How to Identify (and contribute) mobile platform vulnerabilities - Building your own SMS/MMS fuzzer

Every time you hand out your phone number you are giving adversaries access to an ever-increasing attack surface. Text messages and the protocols that support them offer attackers an unbelievable advantage. Mobile phones will typically process the data without user interaction, and can (incorrectly) handle a large number of data types, including various picture, audio, and video formats. To make matters worse, in many cases you are relying on the carriers to be your front-line defense against these attacks. Honestly, it sounds like a recipe for remote exploitation.

Complicating the threat to mobile security is the fact that most mobile phone manufacturers end-of-life products at release or shortly thereafter. To further complicate any potential for a secure development life cycle, carriers must be involved in the update process. Vulnerability disclosure is still a new thing for this industry. We hope that, with the growing amount of mobile security research being released, the community will gain a better understanding of the importance of securing these devices.

This past weekend at DEF CON 22, Matt Molinyawe and I presented “Blowing up the Celly - Building Your Own SMS/MMS Fuzzer” to a full house. Clearly, there is a growing interest in mobile phones as an attack surface.

For those interested in researching security vulnerabilities on mobile platforms, the talk focused on the "do-it-yourself" aspect of building your own SMS/MMS fuzzer: exercising this attack surface virtually, using emulators, and on physical devices, using OpenBTS and a USRP. If you are a newcomer to researching mobile platforms, we presented ways to ‘roll your own’ fuzzing framework. We discussed messaging specifications (SMS/MMS/CMAS) and file formats (audio/video/etc.) available for testing. Testing may require less hardware than you imagined. We provided links to emulators and options for scripting and automation. In the end, our bill of goods was a few thousand bucks.

The interest in identifying vulnerabilities in mobile platforms has never been higher. Our goal is to ensure you have all the details you need to quickly find vulnerabilities and help ensure a more secure ecosystem. As an added bonus, you could even make a few dollars in the process. Just submit your findings to the ZDI, and if accepted, the ZDI will pay you for the findings.

To learn more, consider joining us for our Mobile Pwn2Own competition to be held at the 12th annual PacSec conference, Nov 12-13 in Tokyo. The rules and details are coming soon!
