SMS Vulnerability Analysis on Feature Phones

Diploma Thesis
SMS Vulnerability Analysis on Feature Phones
Nico Golde
January 17, 2011
Technische Universität Berlin, Fakultät IV, Institut für Softwaretechnik und Theoretische Informatik, Security in Telecommunications
Supervisors: Prof. Dr. Jean-Pierre Seifert, Prof. Dr. Anja Feldmann
Advisor: MSc Collin Mulliner

Abstract

Mobile phone communication has become part of our daily lives. One of the most widely deployed and used services is the Short Message Service (SMS). Therefore it has to be reliable as well as secure. The security of so-called smartphones has been well researched in the past and, with the rise of new phone applications, is still an ongoing research topic. However, the majority of people do not use these high-end phones, but instead rely on simpler, so-called feature phones. Compared to smartphones, these phones typically do not allow operating system modifications and thus have not been the target of security analysis in the past. Recent work on Open Source GSM stacks has opened up the formerly closed part of GSM communication, the GSM network itself, and so allows analysis of these devices to some extent.

In this thesis we present a "framework" consisting of a commercially available Base Transceiver Station, a modified version of a piece of Open Source software to run a GSM network, and several scripts to monitor phone behaviour and create large amounts of SMS payloads. This allows us to conduct a large scale security study of SMS implementations on a wide variety of feature phones. Because numerous ways to test smartphones already exist, we concentrated on the analysis of feature phones, even though this approach is not necessarily limited to these devices. Through our analysis we discovered security bugs in the feature phone platforms of all major manufacturers. We show what impact these issues have and also discuss a small set of issues, not specific to feature phones, that we noticed during our tests.
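The SMS User-Data-Header (Sections 4.3.2 and 4.5.2 of the outline) is one of the parsing surfaces such a study exercises; the following is an added example, not code from the thesis or from OpenBSC, of the structural check a network-side SMS filter (Section 5.3.1) could apply. It assumes the 3GPP TS 23.040 layout (UDHL, then IEI/IEDL/data elements) and that the caller has already extracted the TP-User-Data bytes of a message with TP-UDHI set.

```python
# Added example (not code from the thesis or OpenBSC): structural check of an SMS
# User-Data-Header, per 3GPP TS 23.040: UDHL, then (IEI, IEDL, data) elements.
CONCAT_IE_SIZES = {0x00: 3, 0x08: 4}  # 8-bit / 16-bit reference concatenation

def parse_udh(user_data: bytes):
    """Split TP-User-Data (TP-UDHI set) into (elements, payload); raise on inconsistency."""
    if not user_data or 1 + user_data[0] > len(user_data):
        raise ValueError("UDHL exceeds user data length")
    udhl = user_data[0]
    header = user_data[1:1 + udhl]
    elements, pos = [], 0
    while pos < len(header):
        if pos + 2 > len(header):
            raise ValueError("truncated information element header")
        iei, iedl = header[pos], header[pos + 1]
        data = header[pos + 2:pos + 2 + iedl]
        if len(data) != iedl:  # IE claims more bytes than the UDH holds
            raise ValueError(f"IE 0x{iei:02x} declares {iedl} bytes, {len(data)} present")
        elements.append((iei, bytes(data)))
        pos += 2 + iedl
    return elements, user_data[1 + udhl:]

def check_concatenation(elements):
    """Concat IEs must have their fixed size and a part index within the total."""
    for iei, data in elements:
        size = CONCAT_IE_SIZES.get(iei)
        if size is None:
            continue
        if len(data) != size:
            raise ValueError(f"concat IE 0x{iei:02x} must be {size} bytes")
        total, seq = data[-2], data[-1]
        if total == 0 or seq == 0 or seq > total:
            raise ValueError(f"bad concatenation part {seq}/{total}")
    return True

def udh_is_wellformed(user_data: bytes) -> bool:
    """Accept/reject decision a network-side SMS filter could act on."""
    try:
        check_concatenation(parse_udh(user_data)[0])
        return True
    except ValueError:
        return False

# Constructed samples, not captured traffic: part 1 of 2 (reference 0xAB);
# an IE length reaching past the UDH; a part index beyond the total.
GOOD = bytes([0x05, 0x00, 0x03, 0xAB, 0x02, 0x01]) + b"hello"
BAD_IEDL = bytes([0x05, 0x00, 0x09, 0xAB, 0x02, 0x01]) + b"hello"
BAD_SEQ = bytes([0x05, 0x00, 0x03, 0xAB, 0x02, 0x03]) + b"hello"
```

Rejecting rather than truncating on the first inconsistency matters here: a header whose element length runs past the declared UDHL is exactly the shape of input a lenient phone-side parser may mishandle.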
Declaration

I hereby declare that I have produced this work independently and have named all sources and aids that I have used.

Berlin, January 17, 2011, Nico Golde

Acknowledgements

I would like to thank Professor Jean-Pierre Seifert for letting me write this thesis at his research group as well as Collin Mulliner for his support and feedback during the work. Without this none of the presented work would have been possible. Furthermore, I would like to thank Kevin Redon, Sebastian Tiesler, Andreas Krennmair and Martin Zuber for their input and reviews of this thesis.

Contents

1 Introduction & Motivation ... 1
1.1 Contribution of this Thesis ... 1
1.2 Structure ... 2
2 Related Work ... 3
2.1 Mobile Phone Security ... 3
2.1.1 Mobile Malware ... 3
2.1.2 Application Security ... 3
2.1.3 Baseband Security ... 4
2.2 SMS Security ... 5
2.2.1 SMS Security Network Side ... 5
2.2.2 SMS Design Weaknesses ... 5
2.2.3 Implementation Weaknesses ... 6
2.2.3.1 MMS ... 6
2.2.3.2 SMS ... 6
3 GSM infrastructure/procedures and SMS ... 9
3.1 Historic Background ... 9
3.1.1 GSM ... 9
3.1.2 SMS ... 9
3.1.2.1 Applications of SMS ... 10
3.2 Base Station Subsystem ... 11
3.2.1 Base Transceiver Station ... 12
3.2.2 Base Station Controller ... 12
3.3 Network Switching Subsystem ... 12
3.3.1 Mobile Switching Center ... 13
3.3.2 Home Location Register ... 13
3.3.3 Visitor Location Register ... 14
3.3.4 Short Message Service Center ... 14
3.3.4.1 SMS-GMSC ... 15
3.3.4.2 SMS-IWMSC ... 15
3.3.4.3 Message Submission ... 15
3.3.4.4 Message Delivery ... 15
3.4 Considerations Regarding Vulnerability Analysis ... 16
3.4.1 Feature Phones ... 16
3.4.2 Used Hardware/Software ... 17
3.4.2.1 nanoBTS ... 18
3.4.2.2 OpenBSC ... 18
4 Vulnerability Analysis ... 21
4.1 Introduction & Requirements ... 21
4.2 Target Selection ... 22
4.3 SMS Encoding ... 22
4.3.1 SMS PDU mode / SMS_SUBMIT ... 23
4.3.2 SMS UDH ... 25
4.4 OpenBSC Modifications and Additions ... 27
4.4.1 Sending SMS Messages ... 27
4.4.1.1 Injection of Pre-encoded SMS ... 27
4.4.1.2 Other Small/Useful Additions ... 28
4.4.2 Monitoring for Phone Behaviour ... 28
4.4.2.1 Feedback From the Phone ... 29
4.4.2.2 Network Events ... 30
4.4.2.3 Monitoring via J2ME ... 31
4.4.3 Log Evaluation ... 32
4.4.4 Other Possibilities ... 34
4.4.5 Crash Analysis/Decoder ... 34
4.5 Fuzzing Test-cases ... 35
4.5.1 TP-Data-Coding-Scheme/TP-Protocol-Identifier ... 35
4.5.2 User-Data-Header ... 36
4.5.3 Multipart ... 36
4.5.4 Simple Text Messages ... 37
4.5.5 Flash SMS ... 38
4.5.6 VCard ... 38
4.5.7 Enhanced Messaging Service ... 39
4.5.8 MMS Notification ... 40
4.5.9 WAP-push Service Indication ... 41
4.5.10 (U)SIM Data Download ... 41
5 Evaluation ... 45
5.1 Feature Phone Issues ... 46
5.1.1 Nokia ... 46
5.1.2 Sony Ericsson ... 47
5.1.3 LG Electronics ... 47
5.1.4 Motorola ... 48
5.1.5 Samsung ... 48
5.1.6 Micromax ... 49
5.2 Other Notes ... 50
5.2.1 Operator Differences in SMS Delivery ... 50
5.2.2 Spoofing Attacks ... 51
5.2.3 SMS DDoS ... 51
5.3 Counter Measures ... 52
5.3.1 Network Side SMS Filtering ... 52
5.3.2 Firmware Updates ... 53
6 Conclusions ... 55
Glossary ... 57
Bibliography ... 59
7 Appendix ... 65
7.1 Deutsche Zusammenfassung ... 65

List of Figures

3.1 GSM network infrastructure components ... 11
3.2 Fuzzing Setup using nanoBTS ... 18
4.1 Simple SMS message encoding "hello world" ... 25
4.2 SMS User-Data-Header structure (picture taken from 3GPP TS 23.040) ... 26
4.3 Mobile terminated SMS ... 29
4.4 Logical view of our setup ... 32
4.5 Concatenated Message consisting of 2 messages ... 37
4.6 Flash SMS encoding "Hello World" ... 38
4.7 EMS encoding "Hello" in bright yellow font on dark red background ... 39
4.8 MMS Indication - sender: barbaz, subject: foobar, http://google.com ... 40
5.1 Timing of SMS message delivery attempts ... 50

List of Tables

4.1 Mobile phone Manufacturer Market share ... 43
4.2 Format of the SMS_SUBMIT PDU ... 44

1 Introduction & Motivation

Mobile phones have become a crucial part of our daily lives, and people rely on them functioning in many situations. Especially in emergency situations they have become a dire necessity. With the rising usage of mobile phones, security concerns affecting them emerge as well. In recent years a lot of research has been put into vulnerability analysis on smartphones (see Section 2), while structured research on so-called feature phones has been neglected entirely. Yet feature phones, mobile phones that have additional capabilities besides voice calls and text messaging (e.g. the possibility to install Java applications), make up the largest percentage of mobile phones deployed in mobile networks. The lack of structured research is partly due to the fact that smartphone operating systems often provide open programming interfaces and debugging capabilities. The hardware and especially the operating systems are closer to desktop computers. Smartphones are also an attractive target as they are mostly used by business people.

However, in comparison smartphones only account for about 16% of all mobile phones [Aho10b]. As a result, billions of feature phone users (there are more than 4 billion mobile phone subscribers worldwide[1]) are left with devices that may be vulnerable to all kinds of attacks. Moreover, due to the popularity of these phones they are an attractive target for large scale attacks against a mobile phone network and its users.

The goal of the research presented in this thesis is to fill this gap between popularity and security research in the area of mobile phones. A complete security study of a wide variety of phones from various manufacturers and all their features is not possible in the scope of this thesis. Still, the security of these devices is important, so our interest is to pick one feature that is widely deployed and test it in depth on a wide variety of phones. As a result, the focus of this thesis is the Short Message Service (SMS) as an attack vector. It is a feature that is available on every feature phone. From an attacker's perspective SMS is the most interesting feature besides voice calls, since exploiting it requires no or very little user interaction.

1.1 Contribution of this Thesis

The work presented in this thesis provides a study of the security of feature phones and especially the security of their SMS implementations. While the novel approach presented in this thesis is intended for the analysis of feature phones, it is not necessarily limited to them and can also be used to analyze smartphones.

[1] http://www.bitkom.org/de/presse/62013_60608.aspx

The main contribution of this thesis is to show how to utilize a GSM network to analyze feature phones for SMS vulnerabilities despite the lack
