MOBILE SECURITY Presentation Transcript
1.MOBILE SECURITY: SMS AND WAP
2.OVERVIEW
Mobile security
What are GSM, SMS and WAP?
SMS in detail
Security and SMS?
Security and WAP?
What can we expect?
3.WHAT IS THIS TALK NOT ABOUT?
Not about the underlying wireless technologies GSM, CDMA, TDMA
Not from a GSM/SMS/WAP implementer point of view.
Not about actual exploits and demonstrations of them.
4.WHAT IS THIS TALK ABOUT?
General perspective on security of mobile applications like SMS and WAP.
From an external point of view, based on ~10 yrs experience in breaking systems and applications.
Identifying potential problems now and in the near future.
5.WHO IS THIS TALK FOR?
People asked to evaluate security of SMS and WAP applications.
People who want to do research into SMS and WAP security.
People familiar with computer and Internet security but not with SMS and WAP.
6.MOBILE SECURITY
General issues:
A good user interface is paramount for security, but current ones are very poor.
Standards tend to omit security except for encryption (and some authentication).
Creating yet another general purpose platform with associated risks.
7.WHAT ARE GSM, SMS AND WAP?
Cell phone technologies: GSM, TDMA, CDMA, …
Short Messaging Service: SMS
Paging style messages.
Wireless Application Protocol: WAP
‘mobile’ Internet. A simplified HTTP/HTML protocol for small devices.
8.STANDARDS
GSM specific standards GSM xx.xx
ETSI Special Mobile Group (SMG)
new numbering scheme.
3GPP (move towards UMTS)
new numbering scheme
WAP Forum. WAP related standards WAP 1.1 / WAP 1.2
9.SMS- SHORT MESSAGING SERVICE
SMS Description
SMS Format
Short Messaging Service Centre (SMSC) Protocols
SMS Features: Smart SMS, OTA, Flash SMS
10.WHAT IS SMS?
Store-and-forward messaging (point-to-point, PP, and cell broadcast, CB)
Delivered through SS7 signaling
140 bytes of data (160 7-bit characters)
From anything that interfaces to an SMSC:
Cell phone, GSM modem, PC dial-in, X.25 …
Specifications at: http://www.etsi.org
11.SMS DATA FORMAT
Abbreviations:
SC: Service Centre
MS: Mobile Station
Basic types:
SMS-DELIVER (SC → MS)
SMS-DELIVER-REPORT (SC ← MS)
SMS-SUBMIT (MS → SC)
SMS-SUBMIT-REPORT (MS ← SC)
SMS-COMMAND (MS → SC)
SMS-STATUS-REQUEST (MS ← SC)
12.SMS-SUBMIT
13.SMS-DELIVER
14.SMART SMS/OTA
Joint Ericsson/Nokia spec
Allows sending of ‘smart’ information:
Ringtones
Logos
vCard/vCal (business cards)
Configuration information (WAP)
Based on the User Data Header (UDH) with application-specific port numbers.
15.SHORT MESSAGE SERVICE CENTRE
The SMSC plays a central role in the delivery and routing of the SMS.
Every vendor has its own protocol to talk to the SMSC:
CMG – EMI/UCP
Nokia – CIMD
Sema – SMS2000
Logica – SMPP
…
16.SIM TOOLKIT
Subscriber Identity Module (SIM): the smartcard in the phone
An API for communication between the phone and the SIM
Partly an API for remote management of the SIM through SMS messages.
17.SIM TOOLKIT RISKS
Mistakes in the SIM can become remote risks.
For example, insufficient protection in the SIM might allow retrieval of personal information.
18.SMS THREATS
SMS Spam
SMS Spoofing
SMS Virus
19.SMS SPAM
Getting to be like UCE (unsolicited commercial e-mail)
High charge call scams (“call me at xxx-VERYEXPENSIVE”)
All public SMS gateways and websites become victims.
Spammers buy bulk services from operators
20.SMS SPOOFING
The source address shown on an SMS message is worth nothing.
Roaming capabilities of users make it impossible to filter by operators.
Only chance is for messages that stay within one SMSC/Operator.
Intercepting replies to another address is difficult.
Special case: Rogue SMSC using the Reply-Path indicator could intercept replies.
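Added example (not part of the original presentation): a receiving gateway or application can decode the fields that slides 14 and 20 call out, namely the claimed sender, the Reply-Path flag and the UDH application ports, and treat all of them as sender-controlled input. The field layout follows the SMS-DELIVER TPDU of GSM 03.40; the function names and the sample PDU are assumptions made for this illustration.

```python
# SMS-DELIVER TPDU fields per GSM 03.40. Sample bytes are constructed.
SAMPLE_PDU = (
    "C4"                       # first octet: TP-RP + TP-UDHI + TP-MMS, MTI = DELIVER
    "0B 91 13 16 32 54 76 F8"  # TP-OA: 11 digits, international, swapped BCD
    "00 04"                    # TP-PID, TP-DCS (8-bit data)
    "10 10 10 21 43 65 00"     # TP-SCTS timestamp
    "0A"                       # TP-UDL: 10 octets
    "06 05 04 15 81 00 00"     # UDH: IEI 0x05, 16-bit ports, dest 0x1581
    "AA BB CC"                 # application payload
)

def decode_address(buf, pos):
    """Decode a TP address field; return (address, next_pos)."""
    ndigits, ton = buf[pos], (buf[pos + 1] >> 4) & 0x7
    raw = buf[pos + 2: pos + 2 + (ndigits + 1) // 2]
    if ton == 0x5:                      # alphanumeric: any text the sender chose
        addr = "alnum:" + raw.hex()
    else:                               # swapped-nibble BCD, 0xF filler dropped
        digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)
        addr = ("+" if ton == 0x1 else "") + digits[:ndigits]
    return addr, pos + 2 + len(raw)

def parse_udh(ud):
    """Yield (IEI, data) for each information element in the User Data Header."""
    end, pos = 1 + ud[0], 1
    if end > len(ud):
        raise ValueError("UDH length exceeds user data")
    while pos + 2 <= end:
        iei, iedl = ud[pos], ud[pos + 1]
        yield iei, ud[pos + 2: pos + 2 + iedl]
        pos += 2 + iedl

def inspect_deliver(pdu_hex):
    """Return the fields a receiving application must treat as untrusted."""
    buf = bytes.fromhex(pdu_hex)
    if buf[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    info = {"reply_path": bool(buf[0] & 0x80), "udhi": bool(buf[0] & 0x40), "ports": None}
    info["claimed_sender"], pos = decode_address(buf, 1)
    pos += 2 + 7                        # skip TP-PID, TP-DCS, TP-SCTS
    user_data = buf[pos + 1:]           # buf[pos] is TP-UDL
    if info["udhi"]:
        for iei, data in parse_udh(user_data):
            if iei == 0x05 and len(data) == 4:    # 16-bit port addressing
                info["ports"] = (int.from_bytes(data[:2], "big"),
                                 int.from_bytes(data[2:], "big"))
            elif iei == 0x04 and len(data) == 2:  # 8-bit port addressing
                info["ports"] = (data[0], data[1])
    return info
```

Calling inspect_deliver(SAMPLE_PDU) reports the Reply-Path flag, the claimed sender and the (destination, source) port pair, which is enough for a gateway to log or quarantine messages that set Reply-Path or address an application port it does not expect.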
21.SMS SPOOF DEMO
Modified sms_client
Uses EMI/UCP OT-51 message
Works on KPN, but also several foreign SMSCs
Difference with a real mobile SMS is visible with a PC.
22.FUTURE
Combining Smartcard and WTLS security; end-to-end SSL
Increased number of features (interpretation + automation)
Terrible UI
Version explosion: phones, gateways, WAP/WML.