Dailydave mailing list archives
Re: Seeking more info on: Devastating mobile attack under spotlight
From: "Dave Korn" <dave.korn () artimi com>
Date: Mon, 27 Nov 2006 18:43:21 -0000
On 27 November 2006 15:44, Paul Wouters wrote:
On Mon, 27 Nov 2006, Dude VanWinkle wrote:

All mobile phones may be open to a simple but devastating attack that enables a third-party to eavesdrop on any phone conversation, receive any and all SMS messages, and download the phone's address book.

Wilfried Hafner of SecurStar claims he can reprogram a phone using a "service SMS" or "binary SMS" message, similar to those used by the phone operators to update software on the phone. He demonstrated a Trojan which appears to use this method at the Systems show in Munich last month - a performance which can be seen in a German-language video.

These must be referencing two things. Writing a Trojan in under 160 characters would be more impressive than Slammer's 1 UDP packet hack (which only fit in 1 UDP packet because it called a bunch of Windows DLL functions).
I suppose you also think that ringtones, logos, screensavers and downloadable java games have to fit in 160 chars, yes? Look up WAP PUSH sms. I suspect the only thing missing from the description is some kind of user-interaction, but see also immediate-vs-deferred delivery; perhaps that can be leveraged somehow. http://en.wikipedia.org/wiki/Multimedia_Messaging_Service
I thought those messages only set some phone numbers, such as the SMS center, preference of roaming providers, etc. That's not an "overhaul".
Did you think this based on reading documentation and looking up standards, or are you guessing?
on the nokia website. But most Nokias run Symbian as OS. So I doubt all these OSes would have the same exploit.
It is the incorrect assumption you have made here ...
Which means the exploit would have to be in the Baseband Processor code (BP) and not the Application Processor code (AP).
... which leads you to the false inference here ...
This would have to be the BP's realtime OS then. Running some rogue program on the BP by sending one or more SMSes that then talk to the AP to get access to things like the phone book and message store seems unlikely. One other option is that he only gained access to the SIM card memory on the AP (still an amazing feat), but no one uses it these days to store messages or phone numbers on it. There is just not enough storage in there.
... which leads you to misidentify a non-problem here ...
Yeah. I'm sceptical until I see more.
... which leads to your expression of scepticism here. You're thinking in too limited terms: not every "exploit" is a buffer overflow. In this case, I reckon the exploit consists in leveraging the SMS/MMS functionality defined by the relevant specs in order to get some Java program to download and run without it being obvious what is happening, and perhaps without any user-interaction at all. If the vulnerability is in the specification, any compliant phone would be vulnerable.

The actual trojan itself is nothing new: I watched the video, and although I don't speak German I caught numerous references to "FlexiSPY". Look it up; all that you need is a way of tricking a phone to auto-install it. The video itself doesn't (as far as I could tell) show the actual infection process.

Those who would like to do some research, as opposed to speculating, could start by googling "binary sms" (with the quotes, for an exact phrase match); you get lots of interesting-looking documentation for SMS gateways/servers.
From the list of hits,
http://www.ozeki.hu/index.php?owpn=488 shows a list of (some? all?) different SMS types.

cheers,
DaveK
--
Can't think of a witty .sigline today....
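To make the "binary SMS" mechanism the thread argues about concrete: the following is an added example, not code from the thread or from any product it mentions. It decodes the User Data Header (UDH) carried in a GSM SMS and flags the two features such messages rely on, application-port addressing (WAP Push uses destination port 2948) and concatenation, which is how a payload exceeds the single-message 140-octet/160-character limit. Information element codes follow 3GPP TS 23.040; the sample bytes are constructed.

```python
# Added example (not from the thread): decode a GSM SMS User Data Header.
WAP_PUSH_PORT = 2948  # WAP Push (WSP connectionless) destination port

IEI_NAMES = {0x00: "concat8", 0x04: "port8", 0x05: "port16", 0x08: "concat16"}


def parse_udh(user_data: bytes) -> dict:
    """Parse the UDH at the start of user_data: UDHL, then (IEI, IEDL, data)."""
    if not user_data:
        raise ValueError("empty user data")
    udhl = user_data[0]
    if 1 + udhl > len(user_data):
        raise ValueError("UDHL exceeds user data length")
    header = user_data[1:1 + udhl]
    info = {"dest_port": None, "src_port": None, "concat": None}
    pos = 0
    while pos < len(header):
        if pos + 2 > len(header):
            raise ValueError("truncated information element")
        iei, iedl = header[pos], header[pos + 1]
        data = header[pos + 2:pos + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("information element data truncated")
        pos += 2 + iedl
        if iei == 0x05 and iedl == 4:  # 16-bit application port addressing
            info["dest_port"] = int.from_bytes(data[0:2], "big")
            info["src_port"] = int.from_bytes(data[2:4], "big")
        elif iei == 0x04 and iedl == 2:  # 8-bit application port addressing
            info["dest_port"], info["src_port"] = data[0], data[1]
        elif iei == 0x00 and iedl == 3:  # concatenation, 8-bit reference
            info["concat"] = {"ref": data[0], "total": data[1], "seq": data[2]}
        elif iei == 0x08 and iedl == 4:  # concatenation, 16-bit reference
            ref = int.from_bytes(data[0:2], "big")
            info["concat"] = {"ref": ref, "total": data[2], "seq": data[3]}
    info["body"] = user_data[1 + udhl:]  # payload after the header
    return info


def classify(user_data: bytes) -> str:
    """Coarse label a gateway or handset log filter could attach to a message."""
    info = parse_udh(user_data)
    if info["dest_port"] == WAP_PUSH_PORT:
        return "wap-push"
    if info["dest_port"] is not None:
        return "port-addressed"
    return "concatenated" if info["concat"] else "plain"


# Constructed sample: UDHL 11 = concat8 (ref 0x42, part 1 of 2) + port16
# (dest 2948, src 9200), followed by two payload bytes.
SAMPLE = bytes.fromhex("0b 00 03 42 02 01 05 04 0b 84 23 f0 aa bb")
```

An operator-side filter that logs `classify()` per message makes the "port-addressed" and "wap-push" traffic a handset silently consumes visible, which is the first step to deciding whether user confirmation should be required for it.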