Spoofed Cell Phone Texts Post Malware Threat
LAS VEGAS — Researchers at Black Hat showed how to send spoofed messages to mobile phones that appear to be messages delivered by the user’s mobile carrier.
The hack allows an attacker to send the messages directly from the attacker’s phone to the recipient, bypassing the carrier’s server and therefore any protections the carriers have in place to block spoofed or otherwise suspicious messages.
The attack targets Multimedia Messaging Service (MMS) on GSM networks and could trick users into installing malicious code masquerading as a software update from the carrier or clicking on a malicious link.
Zane Lackey from ISEC Partners and independent researcher Luis Miras discussed how they set up a system to capture the header information in text messages, then used modified headers to send their own specially designed messages to phones on GSM networks.
They were able to spoof messages from any sender, including trusted administrative messages that theoretically only a carrier would send. In the latter case, the messages appear to come from 611, the number carriers use to send out alerts, update notifications and other messages.
Lackey said the GSM networks are built to assume “that only the carrier would be able to send certain messages. Those assumptions are invalid.”
In their demonstration, they sent a spoofed 611 message from an attacker phone to the recipient, informing the customer that he’d been granted a $20 credit and telling him to log into his account at http://evil.com. Once a victim’s phone connects to the attacker’s server, the attacker can see the phone’s user agent, which identifies the phone’s model, operating system and other information. This would allow the attacker to conduct a more targeted attack.
A second message designed to trick a user into installing an over-the-air software update read, “New settings received. Install? Yes. No.”
A third message sent from “Steve Jobs” told users to “Upgrade your iPhone!” and sent them to redsn0w.com — where users can actually download jailbreak software for their iPhone.
Various models of phones react to the rogue messages differently. In the case of the software update message sent to a Sony Ericcson phone, the message arrived with no context to help the user determine where it originated. Nonetheless, the researchers said, most users would likely install the update.
The researchers are also able to spoof the date and time stamp of messages or send messages that have no source number.
They researched the attacks on only a handful of GSM networks and have disclosed the issue to vendors, who are working on a fix, as well as to the GSM Alliance.
Also on Wired.com
Sunday, December 19, 2010
Spoofed Cell Phone Texts Post Malware Threat | Threat Level | Wired.com