Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications Sebastian Schrittwieser SBA Research,Vienna, Austria TelcoSecDay @ Troopers 3/20/12 Heidelberg, Germany

Jul 04, 2020

Transcript
Page 1:

Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications

Sebastian Schrittwieser

SBA Research, Vienna, Austria

TelcoSecDay @ Troopers · 3/20/12 · Heidelberg, Germany

Page 2:

Source: path.com

Page 3:

Page 4:

address book-gate

Page 5:

android.permission.READ_CONTACTS

android.permission.READ_CALENDAR

android.permission.INTERNET

Page 6:

Analyzing network traffic of smartphones

• Data flow analysis

• Security evaluation

• Example: Smartphone Messengers

Page 7:

Smartphone Messaging

• Aim at replacing traditional text messaging (SMS) and GSM/CDMA/3G calls

• Free phone calls and text messages over the Internet

• Novel authentication concept

• Phone number used as single authenticating identifier

Page 8:

(diagram: messaging over the Internet versus the telecom infrastructure)

Page 9:

Motivation

                    Traditional SMS/talk                       Messenger/VoIP apps
Protocol            proprietary                                HTTP(S), XMPP
Security            cryptographically sound authentication     application dependent, much weaker
                    (SIM card)                                 authentication (phone number, IMSI, UDID)
Users’ perception   SMS/talk                                   SMS/talk

Page 10:

Evaluation

Authentication Mechanism and Account Hijacking

Sender ID Spoofing / Message Manipulation

Unrequested SMS / phone calls

User Enumeration

Modifying Status Messages

Page 11:

Experimental Setup

• Samsung Nexus S running Android 2.3.3 and Apple iPhone 4 running iOS 4.3.3

• SSL proxy to read encrypted HTTPS traffic

• Used to understand the protocol, not for the actual attack (i.e., MITM between victim and server)!

(diagram: Phone, SSL interception, Server)

Page 12:

Certificates?

Page 13:

Page 14:

WhatsApp

WowTalk

Viber

Forfone

Tango

EasyTalk

Voypi

eBuddy XMS

HeyTell

Page 15:

WhatsApp

Paper: Guess who’s texting you? Evaluating the Security of Smartphone Messaging Applications. Schrittwieser, S., Frühwirt, P., Kieseberg, P., Leithner, M., Mulazzani, M., Huber, M., Weippl, E., NDSS 2012

Page 16:

WhatsApp

• Instant Messaging

• Status messages

• 23+ million users worldwide (estimation)

• > 1 billion messages per day

• Clients available for Android, iOS, Symbian and Blackberry

Page 17:

Page 18:

Page 19:

Page 20:

Authentication in WhatsApp

(diagram: Phone, Server, SMS Proxy)

1. (HTTPS): Phone number

2. (SMS): Code, delivered via the SMS Proxy

3. (HTTPS): Code

Page 21:

Page 22:

Attack against authentication

(diagram: Attacker Phone, Proxy, Server, SMS Proxy, Target Phone; the proxy sits between the attacker’s phone and the server and sees the code)

1. (HTTPS): Code + Number

2. (SMS): Code, delivered via the SMS Proxy to the Target Phone

Page 23:

Attack against authentication

• Intercepting the connection between the server and the attacker’s phone

• The victim’s phone isn’t involved in the attack at all

• Similar attacks successful in 6 out of 9 tested applications

Page 24:

WowTalk

(diagram: Attacker Phone, Server, SMS Proxy, Target Phone)

1. (HTTPS): Request

2a. (SMS): PIN, delivered via the SMS Proxy to the Target Phone

2b. (HTTPS): PIN

Page 25:

Free SMS (WhatsApp)

• Authentication code in HTTPS request can be replaced with arbitrary text

• No server-side validation (command injection?)

• Forwarded to SMS proxy and sent via SMS

• Can be misused for sending free SMS
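As an added example (written for this transcript, not code from the talk or from any of the applications), a minimal Python registration server that closes the gaps pages 20 to 25 describe: the code is generated and checked only on the server, it is never returned in the HTTPS response, the phone number is validated before anything is handed to the SMS proxy, and the SMS text is a fixed template so no client-supplied text can be forwarded. The code lifetime, the attempt limit and the send_sms callback are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time

E164 = re.compile(r"^\+[1-9]\d{6,14}$")   # well-formed international number
CODE_TTL = 300        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3      # wrong guesses before the code is discarded (assumed policy)


def is_valid_number(phone: str) -> bool:
    """Input validation: only a well-formed number may reach the SMS proxy."""
    return bool(E164.match(phone))


class RegistrationServer:
    """Number verification where the server, not the client, owns the code."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, text): stand-in for the SMS proxy
        self._clock = clock
        self._pending = {}          # phone -> [code_hash, expires_at, attempts]

    def request_code(self, phone: str) -> None:
        if not is_valid_number(phone):
            raise ValueError("malformed phone number")
        code = f"{secrets.randbelow(10**6):06d}"        # generated server-side
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[phone] = [digest, self._clock() + CODE_TTL, 0]
        # Fixed template: no client-supplied text ever reaches the SMS channel.
        self._send_sms(phone, f"Your verification code is {code}")
        # Nothing is returned on purpose: the code must only arrive via SMS.

    def confirm(self, phone: str, code: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[phone]
            return False
        entry[2] += 1
        submitted = hashlib.sha256(code.encode()).hexdigest()
        ok = hmac.compare_digest(digest, submitted)
        if ok:
            del self._pending[phone]   # single use
        return ok
```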

Page 26:

Status Messages

Page 27:

Page 29:

Sender ID spoofing

• Example: Forfone

• Messages are authenticated by IMSI (Android) or UDID (iOS)

• Both numbers can be accessed by 3rd party applications

• Voypi: no authentication at all

Page 30:

User Enumeration

• Applications upload the user’s address book to the server

• Server compares the contained phone numbers to already registered phone numbers

• Server returns a subset list containing only phone numbers that are registered

• Entire user base enumeration?

Page 31:

User Enumeration

• US area code 619 (Southern San Diego)

• Number range: +1 (619) XXXXXXX

• 10 million possible phone numbers

• WhatsApp returned a subset containing 21.095 (active) phone numbers

Page 32:

(examples of user status messages)

On vacation

Sleeping

9420-5794-3731-1793-7083

Nicaragua in 4 days!!

Heartbroken

Missing my love!

At work ... Bleh.

On my way to Ireland!

I’m never drinking again

Page 33:

Page 34:

User Enumeration

• Entire Austria (population: 8.3 million)

• 4 carriers, 12.3 million SIM cards

• Uploaded entire number range in chunks of 5000 numbers each

• Server returned 182.793 WhatsApp users (phone number + status message) in less than 5 hours
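Added example, not from the talk or the paper: server-side detection of the enumeration pattern on pages 30 to 34, in Python. A sliding-window counter tracks how many phone numbers each account has submitted for matching and flags accounts that exceed a budget; the log format, the 24-hour window and the 10,000-number budget are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy, not from the talk: a real address book is small, so one account
# asking the server to match more numbers than this per window is suspicious.
WINDOW = timedelta(hours=24)
BUDGET = 10_000


class ContactSyncMonitor:
    """Sliding-window count of phone numbers each account has submitted for matching."""

    def __init__(self, window=WINDOW, budget=BUDGET):
        self.window, self.budget = window, budget
        self._events = defaultdict(deque)   # account -> deque of (timestamp, count)
        self._totals = defaultdict(int)

    def record(self, account: str, count: int, ts: datetime) -> bool:
        # Register one upload; True means the account is now over budget.
        q = self._events[account]
        q.append((ts, count))
        self._totals[account] += count
        while q and ts - q[0][0] > self.window:   # expire old uploads
            _, old = q.popleft()
            self._totals[account] -= old
        return self._totals[account] > self.budget


def parse_line(line: str):
    # Constructed log format: "<ISO timestamp> sync account=<id> uploaded=<n>"
    ts_s, _, acct, up = line.split()
    return datetime.fromisoformat(ts_s), acct.split("=", 1)[1], int(up.split("=", 1)[1])


def flagged_accounts(lines):
    """Accounts whose matching volume exceeded the budget anywhere in the log."""
    monitor = ContactSyncMonitor()
    flagged = set()
    for line in lines:
        ts, acct, count = parse_line(line)
        if monitor.record(acct, count, ts):
            flagged.add(acct)
    return flagged


# Constructed sample log: u17 syncs a normal address book twice; u42 submits
# 5000-number chunks back to back, the pattern the talk describes.
SAMPLE_LOG = [
    "2011-09-14T10:00:00 sync account=u17 uploaded=312",
    "2011-09-14T10:00:05 sync account=u42 uploaded=5000",
    "2011-09-14T10:00:11 sync account=u42 uploaded=5000",
    "2011-09-14T10:00:17 sync account=u42 uploaded=5000",
    "2011-09-15T12:00:00 sync account=u17 uploaded=290",
]
```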

Page 35:

Results

Application   Account Hijacking   Spoofing/Manipulation   Unrequested SMS   Enumeration   Other Vulnerabilities
WhatsApp      yes                 no                      yes               yes           yes
Viber         no                  no                      yes               yes           no
eBuddy XMS    no                  no                      yes               yes           no
Tango         yes                 no                      yes               yes           no
Voypi         yes                 yes                     yes               yes           yes
Forfone       no                  yes                     yes               yes           no
HeyTell       yes                 no                      no                limited       no
EasyTalk      yes                 no                      yes               yes           no
Wowtalk       yes                 no                      yes               yes           yes

Page 36:

Responsible Disclosure

• Research between spring and fall 2011

• Vendors notified in November 2011

• Vulnerabilities weren’t made public until NDSS

• WhatsApp fixed some vulnerabilities:

  • Account hijacking & free SMS

  • (Modifying status messages)

Page 37:

Conclusions

• 6 out of 9 tested applications have broken authentication mechanisms

• Many other vulnerabilities

• All identified flaws stem from well-known software design and implementation errors

  • Trusting the client

  • No input validation

  • No/weak authentication mechanisms

Page 38:

Conclusions

• SSL interception is an easy way for doing data flow analysis in smartphone applications

• Cannot detect well-hidden data leakage

  • Steganography

  • Additional encryption layer on top of SSL

• ... but can help to understand and evaluate software