Below is an overview of possible attack vectors on mobile phones, without descriptions of specific methods or steps. The main goal of the post is to make clear what is dangerous and what is not, and how you can protect your devices. The examples are well-known working attacks on old phone models, or attacks that have already been closed in almost all current firmware.
Can I listen to conversations on a mobile phone?
Yes, you can. The signal is encrypted, but in general, once the signal has been intercepted, eavesdropping is possible. Most often this means recording the traffic and decrypting it afterwards, i.e. the work is not done in real time.
To protect the signal, three basic algorithms are used: A3 for authentication and protection against cloning, A8 for service functions (key generation), and A5 for voice encryption. The most interesting one is A5: the algorithm comes in two versions. The first is used in countries with no restrictions on encryption technology; the second, weaker version, which takes regional regulations into account, is used in the other countries.
In practice this means that in our country and in most of Europe, the effort needed to brute-force the key drops sharply. Another vulnerability is the use of an incomplete key in some countries: nominally 64-bit, but with the first 10 bits replaced by zeros for compatibility with local requirements.
In practice, phone tapping is done with a "suitcase" costing about $20,000 that intercepts and decrypts a particular subscriber's signal. To carry out the attack you need to be close to one of the parties, so if a strange guy with a suitcase keeps walking behind you, think hard.
An easier way to listen
Since we are talking about extracting the key, a simpler attack is possible with physical access to the SIM card. The card is placed in a reader that makes about 140,000 queries to it, which allows the key to be recovered by differential cryptanalysis. The procedure takes about 8 hours and can often trigger the SIM card's protection (which limits the number of queries). The principle of protection is very simple: do not hand your phone to strangers for more than a couple of minutes.
Base station substitution
Another remote attack is to set up a fake base station that performs the same key-recovery work over the air. The process takes about 10 hours in total (an hour a day, for example, is quite realistic). The most likely scenario is to work where there is no coverage; an example is riding in the same subway car as the subscriber for half an hour a day. The same guy with the suitcase: keep an eye on him.
How to change the SIM card
If you want to escape spam or something more serious, you need to change not only the SIM card but the phone itself. The point is that every time the phone registers on the operator's network, it transmits not only the card key but also the phone's identifier. Using a new SIM card in an old phone, or an old SIM card in a new phone, in theory breaks anonymity immediately.
Attack on the navigation module (WLAN)
This attack is familiar to those who work on car security. Mobile terminals often use the MAC addresses of nearby access points (Wi-Fi points and base stations) to determine the device's location. You can set up hardware that will "drive" your terminal around the city by creating the required virtual stations; the ideal attack of this type makes the victim leave the route and drive where the attacker wants, for example when the phone is being used as a navigator. It is similar in execution to spoofing a GPS signal, but needs much less specialised equipment.
SMS
A number of services allow the sender's number to be replaced with an arbitrary value. For example, it could be "Mom" (as if the number had been resolved from the phone's contact list), someone else's number, or the name of an organisation. There are quite a few options for fraud and competent social engineering using this protocol feature. In the Big Three networks, substituting the sender's number is prohibited, but because of compatibility with other networks such messages cannot simply be dropped. This is a protocol feature, and in some mobile operators' networks it is used as a legitimate service.
A rarer case is flash SMS, a message that appears on the screen and is not added to the phone's usual SMS list: this is how network service messages sometimes arrive, for example. Faking it is harder, but still feasible. Protection, as with other social engineering methods, is quite simple: think before you do what the message asks.
Older Nokia, Siemens, Motorola and LG models are susceptible to SMS attacks with special texts. Using certain combinations of Unicode characters, you can remotely disable or "hang" many old phone models and a few relatively new ones. A variation of this attack inserts control characters into the SMS.
Another feature: the SMS protocol allowed pictures to be shown (something like ASCII art made of small squares), using what today we would call a microformat. A number of phones did not check the contents of the SMS part that encoded the picture, and the firmware could crash on unexpected sequences. Mishandling of such messages is compounded by the fact that the phone often cannot delete the "broken" SMS, so during an attack you can simply fill its memory with such messages.
You can block the phone with a DoS attack by sending service SMS in a special "invisible" format; that is, using the service channel on which the SMS service itself was built. An attacker can create an invisible SMS in two ways. The first is filling the text with non-displayable characters (the device cannot decode the SMS and does not show it): specifying the Russian encoding for Chinese text is not a real example, but there are "working" language pairs of this kind. The second is WAP-push manipulation. Unlike an ordinary SMS flood, the victim may not even know that the phone is blocked, for example during negotiations, when a partner tries to call to hand over data. The only sign is that some phones turn on the backlight when receiving even a broken SMS.
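As an added, defender-side illustration of the three SMS cases above (spoofed or alphanumeric sender ids, control characters in the body, and "invisible" messages that decode to nothing displayable), here is a screening function of the kind a messaging app or a corporate SMS gateway could run on incoming messages. This is example code written for this overview, not code from the original post or from any operator; the address book, the numeric-sender pattern and the sample messages are constructed assumptions.

```python
import re
import unicodedata

# Constructed address book (assumption): names an attacker could imitate with an alphanumeric sender id.
CONTACTS = {"Mom", "Office"}

# Unicode general categories that never belong in readable SMS text:
# Cc = control, Cf = format (zero-width, bidi overrides), Cn = unassigned,
# Co = private use, Cs = surrogate halves.
NON_DISPLAYABLE = {"Cc", "Cf", "Cn", "Co", "Cs"}
ALLOWED_CONTROL = {"\n", "\r", "\t"}   # ordinary line breaks are legitimate

# A "real" sender: digits with an optional leading '+'. Anything else is an alphanumeric
# sender id, which cannot be replied to or verified against the network (assumption: simple E.164-like check).
NUMERIC_SENDER = re.compile(r"^\+?[0-9]{3,15}$")


def suspicious_chars(text):
    """Return every character in the body that a phone cannot display."""
    return [c for c in text
            if c not in ALLOWED_CONTROL and unicodedata.category(c) in NON_DISPLAYABLE]


def screen_sms(sender, text, contacts=CONTACTS):
    """Classify one message. Returns a list of findings; an empty list means nothing odd."""
    findings = []

    bad = suspicious_chars(text)
    visible = [c for c in text if c not in bad and not c.isspace()]
    if bad and not visible:
        # Whole body is control/format characters: the "invisible SMS" case.
        findings.append("invisible: body contains only non-displayable characters")
    elif bad:
        findings.append("non-displayable characters: "
                        + " ".join(f"U+{ord(c):04X}" for c in bad[:5]))

    # U+FFFD is what a decoder emits when the declared alphabet does not match the bytes.
    undecodable = text.count("\ufffd")
    if undecodable:
        findings.append(f"{undecodable} undecodable byte(s): possible alphabet mismatch")

    if not NUMERIC_SENDER.match(sender):
        if sender in contacts:
            findings.append("alphanumeric sender id collides with an address-book name")
        else:
            findings.append("alphanumeric sender id cannot be verified or replied to")
    return findings


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("+79001234567", "See you at 5"),
        ("Mom", "Send me the code, quick"),
        ("+79001234567", "\u200b\u202e\u200e"),
        ("Bank", "Your code is 1234\u202e"),
    ]
    for sender, body in samples:
        print(sender, screen_sms(sender, body) or "ok")
```

The point of the check is that the user never sees the difference between "Mom" resolved from the address book and "Mom" written into the sender field; the gateway can, because a resolved contact is always backed by a number. For the body, the test is deliberately not a blacklist of known "killer" sequences but a whitelist of categories a phone can render, so new combinations of format characters are caught as well.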
Bluetooth
Bluetooth in standard mode constantly sends beacons, which lets you find a device with the channel enabled almost immediately. A hidden Bluetooth device would in theory take about 3 years to find by sequential queries, but in practice it takes a matter of minutes, because manufacturers encode their own identifiers and device identifiers in the first and last octets of the address. A discovered phone can then be subjected to a buffer-overflow attack or to an analogue of the control-code injection seen with SMS.
The next type of attack is headset authentication over the Bluetooth channel. Although a headset is considered a read-only device, it is quite capable of initiating a call from the phone, which leads to eavesdropping on an ordinary conversation in the room through the phone's microphone.
In some cases it goes as far as being able to freely retrieve the address book, the SMS stored on the phone and other data over the Bluetooth channel. Or, even more rarely, to perform write operations, which should please the paranoid.
With some effort, the phone can be made to accept not only a headset but also the computer it synchronises with. An interesting feature: you can send a vCalendar entry whose date exceeds the range of the integer type; on older models this usually overwrote part of the system memory area and caused failures that could only be cured by reflashing.
The headset itself can also be the target of an attack: it has a microphone, which is often of interest to an attacker. With a certain set of software and hardware, you can present yourself to it as another phone and receive data from the microphone. True, the PIN code has to be guessed, but that is easier if there is time to try. In addition, most headset users do not change the manufacturer's PIN code, which also eases the attack.
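The vCalendar case above is a classic input-validation failure: the date field was converted to an integer before anyone checked that it fit. As an added example (written for this overview, not code from the original post or from any phone firmware), here is a strict vCalendar date parser that rejects out-of-range or malformed values before they reach any conversion. The line-length cap, the supported year window and the sample calendar entries are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Fixed-width pattern for the vCalendar date-time form "YYYYMMDDTHHMMSS[Z]".
# Exactly 8 date digits and 6 time digits: an oversized number cannot even match.
_DT = re.compile(r"^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})(Z?)$")

MAX_LINE = 255                  # assumption: refuse absurdly long property lines before parsing
YEAR_MIN, YEAR_MAX = 1970, 2099  # assumption: the window the device clock is expected to represent


def parse_vcal_datetime(value):
    """Parse one DTSTART/DTEND value strictly; raise ValueError on anything off-spec."""
    m = _DT.match(value)
    if not m:
        raise ValueError(f"malformed date-time: {value!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    if not YEAR_MIN <= y <= YEAR_MAX:
        raise ValueError(f"year {y} outside supported range {YEAR_MIN}-{YEAR_MAX}")
    tz = timezone.utc if m.group(7) else None
    # datetime() itself rejects impossible calendar values such as 31 February or hour 25.
    return datetime(y, mo, d, h, mi, s, tzinfo=tz)


def validate_vcalendar(text):
    """Return the validated DTSTART/DTEND of the first VEVENT; raise ValueError otherwise."""
    dates = {}
    in_event = False
    for raw in text.splitlines():
        if len(raw) > MAX_LINE:
            raise ValueError("property line too long")
        if raw == "BEGIN:VEVENT":
            in_event = True
            continue
        if raw == "END:VEVENT":
            break
        if not in_event or ":" not in raw:
            continue
        name, _, value = raw.partition(":")
        name = name.split(";")[0].upper()   # drop property parameters such as ;TZID=...
        if name in ("DTSTART", "DTEND"):
            dates[name] = parse_vcal_datetime(value.strip())
    if "DTSTART" not in dates:
        raise ValueError("no DTSTART in VEVENT")
    return dates


def is_rejected(text):
    """True if the calendar entry would be refused before any field is acted upon."""
    try:
        validate_vcalendar(text)
        return False
    except ValueError:
        return True


# Constructed sample entries (assumption): one well-formed, two with oversized dates.
GOOD_VCAL = "\n".join([
    "BEGIN:VCALENDAR", "VERSION:1.0", "BEGIN:VEVENT", "SUMMARY:Meeting",
    "DTSTART:20120131T120000Z", "DTEND:20120131T130000Z", "END:VEVENT", "END:VCALENDAR",
])
OVERSIZED_VCAL = GOOD_VCAL.replace("20120131T120000Z", "99999999999999999T000000Z")
FAR_FUTURE_VCAL = GOOD_VCAL.replace("20120131T120000Z", "99991231T235959Z")

if __name__ == "__main__":
    print(validate_vcalendar(GOOD_VCAL))
    print("oversized rejected:", is_rejected(OVERSIZED_VCAL))
    print("far-future rejected:", is_rejected(FAR_FUTURE_VCAL))
```

Two things carry the defensive weight here: the regex is fixed-width, so a value with more digits than the field can hold is rejected as a string and never becomes a number, and the accepted year window is explicit rather than "whatever fits in an int", so the device's own assumptions about its clock are enforced at the boundary instead of being discovered later as a crash.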
NFC
NFC encryption is very reliable, and no critical vulnerabilities have been found in the protocol yet. So the only studied NFC attack so far is tag duplication. Roughly speaking, the attacker reads and copies the tag from the newspaper kiosk and sticks it on the chocolate kiosk. The user pays for a chocolate bar and thereby sends the data to the device holding the duplicate of the newspaper kiosk's tag. That device passes the data on to the attacker, who gets a newspaper.
Some firmware on the first NFC devices incorrectly parses specially crafted NDEF tags containing obviously invalid data, which also leads to code injection analogues or buffer overflows. There are also social engineering attacks based on the texts in such tags.
The solution is to use NFC only where the tags are properly authorised, for example in the metro. Scanning NFC tags in doorways is not recommended.
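The NDEF parsing problem described above comes down to trusting the length fields in a record header. As an added example (written for this overview, not code from the original post or from any NFC stack), here is a strict NDEF message parser that checks every declared length against the bytes actually present, refuses reserved and unsupported record forms, and decodes a URI record so the application can show the user the full target before opening it. The header layout and the URI prefix codes are from the NFC Forum NDEF and URI record specifications; the payload cap, the truncated prefix table (only the common codes are listed) and the sample tags are constructed assumptions.

```python
import struct

TNF_WELL_KNOWN = 0x01
TNF_RESERVED = 0x07
# NFC Forum URI record prefix codes (truncated to the common ones; assumption for this example).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
MAX_PAYLOAD = 4096   # assumption: the largest single payload the reader is willing to handle


def parse_ndef_message(data):
    """Parse an NDEF message into records, raising ValueError on any inconsistency."""
    records, pos, expect_mb = [], 0, True
    while True:
        if pos >= len(data):
            raise ValueError("message truncated: no record carries the ME flag")
        hdr = data[pos]
        pos += 1
        mb, me, cf, sr, il = (hdr >> 7) & 1, (hdr >> 6) & 1, (hdr >> 5) & 1, (hdr >> 4) & 1, (hdr >> 3) & 1
        tnf = hdr & 0x07
        if tnf == TNF_RESERVED:
            raise ValueError("reserved TNF value")
        if bool(mb) != expect_mb:
            raise ValueError("MB flag inconsistent with record position")
        if cf:
            raise ValueError("chunked records not supported")   # refuse rather than guess
        # Header fields that follow: TYPE_LENGTH, PAYLOAD_LENGTH (1 or 4 bytes), optional ID_LENGTH.
        need = 1 + (1 if sr else 4) + (1 if il else 0)
        if pos + need > len(data):
            raise ValueError("record header truncated")
        type_len = data[pos]
        pos += 1
        if sr:
            payload_len = data[pos]
            pos += 1
        else:
            payload_len = struct.unpack(">I", data[pos:pos + 4])[0]
            pos += 4
        id_len = 0
        if il:
            id_len = data[pos]
            pos += 1
        if payload_len > MAX_PAYLOAD:
            raise ValueError(f"payload length {payload_len} exceeds cap")
        total = type_len + id_len + payload_len
        if pos + total > len(data):
            # This is the check the vulnerable firmware skipped: the header promises
            # more bytes than the tag actually contains.
            raise ValueError(f"record claims {total} bytes, only {len(data) - pos} remain")
        rtype = data[pos:pos + type_len]
        pos += type_len
        rid = data[pos:pos + id_len]
        pos += id_len
        payload = data[pos:pos + payload_len]
        pos += payload_len
        records.append({"tnf": tnf, "type": rtype, "id": rid, "payload": payload})
        expect_mb = False
        if me:
            break
    if pos != len(data):
        raise ValueError("trailing bytes after the ME record")
    return records


def decode_uri_record(rec):
    """Turn a well-known 'U' record into the full URI string the user should be shown."""
    if rec["tnf"] != TNF_WELL_KNOWN or rec["type"] != b"U":
        raise ValueError("not a URI record")
    if not rec["payload"]:
        raise ValueError("empty URI payload")
    code = rec["payload"][0]
    if code not in URI_PREFIXES:
        raise ValueError(f"unknown URI prefix code 0x{code:02x}")
    return URI_PREFIXES[code] + rec["payload"][1:].decode("utf-8")


def safe_read_uri(data):
    """Return the URI on a tag, or None if the tag is malformed in any way."""
    try:
        return decode_uri_record(parse_ndef_message(data)[0])
    except (ValueError, UnicodeDecodeError, IndexError):
        return None


# Constructed sample tags (assumption). Header 0xD1 = MB|ME|SR, TNF=1; type 'U'; prefix 0x04 = "https://".
GOOD_TAG = bytes.fromhex("d1010c5504") + b"example.com"
# Same record, but PAYLOAD_LENGTH claims 255 bytes on a 16-byte tag.
BAD_LENGTH_TAG = bytes.fromhex("d101ff5504") + b"example.com"

if __name__ == "__main__":
    print("good tag ->", safe_read_uri(GOOD_TAG))
    print("bad tag  ->", safe_read_uri(BAD_LENGTH_TAG))
```

Because the decoded URI is returned rather than acted upon, the same code supports the social engineering point: a reader that displays "https://example.com" and waits for confirmation gives the user the one chance to notice that a tag in a doorway is not what its label says.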
Internet attacks
Perhaps the simplest category. The standard set applies: "do not open files from strangers", "do not use mail without SSL when sitting in a cafe on open Wi-Fi", and so on. Most attacks on the higher-level systems involve installing various software "bugs", Trojans that can capture data from the camera, the microphone and so on.
Among the interesting features of network operation: a special MMS in OMA/OTA format can be sent to reconfigure the phone (this is how access point settings arrive from operators), replacing the DNS server. Control over such a DNS server gives the whole history of visited sites (but not the traffic).
The main vectors of 2012
If everything above remains something close to paranoid nightmares (expensive and hard to carry out) and makes sense for the attacker only in quite exotic cases, there is one area that causes more and more concern: mobile apps with extra "features".
In every ecosystem built around a mobile OS you can find examples of "dishonest" applications. Among the most striking is a flashlight app for Apple devices that for some reason was very busy transferring data.
In these attack vectors, social engineering combines very well with exploiting various vulnerabilities in software, protocols and hardware. An example: an exploit is wrapped in a clone of a well-known application and put up for sale in the platform's application store.
If in the consumer segment downloading an application leads at most to unpleasant emotions, in the corporate segment it is a real, huge hole: the employee installs malware on himself, and the attacker gets access to all the corporate resources reachable from that smartphone. Given that smartphones are often very tightly integrated into the business environment, such attacks cause more and more concern, and they become more dangerous with each passing month.
The proposed solutions are to train users (which, as we know, does not help 100%), to moderate applications (also not a 100% guarantee), to restrict sources, for example to a corporate-only Market, or to install antivirus software.
The main trend now is that mobile device management solutions for employees' devices are being developed and deployed: common security policies, strict control of commercial information, in-house sets of applications, timely patches, protected media content exchanges, and so on.
Where can I find out more about phone security?
There is plenty of information online (especially in English). About the domestic specifics of protecting phones from eavesdropping, recommendations for secure network connections and other minor but useful things, we sometimes write in the Beeline B2B group on Facebook. A word of warning: unlike B2C, it is aimed at business owners and contains few technical details, with a maximum of useful tips for directors. Subscribe your boss, and at least he will know which is safer: Wi-Fi in a cafe or a 3G connection.