemens C45 phone, and then tried it on a Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of them authenticated the sender of the service SMS. We could not believe no one had found this possibility before us."
This is becoming harder to believe. The C45 is an ancient phone, and has no real OS environment like modern smartphones/winphones/pdaphones. The Qtek (I think it is based on the HTC/XDA hardware) runs Windows CE, so sure. And the Nokia E90 is still in the rumor phase and not even listed on the Nokia website. But most Nokias run Symbian as OS. So I doubt all these OSes would have the same exploit. Which means the exploit would have to be in the Baseband Processor code (BP) and not the Application Processor code (AP). Usually phones have a dual chip design: one is completely sealed off (and FCC approved) and controls the radio and runs a realtime OS. It exports the radio functionality via some kind of serial connection to the other processor, which actually runs your phone OS. Now if the exploit is in the BP, per definition it is hidden from the user. And I can see how multiple phones could use the same realtime OS setup and be vulnerable. And how the OS on the AP can not prevent this.
> On all these phones, Hafner was able to launch an example Trojan called "Rexspy", which he says ran undetected. Rexspy copies all SMS messages to the attacker, and allows the attacker to eavesdrop on any phone conversation by instructing the phone to silently conference the attacker into every call.
This would have to be the BP's realtime OS then. Running some rogue program on the BP by sending one or more SMSes that then talk to the AP to get access to things like the phone book and message store seems unlikely. One other option is that he only gained access to the SIM card memory on the AP (still an amazing feat), but no one uses it these days to store messages or phone numbers on it. There is just not enough storage in there. Doing an unnoticeable call would also be a very interesting hack.
> However, Hafner's demonstration does not constitute proof - it was done with his own phones, which could have been prepared. Known software such as Flexispy does the same job as Rexspy, but has to be installed manually on a phone. Hafner has also refused to provide Techworld with a demonstration, claiming that he does not want the code put into the wild. Hafner has also put out a press release about his alleged discovery which heavily pushes his company's products.
Yeah. I'm sceptical until I see more.

Paul

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave