Overview of attack vectors on mobile phones



    Below is an overview of possible attack vectors on mobile phones, without descriptions of specific techniques or actions. The goal of the post is to make clear what is dangerous and what is not, and how to protect your devices. The examples are well-known working attacks on old phone models, or methods that are already closed on almost all firmware.

    Can conversations on my mobile phone be listened to?


    Yes, they can. The signal is encrypted, but in general, once the signal has been intercepted, listening is possible. Most often this means recording the traffic and decrypting it later, i.e. not working in real time.

    Three main algorithms protect the signal: A3 for authentication and protection against cloning, A8 for service functions (key generation), and A5 for speech encryption. The most interesting part is A5: the algorithm has two versions. The first is used in countries with no restrictions on encryption technology; the second, weaker version, which takes regional requirements into account, is used in the other countries. In practice this means that in our country and in most of Europe the effort needed to search the key space is greatly reduced.

    Another weakness is that some countries use not a full 64-bit key but a variant in which the first 10 bits are replaced with zeros to comply with local requirements.

    In practice, a “suitcase” costing about $20,000 is used to listen in on a phone; it intercepts and decrypts the signal of a particular subscriber. To carry out the attack you need to be close to one of the parties to the conversation, so if a strange guy with a suitcase keeps walking behind you, think hard.

    An easier way to listen in


    Since we are talking about recovering the key, a simpler attack is possible with physical access to the SIM card. The card is placed in a reader, which makes about 140,000 queries to it; this allows the key to be recovered by differential cryptanalysis. The procedure takes about 8 hours and often trips the SIM card's protection (a limit on the number of queries). The defence is very simple: do not give your phone to strangers for more than a couple of minutes.

    Base station substitution


    Another remote attack is to set up a fake base station that does the same key-search job remotely. The process takes about 10 hours (in total; an hour a day, for example, is quite realistic). The most likely scenario is a place where there is no signal. An example of such an attack is riding in the same subway car as the subscriber for half an hour a day. The same guy with a suitcase; keep an eye on him.

    How to change a SIM card correctly


    If you want to get away from spam or something more interesting, you need to change not only the SIM card but also the phone itself. Every time you register on the operator’s network, not only the card key is transmitted but also the phone identifier. Using a new SIM card in an old phone, or an old SIM card in a new phone, in theory breaks anonymity immediately.

    Attack on the navigation module (WLAN)


    This attack is familiar to those who work in car security. Mobile terminals often use the MAC addresses of nearby access points (Wi-Fi points and base stations) to determine the device’s location. An attacker can deploy equipment that “guides” your terminal around the city by creating the required virtual stations; the ideal attack of this type makes you leave your route and “check in” wherever the attacker wants, for example when the phone is used as a navigator. In execution the attack resembles spoofing a GPS signal, but it needs far less specialised equipment.
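    The natural defence against a terminal being “guided” by fake access points is to treat network-based positioning as untrusted and cross-check it against an independent source. The following is an added example, not code from the original post: it compares a Wi-Fi-derived fix with a satellite fix and flags consecutive fixes that imply an impossible speed. The thresholds, the coordinates and the track are constructed for the example and are not taken from any real navigation stack.

```python
"""Plausibility checks for position fixes on a device that combines GNSS with
Wi-Fi/cell based positioning (added example; thresholds and samples are constructed)."""
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def fix_divergence_ok(gnss_fix, network_fix, tolerance_m=500.0):
    """Check that the network-derived fix agrees with the satellite fix.

    Returns (ok, distance_m). A large disagreement means one of the two sources
    is wrong; with fake access points in play, the network fix is the suspect."""
    distance = haversine_m(gnss_fix[0], gnss_fix[1], network_fix[0], network_fix[1])
    return distance <= tolerance_m, distance


def implausible_jumps(track, max_speed_mps=50.0):
    """Return the indexes of fixes that imply a speed above max_speed_mps.

    track is a list of (t_seconds, lat, lon). A pedestrian or car cannot move
    from one subway station to another in ten seconds, whatever the fix says."""
    bad = []
    for i in range(1, len(track)):
        t0, lat0, lon0 = track[i - 1]
        t1, lat1, lon1 = track[i]
        dt = t1 - t0
        if dt <= 0:                      # non-monotonic timestamps are suspicious too
            bad.append(i)
            continue
        if haversine_m(lat0, lon0, lat1, lon1) / dt > max_speed_mps:
            bad.append(i)
    return bad


# Constructed sample data (approximate central Berlin coordinates, chosen arbitrarily).
GNSS_FIX = (52.5200, 13.4050)
WIFI_FIX_CLOSE = (52.5205, 13.4050)    # about 55 m away: consistent
WIFI_FIX_FAR = (52.5300, 13.4050)      # about 1.1 km away: inconsistent
TRACK = [
    (0, 52.5200, 13.4050),
    (10, 52.5201, 13.4050),            # ~11 m in 10 s: walking pace
    (20, 52.5300, 13.4050),            # ~1.1 km in 10 s: impossible on foot
]

if __name__ == "__main__":
    print(fix_divergence_ok(GNSS_FIX, WIFI_FIX_CLOSE))
    print(fix_divergence_ok(GNSS_FIX, WIFI_FIX_FAR))
    print(implausible_jumps(TRACK))
```

    A navigator that applies these two checks can fall back to the satellite fix, or stop trusting the network fix altogether, when the sources disagree.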

    SMS


    A number of services allow the sender number to be replaced with an arbitrary chosen value. For example, it can be “Mom” (as if the number had been resolved from the phone’s contact book), someone else’s number, or the name of an organisation. This protocol feature leaves plenty of room for fraud and competent social engineering. In the networks of the “Big Three” operators, substituting the sender number of a message is forbidden, but because of compatibility problems with other networks such messages cannot simply be dropped outright. This is a property of the protocol, and in some mobile operators’ networks it is used as a useful feature.

    A rarer case is the flash SMS, a message that appears on the screen and is not added to the phone’s standard SMS list; network service messages, for example, sometimes arrive this way. It is harder to fake, but still feasible. Protection, as against other social engineering methods, is quite simple: think before doing what the message asks.

    Older Nokia, Siemens, Motorola and LG models are susceptible to attacks via SMS with specially crafted text. Using certain combinations of Unicode characters, many old phone models and several relatively new ones can be remotely switched off or “frozen”. A variant of this attack is the insertion of control characters into the SMS.

    Another feature: the SMS protocol allowed pictures to be displayed (somewhat reminiscent of ASCII graphics made of squares), using what we would now call a microformat. A number of phones did not check the contents of the part of the SMS that encoded the image, and the firmware could crash on unexpected sequences. Faulty handling of such messages is compounded by the fact that the phone often does not let you delete a “broken” SMS, so during an attack its memory can simply be filled up with such messages.

    A phone can be blocked by a DoS attack that sends service SMS in a special “invisible” format, that is, over the service channel on which the SMS service itself was built. An attacker can create an invisible SMS in two ways. The first is to make the text undisplayable with non-printable characters (the device cannot decode the SMS and does not show it); specifying the Russian encoding for the Chinese language, for example, is not a real case, but there are language pairs that really do “work” in this way. The second option is to manipulate WAP push. Unlike a stream of ordinary SMS, the victim may not even realise the phone is blocked, for example during negotiations, when a partner is trying to get through to send data. The only sign is that some phones turn on the backlight even when they receive a broken SMS.
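    The spoofed “Mom” sender, the flash SMS, the invisible service message and the WAP push above are all distinguishable from an ordinary text by a few header fields of the SMS PDU the baseband hands to the phone. The following is an added example, not code from the original post: it parses an SMS-DELIVER PDU and reports how the handset would treat it (type-0 messages, which are acknowledged but never displayed, are identified by protocol identifier 0x40; class-0 “flash” messages by the data coding scheme; alphanumeric originators by the type-of-number field; WAP push by the application port 2948 in the user data header). The sample PDUs are constructed for this example.

```python
"""Classify incoming SMS-DELIVER PDUs by how the handset would treat them
(added example; the sample PDUs below are constructed)."""
from dataclasses import dataclass, field
from typing import Optional

WAP_PUSH_PORT = 2948          # connectionless WSP push port used by WAP push


@dataclass
class SmsInfo:
    sender: str
    alphanumeric_sender: bool
    pid: int
    dcs: int
    has_udh: bool
    dest_port: Optional[int]
    text: Optional[str]
    flags: list = field(default_factory=list)


def _swap_bcd(octets: bytes) -> str:
    """Decode a reversed-nibble BCD phone number; 0xF is the odd-length filler."""
    digits = []
    for b in octets:
        digits.append(str(b & 0x0F))
        if b >> 4 != 0x0F:
            digits.append(str(b >> 4))
    return "".join(digits)


def _gsm7_unpack(octets: bytes, nchars: int) -> str:
    """Unpack GSM 7-bit septets (LSB first). Simplification: only the ASCII-compatible
    part of the default alphabet (letters, digits, space) is mapped; the rest is '?'."""
    bits = int.from_bytes(octets, "little")
    out = []
    for i in range(nchars):
        c = (bits >> (7 * i)) & 0x7F
        out.append(chr(c) if c == 0x20 or chr(c).isalnum() else "?")
    return "".join(out)


def parse_sms_deliver(pdu_hex: str) -> SmsInfo:
    data = bytes.fromhex(pdu_hex)
    pos = 1 + data[0]                       # skip the length-prefixed SMSC address
    first = data[pos]
    pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    has_udh = bool(first & 0x40)            # TP-UDHI: user data starts with a header

    oa_len, oa_type = data[pos], data[pos + 1]
    pos += 2
    oa_octets = (oa_len + 1) // 2
    oa_raw = data[pos:pos + oa_octets]
    pos += oa_octets
    ton = (oa_type >> 4) & 0x07             # type of number; 101 = alphanumeric
    alphanumeric = ton == 0x05
    if alphanumeric:
        sender = _gsm7_unpack(oa_raw, oa_len * 4 // 7)
    else:
        sender = ("+" if ton == 0x01 else "") + _swap_bcd(oa_raw)

    pid, dcs = data[pos], data[pos + 1]
    pos += 2 + 7                            # TP-PID, TP-DCS, then the 7-octet timestamp
    udl = data[pos]
    ud = data[pos + 1:]

    # TP-DCS (GSM 03.38): in coding group 00xx bit 4 says "class present" and bits 1-0
    # give the class; group 1111 always carries a class. Class 0 is the flash message.
    if dcs < 0x40:
        seven_bit = (dcs & 0x2C) == 0
        flash = bool(dcs & 0x10) and (dcs & 0x03) == 0
    elif dcs >= 0xF0:
        seven_bit = (dcs & 0x04) == 0
        flash = (dcs & 0x03) == 0
    else:
        seven_bit, flash = False, False     # message-waiting groups etc. not classified

    dest_port, body = None, ud
    if has_udh:
        udhl = ud[0]
        header, body = ud[1:1 + udhl], ud[1 + udhl:]
        i = 0
        while i + 2 <= len(header):
            iei, iedl = header[i], header[i + 1]
            if iei == 0x05 and iedl == 4:   # application port addressing, 16-bit ports
                dest_port = int.from_bytes(header[i + 2:i + 4], "big")
            i += 2 + iedl

    # Text is decoded only for plain 7-bit bodies; a UDH shifts the septet alignment.
    text = _gsm7_unpack(body, udl) if seven_bit and not has_udh else None

    flags = []
    if pid == 0x40:
        flags.append("type-0: acknowledged by the handset, nothing displayed")
    if flash:
        flags.append("class-0 flash: displayed immediately, not stored in the inbox")
    if alphanumeric:
        flags.append("alphanumeric originator: cannot be matched to a contact number")
    if dest_port == WAP_PUSH_PORT:
        flags.append("WAP push: delivered to the protocol stack, not to the user")
    return SmsInfo(sender, alphanumeric, pid, dcs, has_udh, dest_port, text, flags)


# Constructed samples: SMSC +31624000000, sender +31620000000 or "Mom", text "hello".
SAMPLES = {
    "plain": "07911326040000F0" "04" "0B911326000000F0" "00" "00" "21010112000000" "05" "E8329BFD06",
    "flash_from_mom": "07911326040000F0" "04" "06D0CD771B" "00" "10" "21010112000000" "05" "E8329BFD06",
    "type0": "07911326040000F0" "04" "0B911326000000F0" "40" "00" "21010112000000" "00",
    "wap_push": "07911326040000F0" "44" "0B911326000000F0" "00" "04" "21010112000000" "0B" "0605040B8423F0" "00112233",
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        info = parse_sms_deliver(pdu)
        print(name, info.sender, info.text, info.flags)
```

    Logging these flags at the point where the modem delivers a PDU is one way to notice a burst of type-0 or WAP-push messages that a user would otherwise never see.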

    Blue teeth


    Bluetooth in standard mode constantly sends beacons, which makes it possible to find a device with the radio turned on almost immediately. A hidden Bluetooth device would in theory take about 3 years to find by trying addresses one after another, but in practice it takes a matter of minutes, because manufacturers put their own identifier and the device identifier in the first and last octets of the address. A discovered phone can be attacked with a buffer overflow or with the analogue of the control-code injection described for SMS.

    The next type of attack is authenticating as a headset over Bluetooth. Although a headset is considered a read-only device, it is quite capable of initiating a call from the phone, which makes it possible to listen to an ordinary conversation in the room through the phone’s microphone.

    In some cases it goes as far as being able to pull the address book, SMS and other data stored on the phone over the “blue-tooth” channel, or, even more rarely, to perform write operations, which should please the paranoid.

    With some effort, the phone can be presented not only with a headset but also with a computer it synchronises with. An interesting feature: you can send a vCalendar in a format where the date exceeds the integer type; in older models this usually led to overwriting part of the system memory area and crashes that could only be cured by reflashing.

    The headset itself can also be the target of an attack: it contains a microphone, which is often of interest to an attacker. With a certain combination of software and hardware, you can easily present yourself to it as another phone and receive data from its microphone. True, the PIN code has to be guessed, but that is easier when there is time to search. Moreover, most headset users do not change the manufacturer’s PIN code, which also makes the attack easier.

    NFC


    NFC encryption is very reliable, and no critical vulnerabilities have been found in the protocol yet. So far, therefore, the only known attack using NFC is tag duplication. Roughly speaking, an attacker reads and copies the tag from a newspaper kiosk and then sticks it on a chocolate kiosk. The user pays for a chocolate bar and thereby sends the payment data to the device holding the cloned newspaper tag. That device passes the data on to the attacker, who gets a newspaper.

    Some firmware on the first NFC devices incorrectly parses specially crafted tags containing NDEF with obviously invalid data, which likewise leads to analogues of code injection or buffer overflow. Social engineering attacks based on the text in such tags are also possible.
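    The parsing failures described above come from trusting the lengths a tag declares. The following is an added example, not code from the original post or from any NFC stack: a bounds-checked NDEF record parser that rejects a tag whose declared payload length exceeds the bytes actually read, refuses chunked records and unknown URI prefix codes, and caps the record count, and then expands a well-known URI record. The record layout (flags byte with MB/ME/CF/SR/IL/TNF, type length, 1- or 4-byte payload length, optional ID length) and the URI prefix codes are from the NFC Forum NDEF and URI record specifications; the sample tags are constructed.

```python
"""Bounds-checked NDEF parsing of the kind a tag reader should do (added example;
the sample tags are constructed)."""
from dataclasses import dataclass

MAX_RECORDS = 16
TNF_WELL_KNOWN = 0x01
# URI identifier codes from the NFC Forum URI record type (subset shown here).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}


@dataclass
class NdefRecord:
    tnf: int
    rtype: bytes
    rid: bytes
    payload: bytes


class MalformedNdef(ValueError):
    pass


def parse_ndef(data: bytes) -> list:
    """Parse an NDEF message, checking every declared length against the buffer."""
    records, pos = [], 0
    while True:
        if len(records) >= MAX_RECORDS:
            raise MalformedNdef("too many records")
        if pos >= len(data):
            raise MalformedNdef("message ends without ME flag")
        flags = data[pos]
        mb, me, cf = bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x20)
        sr, il, tnf = bool(flags & 0x10), bool(flags & 0x08), flags & 0x07
        if (pos == 0) != mb:
            raise MalformedNdef("MB flag must be set on the first record only")
        if cf:
            raise MalformedNdef("chunked records are not accepted")
        pos += 1
        hdr_len = 1 + (1 if sr else 4) + (1 if il else 0)
        if pos + hdr_len > len(data):
            raise MalformedNdef("truncated record header")
        type_len = data[pos]
        pos += 1
        if sr:                              # short record: 1-byte payload length
            payload_len = data[pos]
            pos += 1
        else:                               # 4-byte big-endian payload length
            payload_len = int.from_bytes(data[pos:pos + 4], "big")
            pos += 4
        id_len = 0
        if il:
            id_len = data[pos]
            pos += 1
        # The check that the vulnerable firmware skipped: do the lengths fit?
        if pos + type_len + id_len + payload_len > len(data):
            raise MalformedNdef("declared lengths exceed tag contents")
        rtype = data[pos:pos + type_len]
        pos += type_len
        rid = data[pos:pos + id_len]
        pos += id_len
        payload = data[pos:pos + payload_len]
        pos += payload_len
        records.append(NdefRecord(tnf, rtype, rid, payload))
        if me:
            if pos != len(data):
                raise MalformedNdef("trailing bytes after the last record")
            return records


def decode_uri(record: NdefRecord) -> str:
    """Expand a well-known URI record ("U"); unknown prefix codes are rejected."""
    if record.tnf != TNF_WELL_KNOWN or record.rtype != b"U" or not record.payload:
        raise MalformedNdef("not a URI record")
    prefix = URI_PREFIXES.get(record.payload[0])
    if prefix is None:
        raise MalformedNdef("unknown URI prefix code")
    return prefix + record.payload[1:].decode("utf-8")


def validate_tag(data: bytes):
    """Return (True, uri) for a well-formed single URI record, else (False, reason)."""
    try:
        return True, decode_uri(parse_ndef(data)[0])
    except MalformedNdef as exc:
        return False, str(exc)


# Constructed sample tags. Header 0xD1 = MB|ME|SR, TNF well-known; type "U".
GOOD_TAG = bytes([0xD1, 0x01, 0x0C, 0x55, 0x04]) + b"example.com"          # https://example.com
BAD_LENGTH_TAG = bytes([0xD1, 0x01, 0xFF, 0x55, 0x04]) + b"example.com"    # claims 255-byte payload
BAD_LONG_TAG = bytes([0xC1, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0x55, 0x04]) + b"x"  # 4 GiB payload
NO_ME_TAG = bytes([0x91, 0x01, 0x0C, 0x55, 0x04]) + b"example.com"         # never ends
BAD_PREFIX_TAG = bytes([0xD1, 0x01, 0x0C, 0x55, 0x7F]) + b"example.com"    # unknown code

if __name__ == "__main__":
    for tag in (GOOD_TAG, BAD_LENGTH_TAG, BAD_LONG_TAG, NO_ME_TAG, BAD_PREFIX_TAG):
        print(validate_tag(tag))
```

    A reader built this way fails closed on a malformed tag; the social-engineering side (what the URI points at) still needs the user to think before acting on it.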

    The solution is to use NFC only where the tags are definitely authorised, for example in the subway. Scanning NFC tags found in back alleys is not recommended.

    Internet attacks


    This is perhaps the simplest part. The standard set applies: “do not open files from strangers”, “do not use mail without SSL when sitting in a café on open Wi-Fi” and so on. Most attacks on high-level systems involve installing software “bugs”, trojans that can take data from the camera, microphone and so on.

    Among the interesting network features: a special MMS in OMA/OTA format (the way operators deliver access point settings) can be sent to reconfigure the phone and replace its DNS server. Control over such a DNS server gives the attacker the entire history of site visits (but not the traffic).

    Key vectors 2012


    If everything above remains something close to a paranoid nightmare (expensive and hard to execute) and makes sense for an attacker only in fairly exotic cases, there is one area that causes more and more concern: mobile applications with extra “features”.

    In every mobile OS ecosystem you can find examples of working “dishonest” applications. One of the most striking is a flashlight app for Apple that, for some reason, was very busy transferring data.

    In these attack vectors, social engineering combines very well with the exploitation of various vulnerabilities in software, protocols and hardware. For example, an exploit is wrapped in a clone of a well-known application and goes on sale in the platform’s application store.

    If downloading applications can cause unpleasant feelings for private individuals, in the corporate segment it is a truly huge hole: an employee installs malware and the attacker gains access to all corporate resources through that smartphone. Given how tightly smartphones are often integrated into the business environment, such attacks cause more and more concern and become a bigger threat every month.

    The proposed solutions are to educate users (which, as we know, does not help 100%), to moderate applications (also not a 100% guarantee), to restrict sources, for example to a corporate app store only, or to install antivirus software.

    The main trend now is the development of mobile device management solutions for employees: general security policies, tight control of commercial information, proprietary application suites, prompt patching, secure media exchange and so on.

    Where can I learn more about phone security?


    There is a lot of information online (especially in English). We sometimes write in the Beeline B2B group on Facebook about local aspects of protecting phones from eavesdropping, recommendations for secure network connections and other sensible and useful things. Fair warning: unlike B2C, it is aimed at business owners and contains few technical details and a maximum of useful tips for directors. Sign your boss up, and at least he will know which is safer, Wi-Fi in a café or a 3G connection.
