DeepSec 2009
We’re glad to announce that we’ve been selected as speakers at DeepSec 2009 in Vienna, on November 17-20. We will present several intriguing enhancements of our “Hijacking Mobile Data Connections” attack. We are now working on the talk; its title will be “Hijacking Mobile Data Connections 2.0: Automated and Improved”, and it will include live demos of what the attack looks like from both the user’s and the attacker’s perspective, together with the latest findings of our research. The abstract follows; it has also been published on DeepSec’s site.
So, see you in Vienna…
The talk will go further into the topic of hijacking mobile data connections via remote handset reconfiguration, as presented at Black Hat Europe 2009. New enhancements and vectors will be introduced and analyzed in order to automate the attack and improve its effectiveness while reducing the chances of it being spotted.

The first part will explain how to create a working provisioning message, employing a network PIN security mechanism for message integrity and authentication. An interesting feature of this type of provisioning message, as opposed to one secured with a user PIN, is that no user input is required; a simple confirmation is sufficient to install the carried configuration as the default one. This mechanism requires knowledge of the International Mobile Subscriber Identity (IMSI), supposedly known only to the mobile operator network and the user’s SIM card. The talk will show how to programmatically retrieve the IMSI using one of the several on-line sites providing an IMSI lookup service, and how to extract from it other information that could be used to build a completely automated massive attack tool. Then, a live session will demonstrate the forging of a malicious provisioning message by putting together all the techniques just described; by means of source spoofing, the received configuration message will be, from the user’s perspective, virtually indistinguishable from a legitimate one.

In the second part of the talk, new enhancements related to web traffic hijacking will be covered in detail. We will explain the advantages of injecting an HTTP proxy configuration, as opposed to subverting DNS queries, which we have previously shown. This provides better handling of HTTPS connections and enables us to use readily available and more advanced tools. Most mobile sites use the HTTP protocol to exchange data and switch to HTTPS only for logging in; sidejacking and forced sidejacking can be applied in these cases.

By integrating Moxie Marlinspike’s SSLStrip tool, it’s now possible to perform an HTTPS stripping attack and to eavesdrop on data that would usually be sent in an encrypted session. Even on sites where the tool is ineffective, HTTPS connections are transparently proxied, so the user won’t notice that the connection has been hijacked. The combination of these enhancements, apart from extending the reach of the attack to a larger number of mobile platforms, makes the hijacking very effective and hard to detect. A live step-by-step attack demo will conclude the talk.