Mobile security: SMS and WAP


Mobile security: SMS and WAP Job de Haas <job@itsx.com> November 20th, 2001

Overview
- Mobile security
- What are GSM, SMS and WAP?
- SMS in detail
- Security and SMS?
- Security and WAP?
- What can we expect?

What is this talk not about?
- Not about the underlying wireless technologies GSM, CDMA, TDMA.
- Not from a GSM/SMS/WAP implementer point of view.
- Not about actual exploits and demonstrations of them.

What is this talk about?
- General perspective on security of mobile applications like SMS and WAP.
- From an external point of view, based on ~10 yrs experience in breaking systems and applications.
- Identifying potential problems now and in the near future.

Who is this talk for?
- People asked to evaluate security of SMS and WAP applications.
- People who want to do research into SMS and WAP security.
- People familiar with computer and Internet security but not with SMS and WAP.

Mobile Security
General issues:
- Good User Interface paramount for security but very poor.
- Standards tend to omit security except for encryption (and some authentication).
- Creating yet another general purpose platform with associated risks.

What are GSM, SMS and WAP
- Cell phone technologies: GSM, TDMA, CDMA, …
- Short Messaging Service: SMS
  - Paging style messages.
- Wireless Application Protocol: WAP
  - 'mobile' Internet. A simplified HTTP/HTML protocol for small devices.

Standards
- GSM specific standards: GSM xx.xx
- ETSI Special Mobile Group (SMG): new numbering scheme.
- 3GPP (move towards UMTS): new numbering scheme
- WAP Forum: WAP related standards, WAP 1.1 / WAP 1.2
- European Telecommunications Standards Institute (ETSI): http://www.etsi.org
- 3rd Generation Partner Program: http://www.3gpp.org
- www.wapforum.org

SMS
- SMS Description
- SMS Format
- Short Messaging Service Centre (SMSC) Protocols
- SMS Features: Smart SMS, OTA, Flash SMS

What is SMS?
- Store and forward messaging (PP and CB)
- Delivered through SS7 signaling
- 140 bytes data (160 7 bit chars)
- From anything that interfaces to a SMSC: cell phone, GSM modem, PC dial-in, X.25 …
- Specifications at: http://www.etsi.org
- "Technical realization of the Short Message Service (SMS)." GSM 03.40 (now: ETSI TS 100 901)
- See also: GSM 03.38 (ETSI TS 100 900), GSM 03.42 (ETSI TS 101 032)

[Figure: SMS network elements]

SMS data format
- Abbreviations:
  - SC: Service Centre
  - MS: Mobile Station
- Basic types:
  - SMS-DELIVER (SC → MS)
  - SMS-DELIVER-REPORT (SC → MS)
  - SMS-SUBMIT (MS → SC)
  - SMS-SUBMIT-REPORT (MS → SC)
  - SMS-COMMAND (MS → SC)
  - SMS-STATUS-REQUEST (MS → SC)
- http://www.dreamfabric.com/sms/

SMS-SUBMIT

Field    Description              Size       Mandatory
TP-MTI   Message Type Indicator   2 bit      Y
TP-RD    Reject Duplicates        1 bit
TP-VPF   Validity period format
TP-RP    Reply Path
TP-UDHI  User Data Header Ind.               N
TP-SRR   Status Report Request
TP-MR    Message Reference        Int
TP-DA    Destination Address      2-12 byte
TP-PID   Protocol Identifier      1 byte
TP-DCS   Data Coding Scheme
TP-VP    Validity period          1/7 byte
TP-UDL   User Data Length         2 byte
TP-UD    User Data                ?

SMS-DELIVER

Field    Description              Size       Mandatory
TP-MTI   Message Type Indicator   2 bit      Y
TP-MMS   More Messages to Send    1 bit
TP-RP    Reply Path
TP-UDHI  User Data Header Ind.               N
TP-SRI   Status Report Ind.
TP-OA    Originating Address      2-12 byte
TP-PID   Protocol Identifier      1 byte
TP-DCS   Data Coding Scheme
TP-SCTS  SC Time Stamp            7 byte
TP-UDL   User Data Length         2 byte
TP-UD    User Data                ?

User Data Header
- Septets can be octets for 8-bit SMS messages

User Data Header Elements

IEI    Meaning
0      Concatenated 8-bit ref.
1      SMS message indication
4      8-bit port
5      16-bit port
6      SMSC control param
7      UDH source indicator
8      Concatenated 16-bit ref.
9      WCMP
70-7F  SIM Toolkit security
80-9F  SME to SME specific use
C0-DF  SC specific use

Smart SMS/OTA
- Joint Ericsson/Nokia spec
- Allows sending of 'smart' information:
  - Ringtones
  - Logos
  - Vcard/Vcal (business cards)
  - Configuration information (WAP)
- Based on UDH with app specific port numbers.
- "Smart Messaging Specification", Nokia, version 2.0.0

Short Message Service Centre
- The SMSC plays a central role in the delivery and routing of the SMS.
- Every vendor has his own protocol to talk to the SMSC:
  - CMG – EMI/UCP
  - Nokia – CIMD
  - Sema – SMS2000
  - Logica – SMPP
  - …
- "Interface protocols for the connection of Short Message Service Centres (SMSCs) to Short Message Entities (SMEs)." GSM 03.39 (now ETSI TS 101 632)

SIM Toolkit
- Subscriber Identity Module: SIM
  - The Smartcard in the phone
- An API for communication between the phone and the SIM
- Partly an API for remote management of the SIM through SMS messages.
- GSM/ETSI standard.
- "Security mechanisms for the SIM Application Toolkit" GSM 02.48 (now: ETSI TS 101 180)
- "Specification of the SIM application toolkit for the Subscriber Identity Module – Mobile Equipment (SIM – ME) interface." GSM 11.14 (TS 101 267)

SIM Toolkit Risks
- Mistakes in the SIM can become remote risks.
- For example, insufficient protection in the SIM might allow retrieval of personal information.

SMS Threats
- SMS Spam
- SMS Spoofing
- SMS Virus

SMS Spam
- Getting to be like UCE
- High charge call scams ("call me at xxx-VERYEXPENSIVE")
- All public SMS gateways and websites become victims.
- Spammers buy bulk services from operators

SMS Spoofing
- Source of SMS messages is worth nothing.
- Roaming capabilities of users make it impossible to filter by operators.
  - Only chance is for messages that stay within one SMSC/Operator.
- Intercepting replies to another address is difficult.
  - Special case: Rogue SMSC using the Reply-Path indicator could intercept replies.

SMS spoof demo
- Modified sms_client
- Uses EMI/UCP OT-51 message
- Works on KPN, but also several foreign SMSCs
- Difference with a real mobile SMS is visible with a PC.
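The SMS-DELIVER fields listed in the table earlier are all a receiver has to judge a message by, which is why the source is worth nothing. The following added example (not from the talk or from sms_client) decodes those fields from a raw TPDU on a PC and notes TP-RP, TP-UDHI and alphanumeric originators. The bit positions follow GSM 03.40; the function names, the sample TPDU and the number in it are constructed for illustration.

```python
# Added example: decode the header fields of an SMS-DELIVER TPDU.
# Field order and first-octet bit positions are taken from GSM 03.40.


def semi_octets(data: bytes) -> str:
    """BCD digits are stored low nibble first; 0xF pads an odd digit count."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data).rstrip("f")


def decode_deliver(tpdu: bytes) -> dict:
    if len(tpdu) < 13:
        raise ValueError("too short for an SMS-DELIVER")
    first = tpdu[0]
    if first & 0x03 != 0:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    oa_digits, oa_type = tpdu[1], tpdu[2]
    oa_len = (oa_digits + 1) // 2          # TP-OA length counts semi-octets
    pos = 3 + oa_len
    if len(tpdu) < pos + 10:               # PID, DCS, SCTS (7), UDL
        raise ValueError("truncated after TP-OA")
    alnum = (oa_type >> 4) & 0x07 == 0x05  # type-of-number 101: alphanumeric
    oa_raw = tpdu[3:pos]
    return {
        "tp_rp": bool(first & 0x80),
        "tp_udhi": bool(first & 0x40),
        "tp_oa": oa_raw.hex() if alnum else semi_octets(oa_raw),
        "oa_alphanumeric": alnum,
        "tp_pid": tpdu[pos],
        "tp_dcs": tpdu[pos + 1],
        "tp_scts": semi_octets(tpdu[pos + 2:pos + 9]),
        "tp_udl": tpdu[pos + 9],
        "tp_ud": tpdu[pos + 10:],
    }


def review_notes(fields: dict) -> list:
    """Points worth a second look when judging where a message came from."""
    notes = []
    if fields["tp_rp"]:
        notes.append("TP-RP set: replies go back through the delivering SC")
    if fields["tp_udhi"]:
        notes.append("TP-UDHI set: TP-UD begins with a User Data Header")
    if fields["oa_alphanumeric"]:
        notes.append("TP-OA is alphanumeric: free text, not a number")
    return notes


# Constructed sample (fictitious 555-01xx number), not captured traffic.
SAMPLE = bytes.fromhex(
    "c4 0b 91 5155550501f0 00 04 10110221000000 0b 050003a70201 68656c6c6f"
)

if __name__ == "__main__":
    decoded = decode_deliver(SAMPLE)
    print(decoded["tp_oa"], review_notes(decoded))
```

Nothing in the decoded fields is authenticated: TP-OA is whatever the submitting entity or SMSC placed there.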

SMS Virus
- Scenario: SMS is interpreted by phone and resends itself to all phone numbers in the phonebook and …
- Likelihood:
  - Pro: some vendors have big market shares: monoculture.
  - Pro: phones will get more and more interpreting features.
  - Con: zillions of versions of phones and software.

SMS Phone crash demo
- Modified sms_client: break the User Data Header.
- Has been tested on both UCP and OIS, but should work on anything that allows specification of UDH.
- Cause: broken sw in phone
- Seen on 6210, 3310, 3330
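Since the cause is phone software that trusts a broken User Data Header, the defensive counterpart is a parser that checks every length field before using it. This added example (not code from the talk) validates UDHL and each IEI/IEDL pair for an 8-bit message, with element lengths taken from GSM 03.40; the function names and sample bytes are constructed.

```python
# Added example: strict User Data Header (UDH) validation for 8-bit TP-UD.
# Layout per GSM 03.40: UDHL, then repeated (IEI, IEDL, IED) elements.

# IED lengths fixed by GSM 03.40 for some of the IEIs listed on the slide.
FIXED_IEDL = {
    0x00: 3,  # concatenated, 8-bit ref: ref, total parts, sequence
    0x04: 2,  # 8-bit ports: destination, originator
    0x05: 4,  # 16-bit ports: destination, originator
    0x08: 4,  # concatenated, 16-bit ref: ref (2), total parts, sequence
}


class UDHError(ValueError):
    """The header contradicts its own length fields or a fixed format."""


def parse_udh(user_data: bytes):
    """Return (elements, payload); elements is a list of (iei, ied)."""
    if not user_data or len(user_data) > 140:
        raise UDHError("TP-UD empty or longer than 140 octets")
    udhl = user_data[0]
    if 1 + udhl > len(user_data):
        raise UDHError("UDHL runs past the end of TP-UD")
    header, payload = user_data[1:1 + udhl], user_data[1 + udhl:]
    elements, pos = [], 0
    while pos < len(header):
        if pos + 2 > len(header):
            raise UDHError("element truncated before IEDL")
        iei, iedl = header[pos], header[pos + 1]
        ied = header[pos + 2:pos + 2 + iedl]
        if len(ied) != iedl:
            raise UDHError(f"IEI {iei:#04x}: IEDL runs past the header")
        if FIXED_IEDL.get(iei, iedl) != iedl:
            raise UDHError(f"IEI {iei:#04x}: unexpected IEDL {iedl}")
        if iei in (0x00, 0x08):
            total, seq = ied[-2], ied[-1]
            # Policy choice here: reject the message rather than skip the element.
            if total == 0 or not 1 <= seq <= total:
                raise UDHError("concatenation sequence out of range")
        elements.append((iei, ied))
        pos += 2 + iedl
    return elements, payload


def is_well_formed(user_data: bytes) -> bool:
    try:
        parse_udh(user_data)
    except UDHError:
        return False
    return True


# Constructed samples, not captured traffic.
GOOD = bytes.fromhex("050003a70201") + b"hello"      # part 1 of 2
BAD_UDHL = bytes.fromhex("200003a70201") + b"hello"  # UDHL exceeds TP-UD
BAD_IEDL = bytes.fromhex("050009a70201") + b"hello"  # IEDL exceeds header
BAD_SEQ = bytes.fromhex("050003a70200") + b"hello"   # sequence number 0
```

Unknown IEIs are accepted as long as their IEDL stays inside the header, so new element types do not break the parser.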

SMS summary
- SMS is much more than just some text.
- Sophisticated features are bound to open up holes (virus).
- SMS is very suited to bulk application (like e-mail).
- Trustworthiness as bad as or worse than with standard e-mail.

WAP
- WAP Description
- WAP Protocol
- WAP Infrastructure issues
- WML and WMLScript

What is WAP?
- HTTP/HTML adjusted to small devices
- Consists of a network architecture, a protocol stack and a Wireless Markup Language (WML)
- Important difference from traditional Internet model is the WAP-gateway
- Specifications at http://www.wapforum.org
- W* Effect Considered Harmful, Rohit Khare, 4K Associates, April 9, 1999: http://www.4k-associates.com/4K-Associates/IEEE-L7-WAP-BIG.html
- The Harm of the Wireless Application Protocol (WAP): http://www.freeprotocols.org/harmOfWap/main.html
- Specifically: The WAP Trap, Mohsen Banan, Neda Communications, Inc., January 29, 2000: http://www.freeprotocols.org/wapTrap/main.pdf
- The Wireless FAQ: http://www.allnetdevices.com/faq
- Wireless Security Meta-FAQ: http://wap.z-y-g-o.com/wsec.html

WAP network model

WAP Protocol Stack

WAP Protocol Stack

WAP Transport Layer
- WDP
  - An adaptation layer to the bearer protocol.
  - Consists of source and destination address and port. Optionally fragmentation
- WCMP
- Maps to UDP for IP bearer
- WAP Specification WAP-200-WDP
- WAP Specification WAP-202-WCMP
- WAP Specification WAP-159-WDPWCMPAdapt

WAP Protocol Stack

WAP Security Layer
- WTLS
  - TLS adapted to the UDP-type usage by WAP.
  - Encryption and authentication.
  - Several problems identified by Markku-Juhani Saarinen:
    - Weak MAC
    - RSA PKCS#1 1.5
    - Unauthenticated alert messages
    - Plaintext leaks
- WAP Specification WAP-199-WTLS
- Saarinen, Markku-Juhani. "Attacks against the WAP WTLS Protocol." University of Jyväskylä, 1999. http://www.cc.jyu.fi/~mjos/wtls.pdf
- Security in the WTLS: http://www.tml.hut.fi/Opinnot/Tik-110.501/1999/papers/wtls/
- Vulnerabilities within the Wireless Application Protocol, Stephen Gillian, August 31, 2000: http://www.sans.org/infosecFAQ/wireless/WAP.htm

WTLS
- Keys generally placed in normal phone storage.
- New standards emerging (WAP Identity Module [WIM]) for usage of tamper-resistant devices.
- Aside from crypto problems:
  - User interface attacks likely (remember SSL problems)
  - WTLS terminates at WAP gateway; MITM attacks possible.
- Certificate checking problem: http://wap.z-y-g-o.com/wsec.html

WAP Protocol Stack

WAP Transaction layer
- WTP
- Three classes of transactions:
  - Class 0: unreliable
  - Class 1: reliable without result
  - Class 2: reliable with result
- Does the minimum a protocol must do to create reliability.
- No security elements at this layer.
- Protocol not resistant to malicious attacks.
- WAP Specification WAP-201-WTP

WTP
- Columns: PDU, Class 0, Class 1, Class 2
- Invoke PDU: X
- Result PDU
- Ack PDU
- Abort PDU

WAP Protocol Stack

WAP Session Layer
- WSP
- Meant to mimic the HTTP protocol.
- No mention of security in spec except for WTLS.
- Distinguishes a connected and connectionless mode.
- Connected mode is based on a SessionID given by the server.
- WAP Specification WAP-203-WSP

WAP Session layer
- WSP message types:
  - Connect, ConnectReply, Redirect, Disconnect
  - Methods: Get, Post, Reply
  - Suspend, Resume, Reply
  - Push, ConfirmedPush

WAP Session layer
- WSP
- Nothing is specified on the sessionid except that it is not reused within the lifetime of a message.
- Research done in Protos (Oulu, Finland) shows first implementations pretty unstable.
- Kannel still can't handle a large number of connections (max threads).
- Protos WSP testing
  - General: http://www.ee.oulu.fi/research/ouspg/protos/
  - WSP specific: http://www.ee.oulu.fi/research/ouspg/protos/testing/c04/wap-wsp-request
- Kannel Open Source WAP Gateway: www.kannel.3glab.org

WAP Protocol Stack

WAP Application Layer
- WAE
- WAP Specification WAP-195WAEOverview
- WAP Specification WAP-190WAESpec

WML
- WML based on XML and HTML.
- Not pages of frames, but decks with cards.
- Images: WBMP, WAP specific
- Generally all compiled to binary by WAP gateway: additional area of potential problems.
- WAP spec. WAP-191-WML

WMLScript
- The WAP Javascript equivalent.
- Located in separate files
- Also compiled by WAP gateway
- Allows automation of WML and phone functions.
- Javascript bugs all over again?

General WAP problems seen
- Poor session support: no or limited cookie support. → encode session info in URL (not always safe.)
- User identification based on WAP Gateway hack with caller ID.

WAP Infrastructure issues
- Attacking a dialed in phone
- Spoofing another dialed in phone
- Attacking the gateway

WAP gateway infra
[Figure: Attack on gateway; labels: Internet, Router/Dialin, webserver]

[Figure: Collusion attack; labels: Internet, Rogue webserver, Router/Dialin, Modified WML/WMLScript]

[Figure: Attack on phone; labels: Internet, webserver, Router/Dialin]

WAP 1.2
- Push
  - Model using a Push proxy gateway
  - Dangers of user confirmation.
- Wireless Telephony Application Interface (WTA & WTAI)
  - Access to phone functions
  - 'Automatic' invocation of functions from WML/WMLScript
- WAP Identity Module (WIM)

WAP Push
- WAP Specification WAP-165-PushArchOverview
- WAP Specification WAP-145-PushMessage
- WAP Specification WAP-151-PPGService
- WAP Specification WAP-164-PAP
- WAP Specification WAP-167-ServiceInd
- WAP Specification WAP-168-ServiceLoad
- WAP Specification WAP-189-PushOTA

WAP summary
- WAP mixes too many levels.
- Specs unclear in many areas concerning security sensitive issues.
- WAP gateway sensitive to multiple ways of attack.
- User interface interpretation very difficult on mobile devices.

Future
- Combining Smartcard and WTLS security; end-to-end SSL
- Increased number of features (interpretation + automation)
- Terrible UI
- Version explosion: phones, gateways, WAP/WML.