Blackhat talk: Fuzzing the Phone in your Phone – Charlie Miller and Collin Mulliner
This is the talk that I blogged about earlier about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing.
In their presentation they first looked at SMS. SMS is a building block of the phone system and essential to the working of the modern network, because it is used for all kinds of things. Why is it a good attack surface? There is no firewall, it is processed by all phones, it needs no user interaction, and all you need to send an SMS is a phone number.
So how is an SMS processed? Phones have two processors, the application CPU and the modem, which talk over an (often simulated) serial line. The modem is controlled by a specific set of AT commands. When the modem receives an SMS, it sends an unsolicited AT result code to the CPU. This is what can be fuzzed.
For practical reasons they did not want to send all the SMS messages coming out of their fuzzer over the network. First of all it would cost too much money: during the tests they sent over 500,000 messages. Secondly, if the messages were sent over the air, the network operators would be able to watch the fuzzing going on. Last but not least, they might get into trouble because the tests might actually crash the telcos’ equipment. So for various phones (iPhone, Android and Windows Mobile) they developed a MitM SMS injection application which sits in the middle of the virtual serial line. This gave them a fast way to send messages and free SMS sniffing capabilities as a bonus.
The results still had to be verified in real life, because not all messages can be sent through every mobile network.
It turns out that it is very easy to perform a DoS attack on various phones. While DoS may be a lame attack, it is still a very useful attack.
On the iPhone the bugs are in the section of code that handles concatenated text messages. If a single message gets too big, it is split up into multiple parts. It turns out that these routines act funny when they are presented with the number -1.
If you tell the iPhone to expect -1 message parts, parts of it crash and prevent the phone from working normally. They demoed this attack against a guy from Vodafone who volunteered.
It turns out that if you tell the iPhone to expect a reasonable amount of messages and you then send it message number -1 you get, under the right conditions, the ability to overwrite memory. But, is it possible to exploit the heap via SMS?
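The concatenation bug described above is, at bottom, a missing range check on the part count and sequence number carried in the SMS User Data Header. The following is an added example, not code from the talk or from any phone's SMS stack, of how a reassembly routine can validate those fields before they are ever used as an index. It parses the concatenation information element as 3GPP TS 23.040 defines it (IEI 0x00 with an 8-bit reference, IEI 0x08 with a 16-bit reference); the `Reassembler` class, the `MalformedUDH` exception and the `MAX_PENDING` cap are hypothetical names chosen for this example, and the inputs in the usage are constructed.

```python
# Added, constructed example: a defensive parser and reassembler for
# concatenated SMS.  It is not the talk's code nor any real SMS stack; it
# shows the bounds checks that reject an out-of-range part count or sequence
# number before either can index a buffer.
from __future__ import annotations

from dataclasses import dataclass, field

IEI_CONCAT_8BIT = 0x00   # concatenated SMS, 8-bit reference number
IEI_CONCAT_16BIT = 0x08  # concatenated SMS, 16-bit reference number


class MalformedUDH(ValueError):
    """Raised for any header this code refuses to act on."""


@dataclass
class ConcatInfo:
    ref: int    # reference number shared by all parts of one message
    total: int  # number of parts, 1..255
    seq: int    # this part's position, 1..total


def parse_concat_udh(user_data: bytes) -> tuple[ConcatInfo | None, bytes]:
    """Split TP-User-Data (with TP-UDHI set) into (concat info, payload).

    Returns (None, payload) when no concatenation IE is present.
    Raises MalformedUDH instead of silently accepting bad values.
    """
    if not user_data:
        raise MalformedUDH("empty user data")
    udhl = user_data[0]                      # length of the header that follows
    if 1 + udhl > len(user_data):
        raise MalformedUDH("UDHL exceeds user data length")
    header, payload = user_data[1:1 + udhl], user_data[1 + udhl:]

    info = None
    pos = 0
    while pos < len(header):
        if pos + 2 > len(header):
            raise MalformedUDH("truncated information element")
        iei, iedl = header[pos], header[pos + 1]
        body = header[pos + 2:pos + 2 + iedl]
        if len(body) != iedl:
            raise MalformedUDH("IE length exceeds header")
        pos += 2 + iedl
        if iei == IEI_CONCAT_8BIT and iedl == 3:
            ref, total, seq = body[0], body[1], body[2]
        elif iei == IEI_CONCAT_16BIT and iedl == 4:
            ref, total, seq = int.from_bytes(body[:2], "big"), body[2], body[3]
        else:
            continue                         # some other IE; not our concern here
        # The essential checks.  The bytes are unsigned here, so a value a
        # signed-byte implementation would read as -1 arrives as 0xFF and is
        # rejected by seq <= total unless total is itself 0xFF, in which case
        # it is simply the last of 255 parts and indexes a 255-slot buffer.
        if total == 0 or not 1 <= seq <= total:
            raise MalformedUDH(f"bad part numbering: seq={seq} total={total}")
        if info is not None:
            raise MalformedUDH("duplicate concatenation IE")
        info = ConcatInfo(ref, total, seq)
    return info, payload


@dataclass
class Reassembler:
    """Collects parts per reference number in a fixed-size slot list."""
    MAX_PENDING = 16                         # bound memory held for incomplete messages
    pending: dict[int, list[bytes | None]] = field(default_factory=dict)

    def add(self, user_data: bytes) -> bytes | None:
        """Feed one part; return the full text once every part has arrived."""
        info, payload = parse_concat_udh(user_data)
        if info is None:
            return payload                   # single-part message, nothing to assemble
        if info.ref not in self.pending and len(self.pending) >= self.MAX_PENDING:
            self.pending.pop(next(iter(self.pending)))   # evict the oldest
        slots = self.pending.setdefault(info.ref, [None] * info.total)
        if len(slots) != info.total:
            raise MalformedUDH(f"part count changed for ref {info.ref}")
        slots[info.seq - 1] = payload        # safe: seq was validated against total
        if all(s is not None for s in slots):
            del self.pending[info.ref]
            return b"".join(slots)
        return None


def udh8(ref: int, total: int, seq: int) -> bytes:
    """Build a UDH with one 8-bit-reference concatenation IE (constructed input)."""
    return bytes([5, IEI_CONCAT_8BIT, 3, ref, total, seq])


if __name__ == "__main__":
    r = Reassembler()
    print(r.add(udh8(7, 2, 1) + b"hello "))          # None, waiting for part 2
    print(r.add(udh8(7, 2, 2) + b"world"))           # b'hello world'
    try:
        r.add(udh8(9, 3, 0xFF) + b"x")               # sequence 255 of 3: rejected
    except MalformedUDH as e:
        print("rejected:", e)
```

The point of the `Reassembler` is that the slot list is allocated from the validated `total` and indexed only by a `seq` already known to lie within it, so a crafted header cannot push the write outside the buffer; the `MAX_PENDING` cap additionally keeps a flood of never-completed messages from exhausting memory.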
Via subtle SMS manipulation the heap can be controlled with a “mini heap feng shui”, and actual exploitation is possible, even though it takes about 519 SMS messages (at 1/sec).
There is also a DoS against Android powered phones. Google was notified on June 19 and fixed the vulnerability last week.
Windows Mobile Phone: Any text messages with %n crashes an HTC Windows mobile phone.