Dirty use of USSD codes in cellular networks
Ravishankar Borgaonkar
Security in Telecommunications, Technische Universität Berlin
TelcoSecDay, Heidelberg, 12th March 2013
✆ USSD in mobile communication ☠ USSD network attacks ☠ Android Attacks
Agenda
USSD codes and services in mobile telephony
Attacks in USSD network infrastructure
Attacks on smartphones (end-users)
SecT / TU-Berlin 2 / 35
USSD Basics
technology - features - applications
What is USSD in mobile telephony?
a messaging service between mobile phones and an application server in the network
but data is transferred in real time as a session (no SMSC store and forward)
faster than SMS and interactive service
supported by all mobiles - feature phones to smartphones
why USSD? to increase ARPU (Average Revenue Per User)
USSD Applications
Services
Services based on USSD protocol:
interactive data services (News, Sports etc)
pre-paid phone top-up and balance queries
mobile banking and money services
access to social services such as Twitter, Facebook
Toilet thinking
Motivation stories
Airtel Money in India, really?
An interesting document
playing with NFC protocol on Android with Collin
GSM architecture
GSM cellular architecture
USSD Architecture
Architectural components:
MSC (Mobile Switching Center), VLR (Visitor Location Register)
USSD Gateway
USSD application/server
Simple Messaging Peer-Peer interface
Application Flow Example
Service Example
Mobile Banking:
Register your number with the bank
Get user id and MPIN (mobile pin)
dial USSD code to access your account
Twitter:
Register for the service by sending SMS (optional)
dial USSD codes
type username and password to access
Security in USSD services
Relies completely on the security provided by the cellular network
The biggest bank in India claims:
However in reality.. ☺ ☺
2. Attacks in USSD network infrastructure
Information needed for an attacker
USSD codes
User ID to access the service
password or MPIN
tools to access the service on behalf of victim
weaknesses of the cellular network
Issues in Cellular Networks (GSM)
No mutual authentication between mobile and base station
fake base station attacks ☺
Base station decides when to turn on encryption
Some networks do not use encryption ☺
IMSI sent when requested by base station ☺
Phishing attack
Goal: Recover user id, password, MPIN
set up a fake base station with OpenBSC
OpenBSC has basic USSD support
possible to build bank application
base station can initiate USSD communication
collect user ID, password, MPIN
drawback: attack works in 200m range
Tools to exploit -1
Using a compromised femtocell:
femtocell: a small access point, connects the mobile phone to the 3G/UMTS network
Black Hat 2012 talk by Nico, Kevin and me
compromised femtocell can be used for MiTM
set-up allows to intercept/inject messages
drawback: attacking range is 50m
→ It is difficult for the victim user to recognize this attack
Tools to exploit -2
Using OsmocomBB phone:
using a phone supported by OsmocomBB
the attack depends on the weaknesses in the cellular network
Nullcon 2011 talk "Your Phone is Your Phone But Your Calls are My Calls" by Akib Sayyed et al.
→ authentication bypass
→ by using victim's IMSI/TMSI
the same method can be used for replaying USSD messages
Issues with cellular networks
When mobile sends SMS/USSD message:
Issues with cellular networks
"Operators turn off encryption/authentication to reduce load on the base station."
3. Attacks on smartphones (Android)
USSD on smartphones
USSD (Unstructured Supplementary Service Data):
all smartphones, including feature phones, support USSD as per 3GPP standards
technically referred to as MMI (Man-Machine Interface) on the mobile device
MMI commands and format:
→ activation: *SC*SI#, deactivation: #SC*SI#
→ for more details read TS 122.030
→ Example: * 31 # <called number> SEND
Codes are usually executed via the "Call Settings" menu option
USSD on Android
Vulnerability in Android :
Dialer in Android
invoking a TEL:123 intent via any Android app puts the number 123 on the dialer to call
however, the Android dialer fails to differentiate between phone numbers and USSD codes
→ this failure allows USSD codes to be executed
affected versions: ICS, Jelly Bean and older versions too
Let's try some dirty USSD codes ☺ ☺
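An added example (not from the slides and not Android's code) of the distinction the dialer was missing: percent-decode the tel: URI first, then decide whether the payload is a plain number or an MMI code in the *SC*SI# format. The function name and action labels are assumptions; the interrogation, registration and erasure prefixes come from TS 22.030, which the slides cite, not from the slides themselves.

```python
import re
from urllib.parse import unquote

# Procedure prefixes of the MMI format from TS 22.030. The slides list only
# activation and deactivation; the other three are added here.
PROCEDURE = {"*": "activation", "#": "deactivation", "*#": "interrogation",
             "**": "registration", "##": "erasure"}
# prefix, service code (vendor codes of any length accepted), *SI fields,
# terminating '#', optional trailing number as in "*31#<called number>".
MMI = re.compile(r"(\*\*|\*#|##|\*|#)(\d+)((?:\*\d*)*)#(\+?\d*)")
PLAIN = re.compile(r"\+?\d+")

def classify_tel_uri(uri):
    """Classify a tel: URI so a handler never treats a code as a number."""
    scheme, _, rest = uri.strip().partition(":")
    if scheme.lower() != "tel":
        raise ValueError("not a tel: URI")
    # Decode before inspecting: "%23" is "#", so a check on the raw string
    # would let an encoded code through. Visual separators are dropped.
    dial = re.sub(r"[\s().-]", "", unquote(rest.split(";")[0]))
    m = MMI.fullmatch(dial)
    if m:
        prefix, sc, si, number = m.groups()
        return {"kind": "mmi", "procedure": PROCEDURE[prefix], "sc": sc,
                "si": si.split("*")[1:], "number": number,
                "action": "ask_user"}          # assumed policy: never auto-run
    if PLAIN.fullmatch(dial):
        return {"kind": "number", "dial": dial, "action": "prefill_dialer"}
    # Leftovers (unterminated codes, letters) are neither number nor code.
    return {"kind": "invalid", "dial": dial, "action": "reject"}

if __name__ == "__main__":
    # Constructed inputs; *#06# (show IMEI) and *31# are the codes on the slides.
    for sample in ("tel:+49-30-1234567", "tel:*%2306%23", "tel:*31%230301234567"):
        print(sample, "->", classify_tel_uri(sample))
```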
Affected Devices
Almost every Android device (Jelly Bean, ICS and older versions too)
Google Nexus series
HTC One series, HTC Sensation
Samsung Galaxy SI, SII, SIII
Motorola Droid series
Sony Ericsson
other vendors might be (not tested)
SIM attacks
Locking SIM card:
Every SIM card has a PIN code
however, there are only 3 valid attempts
3 wrong PINs → card gets locked and asks for the PUK code
PUK code is on smart card
Solution: SIM card works after entering PUK code..dammm..less impact :(
SIM attacks
Killing SIM card:
Instead of changing PIN code, change PUK code
10 wrong PUK codes → SIM is unusable
for this attack, it does not matter whether you set up a PIN on the SIM card or not
Solution: Go to shop and buy new SIM card. ☺
Dirty codes and methods
USSD Codes:
**05*1234545*1234*1234# - Change PIN code
*#06# - Show IMEI number
*#7780# - factory reset, different for every handset
Method: everybody loves iframes (Reasons?)
Attacking method
1. From a malicious website
visiting a link kills your SIM permanently
can be invoked via any Android app having permission to call phone
attack works in all Android devices
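An added example, not from the slides: a scanner that a web proxy or crawler could run over fetched HTML to flag tel: URIs whose decoded dial string contains * or #, separating frame sources (loaded without a click) from ordinary links. All names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# URL-carrying attributes to inspect, and whether the browser follows them
# on page load ("auto") or only after the user taps ("click").
URL_ATTRS = {("iframe", "src"): "auto", ("frame", "src"): "auto",
             ("a", "href"): "click"}

def tel_code(url):
    """Return the decoded dial string if url is a tel: URI carrying * or #."""
    scheme, sep, rest = url.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return None
    dial = unquote(rest)  # "%23" hides "#" from filters that skip decoding
    return dial if ("*" in dial or "#" in dial) else None

class TelCodeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, trigger, decoded dial string)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            trigger = URL_ATTRS.get((tag, name))
            code = tel_code(value) if trigger and value else None
            if code:
                self.findings.append((self.getpos()[0], tag, trigger, code))

def scan(html):
    scanner = TelCodeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; *#06# (show IMEI) is the harmless code on the slides.
SAMPLE = """<html><body>
<a href="tel:+49301234567">Call support</a>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
<a href="TEL:*%2306%23">Check your device</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```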
Attacking method
From QR code
QR Droid (popular barcode scanner app)
→ 10,000,000+ downloads in Google Play
it opens website directly by default
Not all barcode apps tested
attack works in all Android devices
Solution: Remove QR Droid from your phone
Attacking method
By sending a WAP Push SMS
WAP Push SMS (need a special application to send such SMS)
discovered by c0rnholio @ http://www.silentservices.de/
thanks Nico (@imnion) for informing
I extended the above attack with USSD exploit code
however, this attack works on Samsung devices only so far
Solution: Turn off "Service Loading" feature
Attacking method
From NFC tag
few NFC tag readers open URL directly by default
it was shown earlier but developers still fail to implement basics of security
works in NFC based Android devices
Wiping out Samsung phones
Samsung tragedy
there is a USSD code for factory reset settings on Samsung devices
send an SMS or a link and wipe out the device
victim can only see the show, can't stop it ;)
on Galaxy SIII, vulnerability can be exploited via NFC
Attack can be combined: Kill SIM card and wipe the phone in 3 sec
Vulnerability Impact
Mobile users:
Loss of valuable data (if there is no backup)
disconnects from the cellular network services until getting new SIM
Financial loss - buy a new SIM card
Network operators and vendors:
loss in service -> money loss for operators
issue new SIM cards if affected
cost of updating
Fixing the vulnerability
informed the involved parties
it has been patched but Android always fails in updating the devices
issues with Android devices on operator's contract
update your device
Test your Android device at: www.isk.kth.se/rb̃bo/testussd.html
thanks (in no particular order)
Jean-Pierre Seifert
Collin Mulliner
Nico Golde
the end
thank you for your attention
questions?
on tweet : @raviborgaonkar