Mobile devices can present a serious threat to your network security because it can be surprisingly easy to hijack their data connections. With the ability to browse through a user’s mobile data traffic a hacker may easily find confidential information such as usernames and passwords that they can then use to attack your corporate network successfully.
Hijacking an iPhone, for example, is a relatively simple process, according to Roberto Gassira and Roberto Piccirillo, researchers at Mobile Security Lab. The two were talking at the Hack In The Box Security Conference 2010 in Amsterdam earlier this month. All that’s needed is the victim’s phone number, the iPhone Configuration Utility available free from Apple for OS X or Windows, and a proxy server running the open source Apache server software, with a couple of extra open source modules.
The hijack is carried out by getting the user to unwittingly reconfigure their device to send its mobile data through an “evil proxy,” controlled by the hacker. Normal http traffic can then be monitored easily – https traffic too, using an https stripping attack. (If the https stripping is unsuccessful, the https traffic will pass through the proxy and get to its destination without the user being aware that it has been hijacked, Gassira says.)
Most mobile devices, with the notable exception of Apple’s iPhones and Android devices, use standard Open Mobile Alliance (OMA) client provisioning, so a phone can receive a configuration change over the air by SMS. IPhones work in a different way: they use configuration profiles which can include Wi-Fi, VPN, email, data APN and other settings. IPhone configuration profiles have a .mobileconfig extension and can be generated using the iPhone Configuration Utility.
Hijacking the data connection of a given iPhone then takes a few simple steps, Gassira and Piccirillo demonstrated:
- Identify the victim’s mobile carrier from their phone number
- Create an apparently verified .mobileconfig configuration profile which looks like it comes from their carrier or employer, which diverts http (and https) traffic through the evil proxy
- Send the victim an SMS to trick them into downloading the new configuration profile .
1. Identifying the Victim’s Carrier.
It’s necessary to know the victim’s carrier, because certain carrier specific parameters are needed in the attack. If the victim is based in the US then the carrier is likely to be AT&T, but if the device has been unlocked or originates in another country then this will not necessarily be the case.
It turns out that it is easy to identify a carrier from a user’s cell phone number using one of the many International Mobile Subscriber Identity (IMSI) lookup services on the Internet at a very low cost. The 14 or 15 digit IMSI includes the Mobile Country Code (MCC) in the first three digits, followed the Mobile Network Code (MNC) which identifies the carrier in the next two or three digits.
2. Creating a Convincing .Mobileconfig File
Creating a suitable .mobileconfig file with the necessary proxy information is straightforward using Apple’s iPhone Configuration Utility, and it is possible to lock the profile so that it can’t be removed by the user if they change their mind after installing it. But unless the file is signed and verified as coming from someone trustworthy (such as the victim’s carrier) the victim will be warned by the phone that the authenticity of the configuration file that they are about to install is unverified. The phone will also display a red “Not Verified” flag as an additional warning, and at this point the user might well cancel the installation.
But Gassira and Piccirillo pointed out that there is a way around this thanks to security flaws affecting the signature checking mechanism in the iPhone that were revealed back in January 2010 on Cryptopath:
“We observed that iPhones will trust mobileconfig files they receive over the air or through wire if they are signed by a trusted entity. However:
- The keystore used to lookup trusted CAs includes the default Safari keystore.
- A signature-only certificate is enough to sign mobileconfig files.
There are 224 trusted root Certificates in the iPhone keystore (v3.1). See: http://support.apple.com/kb/HT3580 for a complete list published by Apple. It is relatively easy to obtain a signature certificate from many of them without any sort of verification. A demo (test) signature certificate can be obtained from Verisign without need for anything other than a valid e-mail address (throwaway addresses work, too) for sixty days at no price and without providing any credit card details.”
This means that a hacker can get a free test signature certificate in the name of the victim’s carrier, or anyone else, and use it to sign the evil .mobilecofig file. Once this has been done, the file will be flagged as “Verified” in green, and no warning about its authenticity will be displayed by the phone. To all intents and purposes, the profile will appear genuine.
3. Sending the Victim a Spoofed SMS to Trick Them in to Downloading the Evil Profile
The likely success of this part of the attack depends on the social engineering skills of the hacker, but Gassira and Piccirillo suggested that a hacker send an SMS purportedly from the victim’s carrier. Alternatively it could purport to come from someone at the victim’s employer’s IT support or mobile support desk. In any case, the SMS needs to say something to the effect that a configuration change is necessary, perhaps to correct a newly discovered security vulnerability, and to avoid any loss of connectivity the user should update their configuration by clicking on a link in the SMS. The link should look plausible to an unsophisticated user – something like www.t-mobile-configupdate.com. If the user clicks the link the iPhone’s browser automatically downloads and installs the evil profile.
Once the evil .mobileconfig file is installed and operational, all the user’s http traffic will go through the proxy which is controlled by the hacker. Gassira and Piccirillo demonstrated a proxy based on Apache with mod-proxy, Moxy Marlinspike’s sslstrip < http://www.thoughtcrime.org/software/sslstrip/> and mod_security to watch the traffic passing through in cleartext. From there the hacker can monitor the victim’s web traffic, sniff usernames and passwords, and even inspect traffic from other iPhone apps like Maps, FaceBook and AppStore.
It’s unlikely that many users would discover that their iPhone had been hijacked in this way, and undoing the hijack is hard if the .mobileconfig file was locked when it was created by the hacker, preventing its removal. If this is the case then the only way to undo the hijack is to reset the phone to its factory condition.
The good news is that for devices running iOS 4 – the latest version of the iPhone operating system – if the device already has a profile installed then it is not possible to install a new profile without first uninstalling the existing one. If the existing profile is locked then this is obviously not possible. So a way to protect users against this type of hijacking is to ensure that all iPhones are upgraded to iOS 4, and then to configure them with a locked profile which cannot be replaced by an evil one.