Dailydave mailing list archives

Re: Seeking more info on: Devastating mobile attack under spotlight


From: Paul Wouters <paul () xelerance com>
Date: Mon, 27 Nov 2006 16:44:07 +0100 (CET)

On Mon, 27 Nov 2006, Dude VanWinkle wrote:

All mobile phones may be open to a simple but devastating attack that
enables a third-party to eavesdrop on any phone conversation, receive
any and all SMS messages, and download the phone's address book.

Wilfried Hafner of SecurStar claims he can reprogram a phone using a
"service SMS" or "binary SMS" message, similar to those used by the
phone operators to update software on the phone. He demonstrated a
Trojan which appears to use this method at the Systems show in Munich
last month - a performance which can be seen in a German-language
video.

These must be referencing two things. Writing a Trojan in under 160
characters would be more impressive than Slammer's 1 UDP packet hack
(which only fit in 1 UDP packet because it called a bunch of Windows
DLL functions)

Phone operators use SMS messages to make changes to their customers'
phone without user intervention. These changes can vary from small
tweaks to an overhaul of the phone's internal systems.

I thought those messages only set some phone numbers, such as the
SMS center, preference of roaming providers, etc. That's not an
"overhaul".

however that phones do not check the source of such messages and
verify whether they are legitimate, so by sending a bogus message he
is able to pose as a mobile operator and re-program people's mobiles
to do what he wants.

This part I can believe.

"I found this on a very old Siemens C45 phone, and then tried it on a
Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of
them authenticated the sender of the service SMS. We could not believe
no one had found this possibility before us."

This is becoming harder to believe. The C45 is an ancient phone, and
has no real OS environment like modern smartphones/winphones/pdaphones.
The Qtek (I think it is based on the HTC/XDA hardware) runs Windows CE, so
sure. And the Nokia E90 is still in the rumor phase and not even listed
on the Nokia website. But most Nokias run Symbian as OS. So I doubt all
these OSes would have the same exploit. Which means the exploit would
have to be in the Baseband Processor code (BP) and not the Application
Processor code (AP). Usually phones have a dual chip design, one is
completely sealed off (and FCC approved) and controls the radio and runs
a realtime OS. It exports the radio functionality via some kind of serial
connection to the other processor, which actually runs your phone OS.

Now if the exploit is in the BP, per definition it is hidden from the user.
And I can see how multiple phones could use the same realtime OS setup
and be vulnerable. And how the OS on the AP can not prevent this.

On all these phones, Hafner was able to launch an example Trojan
called "Rexspy", which he says ran undetected. Rexspy copies all SMS
messages to the attacker, and allows the attacker to eavesdrop on any
phone conversation by instructing the phone to silently conference the
attacker into every call.

This would have to be the BP's realtime OS then. Running some rogue program
on the BP by sending one or more SMSes that then talk to the AP to get
access to things like the phone book and message store seems unlikely.
One other option is that he only gained access to the SIM card memory on
the AP (still an amazing feat), but no one uses it these days to store
messages or phone numbers on it. There is just not enough storage in there.

Doing an unnoticeable call would also be a very interesting hack.

However, Hafner's demonstration does not constitute proof - it was
done with his own phones, which could have been prepared. Known
software such as Flexispy does the same job as Rexspy, but has to be
installed manually on a phone. Hafner has also refused to provide
Techworld with a demonstration, claiming that he does not want the
code put into the wild. Hafner has also put out a press release about
his alleged discovery which heavily pushes his company's products.

Yeah. I'm sceptical until I see more.

Paul
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
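The thread turns on what a phone can actually check about an incoming "service SMS". The example below is added here and is not code from the thread or from SecurStar: it decodes GSM 03.40 SMS-DELIVER PDUs the way a handset's SMS stack does, separates a binary, port-addressed message (WAP Push on port 2948, the transport used for operator provisioning) from a plain text message, and shows that the only sender identity in the PDU is the originating address, which is filled in by whoever submitted the message. All PDUs, numbers (Ofcom drama range 07700 900xxx) and the 4-byte payload are constructed for the example.

```python
"""Decode GSM 03.40 SMS-DELIVER PDUs and flag binary "service SMS" traffic.

Added example, not from the original thread. PDUs and numbers below are
constructed; the payload bytes are an opaque stand-in for a push body.
"""
from dataclasses import dataclass, field
from typing import Optional

WAP_PUSH_PORT = 2948      # connectionless WSP push (UDH IEI 0x05 destination port)
WAP_GATEWAY_PORT = 9200   # usual source port in operator provisioning pushes


@dataclass
class SmsDeliver:
    smsc: str
    originator: str          # TP-OA: the *claimed* sender, set by the submitter
    pid: int
    dcs: int
    alphabet: str            # "gsm7", "8bit" or "ucs2"
    scts: str                # service-centre timestamp
    udh: dict = field(default_factory=dict)   # IEI -> raw information element
    ports: Optional[tuple] = None             # (destination, source) from IEI 0x05
    payload: bytes = b""
    text: Optional[str] = None


def _semi_octets(raw: bytes) -> str:
    """Swapped-nibble BCD digits; a 0xF nibble pads an odd-length number."""
    out = []
    for b in raw:
        out.append(str(b & 0x0F))
        if b >> 4 != 0x0F:
            out.append(str(b >> 4))
    return "".join(out)


def _address(raw: bytes, ndigits: int, toa: int) -> str:
    num = _semi_octets(raw)[:ndigits]
    return "+" + num if (toa & 0x70) == 0x10 else num   # 0x10 = international


def _timestamp(raw: bytes) -> str:
    s = _semi_octets(raw[:6])
    tz = raw[6]                                   # quarter hours, sign in bit 3
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    sign = "-" if tz & 0x08 else "+"
    return (f"20{s[0:2]}-{s[2:4]}-{s[4:6]} {s[6:8]}:{s[8:10]}:{s[10:12]} "
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def _alphabet(dcs: int) -> str:
    if (dcs & 0xC0) in (0x00, 0x40):              # general data coding group
        return ("gsm7", "8bit", "ucs2", "8bit")[(dcs >> 2) & 0x03]
    if (dcs & 0xF0) == 0xF0:                      # message-class group (0xF5 is common for push)
        return "8bit" if dcs & 0x04 else "gsm7"
    return "8bit"


def gsm7_unpack(data: bytes, septets: int, skip_bits: int = 0) -> str:
    """Unpack 7-bit packed septets. Only the ASCII-overlapping part of the
    GSM default alphabet is mapped ('@', '$' etc. would decode wrongly)."""
    bits = int.from_bytes(data, "little") >> skip_bits
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def parse_sms_deliver(pdu_hex: str) -> SmsDeliver:
    b = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = b[pos]; pos += 1                   # octets following, incl. type-of-address
    smsc = _address(b[pos + 1:pos + smsc_len], (smsc_len - 1) * 2, b[pos]) if smsc_len else ""
    pos += smsc_len
    first = b[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)                     # TP-UDHI: a User Data Header is present
    oa_digits, oa_toa = b[pos], b[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2
    originator = _address(b[pos:pos + oa_len], oa_digits, oa_toa); pos += oa_len
    pid, dcs = b[pos], b[pos + 1]; pos += 2
    scts = _timestamp(b[pos:pos + 7]); pos += 7
    udl = b[pos]; pos += 1                        # septets for gsm7, octets otherwise
    ud = b[pos:]
    msg = SmsDeliver(smsc, originator, pid, dcs, _alphabet(dcs), scts)
    udh_octets = 0
    if udhi:
        udh_octets = 1 + ud[0]
        i = 1
        while i < udh_octets:                     # walk the IEI / length / data triples
            iei, iedl = ud[i], ud[i + 1]
            msg.udh[iei] = ud[i + 2:i + 2 + iedl]
            i += 2 + iedl
        ud = ud[udh_octets:]
        if 0x05 in msg.udh:                       # 16-bit application port addressing
            p = msg.udh[0x05]
            msg.ports = (int.from_bytes(p[0:2], "big"), int.from_bytes(p[2:4], "big"))
    if msg.alphabet == "gsm7":
        hdr_bits = udh_octets * 8                 # septets restart on a 7-bit boundary after the UDH
        skip = (7 - hdr_bits % 7) % 7
        msg.text = gsm7_unpack(ud, udl - (hdr_bits + skip) // 7, skip)
    else:
        msg.payload = ud
    return msg


def service_sms_assessment(msg: SmsDeliver) -> dict:
    """Everything the handset can tell about a message from the PDU itself."""
    return {
        "binary_service_sms": msg.alphabet == "8bit" and msg.ports is not None,
        "wap_push": msg.ports is not None and msg.ports[0] == WAP_PUSH_PORT,
        "claimed_sender": msg.originator,      # nothing in 03.40 authenticates this field
    }


def same_service_content(a: SmsDeliver, b: SmsDeliver) -> bool:
    """True when two messages deliver the identical service payload, so the
    phone can only tell them apart by the unauthenticated originator."""
    return (a.ports, a.dcs, a.payload) == (b.ports, b.dcs, b.payload)


# Constructed PDUs: SMSC +447700900999, timestamp 2006-11-27 16:44:07 +01:00.
_SMSC, _SCTS = "0791447700099099", "60117261447040"
_PUSH_UD = "0B" "0605040B8423F0" "010603AE"   # UDHL 6, IEI 05: dst 2948 src 9200, 4 payload bytes
OPERATOR_PUSH_PDU = _SMSC + "44" + "0C91447700090010" + "00" + "F5" + _SCTS + _PUSH_UD
SPOOFED_PUSH_PDU = _SMSC + "44" + "0C91447700091032" + "00" + "F5" + _SCTS + _PUSH_UD
TEXT_PDU = _SMSC + "04" + "0C91447700090010" + "00" + "00" + _SCTS + "02" + "C834"  # "Hi"

if __name__ == "__main__":
    for name, pdu in (("operator", OPERATOR_PUSH_PDU), ("spoofed", SPOOFED_PUSH_PDU), ("text", TEXT_PDU)):
        m = parse_sms_deliver(pdu)
        print(name, service_sms_assessment(m), m.text or m.payload.hex())
```

The two push PDUs differ only in the TP-OA bytes; once the baseband has stripped the UDH and handed the 8-bit payload up to whatever handles port 2948, the receiving code has no field left that distinguishes the operator's message from anyone else's, which is the "phones do not check the source" point in the article.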

