
Defcon 17 - Brandon Dixon - Attacking Sms

It's the year 2009 and spam mail is still taking up a huge percentage of all email sent every day over the Internet. Could you imagine that same messaging spam making a detour through your favorite cellular provider gateway and right to your SMS inbox? Mobile spam has not reached the same popularity as email spam, but what if it was as easy as submitting a form to spam thousands of people? Research was done on several messaging services and implementations to identify vulnerabilities to exploit. The end result of the research was that the idea of mobile spam was easily a reality using Jabber/XMPP and some techniques already put in place by multiple vendors. This talk will conclude with a proof-of-concept web application demo that demonstrates the techniques and issues mentioned as well as thoughts for solving the next generation of spam. Expect to walk away with a new look on mobile spam and the damage that could be done just by pressing submit.


XMPP/Jabber
Transports
Short mail
Internet to mobile communications

www.g2-inc.com

Number + Carrier = Victim
Users get email message with subscription (texting)
Received as a text message and not an email
Cost equivalent to standard text message


Conventional spamming techniques
Mass emailers
Spoofing the source address
Carrier can be identified by services online
Scriptable
Short mail is accepted by default


Anything past 160 characters may be dropped
Carrier must be properly identified for message to go through
No delivery confirmation


Incoming text = charge to the user
Send short mail from any mail client
Turned on by default
Carrier offers limited methods for stopping the attack


Sprint
  50 max email/domain blocked
  Can't block everything
Verizon
  10 max email/domain blocked
  Can block everything
AT&T
  15 max email/domain blocked
  Can't block everything

Short mail should not be directly tied into SMS
Possible flagging of messages to identify origin
Feature should be easily adjusted by the user
Should be turned off by default
More power should be given to block unwanted messages


Communications through XML
Setting up your own server is easy
Multiple options for different platforms
Allows for bonding to legacy chat implementations
Control of message flow
No rate limiting


Google Talk, Yahoo, AIM, MSN (in some areas)
Input a user's phone number and they're now a contact
Messages get sent in the form of an SMS message


Google forces a user to respond after a chat is initiated
No response after a few messages = no more talk
Yahoo forces a user to respond after a chat is initiated and performs throttling
AOL does NOT force a user to respond but does throttle


Rate limiting is imposed when sending messages too fast
Messages past 160 characters are split into multiple messages and NOT dropped
1 message = 13 messages (2000 byte max)
Acceptance must be made the first time for chatting (this was not always the case)
Abuse can be programmatically done


Transport is a bolt-on to a jabber server
Shows up in service directory for the hosted jabber domain
Users can bond to legacy services
Jabber_Name -> AOL
Log in to jabber and see AOL contacts
User looks like: [email protected]
Jabber name can bond to multiple AOL names (each must be on a different transport)
Public transports are available

Internal Jabber server with AIM transport service
Bond internal jabber accounts with AOL accounts
Send messages to phones using internal jabber account
Connection, bonding and authorization can be done programmatically


Generate phone list
Generate AOL account list (you must own these)
Read through list and send one giant message per number (1000 messages per second)
Send multiple messages to one number (must add delay to avoid rate limits)


AOL is the single point of failure
Rate limiting is a pain
Phone carriers queue messages
Limited bandwidth
Some messages could be dropped
AOL provides support to combat against spam and allows users to block messages


Send messages at a high rate of speed
Some transports have support for SOCKS proxies (tor)
Public transports are often found in other countries with a large user base (good for hiding)
All attacks can be done programmatically without interaction


AOL needs to follow Yahoo and Google's implementation design
Protection has gotten better since testing first began a year ago
ToC servers appear to no longer support Internet to mobile communications
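
The Google and Yahoo behaviour the slides recommend (the phone user must respond, no response after a few messages ends the talk, and sending is throttled) can be sketched on the gateway side as follows. This is an added example, not code from the talk or from any vendor; the class and function names are hypothetical and the thresholds are assumed values.

```python
import math
from collections import defaultdict, deque

SEGMENT_CHARS = 160           # from the slides: longer text is split, not dropped
MAX_UNANSWERED = 3            # assumed value for "a few messages"
WINDOW_SECONDS = 60           # assumed throttle window
MAX_SEGMENTS_PER_WINDOW = 20  # assumed per-sender budget, in SMS segments


def segments(body):
    """SMS segments (billable texts) that one IM message becomes."""
    return max(1, math.ceil(len(body) / SEGMENT_CHARS))


class ImToSmsGate:
    """Reply-required gate plus per-sender throttle for an IM-to-SMS bridge."""

    def __init__(self):
        self.unanswered = defaultdict(int)  # (sender, number) -> segments since last reply
        self.sent = defaultdict(deque)      # sender -> (timestamp, segments) in window

    def on_reply(self, sender, number):
        # The phone user answered, so the conversation may continue.
        self.unanswered[(sender, number)] = 0

    def allow(self, sender, number, body, now):
        cost = segments(body)
        pair = (sender, number)
        # Count segments, not messages: one 2000-byte (ASCII) IM is 13 texts.
        if self.unanswered[pair] + cost > MAX_UNANSWERED:
            return False, "awaiting reply"
        window = self.sent[sender]
        while window and now - window[0][0] >= WINDOW_SECONDS:
            window.popleft()
        if sum(c for _, c in window) + cost > MAX_SEGMENTS_PER_WINDOW:
            return False, "throttled"
        window.append((now, cost))
        self.unanswered[pair] += cost
        return True, "ok"


def demo():
    gate = ImToSmsGate()
    number = "+15555550100"  # constructed sample number
    results = [gate.allow("alice", number, "hi", t)[1] for t in range(4)]
    gate.on_reply("alice", number)
    results.append(gate.allow("alice", number, "thanks", 5)[1])
    return results
```

Because the unanswered budget is charged per segment, a single oversized first message is refused outright instead of reaching the phone as 13 billable texts.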


Eliminates dependencies with libraries
Could easily be made into a framework with modules
Can be accessed anywhere by many people
Proof-of-Concept allows
  Bonding of names
  Sending messages through a choice of transports
  Sending spoofed short mail messages
  Identifying public transports
  More could be added