MMS messaging spoof hack could have global ramifications

By Michael S. Mimoso, Editor, Information Security magazine
30 Jul 2009 | SearchSecurity.com

Against a backdrop of splashy iPhone SMS hacks demonstrated this week at Black Hat USA 2009, young researchers Zane Lackey and Luis Miras on Thursday demonstrated attacks at the annual hacker conference in which they spoofed sender numbers and exploited flaws in GSM carriers' networks to bypass the carriers in an MMS message loop.

The attack potentially leaves any mobile device that can send media files over a GSM network, anywhere in the world, vulnerable to spoofing, phishing attacks and other scams.

The researchers presented a video of the hack in action. Their demo hacking tool, running on an iPhone, sends a message to a victim purporting to be from the number 611, which is generally reserved for communication with the respective carrier's customer service department. The text message plays on the likelihood that users will follow messages from their carriers or other trusted sources. In this case, the message informs the victim that he or she has earned an account credit and asks him or her to follow a link. From there, the victim is tricked into giving up sensitive information, such as his/her username, password and more.

"People really trust phones a lot more than they trust email or anything like that," Lackey said. "If I get a text that's supposed to be from a carrier number, chances are, I'm going to believe it."

Using Lackey and Miras' application, an attacker would control the "from" field in a message, as well as the timestamp, which, for example, would enable them to backdate messages.

The key to the hack is the attacker's ability to bypass the carrier when delivering a message. Normally, MMS messages are sent by a user to their carrier's server. The carrier processes the content, resizing it if necessary or checking it for spam. The carrier then notifies the recipient's device that content is waiting. That device then contacts the carrier server and downloads the content; some phones pull content automatically, others present the user with a message and the user must click through to get the content.

In the attack, the application sends an MMS message that runs on top of SMS, Miras said, telling the target phone to pull content from the attacker's server rather than the carrier. By tricking the user's phone, the carrier protections in the cloud are bypassed.

"Notification messages are only supposed to be generated and sent by a carrier," Lackey said. "We sent our own."
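As an added illustration (not code from the researchers, the article or any carrier), the sketch below shows the checks a carrier-side monitor could apply to a decoded MMS notification to catch the three forged properties described above: a notification not generated by the carrier, a content location outside the carrier's server, and an attacker-chosen sender or timestamp. The dict keys, the `mmsc.carrier.example` host, the skew limit and the sample records are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumed values, not from the article: placeholder MMSC host, reserved short
# codes, and tolerated clock skew. Replace with the carrier's own.
CARRIER_MMSC_HOSTS = {"mmsc.carrier.example"}
RESERVED_SENDERS = {"611"}
MAX_SKEW = timedelta(minutes=10)


def check_notification(notif, received_at):
    """Return the reasons a decoded MMS notification looks forged (empty = clean).

    notif is a dict with hypothetical keys: origin ("mmsc" if the carrier's own
    server submitted it, "subscriber" otherwise), from, content_location, date.
    """
    findings = []
    if notif.get("origin") != "mmsc":
        findings.append("notification not generated by the carrier")
    host = (urlsplit(notif.get("content_location", "")).hostname or "").lower()
    if host not in CARRIER_MMSC_HOSTS:
        findings.append("content location is outside the carrier MMSC")
    if notif.get("origin") != "mmsc" and notif.get("from") in RESERVED_SENDERS:
        findings.append("reserved carrier number used as sender")
    sent = notif.get("date")
    if sent is not None and abs(received_at - sent) > MAX_SKEW:
        findings.append("timestamp differs from arrival time")
    return findings


# Constructed sample data (not captured traffic).
NOW = datetime(2009, 7, 30, 18, 0, tzinfo=timezone.utc)
LEGIT = {"origin": "mmsc", "from": "+15550100",
         "content_location": "http://mmsc.carrier.example/m/abc123",
         "date": NOW - timedelta(seconds=5)}
FORGED = {"origin": "subscriber", "from": "611",
          "content_location": "http://files.attacker.example/credit",
          "date": NOW - timedelta(days=3)}

if __name__ == "__main__":
    for name, n in (("legit", LEGIT), ("forged", FORGED)):
        print(name, check_notification(n, NOW) or "ok")
```

The host comparison is an exact match on the parsed hostname, so a lookalike such as `mmsc.carrier.example.attacker.example` is still flagged.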

Carriers AT&T and T-Mobile Inc. run GSM networks, the most popular standard for mobile networks worldwide. However, the implications aren't as widespread in the U.S., as AT&T does not currently support MMS messaging, and competitors Verizon Wireless and Sprint have networks based on the CDMA standard. The issue is likely of greater concern internationally, where GSM is the de facto standard for global wireless networks.

Lackey and Miras said they have shared their findings with a carrier, which they refused to name. They said the carrier has reached out to the GSM Alliance, which is notifying its members of the issue.

No proof-of-concept code has been released, and the two say they'll wait for carriers to patch their architectures before releasing one. They said mobile phones will not receive patches for this flaw, as the flaw resides in the carriers' networks, not on the devices. They added that carriers, meanwhile, are monitoring for attacks of this nature.
