Proxy Fun
In the previous post, Hijacking Mobile Data Connections, we pointed out how an attacker could gain full control over mobile data connections originated by a mobile phone.
This could be achieved by reconfiguring the DNS address on the victim's mobile phone with one controlled by the attacker, by means of an OMA provisioning SMS. However, during our tests some mobile phones resisted this attack because, despite supporting OMA provisioning, they don't honour DNS address configuration requests, either locally or remotely.
But, as we said, OMA provisioning allows for setting parameters other than DNS; among them are the proxy settings.
In the mobile world, a proxy is no different from one in any other environment: it is a software component located between a client, in this case a mobile phone, and a server on the Internet; any standard HTTP proxy can be used for an HTTP mobile client.
In our experience, proxy settings are widely used by several operator services, mainly for delivering MMS messages.
On the other hand, an attacker could use a proxy configuration to hijack the victim's traffic, HTTP and HTTPS, and redirect it towards an IP address under his control. The victim, after having installed the rogue configuration, will still be unaware that a third party, the attacker, is eavesdropping on the data traffic.
Hijacking by means of a proxy configuration differs in some respects from hijacking by means of a DNS configuration, apart from being supported by a few more phones:
- The proxy component alone is enough to redirect the user's data traffic.
- The proxy port could be set to a value other than the standard TCP/80. This could be useful for the attacker to overcome some firewall restrictions.
- While the operator could block DNS traffic leaving its network in order to mitigate attacks on DNS settings, it may be difficult to restrict access to HTTP proxies over the Internet.
The limitation, of course, is that only HTTP-based services could be hijacked; this excludes email and most dedicated clients.
To be more technical, let's show a simple proxy configuration:
The complete proxy XML configuration file can be downloaded here.
A generic explanation of an XML configuration file has been provided in our paper downloadable from here.
In order to provide a new proxy configuration it is necessary to use the two characteristics, PXPHYSICAL and PXLOGICAL, as described in the Provisioning Content Specification.
The PXLOGICAL characteristic is used to introduce a new proxy configuration inside the current XML configuration.
The PXPHYSICAL characteristic, defined inside the PXLOGICAL characteristic, specifies the proxy server information needed to use it: proxy address, port number and other proxy-related parameters, if needed.
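From the defender's side, the PXLOGICAL/PXPHYSICAL nesting described above can be audited before a provisioning document is accepted or after it has been captured. The following Python sketch is an added example, not code from the original post: the sample document is constructed, the addresses come from documentation ranges, and the OPERATOR_NETS allowlist is a hypothetical operator policy.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample document (documentation-range addresses), not the post's file.
SAMPLE = """<wap-provisioningdoc version="1.1">
  <characteristic type="PXLOGICAL">
    <parm name="PROXY-ID" value="proxy.example"/>
    <parm name="NAME" value="Example Proxy"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PHYSICAL-PROXY-ID" value="PROXY 1"/>
      <parm name="PXADDR" value="203.0.113.25"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
      <characteristic type="PORT">
        <parm name="PORTNBR" value="8080"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

# Assumed operator policy: legitimate proxies live only inside this network.
OPERATOR_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parms(node):
    """Direct <parm> children of a characteristic as a name -> value dict."""
    return {p.get("name"): p.get("value") for p in node.findall("parm")}


def audit_proxies(xml_text, allowed=OPERATOR_NETS):
    """Return one finding per PXPHYSICAL entry nested in a PXLOGICAL block."""
    findings = []
    root = ET.fromstring(xml_text)
    for logical in root.iter("characteristic"):
        if logical.get("type") != "PXLOGICAL":
            continue
        for phys in logical.findall("characteristic[@type='PXPHYSICAL']"):
            addr = parms(phys).get("PXADDR", "")
            ports = [parms(c).get("PORTNBR")
                     for c in phys.findall("characteristic[@type='PORT']")]
            try:
                inside = any(ipaddress.ip_address(addr) in n for n in allowed)
            except ValueError:
                inside = False  # hostname or malformed value: review manually
            findings.append({"proxy_id": parms(logical).get("PROXY-ID"),
                             "addr": addr, "ports": ports, "allowed": inside})
    return findings
```

Any finding with "allowed" set to False, or with a port other than the one the operator's own proxy uses, deserves a closer look. When the XML comes from an untrusted source, parse it with a hardened parser such as defusedxml instead of the standard library one.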
The following two pictures show the proxy configuration on the LGKM900, where it is not possible to configure a DNS address.
A suitable program must now be used to compile this configuration into a binary SMS message; then, the message can be delivered to the victim by sending AT commands to a mobile phone attached to the PC.