Phone Hacking: A lucrative, but largely hidden history


Transcript of Phone Hacking: A lucrative, but largely hidden history

Page 1: Phone Hacking: A lucrative, but largely hidden history

Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.

Mobile Phone Hacking: A lucrative, but largely hidden history

DC4420 – David Rogers

27th May 2014

http://www.mobilephonesecurity.org

Page 2: Car Radio Hacking – 1990s / 2000s

• PIN locks to deter and remove value of theft
• Hacking tools reset / calculate / remove security codes


Page 3: Some Phone Terms: SIMlock & IMEI

• SIMlock:
– used to secure the device to a particular network during the period of the subsidy, can be unlocked with CK codes by calling operator
– Different variants of locks
– Recent court case in the US over legality (and lots of other previous fights)
• IMEI:
– the International Mobile Equipment Identity number
– unique to each device
– can be blocked if device is stolen
• Other interesting information on device that would be hacked
– E.g. to change language packs, phone lock removal, text etc.
• Big battle between mobile industry and hacking groups between c.1999 and now – has evolved to jailbreak / root community


Page 4: ‘Unlocking’ and IMEI changing

• What is ‘unlocking’?
– SIMlocks
– Most hacking used to be aimed at the SIMlock area
• The security area in the handset would protect all sensitive data – including IMEI and SIMlock
• What is a dirty hack?
– Hacks targeted against the security area would often cause corruption to data – including the IMEI.
– Data such as RF calibration settings would often be wiped out
• Hacking tools usually dual-use (SIMlock and IMEI)
– Causes problems in countries where IMEI changing is illegal – difficult and costly to get direct proof


Page 5: Historic Criminal Structure (Unlocking / IMEI changing)

[Diagram: Historic Criminal Structure. Actors: Internet, Embedded Hacker, Hacking Group, Internet Shop, Shop or Stall, Repair Centre, Application Hacker, Organised Crime, Re-seller, End-user / Thief / Drug dealer. Linked crime: Mass Theft, Subscription Fraud, Street Crime, Black Market Exporter, eBay, Counterfeiting, IP Theft, ‘User’ crimes (murder etc.).]

Page 6: Historic Financial Structure

[Diagram: Historic Financial Structure. Actors: Internet, Embedded Hacker, Hacking Group, Internet Shop, Shop or Stall, Repair Centre, Application Hacker, Organised Crime, Re-seller, Free Software, End-user / Thief / Drug dealer. Value and payment method at each level of the chain:]

Value          Method
£10 - £30      Cash, debit / credit card
£50 - £500     Western Union, PayPal, postal order
£500 - £5000   Western Union
£5000+         Western Union

Page 7: Examples of Hacking Hardware

• Standard service repair equipment
– Fraudulent purchasing of manufacturer’s equipment
• Mass produced hardware by hacking groups
– Griffin Box
– UFS-3 (Twister)
– Blazer
– Clips
• Evolution
– New equipment was constantly developed as new models were released
– New technologies and hardware security to ensure revenue


Page 8: Mass Manufacture of Hacking Hardware

Page 9: Examples of Hacking Hardware (2)

• Most hacks steal their solutions from already existing hacks
– May seem to be 22 hacks available – just old hacks re-packaged.
– Different front-end to software
– Different hardware
– the ‘golden’ part of the source code is from 1 hack
• Lots of ‘ghost’ hacks that are aimed at defrauding people
– same in 2012 with jailbreaking on iOS6


Page 10: Hardware Hacking Methods

• EEPROM cloning or ‘Chipping’
– Old method
– Copied EEPROM with basic equipment
– Main aim to put EEPROM with no SIMlock on
– Result: IMEI number was cloned
• PICs (Programmable Integrated Circuits)
– Execute small sequences of commands
– Placed in-line to ‘snatch’ or modify data
• Flash device hot-swapping (almost impossible now)
• Exploitation of boundary scan ports
• External clips and dongles
• Note: less economical than software hacks


Page 11: In-line PIC Between SIM and Device

Page 12: Software Hacking Methods

• Direct change
– Breaking a programming algorithm
– Finding the correct test interface protocol command
• Still used(!) serial communications / USB monitoring equipment
• Modifying binary files (software download files)
– Inserting jump code
– Hijacking other functions in the code to subvert security
– Taking advantage of software design flaws
• Abuse of boundary scan to monitor phone processes
• ‘Dumping’ to logs of data from secure areas
• Brute force cracking of algorithms
• Theft of information from Design Centres / Factories / Service Centres
• “Voodoo Galaxy SIII SIM unlock” tool required device to be rooted…


Page 13: Typical (Old) Software Hack Methodology

[Diagram: timeline with two swim lanes, Manufacturer and Hacker. Timescale runs from marketing launch at trade show (0 months) to phone released to market (6 - 12 months). Hacker lane: research, theft of early model, network operator samples, open source info and hacking tools, hacking solution, distribute application. Manufacturer lane: product security, application protection tools, protect application, detection.]

Page 14: Use of Hardware Clips – 5 Second Unlocking!

• Simple to use, takes its power from the handset
• Contains a Programmable Integrated Circuit
• Bombards the handset with commands in a repetitive sequence
• The handset eventually gives up and resets itself – unfortunately resetting the SIMlock!
• This type of attack was used on many different makes of handsets
• Clips have now evolved and the term is usually used in reference to dongles


Page 15: “Logs”

• Used as a method of continually generating revenue for the real hackers and re-sellers at the top of the food chain – a historical issue for hackers
• Original concept by 3 Nokia hackers and dealers from Serbia:
– George, Boban (Slobodan Andrics) and Dejan (Dejan Kaljevic)
• How do logs work?
– Encrypted by hackers to avoid cracking by other hackers
– An example:
• Crack the master security locks -> generate an encrypted log of security area information -> close the security lock on the handset again!
• ‘Logs’ will be available only if the hacking solution is two part
– ‘Dumb’ client application to communicate with handset
– Data is sent to hacker / re-seller
– Corresponding data to unlock / change IMEI received from hacker / re-seller


Page 16: CK Algorithm Breaches

• Some manufacturers and ODMs used symmetric algorithms based on the IMEI number to generate CK codes – Broken and every possible iteration for each IMEI available
• Later versions cracked the factory / service tools because they were leaked rather than cracking the handset
• Down to poor manufacturer security and breaking principle of no stored, shared secrets!

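A toy illustration of the design point on this slide, added here and not part of the original deck: a CK code derived from one manufacturer-wide secret plus the public IMEI is computable for the whole fleet as soon as that secret (or the tool holding it) leaks, whereas a random per-device code with only its salted hash on the handset and the code escrowed at the operator gives up nothing about other devices. The master secret, the sample IMEIs and the 8-digit code format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a manufacturer-wide secret (not a real key).
MASTER_SECRET = b"constructed-manufacturer-wide-secret"


def weak_ck(imei: str, master_secret: bytes = MASTER_SECRET) -> str:
    """The pattern the slide criticises: one secret shared across every handset,
    combined with the public IMEI, deterministically yields the 8-digit CK code."""
    digest = hmac.new(master_secret, imei.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def codes_for_fleet(imeis: list[str], leaked_secret: bytes) -> dict[str, str]:
    """Once the shared secret leaks, the code for every IMEI is computable,
    which is how 'every possible iteration for each IMEI' ends up available."""
    return {imei: weak_ck(imei, leaked_secret) for imei in imeis}


def provision_device(imei: str) -> tuple[dict, dict]:
    """Per-device design with no stored, shared secret: the factory draws a random code,
    the handset keeps only a salted hash, and the operator escrows the code for that IMEI."""
    code = f"{secrets.randbelow(10**8):08d}"
    salt = secrets.token_bytes(16)
    handset = {"imei": imei, "salt": salt,
               "code_hash": hashlib.sha256(salt + code.encode()).digest()}
    escrow = {imei: code}
    return handset, escrow


def handset_accepts(handset: dict, candidate: str) -> bool:
    """Handset-side check; a leaked firmware image reveals only a hash of this device's code."""
    digest = hashlib.sha256(handset["salt"] + candidate.encode()).digest()
    return hmac.compare_digest(digest, handset["code_hash"])


if __name__ == "__main__":
    fleet = ["490154203237518", "356938035643809"]  # constructed sample IMEIs
    print("shared-secret scheme, after one leak:", codes_for_fleet(fleet, MASTER_SECRET))
    handset, escrow = provision_device(fleet[0])
    print("per-device code accepted by its own handset:",
          handset_accepts(handset, escrow[fleet[0]]))
```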

Page 17: De-capping and Focused Ion Beam Equipment

Page 18: Newer Hardware and System Level Attacks

• George Hotz – original iPhone jailbreak
– Used hardware flaw to XOR data address and insert jump code to empty memory where he could execute his own bootloader
– Allegedly assisted by European Infineon hacking teams
• Rooting
– Various methods, exploiting vulnerabilities
– Usually used as a staging area for other attacks (e.g. malware)
– Examples:
• RageAgainstTheCage, uboot, zergRush, gingerbreak
• Other private exploits
– Some manufacturers providing it as a service in order to prevent people hacking
• Legal battles around this area (e.g. US copyright office 2010, 2012)
– OK to remove SIMlocks and root devices


Page 19: Newer Motivations

Main targets / motivations recently have been:

• Rooting / jailbreak device – for piracy / other apps / custom OS / spyware
• SIM unlocking – break out of subsidy (cheap device) / fraud / export of stolen devices
• IMEI changing – re-enable stolen handsets in same country
• Launchpad attacks – spyware / malware / anti-theft tools / in-app billing
• Fixing issues – e.g. old SIMlocked device, can’t contact operator


Page 20: Phone Hacking: A lucrative, but largely hidden history

2002 2003 2004 2005 2006 2007 2008 2009 2010/11 2012

EICTA / GSMA 9 Principles

OMTP Trusted Environment:

OMTP TR0

OMTP Advanced Trusted Environment: OMTP TR1

TCG MPWG Specification

GSMA Pay-Buy-Mobile

Fragmented Security

Handset Embedded Security Evolution (to 2012)

Google / Apple Proprietary hardware

security features

Banking / film industryrequirements

WAC

RIM / Nokia proprietary security features

webinos

Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.

Page 21: Evad3rs, i0n1c, geohot, RedSn0w – iOS6 & iOS7

• iOS6 hack “used more zero-days than stuxnet”*
• Millions of downloads – huge market
• Evasi0n iOS7 jailbreak rushed out due to competition (and 7.1 release), packaged with Chinese app store (Taig)
– Rumoured to be $1 million
– Rumours of dirty tricks / questionable sources for some holes
– Strategic and tactical thinking, all ‘untethered’
• Some holes allegedly held back by various teams for future cracks on iOS8
• Teams still reverse and hack each other’s tools (like SIMlock)
• George Hotz tried to sell to a Chinese team (via a broker) for $350,000
– Audio clip released with negotiation discussions

* Ref: http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/


Page 22: May 2014 – Root Bounty for Verizon & AT&T

Page 23: Kill Switch / Anti-Theft Mechanism Targeting?

• Obvious this would happen


Page 24: Car Radio Hacking - 2014

Page 25: Questions?

david.rogers {@} copperhorse.co.uk – @drogersuk

Mobile Systems Security course: http://www.cs.ox.ac.uk/softeng/subjects/MSS.html

Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html


http://www.mobilephonesecurity.org