Archives for: October 2008, 21

iPhone with T-Mobile EDGE SideKick prepaid plan

10/21/08 | by zveriu | Categories: Hardware, Software, AskAmit, iPhone, Hack

UPDATE (26-10-2008): a newer post related to this

I am in the USA for a short period, so I was looking at some prepaid GSM SIM cards, and the most attractive for me was T-Mobile’s prepaid service. From those, I chose for some reasons the Prepaid SideKick plan, which (not surprisingly, as is stated in the presentation of the plan) works ONLY on a SideKick device for the data traffic; voice is fine.

I was basically looking for a way to use this plan on my iPhone. For the SideKick plans, the APN to be used is for sure hiptop.t-mobile.com - only this APN seems to communicate/process something with the network; any other APN will NOT work and will give you “Could not activate EDGE” on the iPhone.

However, this APN implementation has some kind of software check that allows only SideKick devices to route data through it.

I was able to get an IP address and DNS IP addresses for the EDGE interface of the iPhone, but no pinging/routing was available, not even to the proxies mentioned in other blogs, nor pinging/routing to the DNS IP addresses it had gotten from the network.

The EDGE interface does not have a MAC address associated with it (someone correct me if I am wrong; I have also checked this with ifconfig from the iPhone terminal). Having no MAC, what other information could the APN software/hardware use to identify and permit only SideKick devices? Could it be the IMEI? If it is the IMEI, then an IMEI change utility for iPhone would do the job, but we would need IMEI patterns for SideKick devices. If it is anything else, what is it?

Here are some logs which I got from the iPhone’s BB dump (baseband, GSM processor, whatever you call it):

_________

173789393 recv[pdp_ctl]: +XDNS: 1, "216.220.208.209", "216.220.212.29"
173789393 recv[pdp_ctl]: OK
173789393 send[pdp_ctl]: at+cgpaddr=1
173789405 recv[pdp_ctl]: +CGPADDR: 1,"10.116.158.163"
_________

174312526 send[pdp_ctl]: at+cgdcont=1,"IP",""
174312535 recv[pdp_ctl]: OK
174312535 send[pdp_ctl]: at+xgauth=1,1,"",""
174312542 recv[pdp_ctl]: OK
174312542 send[pdp_ctl]: at+xdns=1,1
174312549 recv[pdp_ctl]: OK
174312556 send[pdp_ctl]: at+cgact=1,1
174313489 recv[pdp_ctl]: OK
174313490 send[pdp_ctl]: at+xdns?
174313500 recv[pdp_ctl]: +XDNS: 1, "216.220.208.209", "216.220.212.29"
174313502 recv[pdp_ctl]: OK
174313502 send[pdp_ctl]: at+cgpaddr=1
174313514 recv[pdp_ctl]: +CGPADDR: 1,"10.119.157.172"
174313515 recv[pdp_ctl]: OK
174313516 send[pdp_0]: at+cgdata="M-RAW_IP",1
_________

173789374 send[pdp_ctl]: at+xdns?
173789393 recv[pdp_ctl]: +XDNS: 1, "216.220.208.209", "216.220.212.29"
173789393 recv[pdp_ctl]: OK
173789393 send[pdp_ctl]: at+cgpaddr=1
173789405 recv[pdp_ctl]: +CGPADDR: 1,"10.116.158.163"
173789408 recv[pdp_ctl]: OK
173789409 send[pdp_0]: at+cgdata="M-RAW_IP",1
_________

173830458 send[pdp_ctl]: at+xdns?
173830469 recv[pdp_ctl]: +XDNS: 1, "0.0.0.0", "0.0.0.0"
173830471 recv[pdp_ctl]: OK
173830472 send[pdp_ctl]: at+cgpaddr=1
173830482 recv[pdp_ctl]: +CGPADDR: 1,"10.203.202.171"
173830484 recv[pdp_ctl]: OK
173830484 send[pdp_0]: at+cgdata="M-RAW_IP",1
_________
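
The dumps above follow one shape per line (timestamp, send/recv, channel, AT command or response), and each activation attempt ends with the at+cgdata that hands the context to the data channel. As an added example (not code from the original post), here is a small Python parser that reads that format, groups the lines into activation attempts, pulls out the APN, the assigned PDP address and the DNS servers, and flags the failure mode visible in the last dump, where the network hands back 0.0.0.0 for DNS. The line shape, the session boundary at at+cgdata, and the sample lines (copied from the dumps above, not captured by this script) are assumptions of the example.

```python
"""Added example: parse the baseband (pdp_ctl) dump format shown above and
summarise each PDP-context activation attempt. Not code from the post."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the dump's format; timestamps and addresses are
# copied from the post's dumps, nothing here was captured by this script.
SAMPLE_LOG = """\
174312526 send[pdp_ctl]: at+cgdcont=1,"IP",""
174312535 recv[pdp_ctl]: OK
174312535 send[pdp_ctl]: at+xgauth=1,1,"",""
174312542 recv[pdp_ctl]: OK
174312542 send[pdp_ctl]: at+xdns=1,1
174312549 recv[pdp_ctl]: OK
174312556 send[pdp_ctl]: at+cgact=1,1
174313489 recv[pdp_ctl]: OK
174313490 send[pdp_ctl]: at+xdns?
174313500 recv[pdp_ctl]: +XDNS: 1, "216.220.208.209", "216.220.212.29"
174313502 recv[pdp_ctl]: OK
174313502 send[pdp_ctl]: at+cgpaddr=1
174313514 recv[pdp_ctl]: +CGPADDR: 1,"10.119.157.172"
174313515 recv[pdp_ctl]: OK
174313516 send[pdp_0]: at+cgdata="M-RAW_IP",1
173830458 send[pdp_ctl]: at+xdns?
173830469 recv[pdp_ctl]: +XDNS: 1, "0.0.0.0", "0.0.0.0"
173830471 recv[pdp_ctl]: OK
173830472 send[pdp_ctl]: at+cgpaddr=1
173830482 recv[pdp_ctl]: +CGPADDR: 1,"10.203.202.171"
173830484 recv[pdp_ctl]: OK
173830484 send[pdp_0]: at+cgdata="M-RAW_IP",1
"""

# Assumed line shape: <timestamp> <send|recv>[<channel>]: <AT command or response>
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<dir>send|recv)\[(?P<chan>[^\]]+)\]:\s*(?P<body>.*)$")
XDNS_RE = re.compile(r'^\+XDNS:\s*(?P<cid>\d+),\s*"(?P<dns1>[^"]*)",\s*"(?P<dns2>[^"]*)"')
CGPADDR_RE = re.compile(r'^\+CGPADDR:\s*(?P<cid>\d+),\s*"(?P<ip>[^"]*)"')
CGDCONT_RE = re.compile(r'^at\+cgdcont=(?P<cid>\d+),"(?P<type>[^"]*)","(?P<apn>[^"]*)"', re.I)


@dataclass
class PdpSession:
    """One activation attempt: everything up to the at+cgdata hand-over."""
    cid: Optional[int] = None
    apn: Optional[str] = None          # None: no +CGDCONT seen in this attempt
    ip: Optional[str] = None
    dns: List[str] = field(default_factory=list)
    data_started: bool = False

    def problems(self) -> List[str]:
        """Reasons this context could not carry useful traffic."""
        found = []
        if not self.ip or self.ip == "0.0.0.0":
            found.append("no PDP address assigned (+CGPADDR missing or empty)")
        if not [d for d in self.dns if d and d != "0.0.0.0"]:
            found.append("no usable DNS server (+XDNS absent or 0.0.0.0)")
        return found

    def is_carrier_private(self) -> bool:
        """True for RFC 1918 space, i.e. the device sits behind carrier NAT."""
        try:
            return ipaddress.ip_address(self.ip or "").is_private
        except ValueError:
            return False


def parse_sessions(text: str) -> List[PdpSession]:
    sessions: List[PdpSession] = []
    current: Optional[PdpSession] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separators, blank lines, anything not in the dump format
        if current is None or current.data_started:
            current = PdpSession()  # a new attempt starts after each at+cgdata
            sessions.append(current)
        body = m.group("body")
        if m.group("dir") == "send":
            cm = CGDCONT_RE.match(body)
            if cm:
                current.cid, current.apn = int(cm.group("cid")), cm.group("apn")
            elif body.lower().startswith("at+cgdata="):
                current.data_started = True
        else:
            xm, pm = XDNS_RE.match(body), CGPADDR_RE.match(body)
            if xm:
                current.dns = [xm.group("dns1"), xm.group("dns2")]
            elif pm:
                current.ip = pm.group("ip")
    return sessions


def diagnose(text: str) -> List[str]:
    """One summary line per activation attempt."""
    lines = []
    for n, s in enumerate(parse_sessions(text), 1):
        apn = "<not set>" if s.apn is None else (s.apn or "<empty, left to network>")
        status = "; ".join(s.problems()) or "OK"
        nat = " (carrier-private address)" if s.is_carrier_private() else ""
        lines.append(f"session {n}: apn={apn} ip={s.ip}{nat} dns={s.dns} -> {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG)))
```

Run against a longer dump, the report separates "the context came up but DNS is unusable" from "no address at all", which is the distinction the pinging/routing observations above hinge on: both 10.x contexts in the dumps are carrier-private addresses, so reachability beyond the carrier's gateway is the network's decision, not something visible in the AT exchange.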

DISCLAIMER: this post is intended purely for research and educational purposes. Any use of this information is the sole responsibility of the reader/user, and the author is not to be held liable for any misuse of the above informative technical details.

TAGS: iPhone, IMEI, change iPhone IMEI, iPhone EDGE T-Mobile, TMobile, T-Mobile, EDGE, iPhone Sidekick, iPhone T-Mobile, Sidekick prepaid, Sidekick data iPhone

mail.md hack

10/21/08 | by zveriu | Categories: AskAmit, Hack, Cookies, Sessions

It was back in 2004, when I was still at UPB and waiting for final interviews with Ubisoft Romania. I had some spare time and also got interested in mail.md security research, after having previously attempted to find security holes in it without much luck.

At the same time, I saw the post below from k0t about his research on this topic:
Xakep Online > Reading other people’s mail on Mail.md

A few days of intensive testing and I got the script working. Since then I have just beautified and commented it properly. The attack would have involved:

  • social engineering - sending the victim a fake email with FROM: as let’s say admin@mail.md and asking with very convincing reasons to click-open the attached HTML. Anyway almost any mail sent from HTML-like web-mail (yahoo, etc) got into mail.md with a file attachment like part2.html (possibly because it didn’t have proper HTML processing in place)
  • gathering sufficient mail addresses to make it a mass attack - got with various mail collecting (crawling the HTML pages and parsing all *@mail.md text) and probing (SMTP probing with bruteforce or dictionary based generators) tools (MailOMatic and alike) nearly 3000 mail addresses for mail.md
  • automating the fake mailing with tools like Mail Bomber - never got to that point, even though I had everything in place (mail addresses, working script, Mail Bomber and alike tools)

Recently, some script kiddie revived the dead here:
mail.md, or reading the Moldovans’ mail

Here is an archive with files: Mail.md hack script (working back in 2004-2005)

Now, this attack is not working because:

  • it moved from CGI-BIN to some kind of PHP engine
  • they fixed the design so that changing the secret question/answer or password requires the old password, which we actually don’t know and don’t want to know/bruteforce
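
The second fix above is the one that matters for a session-based attack: once changing the password or the secret question/answer requires the current password, holding someone's session is no longer enough to take over the account's recovery path. As an added example (constructed for this page, not mail.md's code), the Python below shows an account store with the pre-fix design, where a valid session alone can rewrite the secret question/answer, next to the fixed design, where the same change is refused unless the caller also proves the current password. The store, the session object and the PBKDF2 parameters are assumptions of the example.

```python
"""Added example: re-authentication for sensitive account changes, the design
the post says mail.md moved to (current password required to change the
password or the secret question/answer). Constructed; not mail.md's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly; raise in production


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalise(answer: str) -> str:
    # Secret answers are compared case- and whitespace-insensitively.
    return " ".join(answer.lower().split())


@dataclass
class Account:
    pw_salt: bytes
    pw_hash: bytes
    question: str
    ans_salt: bytes
    ans_hash: bytes


@dataclass
class Session:
    """All a valid session cookie proves: which user it was issued to."""
    username: str


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str, question: str, answer: str) -> None:
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._accounts[username] = Account(pw_salt, _hash(password, pw_salt), question,
                                           ans_salt, _hash(_normalise(answer), ans_salt))

    def verify_password(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and hmac.compare_digest(acct.pw_hash, _hash(password, acct.pw_salt))

    def verify_answer(self, username: str, answer: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and hmac.compare_digest(
            acct.ans_hash, _hash(_normalise(answer), acct.ans_salt))

    def _set_secret(self, username: str, question: str, answer: str) -> None:
        acct = self._accounts[username]
        acct.ans_salt = secrets.token_bytes(16)  # fresh salt on every change
        acct.question = question
        acct.ans_hash = _hash(_normalise(answer), acct.ans_salt)

    # Pre-fix design described in the post: a valid session is all it takes,
    # so whoever holds the session can rewrite the recovery secret.
    def change_secret_legacy(self, session: Session, question: str, answer: str) -> bool:
        self._set_secret(session.username, question, answer)
        return True

    # Fixed design: the caller must also prove knowledge of the current password.
    def change_secret_hardened(self, session: Session, current_password: str,
                               question: str, answer: str) -> bool:
        if not self.verify_password(session.username, current_password):
            return False  # the session alone is not enough; nothing changes
        self._set_secret(session.username, question, answer)
        return True

    def change_password_hardened(self, session: Session, current_password: str,
                                 new_password: str) -> bool:
        if not self.verify_password(session.username, current_password):
            return False
        acct = self._accounts[session.username]
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(new_password, acct.pw_salt)
        return True
```

The check is deliberately placed inside the store rather than in the web layer, so a second endpoint (a legacy CGI path left alongside the PHP engine, for instance) cannot reach the update without going through the same password verification.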

However, they have kept most of the URL encoding of actions, sessions and folders, so they likely didn’t get rid of the old engine entirely. Also, they had some stack problems with the old CGI-BIN, but I cannot recall or find any notes on how to reproduce them…

That’s it for now. And as a final note: security is an ongoing process, not a final goal.

DISCLAIMER: this post is intended purely for security research and educational purposes, as well as to urge the vendor to fix the problems posing threats to its customers. Any use of this information is the sole responsibility of the reader/user, and the author is not to be held liable for any misuse of the above informative technical details.

telePORTAREA (c) - Number Porting in Romania

10/21/08 | by zveriu | Categories: In real life, On the web

PROLOGUE

Fairly recently I was involved in a project in Romania for a big client which, judging by the logo and the posters around its offices, is a “Big donor of a drop of blood” (get my point?).

The project involved Number Porting, or Number Portability, which, as you may already know, comes into force by law in Romania on 21 October 2008 (although no operator is really 100% prepared to support this portability, so it will only be fully supported according to the ANRCTI requirements from around 2009).

Telephone number portability is a service for telephony users that allows them to keep the same telephone number when they become subscribers of other providers.

Portability at Vodafone
Portability at Orange

THE IDEA ITSELF

In my spare time alongside the project during that period, I was wondering: “How would the operators advertise this?” That is how I came up with an advertising/marketing concept for the PORTAbility of TELEphone numbers: telePORTAREA or TELEportarea, i.e. “teleportation” (or any other graphic rendering that better evokes the two main terms).

A typical advertisement for the Romanian operators would sound/look something like this:

Are you ready for telePORTATION?
telePORT yourself now into the PRICHINDEL network through the new number portability service and:

  • you get 1 month of calls at 1 euro cent/minute to any network [OR insert bullshit marketing attractor]
  • you are closer to all your PRICHINDEL friends, who know your old number, which you can now keep anytime and anywhere
  • a discount on a burial plot at Belu, because you can keep your number for eternity

Possibly also SMS/VOICE service concepts on short codes like *PORT (i.e. *7678), such as:

  • querying whether a number has been ported
  • etc.

EPILOGUE

Someone told me the idea is quite nice, but since I have no access to the relevant channels to the operators or the advertising agencies, it is very unlikely that I could realise/sell it. So I am publishing it here; maybe someone will take notice of me (or maybe just send me back to my origins).

Disclaimer: The advertising/marketing concept “telePORTAREA ©” related to telephone number portability belongs to me. Any use without my express permission or consent for advertising purposes related to telephone number portability is considered a violation of the law.

TAGS: Romania, Vodafone, Orange, ZAPP, Cosmote, Romtelecom, RDS, Portare, Portabilitate, Portarea Numerelor, Portabilitatea Numerelor, ANRCTI, Number Portability
