Monday, April 20, 2009

Hijacking Mobile Data Connections, BlackHat

Italian security researchers presented a nice demo showing how they hijacked a mobile data connection simply by sending a phone a fake binary configuration message that pretends to come from the carrier. If the recipient accepts the message (which almost anyone normally would), a new access point is created on the phone with a malicious DNS server IP and possibly an HTTP proxy IP as well. This allows the attackers to monitor all data connections from that phone.

The attack does not rely on a single vulnerability in a single element, but exploits several elements:
- User trust: the user receives a spoofed SMS that appears to be from the carrier.
- Many devices do not give the user sufficient information about the configuration being changed.
- Use of an external DNS service from within the mobile network, if enabled.
- An HTTP proxy parameter pointing to an external address.

Countermeasures:
- Proper filtering of OMA provisioning messages.
- Blocking access to external DNS servers from mobile devices. However, this could lead to a DoS attack: if an attacker manages to change the DNS settings of a mobile phone, that phone will have no access to the Internet.
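
One way to implement the provisioning-message filter listed above, as an added example that is not from the original post or the researchers' talk. It assumes the message has already been decoded from WBXML into OMA Client Provisioning XML; the carrier address range, the function names and both sample documents are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: the ranges the carrier really uses for its DNS servers and proxies.
CARRIER_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# OMA CP parameters that redirect traffic: DNS server (NAPDEF) and proxy (PXPHYSICAL).
WATCHED = {"DNS-ADDR", "PXADDR"}

# Constructed sample of a spoofed provisioning document (documentation addresses).
SAMPLE_SPOOFED = """<wap-provisioningdoc>
  <characteristic type="NAPDEF">
    <parm name="NAME" value="Carrier Internet"/>
    <parm name="NAP-ADDRESS" value="internet"/>
    <parm name="DNS-ADDR" value="203.0.113.53"/>
  </characteristic>
  <characteristic type="PXLOGICAL">
    <characteristic type="PXPHYSICAL">
      <parm name="PXADDR" value="203.0.113.80"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

# Constructed sample of a legitimate document: same shape, carrier-internal addresses.
SAMPLE_LEGIT = (SAMPLE_SPOOFED.replace("203.0.113.53", "10.20.0.53")
                              .replace("203.0.113.80", "10.20.1.80"))

def external_settings(doc_xml):
    """Return (parm name, value) pairs that point outside CARRIER_NETS."""
    findings = []
    for parm in ET.fromstring(doc_xml).iter("parm"):
        name, value = parm.get("name"), parm.get("value", "")
        if name not in WATCHED:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            # Hostname or malformed value: cannot be verified, so flag it.
            findings.append((name, value))
            continue
        if not any(addr in net for net in CARRIER_NETS):
            findings.append((name, value))
    return findings

def should_block(doc_xml):
    """Drop the message if any DNS or proxy setting leaves the carrier ranges."""
    return bool(external_settings(doc_xml))
```

Filtering at this point rejects the spoofed settings before they reach the handset, so it does not have the loss-of-connectivity side effect described for the DNS-blocking countermeasure.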
