1
00:00:00,125 --> 00:00:02,834
So my name is Bogdan Alecu.

2
00:00:03,000 --> 00:00:05,375
And the topic for today will be "Business Logic Flaws

3
00:00:05,375 --> 00:00:07,999
in Mobile Operators Services."

4
00:00:08,999 --> 00:00:12,709
For those that don't know me, everything is about me.

5
00:00:12,751 --> 00:00:16,626
I work as a systems administrator as a day job.

6
00:00:16,626 --> 00:00:22,083
And during my free time, when I have it, I like to break into a lot of mobile stuff.

7
00:00:23,334 --> 00:00:28,083
I started on this particular journey a couple

8
00:00:28,083 --> 00:00:34,292
of years ago with GSM networks by using my old Nokia phone

9
00:00:34,292 --> 00:00:42,334
and continued with voice over IP and got to GSM and mobile phones.

10
00:00:42,334 --> 00:00:46,042
If you want to keep in touch with me, you can find me on Twitter or

11
00:00:46,042 --> 00:00:48,125
on my Web site.

12
00:00:48,292 --> 00:00:51,626
So the goals for today would be for you to have

13
00:00:51,626 --> 00:00:55,999
a really high overview regarding the SIM toolkit.

14
00:00:55,999 --> 00:00:57,667
What it is.

15
00:00:57,667 --> 00:00:58,834
How we will exploit it.

16
00:00:59,584 --> 00:01:02,999
Then a couple of business logic flaws I've identified

17
00:01:02,999 --> 00:01:04,999
on some carriers.

18
00:01:05,083 --> 00:01:07,999
And I think you're going to find them really interesting.

19
00:01:07,999 --> 00:01:11,999
And also in the end if there is a way to protect you

20
00:01:11,999 --> 00:01:16,334
from this that I'm going to show you.

21
00:01:18,125 --> 00:01:24,083
We're going to call these HTTP headers, data traffic, extra digit and

22
00:01:24,083 --> 00:01:26,999
a summary at the end.

23
00:01:27,083 --> 00:01:30,167
So who has heard about SIM toolkit?

24
00:01:31,999 --> 00:01:33,250
Okay.

25
00:01:33,751 --> 00:01:39,083
To keep it simple, think about it as a platform for the carriers

26
00:01:39,083 --> 00:01:46,584
in order that they use it in order to install applications on your SIM card.

27
00:01:47,083 --> 00:01:51,999
This is how SIM toolkit looks like on an Android device.

28
00:01:51,999 --> 00:01:55,292
On some other devices you might find in them like an extra menu

29
00:01:55,292 --> 00:01:59,834
with the carriers namely like Orange, Vodafone and so on.

30
00:01:59,999 --> 00:02:06,375
And from this SIM toolkit menu, you can find things like exchange rates,

31
00:02:06,375 --> 00:02:13,083
the weather, how is the weather like or calling customer support.

32
00:02:13,083 --> 00:02:14,751
So different activities.

33
00:02:14,999 --> 00:02:18,501
And if you think about it, it's a pretty good thing.

34
00:02:18,501 --> 00:02:21,876
Because you have these applications on your SIM card.

35
00:02:21,876 --> 00:02:24,876
And no matter what phone you use and you put your SIM card in,

36
00:02:24,876 --> 00:02:27,918
you'll still have this application.

37
00:02:27,918 --> 00:02:29,584
So you don't need to install anything else in order

38
00:02:29,584 --> 00:02:31,209
to have them.

39
00:02:33,250 --> 00:02:37,542
Since this application sits on your SIM card, the carrier has

40
00:02:37,542 --> 00:02:43,334
a way to update these applications or modify or delete them and so on.

41
00:02:43,459 --> 00:02:46,709
So for example, if the customer support number

42
00:02:46,709 --> 00:02:51,375
changes, the carrier will send an over-the-air update which

43
00:02:51,375 --> 00:02:55,959
is basically a text message to your SIM card saying that

44
00:02:55,959 --> 00:02:59,292
the SIM card should update the phone number

45
00:02:59,292 --> 00:03:02,292
for the customer support.

46
00:03:03,999 --> 00:03:06,667
This message is kind of special message,

47
00:03:06,667 --> 00:03:08,876
a comment message.

48
00:03:08,876 --> 00:03:12,334
And in order to have this comment message,

49
00:03:12,334 --> 00:03:17,959
they may use the SMS of the user data header.

50
00:03:17,999 --> 00:03:21,999
The same user data header is used in cases like when you go

51
00:03:21,999 --> 00:03:26,999
over the 160 characters limit and do concatenated messages.

52
00:03:26,999 --> 00:03:30,584
So you have two messages which are concatenated into one message.

53
00:03:30,584 --> 00:03:33,083
And this makes use of the user data header and

54
00:03:33,083 --> 00:03:36,125
of course also in cases for -- who remembers

55
00:03:36,125 --> 00:03:38,959
the old Nokia ringtones?

56
00:03:38,959 --> 00:03:41,125
They also used user data headers.

57
00:03:42,834 --> 00:03:46,334
This is how the comment packet looks

58
00:03:46,334 --> 00:03:50,542
like for such a SIM toolkit SMS.

59
00:03:50,792 --> 00:03:53,083
So as I -- you have the user data header,

60
00:03:53,083 --> 00:03:57,709
then other fields like comment packet, link comment, header link,

61
00:03:57,709 --> 00:04:01,375
security parameter indicator and so on.

62
00:04:01,375 --> 00:04:06,459
The most important one that I want you to keep in mind this security indicator.

63
00:04:06,584 --> 00:04:10,459
The number you see below represents the number

64
00:04:10,459 --> 00:04:13,999
of bytes each element has.

65
00:04:14,918 --> 00:04:25,626
So this -- all of these specifications can be found on GSM specs.

66
00:04:26,999 --> 00:04:36,083
In order to also have this comment, you also add other two important fields.

67
00:04:36,083 --> 00:04:38,584
Data coding scheme and protocol ID.

68
00:04:38,834 --> 00:04:43,792
By setting the protocol ID to 7F, it means that you do

69
00:04:43,792 --> 00:04:49,999
a SIM data download and data coding scheme to F6 means that this type

70
00:04:49,999 --> 00:04:56,083
of text message is directly addressed to your SIM card.

71
00:04:56,083 --> 00:05:00,667
So according to the GSM specification, what will happen when you receive

72
00:05:00,667 --> 00:05:04,999
such a comment message, the phone will transparently pass this

73
00:05:04,999 --> 00:05:08,999
SIM message this comment message through your SIM card and

74
00:05:08,999 --> 00:05:12,999
will not alert you in any other way so basically when your

75
00:05:12,999 --> 00:05:17,751
carriers sends this message saying okay I want to update the number

76
00:05:17,751 --> 00:05:22,626
for the customer support, you will have no idea that you have just got

77
00:05:22,626 --> 00:05:24,667
a text message.

78
00:05:27,209 --> 00:05:31,209
And I told you keep in mind security parameter indicator.

79
00:05:31,375 --> 00:05:33,501
So you are setting this comment.

80
00:05:33,501 --> 00:05:35,083
But you need some kind of acknowledgement

81
00:05:35,083 --> 00:05:38,999
to know that this comment message has been received.

82
00:05:39,209 --> 00:05:43,417
And this is called proof of receipt which can be set

83
00:05:43,417 --> 00:05:46,417
in the first two bits.

84
00:05:46,876 --> 00:05:49,375
If you set it for example to 01 it means you always want

85
00:05:49,375 --> 00:05:51,918
to get a proof of receipt.

86
00:05:52,250 --> 00:05:54,999
So no matter if there was an error or there wasn't any error, you

87
00:05:54,999 --> 00:05:57,792
will always get a proof of receipt.

88
00:05:57,792 --> 00:06:00,334
And how you get it, you set it in the bit number 6,

89
00:06:00,334 --> 00:06:05,083
and there are two ways of getting this proof of receipt back.

90
00:06:05,083 --> 00:06:09,667
By SMS submit which means by a regular text message which

91
00:06:09,667 --> 00:06:13,999
is sent by our SIM card or by SMS delivery report which

92
00:06:13,999 --> 00:06:19,834
is like a delivery report when you send a text message and you want to know

93
00:06:19,834 --> 00:06:24,918
if the target person has received your text message.

94
00:06:26,751 --> 00:06:29,083
So again, we have this structure.

95
00:06:29,083 --> 00:06:31,083
And we need to fill in the elements.

96
00:06:31,667 --> 00:06:35,999
The user data header the protocol ID, the data coding scheme I have

97
00:06:35,999 --> 00:06:37,999
presented you.

98
00:06:37,999 --> 00:06:39,542
And then the others.

99
00:06:39,999 --> 00:06:43,584
And as you would imagine in order to make this update

100
00:06:43,584 --> 00:06:46,334
of the customer support number, you need

101
00:06:46,334 --> 00:06:49,792
to have some proper security keys.

102
00:06:50,083 --> 00:06:56,834
But if you look at this example, you will see that ciphering keys that are KIC

103
00:06:56,834 --> 00:06:59,209
are set to zero.

104
00:06:59,292 --> 00:07:02,999
Because I do not care about ciphering keys at all.

105
00:07:03,125 --> 00:07:04,125
Why?

106
00:07:04,125 --> 00:07:06,626
Because of the security parameter indicator.

107
00:07:06,709 --> 00:07:08,834
If we drill down to this security parameter

108
00:07:08,834 --> 00:07:11,792
indicator you will see the first two bits are set

109
00:07:11,792 --> 00:07:15,584
to 01 meaning that I want to get a proof of receipt, always get

110
00:07:15,584 --> 00:07:17,792
a proof of receipt.

111
00:07:17,999 --> 00:07:20,751
And I want to get it by text message.

112
00:07:20,999 --> 00:07:25,334
So basically when -- if I'm going to send this text comment message

113
00:07:25,334 --> 00:07:30,083
to you, what will happen, it will get to your phone.

114
00:07:30,250 --> 00:07:32,999
The phone will pass it to the SIM card.

115
00:07:32,999 --> 00:07:34,751
The SIM card will try to execute it.

116
00:07:34,834 --> 00:07:38,417
It will see that I don't have any proper security keys.

117
00:07:38,459 --> 00:07:40,834
But in return, it will send me back a text message

118
00:07:40,834 --> 00:07:44,999
without you controlling it, without you even knowing it.

119
00:07:47,542 --> 00:07:51,834
And in order to make sure that how the things are like, here

120
00:07:51,834 --> 00:07:55,834
is the screen shot of a wire shark capture.

121
00:07:55,834 --> 00:08:00,083
And as you see the comment is to send short message.

122
00:08:00,999 --> 00:08:04,999
It has been initiated by the card application toolkit so it

123
00:08:04,999 --> 00:08:08,167
wasn't a human initiated action.

124
00:08:10,125 --> 00:08:14,792
So SIM card automatically replies to the sending number.

125
00:08:14,792 --> 00:08:17,542
There's nothing in your inbox, nothing in your outbox.

126
00:08:17,667 --> 00:08:19,918
Basically you will have no idea that your SIM card has

127
00:08:19,918 --> 00:08:22,626
just sent a text message back to me.

128
00:08:22,792 --> 00:08:27,083
Only if you look at the -- on your bill, on your call records you

129
00:08:27,083 --> 00:08:30,709
will see that sometimes your SIM card has just sent

130
00:08:30,709 --> 00:08:33,417
a text message to someone.

131
00:08:36,709 --> 00:08:38,834
So let's see it in action.

132
00:08:53,501 --> 00:08:57,417
so here I have the destination number.

133
00:08:58,167 --> 00:09:01,751
I have the user data header.

134
00:09:01,876 --> 00:09:05,125
The binary data, the fields that I filled in.

135
00:09:05,542 --> 00:09:07,999
The protocol ID and the data coding scheme.

136
00:09:08,999 --> 00:09:11,209
And I have the target's phone.

137
00:09:11,250 --> 00:09:14,292
On this phone, this is a prepaid phone.

138
00:09:14,292 --> 00:09:18,417
And there is -- it's balance is zero so I have no credit on it.

139
00:09:18,834 --> 00:09:21,375
So it will try to send a text message.

140
00:09:21,375 --> 00:09:24,417
But since it has no balance, I will get a text message

141
00:09:24,417 --> 00:09:29,083
from the carrier saying: Hey, you don't have any credit.

142
00:09:29,083 --> 00:09:30,417
You need to refill.

143
00:09:46,542 --> 00:09:56,083
Now, once I submit this, it says sending.

144
00:09:56,375 --> 00:10:00,417
And there is no way to stop this.

145
00:10:00,417 --> 00:10:01,999
I can't push any button.

146
00:10:02,375 --> 00:10:05,999
The SIM card just sends -- tries to send a text message.

147
00:10:06,792 --> 00:10:11,209
You cannot control it.

148
00:10:11,209 --> 00:10:13,999
It keeps trying to send if I had a look at it I would have -- if I hadn't looked

149
00:10:13,999 --> 00:10:17,334
at it I would have no idea I just did this so if it's in your pocket you

150
00:10:17,334 --> 00:10:21,334
will have no idea your SIM card is trying to send a text message.

151
00:10:22,417 --> 00:10:27,999
And I also got some text messages from my carrier saying you do not have

152
00:10:27,999 --> 00:10:32,292
enough credit for sending SMS to this number.

153
00:10:32,292 --> 00:10:33,999
Please recharge your account.

154
00:10:33,999 --> 00:10:36,999
But I didn't send any text message by myself.

155
00:10:36,999 --> 00:10:38,417
The SIM card tried to do so.

156
00:10:41,584 --> 00:10:45,584
So maybe you will think that okay maybe this

157
00:10:45,584 --> 00:10:51,709
is not something -- I don't know -- important let's say.

158
00:10:51,709 --> 00:10:54,542
I can make your SIM card send the text message back to me.

159
00:10:54,999 --> 00:10:57,292
Well, maybe that's not a big deal.

160
00:10:57,292 --> 00:11:00,626
But let's think on some other way.

161
00:11:17,334 --> 00:11:23,792
Let's say there are services that allows you to send a text message

162
00:11:23,792 --> 00:11:26,209
from any number.

163
00:11:26,542 --> 00:11:28,792
So you can send someone a text message coming

164
00:11:28,792 --> 00:11:31,584
from whatever number you want.

165
00:11:31,999 --> 00:11:35,375
Now, let's say you also have a premium rate number.

166
00:11:35,417 --> 00:11:37,876
International premium rate number and you send

167
00:11:37,876 --> 00:11:40,999
a comment message coming from the premium rate number

168
00:11:40,999 --> 00:11:43,876
to some target phone number.

169
00:11:44,083 --> 00:11:46,125
What will happen, the target phone number

170
00:11:46,125 --> 00:11:51,375
will send back a text message to the premium rate number you have.

171
00:11:51,999 --> 00:11:56,167
So you're paying like a couple of cents for sending a text message.

172
00:11:56,250 --> 00:11:59,125
And in return you get 20 times more.

173
00:11:59,626 --> 00:12:01,999
So it's a pretty good conversion rate, right?

174
00:12:03,375 --> 00:12:09,209
And the target phone as I told you, some phones don't even though that

175
00:12:09,209 --> 00:12:13,999
there is a text message sending in progress.

176
00:12:14,167 --> 00:12:16,999
Even if you keep your eyes on them.

177
00:12:17,250 --> 00:12:21,167
So until you will get your monthly bill, you have no idea you have just sent

178
00:12:21,167 --> 00:12:24,417
text messages to premium rate numbers.

179
00:12:27,999 --> 00:12:31,584
Now let's talk a little bit about HTTP headers.

180
00:12:31,876 --> 00:12:35,751
The easiest way you can think about them is by identifying

181
00:12:35,751 --> 00:12:38,751
the browser you are using.

182
00:12:38,751 --> 00:12:41,999
So if you're browsing from Firefox let's say, that browser

183
00:12:41,999 --> 00:12:45,876
will have HTTP headers if you're browsing from Safari it

184
00:12:45,876 --> 00:12:49,083
will have other headers and so on.

185
00:12:49,584 --> 00:12:52,999
Now, with this in mind, there are some -- most

186
00:12:52,999 --> 00:12:57,792
of the carriers have a mobile page where you can find your

187
00:12:57,792 --> 00:13:03,167
balance, you can change your services, you can download ringtones,

188
00:13:03,167 --> 00:13:05,999
videos and whatever.

189
00:13:05,999 --> 00:13:11,250
This page addresses using am.carrier.com so the carrier name.

190
00:13:11,918 --> 00:13:15,709
If you try to access that page from your computer you

191
00:13:15,709 --> 00:13:19,792
will most probably get something like this.

192
00:13:19,834 --> 00:13:23,751
So they will detect that you're not connected to their network.

193
00:13:23,751 --> 00:13:25,959
And they will tell you: Okay, you have to connect to our network

194
00:13:25,959 --> 00:13:28,667
in order for us to show you the page.

195
00:13:28,999 --> 00:13:34,083
But in some cases, if you pretend to be browsing from a mobile device,

196
00:13:34,083 --> 00:13:37,167
they will display this page.

197
00:13:37,250 --> 00:13:40,999
So what I did was to use Firefox extension called user

198
00:13:40,999 --> 00:13:42,959
agents feature.

199
00:13:43,083 --> 00:13:48,417
And I identify myself as a Nokia 871 phone once I did that

200
00:13:48,417 --> 00:13:54,918
I got the display page the mobile page of the carrier.

201
00:13:55,083 --> 00:13:58,626
But it was just a general page because I was not authenticated so

202
00:13:58,626 --> 00:14:01,292
I could not see any balance.

203
00:14:01,584 --> 00:14:03,709
I could not download any ringtones.

204
00:14:03,709 --> 00:14:04,959
I couldn't do anything.

205
00:14:05,125 --> 00:14:08,999
Well, this is how -- the things where they start

206
00:14:08,999 --> 00:14:11,584
to get interesting.

207
00:14:12,167 --> 00:14:18,083
The operators, the carriers know how to charge based also on HTTP headers.

208
00:14:18,542 --> 00:14:22,959
So the idea was to well sniff all the traffic my phone does and see

209
00:14:22,959 --> 00:14:28,334
if there are any HTTP headers specifically in my phone number.

210
00:14:28,375 --> 00:14:30,250
But I failed that.

211
00:14:30,250 --> 00:14:33,501
Because there weren't any HTTP headers.

212
00:14:33,999 --> 00:14:39,999
Then after some monitoring I found a research paper called privacy leaks

213
00:14:39,999 --> 00:14:45,375
in mobile phone Internet access where he noticed that when someone

214
00:14:45,375 --> 00:14:51,918
from a mobile device was accessing his Web site, that carrier was also sending

215
00:14:51,918 --> 00:14:54,167
the phone number.

216
00:14:54,209 --> 00:14:57,083
So he did a list with all of the HTTP headers that

217
00:14:57,083 --> 00:14:59,792
the carrier was sending.

218
00:14:59,999 --> 00:15:01,542
And published it.

219
00:15:01,542 --> 00:15:06,834
And the carriers no longer -- are no longer sending these HTTP headers.

220
00:15:06,918 --> 00:15:08,125
Okay.

221
00:15:08,125 --> 00:15:09,999
So they are not sending the headers.

222
00:15:09,999 --> 00:15:14,999
But what if I will inject the headers in the traffic?

223
00:15:14,999 --> 00:15:19,417
So I chose a couple of HTTP headers which identified

224
00:15:19,417 --> 00:15:21,999
the phone number.

225
00:15:22,125 --> 00:15:24,375
And as their value, it is the phone number

226
00:15:24,375 --> 00:15:27,999
in international format so with the country code.

227
00:15:28,417 --> 00:15:32,999
So now I can access that mobile page of the carrier from my computer

228
00:15:32,999 --> 00:15:36,999
by identifying myself as a mobile device and I can also

229
00:15:36,999 --> 00:15:41,876
authenticate myself by injecting these HTTP headers.

230
00:15:42,125 --> 00:15:43,918
And what happens now?

231
00:15:43,918 --> 00:15:45,751
I can see anyone else's balance.

232
00:15:45,751 --> 00:15:47,999
I can change their subscription plan.

233
00:15:47,999 --> 00:15:50,999
I can reveal any other account.

234
00:15:50,999 --> 00:15:51,999
And stuff like this.

235
00:15:51,999 --> 00:15:53,959
Whatever carrier allows me to do so.

236
00:15:53,999 --> 00:15:58,250
And some carriers are even tieing up the phone number

237
00:15:58,250 --> 00:16:03,584
with the bank account so you can even see the bank details

238
00:16:03,584 --> 00:16:06,999
of that specific customer.

239
00:16:08,167 --> 00:16:10,542
But I didn't stop here.

240
00:16:12,417 --> 00:16:15,250
Remember when there was a time we had to call the Internet

241
00:16:15,250 --> 00:16:17,083
with our phones?

242
00:16:17,167 --> 00:16:20,709
Well, I was surprised to see that there are still carriers who

243
00:16:20,709 --> 00:16:22,667
still have CSD.

244
00:16:22,667 --> 00:16:25,083
So think about it just like a dialup connection

245
00:16:25,083 --> 00:16:26,999
from your phone.

246
00:16:27,125 --> 00:16:29,959
So the carrier has the dial-in number.

247
00:16:30,542 --> 00:16:35,876
You set up a dialup connection from your phone to that number.

248
00:16:35,876 --> 00:16:38,584
And you're browsing the Internet with 9.6 kilobits per second

249
00:16:38,584 --> 00:16:42,876
around 1 kilobyte per second pretty good speed right?

250
00:16:43,209 --> 00:16:47,083
But since it's just a phone call it also has

251
00:16:47,083 --> 00:16:53,999
the vulnerabilities of a phone call, which is are caller ID spoofing.

252
00:16:54,501 --> 00:16:59,167
Now, guess what was my reaction when I first set up that connection

253
00:16:59,167 --> 00:17:02,459
to a Voice over IP provider which was spoofing

254
00:17:02,459 --> 00:17:07,209
my caller ID and then forwarding the call back to the dial-in number

255
00:17:07,209 --> 00:17:09,999
and I was authenticated.

256
00:17:27,375 --> 00:17:29,999
So this is just the target phone.

257
00:17:29,999 --> 00:17:32,209
The screen of the target phone.

258
00:17:32,334 --> 00:17:37,959
And also I have connected mobile phone via Bluetooth because I want

259
00:17:37,959 --> 00:17:42,876
to have a GSM modem attached to my computer.

260
00:17:42,959 --> 00:17:47,999
So first I'm calling myself on my own number.

261
00:17:47,999 --> 00:17:49,083
With my own number.

262
00:17:49,375 --> 00:17:52,999
So this is what it means own number.

263
00:17:54,250 --> 00:17:57,334
So this works then I'm making up the connection

264
00:17:57,334 --> 00:18:00,292
as you see I'm using a pretty old Nokia phone

265
00:18:00,292 --> 00:18:04,083
and I'm connected to the carrier's network.

266
00:18:05,999 --> 00:18:09,999
What is the goal of this?

267
00:18:09,999 --> 00:18:14,209
Is, well, if I do the caller ID spoofing will I be authenticated

268
00:18:14,209 --> 00:18:19,999
like any other user and incur charges to that target account?

269
00:18:21,083 --> 00:18:26,417
So once I'm registering to the network, I'm going to check for my balance

270
00:18:26,417 --> 00:18:32,083
in order to see the initial balance and the after attack balance.

271
00:18:32,125 --> 00:18:36,626
So the current balance is 6.05 euros.

272
00:18:36,999 --> 00:18:40,292
Next I'm going to choose something to download.

273
00:18:40,584 --> 00:18:42,999
And I'm choosing some image.

274
00:18:44,999 --> 00:18:47,792
It goes pretty slow because remember, I'm browsing

275
00:18:47,792 --> 00:18:50,209
with 1 kilobyte per second.

276
00:18:50,209 --> 00:18:56,083
So and also the call goes internationally.

277
00:19:01,083 --> 00:19:02,459
Okay.

278
00:19:02,459 --> 00:19:09,667
I am choosing some image which cost 1.99 euros.

279
00:19:09,918 --> 00:19:12,667
And once I click buy now, I will get a text message

280
00:19:12,667 --> 00:19:14,999
on the target phone.

281
00:19:17,083 --> 00:19:20,959
So the thing worked apparently and it says thank you

282
00:19:20,959 --> 00:19:23,959
for your purchase and so on.

283
00:19:23,999 --> 00:19:29,999
So now I'm going to check again for the balance so previously I had 6.05

284
00:19:29,999 --> 00:19:32,999
and this one cost 1.99.

285
00:19:32,999 --> 00:19:37,125
So now I should have 4.06 euros.

286
00:19:54,209 --> 00:19:58,417
And indeed I have 4.06 euros so I was successful just by spoofing

287
00:19:58,417 --> 00:20:03,417
the caller ID I was authenticated just like any other customer.

288
00:20:18,876 --> 00:20:21,667
Let's talk a little bit about data traffic.

289
00:20:22,459 --> 00:20:26,083
Let's say you have a prepaid account.

290
00:20:26,584 --> 00:20:30,999
And you have some data included in your subscription.

291
00:20:31,584 --> 00:20:34,959
You have no more money on your account.

292
00:20:34,959 --> 00:20:38,999
And you have finished all your data in your subscription, what will happen?

293
00:20:39,209 --> 00:20:42,709
Will you still be able to have data connection?

294
00:20:42,834 --> 00:20:46,709
Well, you will still be able to have data connection.

295
00:20:46,709 --> 00:20:48,999
But the only page you will be able to browse would be

296
00:20:48,999 --> 00:20:51,999
the carriers web page because maybe you want to do

297
00:20:51,999 --> 00:20:55,417
a refill and browse again the Internet.

298
00:20:55,999 --> 00:20:58,999
While I had no more money in my account,

299
00:20:58,999 --> 00:21:05,083
then I thought well what would happen if I performed a DNS query.

300
00:21:05,083 --> 00:21:09,501
So I tried to find the IP address of Google.com and I got a reply

301
00:21:09,501 --> 00:21:13,417
from the DNS that my carrier was using.

302
00:21:13,876 --> 00:21:15,083
Okay.

303
00:21:15,083 --> 00:21:16,083
That works.

304
00:21:16,083 --> 00:21:19,999
But what happens if I use open DNS servers.

305
00:21:19,999 --> 00:21:22,792
And I also got a reply from open DNS servers although

306
00:21:22,792 --> 00:21:27,501
I could not browse any web page but the DNS replies worked.

307
00:21:27,999 --> 00:21:31,792
So then I thought of this: What if I set up a VPN server

308
00:21:31,792 --> 00:21:34,918
on my cable connection at home.

309
00:21:35,125 --> 00:21:38,959
And make that server run on port 53 UDP which

310
00:21:38,959 --> 00:21:42,999
is the DNS port and then set up the VPN connection

311
00:21:42,999 --> 00:21:46,083
from my phone to my server.

312
00:21:46,083 --> 00:21:49,626
So think about it just like a regular VPN connection.

313
00:21:49,709 --> 00:21:54,083
But this VPN server is listening on port 53 UDP.

314
00:21:54,417 --> 00:21:56,334
Guess what happens?

315
00:21:56,334 --> 00:21:58,626
You have free Internet.

316
00:21:58,751 --> 00:22:03,501
(Applause)    BOGDAN ALECU: It and even though I had

317
00:22:03,501 --> 00:22:10,083
the spend limit now with this, the spend limit is gone.

318
00:22:12,334 --> 00:22:14,209
But I didn't stop here.

319
00:22:14,792 --> 00:22:18,083
Since I'm living near the border at home I thought, okay,

320
00:22:18,083 --> 00:22:21,584
what happens if I force my phone to connect to our network

321
00:22:21,584 --> 00:22:24,709
across the border and try the same.

322
00:22:24,959 --> 00:22:27,459
And it also works in roaming.

323
00:22:27,459 --> 00:22:28,459
(Applause).

324
00:22:28,459 --> 00:22:34,125
BOGDAN ALECU: So right now instead of paying $12 per megabyte I'll

325
00:22:34,125 --> 00:22:38,999
let you guess how much I'm paying.

326
00:22:39,334 --> 00:22:40,792
(Chuckles).

327
00:22:41,083 --> 00:22:45,375
BOGDAN ALECU: Next the extra digit.

328
00:22:46,542 --> 00:22:49,751
I'm pretty sure you have here a flat rate plan

329
00:22:49,751 --> 00:22:54,375
with unlimited minutes inside your operator's network.

330
00:22:54,375 --> 00:22:55,792
So if you're from Verizon you'll have unlimited

331
00:22:55,792 --> 00:22:57,667
minutes in Verizon.

332
00:22:57,834 --> 00:23:03,667
But if you call to AT & T, for example, you will not have unlimited minutes.

333
00:23:03,999 --> 00:23:07,083
And you also have mobile number portability.

334
00:23:07,083 --> 00:23:11,417
So you can transfer your current number to a different operator.

335
00:23:11,999 --> 00:23:16,792
Well, let's think of this scenario: You have two mobile

336
00:23:16,792 --> 00:23:21,083
numbers, two phone numbers, a operator.

337
00:23:21,083 --> 00:23:24,999
And you decide to transfer the second number to the B operator.

338
00:23:25,292 --> 00:23:27,834
If you're calling now from the first number

339
00:23:27,834 --> 00:23:31,417
to the second number, you will be charged like calling

340
00:23:31,417 --> 00:23:33,542
across the network from A to B.

341
00:23:33,542 --> 00:23:37,083
But in some cases, if you dial the same second number

342
00:23:37,083 --> 00:23:40,959
but add some extra digits at the end of it, the carrier

343
00:23:40,959 --> 00:23:45,626
will have no idea that the number has been transferred.

344
00:23:45,626 --> 00:23:49,999
So you will be billed like calling inside the same A operator.

345
00:23:51,709 --> 00:23:55,918
And also it also works the other way around.

346
00:23:55,918 --> 00:23:58,999
So if you have two different numbers in two different networks

347
00:23:58,999 --> 00:24:02,876
and you decide to transfer the second number to the A network,

348
00:24:02,876 --> 00:24:05,876
if you're going to call with the extra digit you

349
00:24:05,876 --> 00:24:08,501
will pay more because it will not know it's

350
00:24:08,501 --> 00:24:11,250
in the same network as yours.

351
00:24:11,459 --> 00:24:16,667
So this on this side, it's not so good.

352
00:24:16,667 --> 00:24:20,375
But if you have them on different networks, then it

353
00:24:20,375 --> 00:24:22,999
will be even good.

354
00:24:26,417 --> 00:24:31,501
So let's see how that worked.

355
00:24:39,959 --> 00:24:44,459
So here I have 2077 minutes inside my whole network

356
00:24:44,459 --> 00:24:50,792
and 58 minutes national minutes and international minutes.

357
00:24:51,125 --> 00:24:55,292
So what I'm going to do, I'm going to call a regular ten-digit number,

358
00:24:55,292 --> 00:24:59,999
which has been transferred in the same network as mine.

359
00:24:59,999 --> 00:25:05,501
So it's the second case scenario where I am paying more than I should.

360
00:25:19,250 --> 00:25:34,959
Now I'm going to check again for my balance now I have 2076 minutes

361
00:25:34,959 --> 00:25:48,125
so one minute has gone from the national minute plan.

362
00:25:48,959 --> 00:25:51,083
Now I'm going to dial the same number again

363
00:25:51,083 --> 00:25:54,334
but add two extra digits at the end of it.

364
00:26:01,751 --> 00:26:04,667
I'm going to add 1-5 at the end.

365
00:26:10,834 --> 00:26:12,876
I'm going to hang up.

366
00:26:13,709 --> 00:26:16,125
Check again for the balance.

367
00:26:19,626 --> 00:26:29,626
And now I should have 2075 national minutes but the national minutes have

368
00:26:29,626 --> 00:26:31,918
the same.

369
00:26:31,999 --> 00:26:36,083
And you see it has been deducted from the 57 minutes even though

370
00:26:36,083 --> 00:26:39,375
the number is in the same network.

371
00:26:39,501 --> 00:26:42,292
So I wasn't -- it wasn't deducted from these minutes

372
00:26:42,292 --> 00:26:45,459
but from the minutes to other networks.

373
00:26:48,209 --> 00:26:52,334
And what's even funnier is that on some carriers,

374
00:26:52,334 --> 00:26:56,918
this first when I dial the number, you see it has a P

375
00:26:56,918 --> 00:27:02,834
at the end which means it has been transferred and it has been deducted

376
00:27:02,834 --> 00:27:06,999
my call from the 150 national minutes.

377
00:27:06,999 --> 00:27:10,999
The second time I added two extra digits and this one means unknown so

378
00:27:10,999 --> 00:27:14,792
I've been deducted from the unknown plan.

379
00:27:14,999 --> 00:27:20,876
Which means I get to talk free for this ported number.

380
00:27:20,876 --> 00:27:23,125
Even though I do not have unlimited calls.

381
00:27:26,083 --> 00:27:29,999
If that doesn't work, try with all of the digits,

382
00:27:29,999 --> 00:27:34,250
one carrier was working -- worked with this attack only

383
00:27:34,250 --> 00:27:39,334
if I had used one digit and that digit had to be No.

384
00:27:39,334 --> 00:27:40,334
2.

385
00:27:40,334 --> 00:27:41,375
I have no idea why.

386
00:27:41,375 --> 00:27:43,626
But if I put 2, then it worked.

387
00:27:44,501 --> 00:27:49,083
Well, after reporting this, be the carriers, most of them have fixed it.

388
00:27:49,250 --> 00:27:52,584
So now when I'm calling with the extra digit, I get

389
00:27:52,584 --> 00:27:57,999
a voice prompt back saying you have dialed the wrong number.

390
00:27:57,999 --> 00:28:01,542
So I can no longer dial myself the wrong number.

391
00:28:01,542 --> 00:28:05,334
But how can I make the carrier dial the number instead of me?

392
00:28:05,501 --> 00:28:07,125
Well, it's pretty simple.

393
00:28:07,501 --> 00:28:11,999
My code for wording for all calls and to the -- I put the wrong number

394
00:28:11,999 --> 00:28:16,459
and once the call reaches to that forwarded number your carrier

395
00:28:16,459 --> 00:28:20,999
will successfully dial the wrong number for you.

396
00:28:23,083 --> 00:28:25,334
So it will still work.

397
00:28:27,999 --> 00:28:31,918
As a summary I would like to start with some reply I got

398
00:28:31,918 --> 00:28:34,334
from customer support.

399
00:28:34,501 --> 00:28:37,584
Our technology does not allow unauthorized access.

400
00:28:37,999 --> 00:28:40,999
Occurrence of errors in billing regarding data traffic

401
00:28:40,999 --> 00:28:44,876
or voice is excluded because of their technology.

402
00:28:45,083 --> 00:28:46,709
Okay.

403
00:28:46,709 --> 00:28:47,999
Alien technology?

404
00:28:49,999 --> 00:28:54,375
Test yourself all of this and maybe report into your carrier.

405
00:28:54,999 --> 00:29:01,375
Check if your carrier allows you to disable prememory numbers access.

406
00:29:01,542 --> 00:29:04,751
This way you will at least be protected

407
00:29:04,751 --> 00:29:08,292
from the SIM comment attack.

408
00:29:09,626 --> 00:29:13,375
The carriers can filter all of these SIM toolkit messages

409
00:29:13,375 --> 00:29:18,334
but until now I haven't found any of them that will do this.

410
00:29:18,834 --> 00:29:22,876
Because they could say only allow SIM toolkit messages that are coming

411
00:29:22,876 --> 00:29:27,459
from specific numbers and the other ones, just drop them.

412
00:29:27,999 --> 00:29:30,999
Also, do not rely on the caller ID.

413
00:29:31,083 --> 00:29:36,999
There are still a lot of services that rely on caller ID.

414
00:29:37,083 --> 00:29:41,167
And they consider this as a good authentication.

415
00:29:41,167 --> 00:29:43,999
This is really not proper authentication.

416
00:29:43,999 --> 00:29:45,667
Do a proper authentication.

417
00:29:46,083 --> 00:29:51,792
And an example of some really good authentication.

418
00:30:02,167 --> 00:30:05,250
I don't know why sound is not working.

419
00:30:05,250 --> 00:30:06,250
(Beep).

420
00:30:06,250 --> 00:30:15,417
BOGDAN ALECU: Okay.

421
00:30:15,417 --> 00:30:19,083
I don't know if you're going to hear it.

422
00:30:25,167 --> 00:30:26,626
(Ringing).

423
00:30:32,709 --> 00:30:36,959
Starting with the area code please enter

424
00:30:36,959 --> 00:30:40,999
the number you're calling about.

425
00:30:41,667 --> 00:30:50,999
If you're not a customer -- (Beep).

426
00:30:50,999 --> 00:30:54,375
BOGDAN ALECU: So basically what I'm doing now, I'm calling

427
00:30:54,375 --> 00:30:58,792
the customer support of some carrier in the U.S.

428
00:30:59,167 --> 00:31:02,999
And I'm using Skype because it's free to call 1-800 numbers.

429
00:31:02,999 --> 00:31:04,999
And if you're calling the customer support

430
00:31:04,999 --> 00:31:08,375
from a different network, it will ask you to authenticate

431
00:31:08,375 --> 00:31:11,876
by inputting -- by entering your number.

432
00:31:11,999 --> 00:31:12,999
Your number.

433
00:31:12,999 --> 00:31:13,999
Right?

434
00:31:19,999 --> 00:31:24,999
Main menu for your minutes or usage or your account balance,

435
00:31:24,999 --> 00:31:26,667
press 1.

436
00:31:27,083 --> 00:31:28,667
Payments, 2.

437
00:31:28,959 --> 00:31:30,999
Technical -- all right.

438
00:31:30,999 --> 00:31:31,999
Payments.

439
00:31:31,999 --> 00:31:34,626
Please enter your billing account password.

440
00:31:34,626 --> 00:31:38,250
BOGDAN ALECU: Oh, so it has some kind of protection.

441
00:31:38,250 --> 00:31:39,999
It has the password I need to enter.

442
00:31:39,999 --> 00:31:41,999
Well, what do I have to lose.

443
00:31:41,999 --> 00:31:45,250
Let's enter some passwords, random passwords.

444
00:31:54,918 --> 00:31:58,250
Your entry does not match our records.

445
00:31:58,709 --> 00:32:02,125
BOGDAN ALECU: Maybe better luck next time.

446
00:32:02,125 --> 00:32:04,834
Please press the corresponding keypad number.

447
00:32:10,459 --> 00:32:13,626
Your entry does not match our records.

448
00:32:13,626 --> 00:32:15,459
BOGDAN ALECU: Maybe a third time.

449
00:32:15,459 --> 00:32:27,125
Your current balance is (speaker off mic).

450
00:32:27,542 --> 00:32:28,959
(Applause).

451
00:32:29,083 --> 00:32:34,334
BOGDAN ALECU: So I don't know if we implemented this.

452
00:32:34,334 --> 00:32:35,334
But I love this guy.

453
00:32:35,417 --> 00:32:37,584
Because usually on the third failure attempt you get

454
00:32:37,584 --> 00:32:40,501
kicked out but in this case on the third failure attempt,

455
00:32:40,501 --> 00:32:42,250
they let you in.

456
00:32:42,250 --> 00:32:43,250
(Chuckles).

457
00:32:43,250 --> 00:32:45,083
BOGDAN ALECU: How cool is that?

458
00:32:45,083 --> 00:32:46,584
If I knew that previously, I would have tried it

459
00:32:46,584 --> 00:32:48,626
on some many systems.

460
00:32:48,626 --> 00:32:49,626
Really.

461
00:32:49,792 --> 00:32:52,999
Just enter three wrong passwords and you are in.

462
00:32:53,083 --> 00:32:54,083
Okay.

463
00:32:57,999 --> 00:32:59,375
Okay.

464
00:33:00,999 --> 00:33:06,876
To summarize, this is the good authentication.

465
00:33:07,334 --> 00:33:09,999
So thank you very much for your attention.

466
00:33:09,999 --> 00:33:13,083
I hope you enjoyed all of the things I showed you.

467
00:33:13,083 --> 00:33:15,751
If you have any questions, you can follow me on Twitter,

468
00:33:15,751 --> 00:33:19,250
send me an e-mail address or on my Web site.

469
00:33:19,250 --> 00:33:20,334
Thank you once again.