Name: DEF CON 21 - Bogdan Alecu - 移動運營商服務的商業邏輯缺陷 (DEF CON 21 - Bogdan Alecu - Business logic flaws in mobile operators services)
Uploaded: 2021-01-14T05:52:57.000Z
Duration: 33 min 27 s
Description: 【看影片學英語】數萬部 YouTube 影片，搭配英漢字典即點即查，輕鬆掌握單字發音與用法，長久累積看電影不必再看字幕。

So my name is Bogdan Alecu. And the topic for today will be "Business Logic Flaws in

Mobile Operators Services." For those that don't know me, everything is about me. I work

as a systems administrator as a day job. And during my free time, when I have it, I like

to break into a lot of mobile stuff. I started on this particular journey a couple

of years ago with GSM networks by using my old Nokia phone and continued with voice over

IP and got to GSM and mobile phones. If you want to keep in touch with me, you can find

me on Twitter or on my Web site. So the goals for today would be for you to

have a really high overview regarding the SIM toolkit. What it is. How we will exploit

it. Then a couple of business logic flaws I've identified on some carriers. And I think

you're going to find them really interesting. And also in the end if there is a way to protect

you from this that I'm going to show you. We're going to call these HTTP headers, data

traffic, extra digit and a summary at the end.

So who has heard about SIM toolkit? Okay. To keep it simple, think about it as a platform

for the carriers in order that they use it in order to install applications on your SIM

card. This is how SIM toolkit looks like on an Android device. On some other devices

you might find in them like an extra menu with the carriers namely like Orange, Vodafone

and so on. And from this SIM toolkit menu, you can find things like exchange rates, the

weather, how is the weather like or calling customer support. So different activities.

And if you think about it, it's a pretty good thing. Because you have these applications

on your SIM card. And no matter what phone you use and you put your SIM card in, you'll

still have this application. So you don't need to install anything else in order to

have them. Since this application sits on your SIM card,

the carrier has a way to update these applications or modify or delete them and so on.

So for example, if the customer support number changes, the carrier will send an over-the-air

update which is basically a text message to your SIM card saying that the SIM card should

update the phone number for the customer support. This message is kind of special message, a

comment message. And in order to have this comment message, they may use the SMS of the

user data header. The same user data header is used in cases like when you go over the

160 characters limit and do concatenated messages. So you have two messages which are concatenated

into one message. And this makes use of the user data header and of course also in cases

for -- who remembers the old Nokia ringtones? They also used user data headers.

This is how the comment packet looks like for such a SIM toolkit SMS. So as I -- you

have the user data header, then other fields like comment packet, link comment, header

link, security parameter indicator and so on.

The most important one that I want you to keep in mind this security indicator. The

number you see below represents the number of bytes each element has.

So this -- all of these specifications can be found on GSM specs. In order to also have

this comment, you also add other two important fields.

Data coding scheme and protocol ID. By setting the protocol ID to 7F, it means

that you do a SIM data download and data coding scheme to F6 means that this type of text

message is directly addressed to your SIM card.

So according to the GSM specification, what will happen when you receive such a comment

message, the phone will transparently pass this SIM message this comment message through

your SIM card and will not alert you in any other way so basically when your carriers

sends this message saying okay I want to update the number for the customer support, you will

have no idea that you have just got a text message.

And I told you keep in mind security parameter indicator.

So you are setting this comment. But you need some kind of acknowledgement to know that

this comment message has been received. And this is called proof of receipt which can

be set in the first two bits. If you set it for example to 01 it means you

always want to get a proof of receipt. So no matter if there was an error or there wasn't

any error, you will always get a proof of receipt.

And how you get it, you set it in the bit number 6, and there are two ways of getting

this proof of receipt back. By SMS submit which means by a regular text

message which is sent by our SIM card or by SMS delivery report which is like a delivery

report when you send a text message and you want to know if the target person has received

your text message. So again, we have this structure. And we need

to fill in the elements. The user data header the protocol ID, the

data coding scheme I have presented you. And then the others. And as you would imagine

in order to make this update of the customer support number, you need to have some proper

security keys. But if you look at this example, you will

see that ciphering keys that are KIC are set to zero. Because I do not care about ciphering

keys at all. Why? Because of the security parameter indicator. If we drill down to this

security parameter indicator you will see the first two bits are set to 01 meaning that

I want to get a proof of receipt, always get a proof of receipt.

And I want to get it by text message. So basically when -- if I'm going to send

this text comment message to you, what will happen, it will get to your phone. The phone

will pass it to the SIM card. The SIM card will try to execute it. It will see that I

don't have any proper security keys. But in return, it will send me back a text message

without you controlling it, without you even knowing it.

And in order to make sure that how the things are like, here is the screen shot of a wire

shark capture. And as you see the comment is to send short message. It has been initiated

by the card application toolkit so it wasn't a human initiated action.

So SIM card automatically replies to the sending number. There's nothing in your inbox, nothing

in your outbox. Basically you will have no idea that your SIM card has just sent a text

message back to me. Only if you look at the -- on your bill, on

your call records you will see that sometimes your SIM card has just sent a text message

so here I have the destination number. I have the user data header. The binary data, the

fields that I filled in. The protocol ID and the data coding scheme.

And I have the target's phone. On this phone, this is a prepaid phone. And

there is -- it's balance is zero so I have no credit on it.

So it will try to send a text message. But since it has no balance, I will get a text

message from the carrier saying: Hey, you don't have any credit. You need to refill.

Now, once I submit this, it says sending. And there is no way to stop this. I can't

push any button. The SIM card just sends -- tries to send a text message. You cannot control

it. It keeps trying to send if I had a look at it I would have -- if I hadn't looked at

it I would have no idea I just did this so if it's in your pocket you will have no idea

your SIM card is trying to send a text message. And I also got some text messages from my

carrier saying you do not have enough credit for sending SMS to this number. Please recharge

your account. But I didn't send any text message by myself. The SIM card tried to do so.

So maybe you will think that okay maybe this is not something -- I don't know -- important

let's say. I can make your SIM card send the text message back to me.

Well, maybe that's not a big deal. But let's think on some other way.

Let's say there are services that allows you to send a text message from any number. So

you can send someone a text message coming from whatever number you want. Now, let's

say you also have a premium rate number. International premium rate number and you send a comment

message coming from the premium rate number to some target phone number. What will happen,

the target phone number will send back a text message to the premium rate number you have.

So you're paying like a couple of cents for sending a text message. And in return you