4G Security: Capturing USB Modem and SIM Card Using SMS / Positive Technologies Blog / Sudo Null IT News
Telecom operators are actively promoting fast and cheap 4G communications. But only a few know how well protected it is. While researching the security of 4G communications, Positive Technologies experts found vulnerabilities in USB modems that allow taking control of the computer to which the modem is connected, as well as of the subscriber's account on the mobile operator's portal. In addition, attacks on the SIM card using binary SMS allow you to intercept and decrypt the subscriber's traffic, or simply block the specified SIM card.
Reports on the results of the study were presented in November at the ZeroNights conference in Moscow (Kirill Nesterov, Alexey Osipov, Timur Yunusov) and the PacSec conference in Tokyo (Sergey Gordeychik, Alexander Zaitsev). In this publication, we summarize the main ideas of the study, which also involved Dmitry Sklyarov, Gleb Gritsay, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov.
A couple of words about the objectives of this work. It is not just about the security of fashionable smartphones, through which we read our friends' feeds on social networks. GSM digital mobile communications are now used in many critical infrastructures, including industrial control systems (SCADA). Another example from everyday life that no one would like to encounter is the theft of money from bank accounts. Meanwhile, some have probably seen such small antennas at ATMs - here, too, GSM:
A modern modem for wireless communication is a computer running a well-known operating system (usually Linux or Android) and a number of special applications with fairly wide capabilities. There are vulnerabilities in this software and in the data transfer protocols that have already been exploited in recent years - e.g., to unlock the modem and untie it from the operator. One of the protections against such hacking was the transfer of many services to the Web - however, this provided only new opportunities for attacks.
For our study, we took six different lines of USB modems with 30 different firmware versions. Looking ahead - only three firmware versions could not be cracked.
What did we manage to do with the rest? First, we identify the hardware. The documentation and search engines help us with this. In some cases, Google helps even more - you can immediately find the password for telnet access:
However, for external communications we need not telnet, but http. We connect the modem to the computer and study it as a separate network node with web applications. We find the possibility of an attack through the web browser (CSRF, XSS, RCE). In this way, we make the modem tell us various useful information about itself:
In addition to revealing information, on the attacked modem you can:
- Change DNS settings (which allows you to wiretap traffic);
- Change the settings of the SMS center (SMS interception or manipulation);
- Change the password on the service portal via SMS (which allows you to withdraw money from the account by subscribing to a third-party service);
- Block the modem by entering the wrong PIN and PUK codes;
- Remotely "update" the modem firmware.
You can develop the attack further - get to the computer to which the USB modem is connected. One of the options for such an attack: a USB keyboard driver is installed on the captured modem, after which the computer perceives the modem as an input device. From this "imaginary keyboard" a command is sent to reboot the computer from an external drive, the part of which is played by the same modem. Thus, a bootkit can be installed on the "mother" computer, allowing you to remotely control the computer. How it works, you can see in the video:
The best thing a user can do to protect against such attacks is not to plug just anything into their USB ports, bearing in mind that "just anything" includes even USB modems, which from the outside seem to be just a small and harmless communication device.
The second part of our study concerned SIM cards. The fact that the SIM card itself is also a computer with its own OS, file system and multifunctional applications has been demonstrated by many other researchers. And so, in May this year, at the Positive Hack Days conference, cryptography specialist Karsten Nohl showed that SIM cards (TARs) are protected in different ways. Some can be hacked by brute-forcing DES keys, and some respond to external commands without any protection at all - and tell a lot about themselves.
To brute-force the keys in our study, we used a set of field-programmable gate arrays (FPGAs), which came into fashion a couple of years ago for mining the digital currency Bitcoin, and after the fall in popularity of this amusement became much cheaper. Our board of eight ZTEX 1.15y modules, costing 2 thousand euros, computes at a speed of 245.760 Mcrypt/sec, which allows you to find a DES key in 3 days.
After that, we can send commands to known TARs and manage them. In particular, the Card Manager allows us to upload our Java application to the SIM card.
Another interesting TAR is the File System, where TMSI (the mobile phone identifier in the mobile network) and Kc (the traffic encryption key) are stored. Access to them allows us, using binary SMS, to:
- Decrypt subscriber traffic without brute-forcing keys;
- Impersonate the subscriber (receive his calls and SMS);
- Track subscriber movements;
- If there is a PIN code protecting the file system, block the subscriber (three incorrect PIN codes and 10 incorrect PUK codes, after which the card is blocked).
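The protection levels described above (no protection at all, a single DES key, or something stronger) are declared in the header of every binary SMS command packet, so an operator-side SMS filter can flag the weakly protected ones before they reach a card. The sketch below is an added example, not code from the original study; the header layout is assumed from ETSI TS 102 225, and the TAR value and sample packets are constructed.

```python
# Added example (not from the original post): rate the protection an OTA
# command packet requests. Field layout assumed from ETSI TS 102 225.
from dataclasses import dataclass

INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
ALGO = {0: "implicit", 2: "reserved", 3: "proprietary"}
# Simplification: mode 3 means DES-ECB in KIc and is reserved in KID.
DES_MODE = {0: "DES-CBC", 1: "3DES-2key", 2: "3DES-3key", 3: "DES-ECB"}
SINGLE_DES = {"DES-CBC", "DES-ECB"}

@dataclass
class OtaHeader:
    tar: str
    integrity: str
    ciphered: bool
    algorithms: list
    risk: str

def key_algorithm(key_byte: int) -> str:
    """Decode the low nibble of KIc/KID: b2b1 = algorithm, b4b3 = DES mode."""
    algo, mode = key_byte & 0x03, (key_byte >> 2) & 0x03
    return DES_MODE[mode] if algo == 1 else ALGO[algo]

def parse_command_packet(pkt: bytes) -> OtaHeader:
    """Parse CPL|CHL|SPI|KIc|KID|TAR|CNTR|PCNTR and classify the packet."""
    if len(pkt) < 16:
        raise ValueError("too short for a command packet header")
    cpl, chl = int.from_bytes(pkt[0:2], "big"), pkt[2]
    if cpl != len(pkt) - 2 or chl < 13 or 3 + chl > len(pkt):
        raise ValueError("inconsistent CPL/CHL")
    spi1, kic, kid = pkt[3], pkt[5], pkt[6]
    integrity = INTEGRITY[spi1 & 0x03]
    ciphered = bool(spi1 & 0x04)
    used = [key_algorithm(k) for k, on in
            ((kic, ciphered), (kid, integrity == "CC")) if on]
    if not ciphered and integrity in ("none", "RC"):
        risk = "unprotected"   # no key is needed to address this TAR
    elif SINGLE_DES & set(used):
        risk = "single-DES"    # 56-bit key, within reach of key search
    else:
        risk = "other"         # not single DES; judge per operator policy
    return OtaHeader(pkt[7:10].hex().upper(), integrity, ciphered, used, risk)

# Constructed sample packets: dummy TAR, counter, checksum and payload bytes.
TAIL = "112233 0000000001 00"
SAMPLES = {
    "plain": bytes.fromhex("0010 0D 0000 00 00" + TAIL + "A0A4"),
    "des": bytes.fromhex("001E 15 1621 11 11" + TAIL + "01020304050607081112131415161718"),
    "3des": bytes.fromhex("001E 15 1621 15 15" + TAIL + "01020304050607081112131415161718"),
}
```

A filter built on this would drop or alert on "unprotected" and "single-DES" packets that do not originate from the operator's own OTA platform.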
In conclusion - a simple statistic. In this study, more than 100 SIM cards of various operators were used. 20% of them are affected by the described vulnerabilities, that is, every fifth SIM card.
At the same time, it is hardly possible to give any protection tips for end users: the attacks occur at a rather low level, so manufacturers of SIM cards and operators should solve security issues here. The Western IT press, by the way, already describes this study in the news as "the possibility of breaking into millions of SIM cards and USB modems".
PS This was not the only study by Positive Technologies experts presented at ZeroNights'14. At the same conference, Artem Shishkin and Mark Ermolov talked about mechanisms for bypassing the Windows PatchGuard protection system in Windows 8: some details of the study can be found here, and more details will be presented in one of our next posts.
Posted by: brownagen1949.blogspot.com