
So my name is Bogdan Alecu. And the topic for today will be "Business Logic Flaws in Mobile Operators Services." For those that don't know me, everything is about me. I work as a systems administrator as a day job. And during my free time, when I have it, I like to break into a lot of mobile stuff. I started on this particular journey a couple of years ago with GSM networks by using my old Nokia phone and continued with voice over IP and got to GSM and mobile phones. If you want to keep in touch with me, you can find me on Twitter or on my Web site. So the goals for today would be for you to have a really high-level overview regarding the SIM toolkit. What it is. How we will exploit it. Then a couple of business logic flaws I've identified on some carriers. And I think you're going to find them really interesting. And also in the end, if there is a way to protect you from this, I'm going to show you. We're going to cover HTTP headers, data traffic, the extra digit and a summary at the end.

So who has heard about SIM toolkit? Okay. To keep it simple, think about it as a platform for the carriers that they use in order to install applications on your SIM card. This is what SIM toolkit looks like on an Android device. On some other devices you might find it as an extra menu with the carrier's name, like Orange, Vodafone and so on. And from this SIM toolkit menu, you can find things like exchange rates, the weather, what the weather is like, or calling customer support. So different activities. And if you think about it, it's a pretty good thing. Because you have these applications on your SIM card. And no matter what phone you use and you put your SIM card in, you'll still have this application. So you don't need to install anything else in order to have them.

Since this application sits on your SIM card, the carrier has a way to update these applications or modify or delete them and so on. So for example, if the customer support number changes, the carrier will send an over-the-air update, which is basically a text message to your SIM card saying that the SIM card should update the phone number for the customer support. This message is a kind of special message, a command message. And in order to have this command message, they may use the SMS user data header. The same user data header is used in cases like when you go over the 160 characters limit and do concatenated messages. So you have two messages which are concatenated into one message. And this makes use of the user data header, and of course also in cases for -- who remembers the old Nokia ringtones? They also used user data headers.

This is what the command packet looks like for such a SIM toolkit SMS. So as I -- you have the user data header, then other fields like command packet length, command header length, security parameter indicator and so on. The most important one that I want you to keep in mind is this security indicator. The number you see below represents the number of bytes each element has. So this -- all of these specifications can be found in the GSM specs. In order to also have this command, you also add two other important fields: data coding scheme and protocol ID. By setting the protocol ID to 7F, it means that you do a SIM data download, and data coding scheme F6 means that this type of text message is directly addressed to your SIM card.

So according to the GSM specification, what will happen when you receive such a command message: the phone will transparently pass this SIM message, this command message, through to your SIM card and will not alert you in any other way. So basically when your carrier sends this message saying, okay, I want to update the number for the customer support, you will have no idea that you have just got a text message.

And I told you to keep in mind the security parameter indicator. So you are sending this command. But you need some kind of acknowledgement to know that this command message has been received. And this is called proof of receipt, which can be set in the first two bits. If you set it for example to 01 it means you always want to get a proof of receipt. So no matter if there was an error or there wasn't any error, you will always get a proof of receipt. And how you get it, you set it in bit number 6, and there are two ways of getting this proof of receipt back. By SMS-SUBMIT, which means by a regular text message which is sent by our SIM card, or by SMS-DELIVER-REPORT, which is like a delivery report when you send a text message and you want to know if the target person has received your text message.

So again, we have this structure. And we need to fill in the elements. The user data header, the protocol ID, the data coding scheme I have presented to you. And then the others. And as you would imagine, in order to make this update of the customer support number, you need to have some proper security keys. But if you look at this example, you will see that the ciphering keys, that is KIc, are set to zero. Because I do not care about ciphering keys at all. Why? Because of the security parameter indicator. If we drill down to this security parameter indicator you will see the first two bits are set to 01, meaning that I want to get a proof of receipt, always get a proof of receipt. And I want to get it by text message. So basically when -- if I'm going to send this text command message to you, what will happen, it will get to your phone. The phone will pass it to the SIM card. The SIM card will try to execute it. It will see that I don't have any proper security keys. But in return, it will send me back a text message without you controlling it, without you even knowing it.
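The message format the talk has just walked through (TP-PID 7F, TP-DCS F6, the command-packet UDH element and the security parameter indicator) can be decoded on the receiving side so that an SMSC or monitoring pipeline flags exactly this case: a data download with no ciphering that still demands a proof of receipt by SMS-SUBMIT. This is an added example, not the speaker's tooling; the sample bytes are constructed and the TAR is a placeholder.

```python
# Decoder for the SMS-PP data download indicators (TP-PID, TP-DCS, UDH) and the
# GSM 03.48 command packet header. Added example: it only inspects inbound
# messages and flags the pattern described in the talk. Sample bytes constructed.
from dataclasses import dataclass

TP_PID_SIM_DATA_DOWNLOAD = 0x7F  # TP-PID: (U)SIM data download
TP_DCS_CLASS2_8BIT = 0xF6        # TP-DCS: 8-bit data, message class 2 (SIM)
UDH_IEI_COMMAND_PACKET = 0x70    # UDH information element: 03.48 command packet

@dataclass
class CommandPacketInfo:
    is_sim_data_download: bool
    has_command_packet_udh: bool
    ciphered: bool
    kic: int
    por: str       # "none", "always", "on_error" or "reserved"
    por_via: str   # "SMS-DELIVER-REPORT" or "SMS-SUBMIT"

def udh_has_command_packet(udh: bytes) -> bool:
    """Walk the UDH as (IEI, length, data) triples looking for IEI 0x70."""
    i = 0
    while i + 1 < len(udh):
        if udh[i] == UDH_IEI_COMMAND_PACKET:
            return True
        i += 2 + udh[i + 1]
    return False

def decode_command_packet(pid: int, dcs: int, udh: bytes, packet: bytes) -> CommandPacketInfo:
    """Parse CPL, CHL, SPI and KIc from a 03.48 command packet."""
    if len(packet) < 16:  # CPL(2) + CHL(1) + minimal 13-byte header
        raise ValueError("command packet too short for a 03.48 header")
    cpl, chl = int.from_bytes(packet[0:2], "big"), packet[2]
    if cpl != len(packet) - 2 or chl < 13 or 3 + chl > len(packet):
        raise ValueError(f"inconsistent lengths: CPL={cpl} CHL={chl} len={len(packet)}")
    spi1, spi2 = packet[3], packet[4]
    return CommandPacketInfo(
        is_sim_data_download=(pid == TP_PID_SIM_DATA_DOWNLOAD and dcs == TP_DCS_CLASS2_8BIT),
        has_command_packet_udh=udh_has_command_packet(udh),
        ciphered=bool(spi1 & 0x04),                                      # SPI byte 1, bit 3
        kic=packet[5],
        por=("none", "always", "on_error", "reserved")[spi2 & 0x03],    # SPI byte 2, bits 1-2
        por_via="SMS-SUBMIT" if spi2 & 0x20 else "SMS-DELIVER-REPORT",  # SPI byte 2, bit 6
    )

def unauthenticated_por_requested(info: CommandPacketInfo) -> bool:
    """True for the case in the talk: a SIM data download with no ciphering
    that still asks the card to answer by SMS-SUBMIT. Worth alerting on."""
    return (info.is_sim_data_download and info.has_command_packet_udh
            and info.por != "none" and info.por_via == "SMS-SUBMIT"
            and not info.ciphered and info.kic == 0)

# Constructed sample: CPL=0x0010, CHL=0x0D, SPI=0x00 0x21, KIc=0, KID=0,
# TAR=000000 (placeholder), CNTR=0, PCNTR=0, two bytes of secured data.
SAMPLE_UDH = bytes.fromhex("7000")
SAMPLE_PACKET = bytes.fromhex("0010" "0D" "0021" "00" "00" "000000" "0000000000" "00" "aabb")
```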

And in order to make sure of how the things are like, here is the screenshot of a Wireshark capture. And as you see the command is to send short message. It has been initiated by the card application toolkit, so it wasn't a human initiated action. So the SIM card automatically replies to the sending number. There's nothing in your inbox, nothing in your outbox. Basically you will have no idea that your SIM card has just sent a text message back to me. Only if you look at the -- on your bill, on your call records you will see that sometimes your SIM card has just sent a text message to someone. So let's see it in action.

So here I have the destination number. I have the user data header. The binary data, the fields that I filled in. The protocol ID and the data coding scheme. And I have the target's phone. On this phone, this is a prepaid phone. And there is -- its balance is zero, so I have no credit on it. So it will try to send a text message. But since it has no balance, I will get a text message from the carrier saying: Hey, you don't have any credit. You need to refill. Now, once I submit this, it says sending. And there is no way to stop this. I can't push any button. The SIM card just sends -- tries to send a text message. You cannot control it. It keeps trying to send. If I had a look at it I would have -- if I hadn't looked at it I would have no idea I just did this, so if it's in your pocket you will have no idea your SIM card is trying to send a text message. And I also got some text messages from my carrier saying you do not have enough credit for sending SMS to this number. Please recharge your account. But I didn't send any text message by myself. The SIM card tried to do so.

So maybe you will think that, okay, maybe this is not something -- I don't know -- important, let's say. I can make your SIM card send the text message back to me. Well, maybe that's not a big deal. But let's think of it some other way. Let's say there are services that allow you to send a text message from any number. So you can send someone a text message coming from whatever number you want. Now, let's say you also have a premium rate number, an international premium rate number, and you send a command message coming from the premium rate number to some target phone number. What will happen, the target phone number will send back a text message to the premium rate number you have. So you're paying like a couple of cents for sending a text message. And in return you get 20 times more. So it's a pretty good conversion rate, right? And the target phone, as I told you, some phones don't even show that there is a text message sending in progress. Even if you keep your eyes on them. So until you get your monthly bill, you have no idea you have just sent text messages to premium rate numbers.

Now let's talk a little bit about HTTP headers. The easiest way you can think about them is by identifying the browser you are using. So if you're browsing from Firefox, let's say, that browser will have HTTP headers; if you're browsing from Safari it will have other headers and so on. Now, with this in mind, there are some -- most of the carriers have a mobile page where you can find your balance, you can change your services, you can download ringtones, videos and whatever. This page is addressed using am.carrier.com, so the carrier name. If you try to access that page from your computer you will most probably get something like this. So they will detect that you're not connected to their network. And they will tell you: Okay, you have to connect to our network in order for us to show you the page. But in some cases, if you pretend to be browsing from a mobile device, they will display this page. So what I did was to use a Firefox extension called user agents feature. And I identified myself as a Nokia 871 phone. Once I did that I got the display page, the mobile page of the carrier. But it was just a general page because I was not authenticated, so I could not see any balance. I could not download any ringtones. I couldn't do anything.

Well, this is how -- the things where they start to get interesting. The operators, the carriers know how to charge based also on HTTP headers. So the idea was to, well, sniff all the traffic my phone does and see if there are any HTTP headers specifically with my phone number. But I failed at that. Because there weren't any HTTP headers. Then after some monitoring I found a research paper called "Privacy Leaks in Mobile Phone Internet Access" where he noticed that when someone from a mobile device was accessing his Web site, the carrier was also sending the phone number. So he did a list with all of the HTTP headers that the carrier was sending. And published it. And the carriers are no longer sending these HTTP headers.

Okay. So they are not sending the headers. But what if I inject the headers in the traffic? So I chose a couple of HTTP headers which identified the phone number. And as their value, it is the phone number in international format, so with the country code. So now I can access that mobile page of the carrier from my computer by identifying myself as a mobile device and I can also authenticate myself by injecting these HTTP headers. And what happens now? I can see anyone else's balance. I can change their subscription plan. I can reveal any other account. And stuff like this. Whatever the carrier allows me to do. And some carriers are even tying up the phone number with the bank account, so you can even see the bank details of that specific customer. But I didn't stop here.
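The server-side fix for the header-based login just described is to honour a subscriber-identifying header only when the request really arrived through the operator's own gateway, decided by the TCP peer address rather than by anything the client sends. This is an added example and not any carrier's code; the header names and the gateway address range are assumptions.

```python
# Trusted-gateway check for MSISDN-carrying HTTP headers. Added example, not any
# carrier's code. Header names and the gateway range below are assumptions.
from ipaddress import ip_address, ip_network

# Assumed names of the identity headers a gateway might add; the talk does not name them.
IDENTITY_HEADERS = ("x-msisdn", "x-up-calling-line-id")
# Constructed gateway address range (documentation prefix); in practice the real
# addresses of the operator's WAP/HTTP gateway.
TRUSTED_GATEWAYS = [ip_network("192.0.2.0/29")]

def peer_is_trusted_gateway(peer_ip: str) -> bool:
    """Trust is decided by the TCP peer address, not by X-Forwarded-For,
    which a client can set just as easily as the identity headers."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_GATEWAYS)

def sanitize_identity_headers(peer_ip: str, headers: dict) -> dict:
    """Drop subscriber-identity headers on requests that did not arrive via a
    trusted gateway, so the application never sees a client-supplied MSISDN."""
    if peer_is_trusted_gateway(peer_ip):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}

def authenticated_msisdn(peer_ip: str, headers: dict):
    """Return the MSISDN the portal may act on, or None, in which case the
    portal must fall back to a real login instead of trusting a header."""
    clean = {k.lower(): v for k, v in sanitize_identity_headers(peer_ip, headers).items()}
    for name in IDENTITY_HEADERS:
        value = clean.get(name)
        # Accept only international format (+ followed by digits), as in the talk.
        if value and value.startswith("+") and value[1:].isdigit():
            return value
    return None
```

The same principle applies to the CSD dial-in discussed next: a caller ID is presentation data the far end chooses, not proof of who is calling.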

Remember when there was a time we had to call the Internet with our phones? Well, I was surprised to see that there are still carriers who still have CSD. So think about it just like a dialup connection from your phone. So the carrier has the dial-in number. You set up a dialup connection from your phone to that number. And you're browsing the Internet with 9.6 kilobits per second, around 1 kilobyte per second, pretty good speed, right? But since it's just a phone call it also has the vulnerabilities of a phone call, which is caller ID spoofing. Now, guess what was my reaction when I first set up that connection to a Voice over IP provider which was spoofing my caller ID and then forwarding the call back to the dial-in number, and I was authenticated.

So this is just the target phone. The screen of the target phone. And also I have connected a mobile phone via Bluetooth because I want to have a GSM modem attached to my computer. So first I'm calling myself on my own number. With my own number. So this is what it means, own number. So this works. Then I'm making up the connection; as you see I'm using a pretty old Nokia phone and I'm connected to the carrier's network. What is the goal of this? It is, well, if I do the caller ID spoofing will I be authenticated like any other user and incur charges to that target account? So once I'm registering to the network, I'm going to check for my balance in order to see the initial balance and the after-attack balance. So the current balance is 6.05 euros. Next I'm going to choose something to download. And I'm choosing some image. It goes pretty slow because remember, I'm browsing with 1 kilobyte per second. So and also the call goes internationally. Okay. I am choosing some image which costs 1.99 euros. And once I click buy now, I will get a text message on the target phone. So the thing worked apparently and it says thank you for your purchase and so on. So now I'm going to check again for the balance. So previously I had 6.05 and this one cost 1.99. So now I should have 4.06 euros. And indeed I have 4.06 euros, so I was successful: just by spoofing the caller ID I was authenticated just like any other customer.

Let's talk a little bit about data traffic. Let's say you have a prepaid account. And you have some data included in your subscription. You have no more money on your account. And you have finished all your data in your subscription. What will happen? Will you still be able to have a data connection? Well, you will still be able to have a data connection. But the only page you will be able to browse would be the carrier's web page, because maybe you want to do a refill and browse again the Internet. While I had no more money in my account, then I thought, well, what would happen if I performed a DNS query. So I tried to find the IP address of Google.com and I got a reply from the DNS that my carrier was using. Okay. That works. But what happens if I use OpenDNS servers? And I also got a reply from OpenDNS servers, although I could not browse any web page, but the DNS replies worked. So then I thought of this: What if I set up a VPN server on my cable connection at home, and make that server run on port 53 UDP, which is the DNS port, and then set up the VPN connection from my phone to my server. So think about it just like a regular VPN connection. But this VPN server is listening on port 53 UDP. Guess what happens? You have free Internet.

(Applause)

>> BOGDAN ALECU: And even though I had the spend limit, now with this, the spend limit is gone. But I didn't stop here. Since I'm living near the border at home I thought, okay, what happens if I force my phone to connect to a network across the border and try the same. And it also works in roaming.

(Applause)

>> BOGDAN ALECU: So right now instead of paying $12 per megabyte I'll let you guess how much I'm paying.
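From the operator's side, the port-53 tunnel above is visible in flow records: a subscriber in the zero-balance walled garden should only exchange small amounts of UDP/53 traffic, and only with the carrier's own resolvers. The detection sketch below is an added example with constructed flow records, not the speaker's or any operator's code; the resolver addresses and the byte threshold are assumptions.

```python
# Flags walled-garden subscribers whose "DNS" traffic looks like a tunnel.
# Added example with constructed data; resolver IPs and threshold are assumed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Flow:
    msisdn: str
    dst_ip: str
    proto: str
    dst_port: int
    bytes_out: int
    bytes_in: int

# Assumed carrier resolver addresses (constructed, documentation range).
CARRIER_RESOLVERS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}
# A real lookup is a few hundred bytes; sustained volume far above that on
# UDP/53 is a tunnel, not name resolution. The threshold is an assumption.
TUNNEL_BYTES_THRESHOLD = 50_000

def suspicious_dns_flows(flows, zero_balance):
    """Return {msisdn: total_udp53_bytes} for zero-balance subscribers whose
    UDP/53 traffic goes to a non-resolver IP or exceeds the threshold."""
    totals = defaultdict(int)
    off_resolver = set()
    for f in flows:
        if f.msisdn not in zero_balance or f.proto != "udp" or f.dst_port != 53:
            continue  # only walled-garden subscribers and only UDP/53
        totals[f.msisdn] += f.bytes_out + f.bytes_in
        if ip_address(f.dst_ip) not in CARRIER_RESOLVERS:
            off_resolver.add(f.msisdn)  # port 53, but not to our resolvers
    return {m: b for m, b in totals.items()
            if m in off_resolver or b > TUNNEL_BYTES_THRESHOLD}

# Constructed flow records: one normal lookup, one tunnel to a home server on
# port 53, and one lookup from a subscriber who still has credit.
SAMPLE_FLOWS = [
    Flow("+40700000001", "192.0.2.53", "udp", 53, 80, 120),
    Flow("+40700000002", "203.0.113.10", "udp", 53, 1_500_000, 9_800_000),
    Flow("+40700000003", "203.0.113.10", "udp", 53, 90, 130),
]
```

The complementary control is the walled-garden policy itself: while the balance is zero, UDP/53 should be allowed only towards the carrier's resolvers, so an arbitrary host on port 53 is unreachable in the first place.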

(Chuckles)

>> BOGDAN ALECU: Next, the extra digit. I'm pretty sure you have here a flat rate plan with unlimited minutes inside your operator's network. So if you're from Verizon you'll have unlimited minutes in Verizon. But if you call to AT&T, for example, you will not have unlimited minutes. And you also have mobile number portability. So you can transfer your current number to a different operator. Well, let's think of this scenario: You have two mobile numbers, two phone numbers, at operator A. And you decide to transfer the second number to operator B. If you're calling now from the first number to the second number, you will be charged like calling across the network from A to B. But in some cases, if you dial the same second number but add some extra digits at the end of it, the carrier will have no idea that the number has been transferred. So you will be billed like calling inside the same A operator. And it also works the other way around. So if you have two different numbers in two different networks and you decide to transfer the second number to the A network, if you're going to call with the extra digit you will pay more because it will not know it's in the same network as yours. So on this side, it's not so good. But if you have them on different networks, then it will be even good. So let's see how that worked.

So here I have 2077 minutes inside my whole network and 58 national minutes and international minutes. So what I'm going to do, I'm going to call a regular ten-digit number, which has been transferred into the same network as mine. So it's the second case scenario where I am paying more than I should. Now I'm going to check again for my balance. Now I have 2076 minutes, so one minute has gone from the national minute plan. Now I'm going to dial the same number again but add two extra digits at the end of it. I'm going to add 1-5 at the end. I'm going to hang up. Check again for the balance. And now I should have 2075 national minutes