Learning GSM: USSD fuzzing and attacking the network

Prerequisites of attacks

Some points why USSD is a good choice:
- USSD and USSD replies are free compared to SMS (except special, VAS, etc. numbers)

- USSD and USSD replies interact with 3rd party USSD Gateways software which most probably can be attacked more easy compared to SMSC

- USSD Gateways (if not crashed by a border-case/not-tested/unusual/malformed USSD message or USSD reply), forward the messages to Applications. Most probably “Third party content and application providers” suffer from buffer overflow, script injection, SQL injection, etc.

According to http://www.truteq.com/tips/ussd/:
“The menus are served by applications. This may not be at the GSM network operator, but at a content provider connected to the USSD infrastructure. Applications or content can therefore be served from :
1. Standard supplementary services
2. GSM Network Operators value-added services
3. Third party content and application providers
“

- USSD sessions implementation mechanisms can be exploited in USSD Gateways (grow huge sessions, open huge number of sessions, etc.)

Means to practically implement attacks

Fuzzing requires a lot of messages/replies back and forth through TELCO’s equipment. Many may say that such activity may not go unnoticed, and this is true.

Read more! »

Learning GSM: Mobile/Cell Phone Power-Off vs Mobile Not-reachable/Battery-discharged

Power-Off vs Not-reachable/battery-discharged

It was interesting for me to find out and read an old paper called “Forensics and the GSM mobile telephone system” (original article file 03_spring_art1.pdf).

The point I want to discuss here is also somehow related to trust or mis-trust whether a given called subscriber really went out of GSM network reach/had the battery discharged during idle OR the subscriber actually shut-off his phone and pretends he is out of network reach/battery discharched.

This trust/mis-trust often comes as a facade dialogue template:
John: “I tried to called you regarding XYZ”
Bob: “Umm, I am really sorry - I really wanted to talk to you, but I lost network/I had phone battery discharged” (when actually Bob did switch off his phone on purpose not to be reachable specifically by John and/or other calling parties)

Now there is really a way, without having any technical device or very specific knowledge to find out whether a subscriber has shut down his phone or went out of network-reach or had his battery discharched.

Read more! »

26C3 - “Look ma’ , I am on TV”

26C3 is over… It was a fun experience however !

Some key points:

Lightning talks

Together with Pavol Luptak (from Nethemba team in Slovakia), had a lightning talk about the MFCUK

Online video / Downloadable video (our talk starts around 00:09:50)

Slides 26C3 Lightning Talk Day2 MFCUK Mifare Classic Toolkit

Open digital radio

Also, I have attended a very nice and neat workshop put up by Mathias Coinchon from OpenDigitalRadio.org

The workshop link is here.

Mathias also have kindly provided the GNU Radio Companion files used in “26C3 Radio Broadcasting Workshop”.

DYI Book scanner

Ever wondered how the thousand pages books are scanned and put online? I was wondering that too.

A nice lecture and slides are here:

How to build your own Book Scanner [in 4 min]

RATB/Metrorex Card Activ Hacked
…and “Mifare Classic Dark-Side Key Recovery Tool” released under GPL!

Well… It was about the time for RATB/Metrorex Card Activ in Bucharest to fall… And it is not even news. OV Chipkaart in Netherlands, Oyster Card in London were broken in the near and not so near past…

RATT Contactless Ticketing in Timisoara and EasyCard in Taipei are the next samples of cards to be “hacked", i.e. the keys are recovered, need only to analyze the data.

Mifare Classic is both theoretically and practically broken in both active (sniffing) and passive (card-only) attack scenarios.

Thanks to ignorance, lots of money/interest (14 Millions of Euros) and UTI/PMB (Primaria Municipiului Bucuresti/Bucharest City Hall) involvement, RATB/Metrorex still uses Mifare Classic.

Hell ya, where are they gonna go? It’s a logistic nightmare to upgrade the readers in the entire RATB fleet and all Metrorex entrances, manage the exchange of already 800.000 sold cards, not telling about additional several Millions of Euros for upgrade equipment and software upgrades…

Even though researches were blowing the whistle from last year, no system integrator or vendor seems to care . Well it seems that few smart guys (and not pointing to me, I just implemented what other had know and researched for a long time) can fcuk up dozen of systems, each costing Millions of Euros.

Nice equation: (a dozen of smart guys * their brain IQs of Millions) >>>OUT-WEIGHTS>>> (the dozens of projects * XX Millions of Euros)

Long story short, here we go - food for the brain (yes - food for the brain, not spoon-feeding - note the difference):

RATB/Metrorex Mifare Card Security Assessment Document (PDF)

RATB/Metrorex Mifare Card Security Assessment Document (MS Word 2007)

MFCUK (MiFare Classic Universal toolKit) http://code.google.com/p/mfcuk/

Enjoy!

PS: (14 Nov 2009)
Ironically, on the night of publishing this paper/post and the open-source/binary for key recovery, UTI has posted these news “Cardurile de călătorie RATB se pot reîncărca online sau la bancomat (13 noiembrie 2009)” (i.e. “RATB cards can now be topped-up online or at some BCR ATMs”).

DISCLAIMER: The information and reference implementation source/binary contained herein is provided:

• for informational use only as part of academic or research study, especially in the field of informational security, cryptography and secure systems
• as-is without any warranty, support or liability - any damages or consequences obtained as a result of consulting this information if purely on the side of the reader
• NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorizations to - such as ticketing systems, building access systems or whatsoever systems using Mifare Classic as core technology)

Tags: mifare, classic, key recovery, mifare classic key recovery tool, mifare classic key hack tool, mifare key recovery source binary executable, key crack, ratb metrorex hack, ratb.ro metrorex.ro hack, ratb metrorex crack, ratb.ro metrorex.ro crack, crypto1, crapto1, lsfr_common_prefix, dark side attack, dark side paper, dark side implementation, darkside libnfc, darkside crapto1, darkside attack implementation, ratb metrorex card activ sat spart hackuit crackuit, uti ratb metrorex card activ hack hacked, ratt hack, ratt card hack, ratt.ro hack, ratt.ro card hack, ratt card crack, ratt crack, ratt card spart hackuit crackuit, easycard mifare classic taipei card hack crack, crypto1 crack, crypto1 hack, crapto1, libnfc key recovery, proxmark3 key recovery

About AskAmit

At my previous work and here also, I and coworkers had an internal subject [AskAmit] for sharing shitty code (which we find around or even discover in inherited projects) among us.

This continued in the current company - like for example this one (not exact reproduction, but still) in Java (trully existing code at my present company ) – test if a boolean variable is true or false:

Code:

The [AskAmit] name was coming from Sun’s JMF (Java Media Foundation) incredible naive line at those times (2002) that made the framework buggy enough (though it was a good concept):

jmf-2_1_1e-scsl-src/src/share/com/sun/media/util/Registry.java
if (file.length() == 0) { // TODO: Ask AMITH if you need this

Seems like [AskAmit] kind-of groups grow everywhere, so it reached to a critical level called GovnoKod (ShittyCode) – highly recommended reading not to step on the shitty paths of programming

Excerpts: - Enjoy!

———————————————————————

Си / Говнокод #1829

Code:

Классика жанра.

———————————————————————

Си / Говнокод #1317

Code:

Способ комментирования… O_o

———————————————————————

Си / Говнокод #405

Code:

Операция “подергивание”

———————————————————————

Assembler / Говнокод #453

Code:

Такое борландовский кодогенератор иногда выдаёт

———————————————————————

Assembler / Говнокод #414

Code:

На всякий случай, наверное если первый не сработает

———————————————————————