SMS Fuzzing – SIM Toolkit Attack

Bogdan Alecu

Abstract

In this paper I will show how to make a phone send an SMS message without the user's consent and how to make the phone not receive any messages. The method used works on any phone, no matter if it's a smartphone or not, and also on any GSM/UMTS network. I will present how you can take advantage of sending a specially crafted SIM Toolkit command message in order to achieve all that. Finally, I will present the results and their impact on the user and on mobile network security.

1 Introduction

SMS stands for Short Message Service and represents a way of communication via text between mobile phones and/or fixed lines, using a standardized protocol. It is an effective way of communication, as the user just writes some text and it's almost instantly delivered to the destination.

SMS as used on modern handsets originated from radio telegraphy in radio memo pagers using standardized phone protocols and was later defined as part of the Global System for Mobile Communications (GSM) series of standards in 1985 as a means of sending messages of up to 160 characters to and from GSM mobile handsets. [1] Since then a lot of things have changed regarding this service, and now it can be used for multiple purposes: MMS – Multimedia Messaging Service; OTA – Over The Air – phone configuration; notification for voice mail, email, fax; micropayments – paying a very small sum of money for different services.

All these ways of using SMS can lead to security issues, as their implementation isn't fully tested and, more importantly, because SMS is like an open firewall: every phone has it implemented and the phone always receives the message.

Various errors and security issues related to SMS have been discovered: remote DoS for Nokia S60 phones [2], phone crashing, rebooting, remote execution of EXE files, hijacking mobile data connections [3], etc.

Until now most of the SMS-related security issues have been found by accident. This is also the case for the security issue presented in this paper. I was experimenting with binary message sending – multipart messages: sending the second part when the message had only one part, sending the 10000th part of a message, etc., and trying to configure the stored SMSC number by sending SIM Application Toolkit messages – when suddenly I noticed that my phone started to send a message by itself. Later on, after playing more with the message that caused this behavior, my phone was not receiving any other messages. I tried putting the SIM in another phone and resetting the SMSC number, but nothing helped.

In this paper I will show how you can achieve the above behavior, why it happens, what the security implications are and how you can protect yourself. But first, a little bit of theory…

2 SMS

The Point-to-Point Short Message Service (SMS) provides a means of sending messages of limited size to and from GSM mobiles. The provision of SMS makes use of a Service Centre, which acts as a store and forward centre for short messages.

Two different point-to-point services have been defined: mobile originated and mobile terminated. Mobile originated messages will be transported from an MS to a Service Centre (SC). These may be destined for other mobile users, or for subscribers on a fixed network. Mobile terminated messages will be transported from a Service Centre to an MS. These may be input to the Service Centre by other mobile users (via a mobile originated short message) or by a variety of other sources, e.g. speech, telex, or facsimile.

The text messages to be transferred contain up to 140 octets.

“An active MS shall be able to receive a short message TPDU - Transfer protocol data unit - (SMS-DELIVER) at any time, independently of whether or not there is a speech or data call in progress.
A report will always be returned to the SC; either confirming that the MS has received the short message, or informing the SC that it was impossible to deliver the short message TPDU to the MS, including the reason why.” [4]

“An active MS shall be able to submit a short message TPDU (SMS-SUBMIT) at any time, independently of whether or not there is a speech or data call in progress. A report will always be returned to the MS; either confirming that the SC has received the short message TPDU, or informing the MS that it was impossible to deliver the short message TPDU to the SC, including the reason why.” [5]

2.1 SMS-SUBMIT details

Here are the basic elements for the SMS-SUBMIT type:

Table 1 - Basic elements of the SMS-SUBMIT type [6]

1) Provision; Mandatory (M) or Optional (O).
2) Representation; Integer (I), bit (b), 2 bits (2b), Octet (o), 7 octets (7o), 2-12 octets (2-12o).
3) Dependent on the TP-DCS.

2.1.1 Example of SMS-SUBMIT

Octet(s)   Description
00         Info about SMSC – here the length is 0, which means that the SMSC stored in the phone should be used.

[4] ETSI TS 100 901 V7.5.0 (2001-12), page 13
[5] ETSI TS 100 901 V7.5.0 (2001-12), page 13
[6] ETSI TS 100 901 V7.5.0 (2001-12), page 42
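
To make the SMS-SUBMIT layout above concrete, here is a small decoder that walks a PDU octet by octet, starting with the SMSC length octet from the example. It is an added illustration, not code from the paper: the function names are hypothetical, the field order follows GSM 03.40 (the ETSI TS 100 901 cited above), and the sample PDU is constructed with a made-up number and the text "hellohello".

```python
# Constructed sample: SMSC length 00, first octet 11, TP-MR 00, TP-DA, PID, DCS, VP, UDL, UD
SAMPLE = "0011000B915155550521F3" "0000AA0A" "E8329BFD4697D9EC37"

def _semi_octets(raw, ndigits):
    # Address digits are swapped-nibble BCD; a trailing 0xF nibble is padding.
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]

def _unpack_gsm7(data, nseptets):
    # Septets are packed LSB-first into octets.
    acc = bits = 0
    out = []
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < nseptets:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    # Simplification: only septets equal to ASCII letters/digits/space are mapped.
    return "".join(chr(s) if chr(s).isalnum() or s == 0x20 else "?" for s in out)

def parse_sms_submit(pdu_hex):
    buf, pos = bytes.fromhex(pdu_hex), 0
    def take(n):
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated PDU")
        pos += n
        return buf[pos - n:pos]
    smsc_len = take(1)[0]            # 0 => use the SMSC stored in the phone
    take(smsc_len)                   # skip SMSC address if present
    first = take(1)[0]
    if first & 0x03 != 0x01:
        raise ValueError("TP-MTI is not SMS-SUBMIT")
    vpf = (first >> 3) & 0x03        # validity-period format selects TP-VP size
    mr = take(1)[0]
    da_digits = take(1)[0]           # TP-DA length counts digits, not octets
    da_type = take(1)[0]
    da = _semi_octets(take((da_digits + 1) // 2), da_digits)
    pid, dcs = take(1)[0], take(1)[0]
    vp = take({0: 0, 2: 1, 1: 7, 3: 7}[vpf])
    udl = take(1)[0]
    seven_bit = dcs == 0x00          # assumption: only DCS 00 is treated as 7-bit
    ud = take((udl * 7 + 7) // 8 if seven_bit else udl)
    udhi = bool(first & 0x40)        # user data starts with a header when set
    text = _unpack_gsm7(ud, udl) if seven_bit and not udhi else None
    return {"smsc_len": smsc_len, "mr": mr, "udhi": udhi, "da": da,
            "da_type": da_type, "pid": pid, "dcs": dcs, "vp": vp.hex(),
            "udl": udl, "ud": ud.hex(), "text": text}
```

Calling `parse_sms_submit(SAMPLE)` returns the decoded fields as a dictionary; TP-PID, TP-DCS and the UDHI flag are the ones to look at when deciding whether a message is plain text or carries binary content.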


Jul 23, 2017