Playing against a backdrop of splashy iPhone SMS hacks demonstrated this week at Black Hat USA 2009, young researchers Zane Lackey and Luis Miras on Thursday demonstrated attacks at the annual hacker conference in which they spoofed sender numbers and exploited flaws in GSM carriers' networks to cut the carrier out of the MMS message loop.
The attack potentially leaves any mobile device on a GSM network anywhere in the world that is capable of sending media files vulnerable to spoofing, phishing attacks and other scams.
The researchers presented a video of the hack in action. Their demo hacking tool, running on an iPhone, sends a message to a victim purporting to be from the number 611, which is generally reserved for communication with the respective carrier's customer service department. Because users tend to follow messages that appear to come from their carrier or another trusted source, the attack opens with a text message. In this case, the message informs the victim that he or she has earned an account credit and asks the victim to follow a link. From there, the victim is tricked into giving up sensitive information, such as a username, password and more.
"People really trust phones a lot more than they trust email or anything like that," Lackey said. "If I get a text that's supposed to be from a carrier number, chances are, I'm going to believe it."
Using Lackey and Miras' application, an attacker would control the "from" field in a message, as well as the timestamp, which, for example, would enable them to backdate messages.
The key to the hack is the attacker's ability to bypass the carrier when delivering a message. Normally, MMS messages are sent by a user to their carrier's server. The carrier processes the content, resizing it if necessary or checking it for spam. The carrier then notifies the recipient's device that content is waiting. That device contacts the carrier's server and downloads the content; some phones pull content automatically, while others present the user with a message and the user must click through to get the content.
In the attack, the application sends its own MMS notification, which is carried over SMS, Miras said, telling the target phone to pull the content from the attacker's server rather than from the carrier's. Because the user's phone is tricked into fetching from the wrong server, the carrier's protections in the cloud are never applied.
"Notification messages are only supposed to be generated and sent by a carrier," Lackey said. "We sent our own."
GSM is the de facto standard for global wireless networks, meaning the attack potentially puts dozens of carriers and many millions of end users at risk.
Lackey and Miras said they have shared their findings with a carrier, which they declined to name. They said the carrier has reached out to the GSM Alliance, which is notifying its members of the issue.
No proof-of-concept code has been released, and the two say they'll wait for carriers to patch their architectures before releasing one. They said mobile phones will not receive patches for this flaw, as the flaw resides in the carriers' networks, not on the devices. They added that carriers, meanwhile, are monitoring for attacks of this nature.