An interesting discussion presenting various points of view on the
feasibility of this kind of attack...
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 27 Nov 2006 08:21:31 -0500
> From: "Dude VanWinkle" <dudevanwinkle@xxxxxxxxx>
> Subject: [Dailydave] Seeking more info on: Devastating mobile attack
> under spotlight
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID:
> <e024ccca0611270521x17f8e978o5b0e909c2418752b@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi Guys,
>
> I am looking for some opinions or more info on this SMS reprogramming
> attack. If anyone has any more info I would appreciate it.
>
>
> from: http://www.techworld.com/mobility/news/index.cfm?newsid=7425
>
> Mobility & Wireless News
>
> 24 November 2006
> Devastating mobile attack under spotlight
>
> By Peter Judge, Techworld
>
> All mobile phones may be open to a simple but devastating attack that
> enables a third-party to eavesdrop on any phone conversation, receive
> any and all SMS messages, and download the phone's address book.
>
> The attack, outlined by a German security expert, would amount to the
> largest ever breach of privacy for billions of mobile phone users
> across the world. But it remains uncertain exactly how easy and how
> widespread the problem could be thanks to a concerted effort by mobile
> operators to muddy the issue while they assess its extent.
>
> The official response of the mobile phone operators when asked about
> the threat is that the attack is phoney. But despite three days of
> inquiries by Techworld, none have provided any evidence that there is
> an adequate defence to it. One operator told us all its security
> experts were at a meeting in Denmark, although, oddly for mobile
> company employees, they were also incommunicado.
>
> Wilfried Hafner of SecurStar claims he can reprogram a phone using a
> "service SMS" or "binary SMS" message, similar to those used by the
> phone operators to update software on the phone. He demonstrated a
> Trojan which appears to use this method at the Systems show in Munich
> last month - a performance which can be seen in a German-language
> video.
> Phone operators use SMS messages to make changes to their customers'
> phone without user intervention. These changes can vary from small
> tweaks to an overhaul of the phone's internal systems. Hafner claims
> however that phones do not check the source of such messages and
> verify whether they are legitimate, so by sending a bogus message he
> is able to pose as a mobile operator and re-program people's mobiles
> to do what he wants.
>
> "I found this on a very old Siemens C45 phone, and then tried it on a
> Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of
> them authenticated the sender of the service SMS. We could not believe
> no one had found this possibility before us."
>
> On all these phones, Hafner was able to launch an example Trojan
> called "Rexspy", which he says ran undetected. Rexspy copies all SMS
> messages to the attacker, and allows the attacker to eavesdrop on any
> phone conversation by instructing the phone to silently conference the
> attacker into every call.
>
> However, Hafner's demonstration does not constitute proof - it was
> done with his own phones, which could have been prepared. Known
> software such as Flexispy does the same job as Rexspy, but has to be
> installed manually on a phone. Hafner has also refused to provide
> Techworld with a demonstration, claiming that he does not want the
> code put into the wild. Hafner has also put out a press release about
> his alleged discovery which heavily pushes his company's products.
>
>
> -snip-
>
>
>
> -JP<who has been wanting to check in on his ex for a while ;-)>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 27 Nov 2006 16:44:07 +0100 (CET)
> From: Paul Wouters <paul@xxxxxxxxxxxxx>
> Subject: Re: [Dailydave] Seeking more info on: Devastating mobile
> attack under spotlight
> To: Dude VanWinkle <dudevanwinkle@xxxxxxxxx>
> Cc: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <Pine.LNX.4.64.0611271616580.27487@xxxxxxxxxxxxxxxxx>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Mon, 27 Nov 2006, Dude VanWinkle wrote:
>
> > All mobile phones may be open to a simple but devastating attack that
> > enables a third-party to eavesdrop on any phone conversation, receive
> > any and all SMS messages, and download the phone's address book.
>
> > Wilfried Hafner of SecurStar claims he can reprogram a phone using a
> > "service SMS" or "binary SMS" message, similar to those used by the
> > phone operators to update software on the phone. He demonstrated a
> > Trojan which appears to use this method at the Systems show in Munich
> > last month - a performance which can be seen in a German-language
> > video.
>
> These must be referencing two things. Writing a Trojan in under 160
> characters would be more impressive than Slammer's 1 UDP packet hack
> (which only fit in 1 UDP packet because it called a bunch of Windows
> DLL functions)
>
> > Phone operators use SMS messages to make changes to their customers'
> > phone without user intervention. These changes can vary from small
> > tweaks to an overhaul of the phone's internal systems.
>
> I thought those messages only set some phone numbers, such as the
> SMS center, preference of roaming providers, etc. That's not an
> "overhaul".
>
> > however that phones do not check the source of such messages and
> > verify whether they are legitimate, so by sending a bogus message he
> > is able to pose as a mobile operator and re-program people's mobiles
> > to do what he wants.
>
> This part I can believe.
>
> > "I found this on a very old Siemens C45 phone, and then tried it on a
> > Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of
> > them authenticated the sender of the service SMS. We could not believe
> > no one had found this possibility before us."
>
> This is becoming harder to believe. The C45 is an ancient phone, and
> has no real OS environment like modern smartphones/winphones/pdaphones.
> The qtek (I think it is based on the HTC/XDA hardware) runs windows ce, so
> sure. And the Nokia E90 is still in the rumor phase and not even listed
> on the nokia website. But most nokia's run Symbian as OS. So I doubt all
> these OS'es would have the same exploit. Which means the exploit would
> have to be in the Baseband Processor code (BP) and not the Application
> Processor code (AP). Usually phones have a dual chip design, one is
> completely sealed off (and FCC approved) and controls the radio and runs
> a realtime OS. It exports the radio functionality via some kind of serial
> connection to the other processor, which actually runs your phone OS.
>
> Now if the exploit is in the BP, per definition it is hidden from the user.
> And I can see how multiple phones could use the same realtime OS setup
> and be vulnerable. And how the OS on the AP can not prevent this.
>
> > On all these phones, Hafner was able to launch an example Trojan
> > called "Rexspy", which he says ran undetected. Rexspy copies all SMS
> > messages to the attacker, and allows the attacker to eavesdrop on any
> > phone conversation by instructing the phone to silently conference the
> > attacker into every call.
>
> This would have to be the BP's realtime OS then. Running some rogue program
> on the BP by sending one or more SMSes that then talk to the AP to get
> access to things like the phone book and message store seems unlikely.
> One other option is that he only gained access to the SIM card memory on
> the AP (still an amazing feat), but no one uses it these days to store
> messages or phone numbers on it. There is just not enough storage in there.
>
> Doing an unnoticeable call would also be a very interesting hack.
>
> > However, Hafner's demonstration does not constitute proof - it was
> > done with his own phones, which could have been prepared. Known
> > software such as Flexispy does the same job as Rexspy, but has to be
> > installed manually on a phone. Hafner has also refused to provide
> > Techworld with a demonstration, claiming that he does not want the
> > code put into the wild. Hafner has also put out a press
> release about
> > his alleged discovery which heavily pushes his company's products.
>
> Yeah. I'm sceptical until I see more.
>
> Paul
>
> ------------------------------
>
> Message: 5
> Date: Mon, 27 Nov 2006 18:31:51 +0100
> From: Robert Clark <Robert.Clark@xxxxxxx>
> Subject: Re: [Dailydave] Seeking more info on: Devastating mobile
> attack under spotlight
> To: Paul Wouters <paul@xxxxxxxxxxxxx>
> Cc: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <456B2107.2010409@xxxxxxx>
> Keywords: CERN SpamKiller Note: -52 Charset: west-latin
> Content-Type: text/plain; charset=ISO-8859-1
>
>
> Paul Wouters wrote:
>
> >> Phone operators use SMS messages to make changes to their customers'
> >> phone without user intervention. These changes can vary from small
> >> tweaks to an overhaul of the phone's internal systems.
> >
> > I thought those messages only set some phone numbers, such as the
> > SMS center, preference of roaming providers, etc. That's not an
> > "overhaul".
>
> Whilst not an "overhaul", is it not feasible that changing these
> settings could be extremely useful to a would-be attacker?
>
> A MiTM on SMS using a change to the message centre number, for
> example...
>
> --
> /**
> * Robert Clark
> * Technical Student ALICE/DAQ
> * Software Engineer CERN PH/AID
> * Phone: (+41) (0)22 767 8338
> */
>
>
> ------------------------------
>
> Message: 8
> Date: Mon, 27 Nov 2006 19:05:39 +0100
> From: Nicolas RUFF <nruff@xxxxxxxxxxxxxxxxx>
> Subject: Re: [Dailydave] Seeking more info on: Devastating mobile
> attack under spotlight
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <456B28F3.1020609@xxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=windows-1252
>
> > I am looking for some opinions or more info on this SMS reprogramming
> > attack. If anyone has any more info I would appreciate it.
>
> Unfortunately, I feel this could be true. I am no SIM card expert, but
> from what I've read in various books[*]:
>
> - Modern SIM cards are JavaCards, meaning that they embed Java applets.
> This is totally unrelated to the phone capabilities (i.e. your phone
> does not have to be able to run Java applets).
>
> And the upcoming MegaSIMs do have AES-encryption and 1 GB of Flash
> memory: they are full-fledged computer systems.
> http://www.m-systems.com/site/en-US/Products/MegaSIM/MegaSIM
>
> - "Over The Air" (OTA) update of Java applets is possible. There is a
> "secret" password which for some manufacturers is the same across the
> whole product line.
> http://www.gemplus.com/techno/ota/
>
> - The message does not have to fit a single SMS - if it is over 160
> bytes it will be split in multiple messages.
>
> - The SIM card has some sort of "boot" capability, meaning that it can
> dynamically modify the phone configuration at boot time (e.g. add some
> service icons).
>
> At the end, I would take this very seriously...
>
> [*] Some readings on SIM cards for French eyes only:
> http://www.dunod.com/pages/ouvrages/ficheauteurs.asp?id=44685&auteur=5187
>
> Regards,
> - Nicolas RUFF
>
>
> ------------------------------
>
> Message: 9
> Date: Mon, 27 Nov 2006 18:43:21 -0000
> From: "Dave Korn" <dave.korn@xxxxxxxxxx>
> Subject: Re: [Dailydave] Seeking more info on: Devastating mobile
> attack under spotlight
> To: "'Paul Wouters'" <paul@xxxxxxxxxxxxx>, "'Dude VanWinkle'"
> <dudevanwinkle@xxxxxxxxx>
> Cc: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <00d301c71253$e9863220$a501a8c0@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="US-ASCII"
>
> On 27 November 2006 15:44, Paul Wouters wrote:
>
> > On Mon, 27 Nov 2006, Dude VanWinkle wrote:
> >
> >> All mobile phones may be open to a simple but devastating attack that
> >> enables a third-party to eavesdrop on any phone conversation, receive
> >> any and all SMS messages, and download the phone's address book.
> >
> >> Wilfried Hafner of SecurStar claims he can reprogram a phone using a
> >> "service SMS" or "binary SMS" message, similar to those used by the
> >> phone operators to update software on the phone. He demonstrated a
> >> Trojan which appears to use this method at the Systems show in Munich
> >> last month - a performance which can be seen in a German-language
> >> video.
> >
> > These must be referencing two things. Writing a Trojan in under 160
> > characters would be more impressive than Slammer's 1 UDP packet hack
> > (which only fit in 1 UDP packet because it called a bunch of Windows
> > DLL functions)
>
> I suppose you also think that ringtones, logos, screensavers and
> downloadable java games have to fit in 160 chars, yes?
>
> Look up WAP PUSH sms. I suspect the only thing missing from the description
> is some kind of user-interaction, but see also immediate-vs-deferred delivery;
> perhaps that can be leveraged somehow.
>
> http://en.wikipedia.org/wiki/Multimedia_Messaging_Service
>
> > I thought those messages only set some phone numbers, such as the
> > SMS center, preference of roaming providers, etc. That's not an
> > "overhaul".
>
> Did you think this based on reading documentation and looking up standards,
> or are you guessing?
>
> > on the nokia website. But most nokia's run Symbian as OS. So I doubt all
> > these OS'es would have the same exploit.
>
> It is the incorrect assumption you have made here ...
>
> > Which means the exploit would
> > have to be in the Baseband Processor code (BP) and not the Application
> > Processor code (AP).
>
> ... which leads you to the false inference here ...
>
> > This would have to be the BP's realtime OS then. Running some rogue program
> > on the BP by sending one or more SMSes that then talk to the AP to get
> > access to things like the phone book and message store seems unlikely.
> > One other option is that he only gained access to the SIM card memory on
> > the AP (still an amazing feat), but no one uses it these days to store
> > messages or phone numbers on it. There is just not enough storage in there.
>
> ... which leads you to misidentify a non-problem here ...
>
> > Yeah. I'm sceptical until I see more.
>
> ... which leads to your expression of scepticism here. You're thinking in too
> limited terms: not every "exploit" is a buffer overflow. In this case, I
> reckon the exploit consists in leveraging the SMS/MMS functionality defined by
> the relevant specs in order to get some java program to download and run
> without it being obvious what is happening, and perhaps without any
> user-interaction at all. If the vulnerability is in the specification, any
> compliant phone would be vulnerable.
>
> The actual trojan itself is nothing new: I watched the video, and although I
> don't speak German I caught numerous references to "FlexiSPY". Look it up;
> all that you need is a way of tricking a phone to auto-install it. The video
> itself doesn't (as far as I could tell) show the actual infection process.
>
> Those who would like to do some research, as opposed to speculating, could
> start by googling "binary sms" (with the quotes, for an exact phrase match);
> you get lots of interesting-looking documentation for sms gateway/servers.
> From the list of hits,
>
> http://www.ozeki.hu/index.php?owpn=488
>
> shows a list of (some?all?) different sms types.
>
> cheers,
> DaveK
> --
> Can't think of a witty .sigline today....
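To make the message types argued about in Nicolas Ruff's and Dave Korn's replies concrete (SIM OTA data download, messages split across several SMS, and WAP push carried in a binary SMS), here is an added classifier that is not part of the digest and is nobody's code from the thread: it parses the SMS User Data Header and reports which category a message belongs to, so a gateway or handset log can be screened for binary, port-addressed and SIM-bound traffic. The IEI numbers, the class-2/PID 0x7F routing rule and WDP port 2948 come from GSM 03.40 / 03.48 and the WAP WDP specification; the two sample headers are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
WAP_PUSH_PORT = 2948          # WDP destination port used by WAP push (0x0B84)
SIM_DATA_DOWNLOAD_PID = 0x7F  # TP-PID that routes the message to the (U)SIM

@dataclass
class SmsInfo:
    kind: str                                       # text | binary | port_addressed | wap_push | sim_data_download
    dest_port: Optional[int] = None
    concat: Optional[Tuple[int, int, int]] = None   # (reference, total parts, sequence number)

def parse_udh(user_data: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split the User Data Header into (IEI, data) pairs; return them with the payload."""
    udhl = user_data[0]
    if udhl + 1 > len(user_data):
        raise ValueError("UDH length exceeds user data")
    hdr, payload = user_data[1:1 + udhl], user_data[1 + udhl:]
    ies, i = [], 0
    while i < len(hdr):
        if i + 2 > len(hdr) or i + 2 + hdr[i + 1] > len(hdr):
            raise ValueError("truncated information element")
        ies.append((hdr[i], hdr[i + 2:i + 2 + hdr[i + 1]]))
        i += 2 + hdr[i + 1]
    return ies, payload

def classify(pid: int, dcs: int, udhi: bool, user_data: bytes) -> SmsInfo:
    """Tell plain text apart from binary, port-addressed, WAP push and SIM OTA messages."""
    info = SmsInfo(kind="text")
    if pid == SIM_DATA_DOWNLOAD_PID and (dcs & 0x13) == 0x12:  # class 2 + PID 0x7F: SIM data download
        info.kind = "sim_data_download"
    elif (dcs & 0x0C) == 0x04:                                  # 8-bit data coding: binary payload
        info.kind = "binary"
    if udhi:                                                    # TP-UDHI set: a header precedes the payload
        for iei, data in parse_udh(user_data)[0]:
            if iei == 0x00 and len(data) == 3:       # concatenation, 8-bit reference
                info.concat = (data[0], data[1], data[2])
            elif iei == 0x08 and len(data) == 4:     # concatenation, 16-bit reference
                info.concat = (int.from_bytes(data[:2], "big"), data[2], data[3])
            elif iei == 0x04 and len(data) == 2:     # application port addressing, 8-bit
                info.dest_port = data[0]
            elif iei == 0x05 and len(data) == 4:     # application port addressing, 16-bit
                info.dest_port = int.from_bytes(data[:2], "big")
        if info.dest_port == WAP_PUSH_PORT:
            info.kind = "wap_push"
        elif info.dest_port is not None:
            info.kind = "port_addressed"
    return info

# Constructed samples: a WAP push header (dest port 2948, orig port 9200) and part 1 of 3 of a SIM OTA message.
WAP_PUSH_SAMPLE = bytes([0x06, 0x05, 0x04, 0x0B, 0x84, 0x23, 0xF0]) + b"\x01\x06\x03\xae"
SIM_OTA_SAMPLE = bytes([0x05, 0x00, 0x03, 0x2A, 0x03, 0x01]) + b"\x00\x28\x15"
```

A malformed header (UDHL longer than the user data, or an element running past the header) raises ValueError rather than being silently classified as text.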
>
>
>
> ------------------------------
>
> _______________________________________________
> Dailydave mailing list
> Dailydave@xxxxxxxxxxxxxxxxxxxxx
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>
> End of Dailydave Digest, Vol 16, Issue 16
> *****************************************
>