There are several architectural and implementation problems in mobile phone networks that can be used to force users to open malicious files, allow attackers to gain control of users’ phones and change phone settings to redirect mobile Internet traffic to a proxy controlled by the attackers.
In a presentation at the Black Hat conference in Las Vegas on Thursday, Luis Miras, and independent security researcher, and Zane Lackey of iSec Partners, demonstrated a number of techniques for taking advantage of the implementation and design problems. The pair also announced the release of a tool they called TAFT (There’s an Attack for That), which runs on jailbroken iPhones and can be used to execute several different attacks.
Several of the techniques involve sending MMS or SMS messages from spoofed addresses. In one of the scenarios, Miras and Lackey wrote a specially crafted SMS notification message that looked as if it had come from the user’s carrier. Once opened, the message then forces the user’s phone to connect the attacker’s server instead of the carrier’s server to retrieve whatever content the attackers choose.
The pair also demonstrated a technique for redirecting a victim’s mobile Internet traffic to a proxy server that they control. By sending new configuration settings over the air to a victim’s phone, Miras and Lackey are able to point the phone to a proxy that they control, creating a man-in-the-middle attack that lets them monitor all of the Internet traffic to and from the phone.
“There’s no context in mobile security. The only context you have in this case is, yes or no to the new settings,” Lackey said. “You don’t know what setting was changed.”
The problems that the pair talked about are all fundamental design problems on the carrier networks and phone platforms and not typical security vulnerabilities that can be fixed with a patch. They’ve had discussions with some carriers who run GSM networks, as well as with the GSM Alliance, about addressing the problems, and work is underway.
But, as Lackey pointed out, the larger issue is the fact that mobile phone users have very little information with which to make informed decisions when it comes to security. And an attacker can take advantage of that by spoofing the sending number of SMS messages, sending malicious files and URLs and creating messages that appear to come from the mobile phone carrier, such as voice mail notifications.
“These phones are built on the assumption that only the carrier can send things like voice mail notifications,” Lackey said.
In addition to the other SMS issues, Miras and Lackey also found a problem with a third-party MMS application for the iPhone, called SwirlyMMS, which enabled them to remotely kill an iPhone. By sending a corrupt MMS message to a jailbroken iPhone running SwirlyMMS, an attacker can kill the phone’s ability to make calls. Everything else will look normal on the phone, and even rebooting the device won’t restore the phone capability.
The issue has been fixed in a recent update to the application, they said.