
Mobile networks: exploiting HTTP headers and data traffic - DefCamp 2012

Jan 19, 2015


Internet Services

Mobile networks: exploiting HTTP headers and data traffic

Bogdan ALECU


About me

• Independent security researcher

• Sysadmin

• Passionate about security, especially when it’s related to mobile devices, CISSP, CEH, CISA, CCSP

• Started with NetMonitor (thanks Cosconor), continued with VoIP and finally GSM networks / mobile phones

• @msecnet / www.m-sec.net

Bogdan Alecu December 2012


THANK YOU!

The End!

Questions?


This talk is NOT about

• SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) or anything alike

• ANY DEMO THAT WILL BE SHOWN HAS TO BE TREATED JUST LIKE AN EXAMPLE AND NOTHING MORE

• HAVE NO INTENT TO DISCREDIT ANY OF THE OPERATORS

• JUST A HEADS UP – RAISE SECURITY AWARENESS AMONG USERS, PROGRAMMERS, MOBILE OPERATORS


Mobile operators have their own WAP / WEB page for customers:

• Balance check

• Money transfer

• Download music, videos, wallpapers, etc.

• Subscribe to services (e.g. custom ringback tones)

Usually the page is available only on the mobile phone


HOWEVER…


User Agent Switcher - https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/


User Agent Switcher – impersonate the browser to pretend that you’re actually browsing from a phone

Description: NokiaE71

User Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71-1/110.07.127; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413

App Code Name: Series 60

App Name: Browser

App Version: Series60/3.1

Platform: E71

Vendor: Nokia


User Agent Switcher

• not much to do: just browse the mobile version of the site

• could be used to bypass the mobile-only data traffic plan

• no access to your subscriptions

Some sites serve application/vnd.wap.xhtml+xml content

• XHTML Mobile Profile

• https://addons.mozilla.org/en-US/firefox/addon/xhtml-mobile-profile/


How do the mobile operators know who should be charged?

• Once you connect to the Internet, the operator knows your mobile number

  - no attack here; can’t spoof the number

  - physical access to another SIM is necessary

• They use specific HTTP headers to send the number

  - used especially for 3rd party websites

  - hard to find those headers

  - can be easily attacked / changed


How do the mobile operators know who should be charged? - HTTP headers

Where are the headers coming from?

1. Your phone’s browser

2. Operator’s proxy


• Tested around 20 operators from Romania, Germany, Austria, Italy, France, Poland, United Kingdom, Brazil, Netherlands

• No user has been affected as for most of the tests I had my own SIM card

• Some tests could not be fully performed


• Discovered in January 2012

• First report in March to an affected mobile operator

• Reported to GSMA in April (later got confirmation from different operators that GSMA issued a warning)

• Most of the operators responded quickly and also fixed the vulnerability

• Informed operators and GSMA about this public disclosure


How do the mobile operators know who should be charged? - HTTP headers

How to find the headers?

1st idea:

- connect your phone to a computer and sniff the traffic

- find the header names where the phone # is stored

- headers might be specific to each carrier

- find a way to modify the value of the headers

- ATTACK!


How do the mobile operators know who should be charged? - HTTP headers

1st idea: - Result

FAIL!


How do the mobile operators know who should be charged? - HTTP headers

How to find the headers?

2nd idea:

- search the web for headers

- headers might be specific to each carrier

- find a way to modify the value of the headers

- ATTACK!


How do the mobile operators know who should be charged? - HTTP headers

How to find the headers?

2nd idea: - search the web for headers

That’s good, but there must be something more!


How do the mobile operators know who should be charged? - HTTP headers

How to find the headers?

2nd idea: - search the web for headers

Found a paper called “Privacy Leaks in Mobile Phone Internet Access” by Collin Mulliner - http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf


How do the mobile operators know who should be charged? - HTTP headers

Chosen HTTP headers:

o X-UP-CALLING-LINE-ID

o X_FH_MSISDN

o MSISDN

o X-MSISDN

o X-NOKIA-MSISDN

o M

o X_NETWORK_INFO


How do the mobile operators know who should be charged? - HTTP headers

- find a way to modify the value of the headers

Modify Headers – Firefox Extension

https://addons.mozilla.org/en-US/firefox/addon/modify-headers/


Action: Modify

Value: mobile number in E.164 format


• We have the headers

• We know how to change them

• We know how to impersonate the browser

The attack:

1. From inside of the mobile operator network

2. From outside of the mobile operator network (2 types)


1. From inside of the mobile operator network

Steps:

a) Use a GSM modem and SIM card

b) Configure the profile settings to match those of your operator

c) Connect to the Internet and change the User Agent to match a mobile phone browser

d) Inject HTTP headers with the MSISDN of the target


1. From inside of the mobile operator network

DEMO


1. From inside of the mobile operator network

• “It just works!”

• No need to know any complicated password


2. From outside of the mobile operator network (2 types)

2a) Use your own Internet connection

• Connect to the Internet and change the User Agent to match a mobile phone browser

• Inject HTTP headers with the MSISDN of the target


Things I noticed after these 2 types of attack:

• Attack works either on the operator's website, or on the 3rd party site, or both

• Some operators let you access their mobile site only if you are connected to their network, while others do not have such a restriction

• Sometimes you need to also set the proxy in order to set a different MSISDN in the HTTP headers


Things I noticed after these 2 types of attack:

• Few have implemented a unique session ID for each connection instead of the phone number

• Just one operator from the ones I tested was ignoring any additional headers sent, but there might be others that do that


2. From outside of the mobile operator network (2 types)

2b) The old-fashioned way ☺


2. From outside of the mobile operator network (2 types)

2b) The old-fashioned way ☺ aka CSD (Circuit Switched Data)


2. From outside of the mobile operator network (2 types)

2b) CSD

o Think about it like dial-up

o Since it involves actually placing a phone call, it is exposed to the same vulnerabilities as a regular call


2. From outside of the mobile operator network (2 types)

2b) CSD

o 1st idea:

- search for CSD settings

- see what can be changed

- test


2. From outside of the mobile operator network (2 types)

2b) CSD

o 1st idea:

OOPS! I need to have Data Call enabled

Changing the username to match another number did not help


2. From outside of the mobile operator network (2 types)

2b) CSD

o 2nd idea:

- spoof the caller ID

- connect to the Internet

- test


2. From outside of the mobile operator network (2 types)

2b) CSD

o 2nd idea: - spoof the caller ID

DEMO


To be noted:

• On some operators you still have to send the HTTP headers

• Sometimes there was a poor way to detect if the call was coming from their network. Easy to pass it: call first a number from the network which has call forwarding set up to the CSD number

• Not all operators have a full CSD number available (e.g. *231)


How to profit … and get caught

• Create an LLC (Limited Liability Company)

• Sign a partnership with the operators to provide 3rd party web content on their portal

• Attack different users or just subscribe them to your services (yes, you can do that without asking for any permissions)

• Profit


A few recommendations:

• Check if the web page is accessed from your network (IP)

• Do not rely solely on the Caller ID

• Implement username/password access for sensitive zones (like modifying active services)

• Send an SMS to the customer informing them that a purchase has been made, a service has been modified, etc.

• Be careful with the 3rd party content providers
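
The first recommendation, combined with the header-stripping behaviour noted for one operator, as an added example (not code from the talk or from any operator): the gateway drops every client-supplied identity header before attaching the MSISDN of the authenticated session, and the portal accepts that header only from gateway addresses. The gateway range, the single gateway-set header and the function names are assumptions.

```python
import ipaddress

# Header names listed on the "Chosen HTTP headers" slide.
IDENTITY_HEADERS = {"X-UP-CALLING-LINE-ID", "X_FH_MSISDN", "MSISDN", "X-MSISDN",
                    "X-NOKIA-MSISDN", "M", "X_NETWORK_INFO"}
# Assumption: gateway egress range (RFC 5737 documentation address space).
TRUSTED_GATEWAYS = [ipaddress.ip_network("192.0.2.0/28")]
GATEWAY_HEADER = "X-MSISDN"  # assumption: the one header the gateway sets


def _canon(name):
    # CGI-style servers fold '-' and '_' together, so compare folded names.
    return name.upper().replace("_", "-")


_BLOCKED = {_canon(h) for h in IDENTITY_HEADERS}


def gateway_sanitize(client_headers, session_msisdn):
    """Operator proxy side: drop every client-supplied identity header, then
    attach the MSISDN taken from the authenticated data session."""
    clean = [(k, v) for k, v in client_headers if _canon(k) not in _BLOCKED]
    clean.append((GATEWAY_HEADER, session_msisdn))
    return clean


def subscriber_from_request(peer_ip, headers):
    """Portal / 3rd-party side: accept the MSISDN only from a gateway address
    and only when exactly one unambiguous value is present."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_GATEWAYS):
        return None  # direct Internet client: the header is client-controlled
    values = {v.strip() for k, v in headers if _canon(k) in _BLOCKED}
    if len(values) != 1:
        return None  # missing or conflicting identity headers
    msisdn = values.pop()
    digits = msisdn.lstrip("+")
    if not (digits.isascii() and digits.isdigit() and 8 <= len(digits) <= 15):
        return None  # not an E.164-shaped number
    return msisdn
```

A `None` result means the request carries no trustworthy subscriber identity and should fall back to an explicit login, as the third recommendation suggests.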


Conclusion:

• Sometimes there might be issues in the mobile operator’s system

“Our technology does not allow unauthorized access. Occurrence of errors in billing regarding data traffic is excluded.” (Customer Support)


Conclusion:

• Depending on the destination, the cost of the attack might be higher than the revenue

• Mobile operators reacted promptly

• Unfortunately there are still issues – mostly on 3rd party services

• Check if your operator allows you to disable access to premium rate content

• Test yourself and report the issue to your operator


Data traffic vulnerability (2 types)

o You should be able to access the operator’s webpage in order to top up or view account details

… But we can exploit this


Data traffic vulnerability (2 types)

1. Set up a VPN server on port 53, UDP (DNS port)

- and connect to your server

- pass the traffic to the Internet

UNLIMITED & UNCOUNTED MOBILE DATA TRAFFIC!


Data traffic vulnerability (2 types)

2. DNS tunneling

What if:

- You had your own DNS server

- Delegate all DNS requests to your server

- Encapsulate in the reply the traffic

WAIT! THERE IS A WAY!


Data traffic vulnerability (2 types)

2. DNS tunneling

a.sub.domain.com. IN NS sub.domain.com.

sub.domain.com. IN A 79.122.100.20 (your IP)

Request: www.google.com.up.a.sub.domain.com

Answer: www.google.com.down.a.sub.domain.com IN

AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6

EsAavqHgBzH2khqsQHQjEf355jS7cT

G+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7Gdn

gGm9jpvReXX7S/2oqAIUFCn0M8=


Data traffic vulnerability (2 types)

2. DNS tunneling

- Already built solution: Iodine

http://code.kryo.se/iodine/ (for Linux, Windows, Android)
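
A resolver-side check for the tunnelling pattern described above, as an added example (not from the talk or from iodine): it groups query names per client and zone and flags zones that receive many long, high-entropy names. The thresholds, the two-label zone approximation and the sample log are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def entropy(text):
    """Shannon entropy in bits per character (0.0 for empty input)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def tunnel_suspects(queries, min_names=5, min_avg_len=24, min_entropy=3.8):
    """queries: (client_ip, qname) pairs from a resolver log.
    Returns {(client, zone): stats} for zones that look like a data channel."""
    seen = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        # Assumption: the last two labels approximate the registered zone;
        # production code would consult the Public Suffix List.
        zone = ".".join(labels[-2:])
        seen[(client, zone)].add("".join(labels[:-2]))
    suspects = {}
    for key, payloads in seen.items():
        joined = "".join(payloads)
        avg_len = len(joined) / len(payloads)
        bits = entropy(joined)
        if len(payloads) >= min_names and avg_len >= min_avg_len and bits >= min_entropy:
            suspects[key] = {"names": len(payloads), "avg_len": round(avg_len, 1),
                             "entropy": round(bits, 2)}
    return suspects


def constructed_log():
    """Constructed sample: one ordinary client and one client pushing encoded
    chunks through a delegated zone, shaped like the request on the slide."""
    log = [("10.0.0.7", host + ".example.net")
           for host in ("www", "mail", "cdn", "api", "img", "static")]
    for i in range(8):
        raw = hashlib.sha256(str(i).encode()).digest()[:20]
        chunk = base64.b32encode(raw).decode().lower()  # 32 chars, fits a label
        log.append(("10.0.0.9", chunk + ".up.a.sub.example.org"))
    return log


if __name__ == "__main__":
    print(tunnel_suspects(constructed_log()))
```

The same per-client grouping can feed billing: counting UDP/53 bytes per subscriber closes the "uncounted" gap even when the names themselves are not inspected.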


THANK YOU!

Special thanks to:

Tobias Engel

Collin Mulliner

all security guys from mobile operators
