Archive for September, 2009

Tricks for Defeating SSL: effectiveness test on mobile phones

Monday, September 28th, 2009

SSL is the de-facto standard for securing communications between a user and a server against third parties. If someone is able to intercept, hijack, or have access in any other way to our network traffic, SSL provides an effective line of defense against eavesdropping.

Basically, all the devices have to do is check that the certificate protecting the connection to site “foo” carries a label (the CommonName Field) stating it belongs to site “foo”, and warn the user if it does not, something that is actually more complicated than it seems. At Black Hat USA 09, during the talk “More Tricks for Defeating SSL” given by Moxie Marlinspike, the “Null Prefix” attack was presented; the security researcher leveraged the fact that the string containing the domain name is represented using ASN.1 encoding as:

[domain_name length] domain_name

while many programs (browers, mail clients, and those used internally by CA’s) use the ‘C’ standard (null terminated-string) instead:

domain_name[\0]

So he generated Certificate Requests for domain names containing a null character (\0 or \x00), for example “paypal.com\0.thoughtcrime.org”, and managed to get them signed by an official Certification Authority; several CAs verified that the request came from “thoughtcrime.org”, while the applications thought the certificate belonged to paypal.com.

The researcher discovered that the applications built with Mozilla NSS Library ( Network Security Services that support SSL/TLS standards) are vulnerable to wildcard certificates generated in the same way. From a certificate request for *\0.thoughtcrime.org, it is possible to obtain a certificate valid for every domain!

Another attack variation consists of generating a certificate for “sitekey.ba\0nkofamerica.com”: the sitekey.ba domain is used for requesting validation but the resulting certificate is valid for the domain “sitekey.bankofamerica.com” for SSL implementations that simply strip the “\0” character.

The attack was fundamentally meant for desktop environments; we immediately wondered how it applies to mobile environments; so we’ve spent some time to test the attacks against some mobile devices. We’ve reported the results of our tests in the following table:

Test Results

Test Results

(more…)

DeepSec 2009

Wednesday, September 23rd, 2009

We’re glad to announce that we’ve been selected as speakers at DeepSec 2009 in Vienna, on November 17-20. We will present several intriguing enhancements of our “Hijacking Mobile Data Connections” attack. We are now working on the talk; its title will be “Hijacking Mobile Data Connections 2.0: Automated and Improved”, and it will include live demos of how the attack looks like from both user’s and attacker’s perspective, together with the latest findings of our research. Hereafter follows the abstract, also been published on DeepSec’s site.

So, see you in Vienna…

Logo DeepSec

(more…)

Service Loading primer (with related attacks)

Wednesday, September 16th, 2009

During the same days of our Hijacking attack presentation at BH EU ’09, we read of “a-sort-of” SMS hijacking attack performed on Windows Mobile phones. On the demonstrating video here a binary SMS is sent to a Windows mobile phone, and the browser suddenly pops up, opening an attacker specified URL. That’s the typical behaviour of an handset receiving a Service Load (SL) message, and actually this type of attack had already been discussed (here and here). We feel that this might still be a somewhat underestimated risk in the mobile environment, as Service Loading is supported by many platforms apart from Windows Mobile; but before going deeper into that, let’s explain what Service Loading messages are and what are they for.

Service Loading is a part of the WAP Push protocol suite for OTA (Over The Air) provisioning of mobile handset. It is often cited together with Service Indication: like Service Loading, Service Indication is used to carry URL addresses to the handset in a binary SMS message; but it is rather meant to notify the user of a certain URL in order to be, for instance, added to the bookmarks, and not necessarily to open it at once.

Let’s see the basic structure of a SL message:

Service Loading DTD

As any other WAP protocol element, it uses an XML representation; the actual SL element have only two attributes: an URI (commonly said to be URL) and an action; the latter can be “execute-high”, meaning the content is executed in an user-obtrusive (visible) manner, “execute-low”, meaning the content is executed in a non user-obtrusive (invisible) manner, and “cache”, meaning that the content should simply be put in browser’s cache, not executed neither displayed. The default is execute-low. In order to be sent, this document must be converted to WBXML format (a compressed binary representation), then stuffed in an SMS message according to WSP protocol.

Upon receiving such a message, if the URI is an HTML page, the phone will load and show it with the default web browser; if it is an executable program, it will download and execute it, possibly in a silent way. The risk associated with this feature, especially without user’s awareness, should be obvious also for non tech savvy readers; that’s why most handsets come with some sort of security policy associated with WAP Push messages.

We have conducted a test on two largely used devices, a Nokia N95 and a Sony Ericsson C905, to check how they deal with Service Loading messages.

(more…)