Dailydave mailing list archives

Re: Seeking more info on: Devastating mobile attack under spotlight


From: "Dave Korn" <dave.korn () artimi com>
Date: Mon, 27 Nov 2006 18:43:21 -0000

On 27 November 2006 15:44, Paul Wouters wrote:

On Mon, 27 Nov 2006, Dude VanWinkle wrote:

All mobile phones may be open to a simple but devastating attack that
enables a third-party to eavesdrop on any phone conversation, receive
any and all SMS messages, and download the phone's address book.

Wilfried Hafner of SecurStar claims he can reprogram a phone using a
"service SMS" or "binary SMS" message, similar to those used by the
phone operators to update software on the phone. He demonstrated a
Trojan which appears to use this method at the Systems show in Munich
last month - a performance which can be seen in a German-language
video.

These must be referencing two things. Writing a Trojan in under 160
characters would be more impressive than Slammer's 1 UDP packet hack
(which only fit in 1 UDP packet because it called a bunch of Windows
DLL functions).

  I suppose you also think that ringtones, logos, screensavers and
downloadable java games have to fit in 160 chars, yes?

  Look up WAP PUSH sms.  I suspect the only thing missing from the description
is some kind of user-interaction, but see also immediate-vs-deferred delivery;
perhaps that can be leveraged somehow.

http://en.wikipedia.org/wiki/Multimedia_Messaging_Service

I thought those messages only set some phone numbers, such as the
SMS center, preference of roaming providers, etc. That's not an
"overhaul".

  Did you think this based on reading documentation and looking up standards,
or are you guessing?

on the Nokia website. But most Nokias run Symbian as OS. So I doubt all
these OSes would have the same exploit.

  It is the incorrect assumption you have made here ...

Which means the exploit would
have to be in the Baseband Processor code (BP) and not the Application
Processor code (AP). 

... which leads you to the false inference here ...

This would have to be the BP's realtime OS then. Running some rogue program
on the BP by sending one or more SMSes that then talk to the AP to get
access to things like the phone book and message store seems unlikely.
One other option is that he only gained access to the SIM card memory on
the AP (still an amazing feat), but no one uses it these days to store
messages or phone numbers on it. There is just not enough storage in there.

... which leads you to misidentify a non-problem here ...

Yeah. I'm sceptical until I see more.

... which leads to your expression of scepticism here.  You're thinking in too
limited terms: not every "exploit" is a buffer overflow.  In this case, I
reckon the exploit consists in leveraging the SMS/MMS functionality defined by
the relevant specs in order to get some java program to download and run
without it being obvious what is happening, and perhaps without any
user-interaction at all.  If the vulnerability is in the specification, any
compliant phone would be vulnerable.

  The actual trojan itself is nothing new: I watched the video, and although I
don't speak German I caught numerous references to "FlexiSPY".  Look it up;
all that you need is a way of tricking a phone to auto-install it.  The video
itself doesn't (as far as I could tell) show the actual infection process.

  Those who would like to do some research, as opposed to speculating, could
start by googling "binary sms" (with the quotes, for an exact phrase match);
you get lots of interesting-looking documentation for sms gateway/servers.
From the list of hits, 

  http://www.ozeki.hu/index.php?owpn=488 

shows a list of (some? all?) different SMS types.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
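Dave's point that a binary SMS is not bounded by 160 characters rests on the User Data Header (UDH): a binary message can carry a concatenation element that chains segments together and a port-addressing element that hands the payload to a specific application, which is how a WAP Push reaches the WSP port. The following Python is an added illustration for readers of the archive, not code from anyone in the thread. It decodes an SMS-DELIVER TPDU far enough to classify it and to surface the segment count and destination port, which is what a handset or gateway log inspector would want to flag. The PDU bytes, the originating number and the timestamp are constructed for the example; the IEI values come from 3GPP TS 23.040 and the WDP ports 2948/9200 from the WAP specifications. Unpacking of 7-bit text and parsing of WSP headers are deliberately out of scope.

```python
"""Decode an SMS-DELIVER TPDU (3GPP TS 23.040) far enough to tell text from binary,
concatenated and port-addressed (e.g. WAP Push) messages.  Constructed input."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# User Data Header information element identifiers (TS 23.040, 9.2.3.24)
IEI_CONCAT_8BIT = 0x00   # data: reference(1), total parts(1), this part(1)
IEI_PORT_16BIT = 0x05    # data: destination port(2), origin port(2)
WAP_PUSH_PORTS = {2948, 2949}  # WDP ports for connectionless WSP push
WSP_PDU_PUSH = 0x06            # WSP PDU type octet following the transaction id

@dataclass
class SmsDeliver:
    originator: str
    timestamp: str                          # yy-mm-dd hh:mm:ss from TP-SCTS
    udh_present: bool
    concat: Optional[Tuple[int, int, int]]  # (reference, total parts, this part)
    dest_port: Optional[int]
    orig_port: Optional[int]
    payload: bytes                          # user data after the header, if any
    kind: str                               # text | binary | port-addressed-binary | wap-push

def _swapped_digits(raw: bytes, ndigits: int) -> str:
    """Nibble-swapped BCD, as used for TP-OA digits and TP-SCTS fields."""
    out = []
    for b in raw:
        out += [str(b & 0x0F), str(b >> 4)]
    return "".join(out[:ndigits])

def _is_8bit(dcs: int) -> bool:
    """True when TP-DCS selects 8-bit data (general group or the 0xF0 group)."""
    if dcs & 0xC0 == 0x00:
        return (dcs >> 2) & 0x03 == 0x01
    return dcs & 0xF0 == 0xF0 and bool(dcs & 0x04)

def parse_udh(udh: bytes) -> List[Tuple[int, bytes]]:
    """Split the User Data Header into (IEI, data) pairs, rejecting truncation."""
    ies, i = [], 0
    while i < len(udh):
        if i + 2 > len(udh):
            raise ValueError("UDH: IEI without a length octet")
        iei, iel = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iel]
        if len(data) != iel:
            raise ValueError(f"UDH: IE 0x{iei:02X} truncated")
        ies.append((iei, data))
        i += 2 + iel
    return ies

def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    if tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(tpdu[0] & 0x40)                 # TP-UDHI: a header precedes the payload
    ndigits, toa = tpdu[1], tpdu[2]
    pos = 3 + (ndigits + 1) // 2                # end of TP-OA = offset of TP-PID
    originator = _swapped_digits(tpdu[3:pos], ndigits)
    if toa & 0x70 == 0x10:                      # type-of-number: international
        originator = "+" + originator
    dcs = tpdu[pos + 1]
    ts = _swapped_digits(tpdu[pos + 2:pos + 9], 12)  # yy mm dd hh mm ss; tz dropped
    timestamp = f"{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
    udl, ud = tpdu[pos + 9], tpdu[pos + 10:]
    if _is_8bit(dcs) and len(ud) != udl:        # for 8-bit data TP-UDL counts octets
        raise ValueError(f"TP-UDL says {udl} octets, got {len(ud)}")
    concat = dest_port = orig_port = None
    payload = ud
    if udhi:
        udhl = ud[0]
        payload = ud[1 + udhl:]
        for iei, d in parse_udh(ud[1:1 + udhl]):
            if iei == IEI_CONCAT_8BIT and len(d) == 3:
                concat = (d[0], d[1], d[2])
            elif iei == IEI_PORT_16BIT and len(d) == 4:
                dest_port = int.from_bytes(d[:2], "big")
                orig_port = int.from_bytes(d[2:], "big")
    if dest_port in WAP_PUSH_PORTS and len(payload) > 1 and payload[1] == WSP_PDU_PUSH:
        kind = "wap-push"
    elif dest_port is not None:
        kind = "port-addressed-binary"
    elif _is_8bit(dcs):
        kind = "binary"
    else:
        kind = "text"                           # 7-bit/UCS2 text; unpacking not shown
    return SmsDeliver(originator, timestamp, udhi, concat, dest_port, orig_port, payload, kind)

# Constructed sample: segment 1 of 2 of a WAP Push to WDP port 2948 from 9200.
# The bytes after the WSP header (TID 01, type 06) are placeholder content.
SAMPLE_WAP_PUSH = bytes.fromhex(
    "44"                              # SMS-DELIVER, no more messages, UDHI set
    "0B912143658709F1"                # TP-OA: 11 digits, international, +12345678901
    "00F5"                            # TP-PID; TP-DCS = 8-bit data, class 1
    "60117251440000"                  # TP-SCTS 06-11-27 15:44:00 (constructed)
    "18"                              # TP-UDL: 24 octets including the header
    "0B" "05040B8423F0" "00032A0201"  # UDHL 11; port IE; concat IE ref 42, part 1/2
    "010603AE81EA02056A0045C6")       # WSP push header + placeholder body
# Constructed sample: an ordinary 7-bit text message ("hello") with no header.
SAMPLE_TEXT = bytes.fromhex(
    "04" "0B912143658709F1" "0000" "60117251440000" "05" "E8329BFD06")
```

Run `parse_sms_deliver(SAMPLE_WAP_PUSH)` and the result reports a `wap-push` to port 2948 that is part 1 of 2 under concatenation reference 42, while `SAMPLE_TEXT` comes back as plain `text` with no header. The TP-UDL length check and the per-element truncation check in `parse_udh` are what keep a malformed header from being silently misread; a real inspector would add the 7-bit unpacking and WSP header parsing that are omitted here.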
