Presentation is loading. Please wait.

Presentation is loading. Please wait.

Black Hat Briefings Las Vegas July 11th, 2001 Mobile security: SMS & WAP Job de Haas.

Published byGinger Ellis Modified over 9 years ago

Similar presentations

Presentation on theme: "Black Hat Briefings Las Vegas July 11th, 2001 Mobile security: SMS & WAP Job de Haas."— Presentation transcript:

1 Black Hat Briefings Las Vegas July 11th, 2001 Mobile security: SMS & WAP Job de Haas

2 Black Hat Briefings Las Vegas July 11th, 2001 Overview Mobile security What are GSM, SMS and WAP? SMS in detail Security and SMS? WAP in detail Security and WAP? What can we expect?

3 Black Hat Briefings Las Vegas July 11th, 2001 What is this talk not about Not about the underlying wireless technologies GSM, CDMA, TDMA Not from a GSM/SMS/WAP implementer point of view. Not about actual exploits and demonstrations of them.

4 Black Hat Briefings Las Vegas July 11th, 2001 What is this talk about? General perspective on security of mobile applications like SMS and WAP. From an external point of view, based on ~10 yrs experience in breaking systems and applications. Identifying potential problems now and in the near future.

5 Black Hat Briefings Las Vegas July 11th, 2001 Who is this talk for? People asked to evaluate security of SMS and WAP applications. People who want to do research into SMS and WAP security. People familiar with computer and Internet security but not with SMS and WAP.

6 Black Hat Briefings Las Vegas July 11th, 2001 Mobile Security General issues: –Good User Interface paramount for security but very poor. –Standards tend to omit security except for encryption. –Creating yet another general purpose platform with associated risks.

7 Black Hat Briefings Las Vegas July 11th, 2001 What are GSM, SMS and WAP Cell phone technologies: GSM, TDMA, CDMA, … Short Messaging Service: SMS –Paging style messages. Wireless Application Protocol: WAP –‘mobile’ Internet. A simplified HTTP/HTML protocol for small devices.

8 Black Hat Briefings Las Vegas July 11th, 2001 SMS SMS Description SMS Format SMSC Protocols SMS Features: Smart SMS, OTA, Flash SMS

9 Black Hat Briefings Las Vegas July 11th, 2001 What is SMS? Store and forward messaging (PP and CB) Delivered through SS7 signaling 140 bytes data (160 7 bit chars) From anything that interfaces to a SMSC: –Cell phone, GSM modem,PC dial-in,X.25 … Specifications at: http://www.etsi.org

10 Black Hat Briefings Las Vegas July 11th, 2001 SMS data format Abbrv: –SC: Service Centre –MS: Mobile Station Basic types: –SMS-DELIVER(SC  MS) –SMS-DELIVER-REPORT(SC  MS) –SMS-SUBMIT(MS  SC) –SMS-SUBMIT-REPORT(MS  SC) –SMS-COMMAND(MS  SC) –SMS-STATUS-REQUEST(MS  SC)

11 Black Hat Briefings Las Vegas July 11th, 2001 SMS-SUBMIT DescriptionSizeMandatory TP-MTIMessage Type Indicator2 bitY TP-RDReject Duplicates1 bitY TP-VPFValidity period format2 bitY TP-RPReply Path1 bitY TP-UDHIUser Data Header Ind.1 bitN TP-SRRStatus Report Request1 bitN TP-MRMessage ReferenceIntY TP-DADestination Address2-12 byteY TP-PIDProtocol Identifier1 byteY TP-DCSData Coding Scheme1 byteY TP-VPValidity period1/7 byteY TP-UDLUser Data Length2 byteY TP-UDUser Data?N

12 Black Hat Briefings Las Vegas July 11th, 2001 SMS-DELIVER DescriptionSizeMandatory TP-MTIMessage Type Indicator2 bitY TP-MMSMore Messages to Send1 bitY TP-RPReply Path1 bitY TP-UDHIUser Data Header Ind.1 bitN TP-SRIStatus Report Ind.1 bitN TP-OAOriginating Address2-12 byteY TP-PIDProtocol Identifier1 byteY TP-DCSData Coding Scheme1 byteY TP-SCTSSC Time Stamp7 byteY TP-UDLUser Data Length2 byteY TP-UDUser Data?N

13 Black Hat Briefings Las Vegas July 11th, 2001 User Data Header Septets can be octets for 8-bit SMS messages

14 Black Hat Briefings Las Vegas July 11th, 2001 User Data Header Elements IEIMeaning 0Concatenated 8-bit ref. 1SMS message indication 48-bit port 516-bit port 6SMSC control param 7UDH source indicator 8Concatenated 16-bit ref. 9WCMP 70-7FSIM Toolkit security 80-9FSME to SME specific use C0-DFSC specific use

15 Black Hat Briefings Las Vegas July 11th, 2001 Smart SMS/OTA Joined Ericsson/Nokia spec Allow sending of ‘smart’ information: –Ringtones –Logo’s –Vcard/Vcal (business cards) –Configuration information (WAP) Based on UDH with app specific port numbers.

16 Black Hat Briefings Las Vegas July 11th, 2001 Short Message Service Centre The SMSC plays a central role in the delivery and routing of the SMS. Every vendor has his own protocol to talk to the SMSC: –CMG – EMI/UCP –Nokia – CIMD –Sema – SMS2000 –Logica – SMPP –…

17 Black Hat Briefings Las Vegas July 11th, 2001 SIM Toolkit Subscriber Identity Module: SIM The Smartcard in the phone An API for communication between the phone and the SIM Partly an API for remote management of the SIM through SMS messages.

18 Black Hat Briefings Las Vegas July 11th, 2001 SIM Toolkit Risks Mistakes in the SIM can become remote risks. For example insufficient protection in the SIM might allow bogus menu uploads.

19 Black Hat Briefings Las Vegas July 11th, 2001 SMS Threats SMS Spam SMS Spoofing SMS Virus

20 Black Hat Briefings Las Vegas July 11th, 2001 SMS Spam Getting to be like UCE High charge call scams (“call me at xxx-VERYEXPENSIVE”) All public SMS gateways and websites become victims. Spammers buy bulk services from operators

21 Black Hat Briefings Las Vegas July 11th, 2001 SMS Spoofing Source of SMS messages is worth nothing. Roaming capabilities of users make it impossible to filter by operators. Only chance is for messages that stay within one SMSC/Operator. Intercepting replies to another address is difficult. Special case: Rogue SMSC using the Reply- Path indicator could intercept replies.

22 Black Hat Briefings Las Vegas July 11th, 2001 SMS Virus Scenario: SMS is interpreted by phone and resend it self to all phone numbers in the phonebook and … Likelihood: –Pro: some vendors have big market shares: monoculture. –Pro: phones will get more and more interpreting features. –Con: zillions of versions of phones and software.

23 Black Hat Briefings Las Vegas July 11th, 2001 SMS summary SMS is much more than just some text. Sophisticated features are bound to open up holes (virus). SMS very suited to bulk application (like e-mail) Trustworthiness as bad or worse as with standard e-mail.

24 Black Hat Briefings Las Vegas July 11th, 2001 WAP WAP Description WAP Protocol WAP Infrastructure issues WML and WMLScript

25 Black Hat Briefings Las Vegas July 11th, 2001 What is WAP? HTTP/HTML adjusted to small devices Consists of a network architecture, a protocol stack and a Wireless Markup Language (WML) Important difference from traditional Internet model is the WAP-gateway Specifications at http://www.wapforum.org

26 Black Hat Briefings Las Vegas July 11th, 2001 WAP network model

27 Black Hat Briefings Las Vegas July 11th, 2001 WAP Protocol Stack

28 Black Hat Briefings Las Vegas July 11th, 2001 WAP Transport Layer WDP An adaptation layer to the bearer protocol. Consists of –Source and destination address and port. –Optionally fragmentation Maps to UDP for IP bearer

29 Black Hat Briefings Las Vegas July 11th, 2001 WAP Security Layer WTLS TLS adapted to the UDP-type usage by WAP. Encryption and authentication. Several problems identified by Markku-Juhani Saarinen: –Weak MAC –RSA PKCS#1 –Unauthenticated alert messages –Plaintext leaks

30 Black Hat Briefings Las Vegas July 11th, 2001 WTLS Keys generally placed in normal phone storage. New standards emerging (WAP Identity Module [WIM]) for usage of tamper-resistent devices. Aside from crypto problems: –User interface attacks likely (remember SSL problems) –WTLS terminates at WAP gateway; MITM attacks possible.

31 Black Hat Briefings Las Vegas July 11th, 2001 WAP Transaction layer WTP Three classes of transactions: –Class 0: unreliable –Class 1: reliable without result –Class 2: reliable with result Does the minimum a protocol must do to create reliability. No security elements at this layer. Protocol not resistant to malicious attacks.

32 Black Hat Briefings Las Vegas July 11th, 2001 WTP PDUClass 0Class 1Class 2 Invoke PDUXXX Result PDUX Ack PDUXX Abort PDUXX

33 Black Hat Briefings Las Vegas July 11th, 2001 WAP Session Layer WSP Meant to mimic the HTTP protocol. No mention of security in spec except for WTLS. Distinguishes a connected and connectionless mode. Connected mode is based on a SessionID given by the server.

34 Black Hat Briefings Las Vegas July 11th, 2001 WAP Application Layer WAE

35 Black Hat Briefings Las Vegas July 11th, 2001 WML WML based on XML and HTML. Not pages of frames, but decks with cards. Images: WBMP, WAP specific Generally all compiled to binary by WAP gateway: Additional area of potential problems.

36 Black Hat Briefings Las Vegas July 11th, 2001 WMLScript The WAP Javascript equivalent. Located in separate files Also compiled by WAP gateway Allows automation of WML and phone functions. Javascript bugs all over again?

37 Black Hat Briefings Las Vegas July 11th, 2001 WAP Infrastructure issues Attacking a dialed in phone Spoofing another dialed in phone Attacking the gateway

38 Black Hat Briefings Las Vegas July 11th, 2001 WAP gateway infra webserver Router /Dialin Internet Attack on gateway

39 Black Hat Briefings Las Vegas July 11th, 2001 Collusion attack Rogue webserver Router /Dialin Internet Modified WML /WMLScript

40 Black Hat Briefings Las Vegas July 11th, 2001 Attack on phone webserver Router /Dialin Internet

41 Black Hat Briefings Las Vegas July 11th, 2001 WAP 1.2 Push –Model using a Push proxy gateway –Dangers of user confirmation. Wireless Telephony Application Interface (WTAI) –Access to phone functions –‘Automatic’ invocation of functions from WML/WMLScript

42 Black Hat Briefings Las Vegas July 11th, 2001 WAP summary WAP mixes too many levels. WAP gateway sensitive to multiple ways of attack. User interface interpretation very difficult on mobile devices.

43 Black Hat Briefings Las Vegas July 11th, 2001 Future Combining Smartcard and WTLS security; end-to-end SSL Increased number of features (interpretation + automation) Terrible UI Version explosion: phones, gateways, WAP/WML.

Download ppt "Black Hat Briefings Las Vegas July 11th, 2001 Mobile security: SMS & WAP Job de Haas."

Similar presentations

Wireless Markup Language

Wireless Markup Language
Voice and Data Encryption over mobile networks July 2012 IN-NOVA TECNOLOGIC IN-ARG SA www.in-arg.com MESH VOIP.

Voice and Data Encryption over mobile networks July 2012 IN-NOVA TECNOLOGIC IN-ARG SA MESH VOIP.
Mobile security: SMS and WAP

Mobile security: SMS and WAP
Mobile Communication MMS.

Mobile Communication MMS.
Wireless & Mobile Communications Chapter 8: Support for Mobility  File systems  Data bases  WWW and Mobility  WAP - Wireless Application Protocol.

Wireless & Mobile Communications Chapter 8: Support for Mobility  File systems  Data bases  WWW and Mobility  WAP - Wireless Application Protocol.
Mobile IP and Wireless Application Protocol

Mobile IP and Wireless Application Protocol
SESSION : Pltaforms for Mobile Applications

SESSION : Pltaforms for Mobile Applications
 WAP WAP  Foundation Of WAP Foundation Of WAP  Benefits… Benefits…  Architecture… Architecture…  Layers of WAP protocol stack Layers of WAP protocol.

 WAP WAP  Foundation Of WAP Foundation Of WAP  Benefits… Benefits…  Architecture… Architecture…  Layers of WAP protocol stack Layers of WAP protocol.
A Survey of WAP Security Architecture Neil Daswani

A Survey of WAP Security Architecture Neil Daswani
Mobile Security and Payment Nour El Kadri University Of Ottawa.

Mobile Security and Payment Nour El Kadri University Of Ottawa.
CSC8530 Distributed Systems, Summer 2002 1 WAP Overview Amarnath Chitti.

"CSC8530 Distributed Systems", Summer WAP Overview Amarnath Chitti.
Wireless Application Protocol and i-Mode By Sridevi Madduri Swetha Kucherlapati Sharrmila Jeyachandran.

Wireless Application Protocol and i-Mode By Sridevi Madduri Swetha Kucherlapati Sharrmila Jeyachandran.
Wireless Application Protocol John Bollen MBA 651.

Wireless Application Protocol John Bollen MBA 651.
Intro Wireless Application Protocol WebTP Meeting H. Wilson So 14 Feb, 2000.

Intro Wireless Application Protocol WebTP Meeting H. Wilson So 14 Feb, 2000.
Networking Theory (part 2). Internet Architecture The Internet is a worldwide collection of smaller networks that share a common suite of communication.

Networking Theory (part 2). Internet Architecture The Internet is a worldwide collection of smaller networks that share a common suite of communication.
CM2502 E-Business Mobile Services. Desktop restrictions Mobile technologies Bluetooth WAP Summary.

CM2502 E-Business Mobile Services. Desktop restrictions Mobile technologies Bluetooth WAP Summary.
WAP-Wireless application Protocol

WAP-Wireless application Protocol
Mobile IP and Wireless Application Protocol

Mobile IP and Wireless Application Protocol
WAP: Wireless Application Protocol Mike Mc Ardle ACSG April, 2005.

WAP: Wireless Application Protocol Mike Mc Ardle ACSG April, 2005.
WAP Wireless Application Protocol CSI 668 Professor Meihua, Chen Presented by Min, Wu April 04,2001.

WAP Wireless Application Protocol CSI 668 Professor Meihua, Chen Presented by Min, Wu April 04,2001.

Similar presentations

Ads by Google