Thursday, December 29, 2005

Some time ago I published a two-part article (part one, two) on Security Focus on the subject of Bluetooth security. As part of the article I discussed worms that were appearing on mobile phones at that time. I am still active in researching Bluetooth security, but my current attention is more on Symbian OS related aspects than on the communication medium itself, such as Bluetooth. As part of my research I’ve been analysing various worms that appeared on mobile phones, and as part of that analysis I tried to capture some mobile viruses in the wild. Over the period of one month the following mobile malware files were sent to my Bluetooth discoverable device:

0skhpg_o.sis, 1x2iz6bcy.sis, 44wp7kjbxp.sis, e9e7p7gr9v.sis, ohvrl0xy.sis, p39ej_em.sis, w_pp2ercgk.sis, xgjgxj7bu.sis, xix4w39.sis, y9wwx06.sis, yoejh0v0.sis.

That is 11 files in total, which I consider quite a large number. I observed that the perfect place to catch a mobile worm was to stand near the photo printing machines that can print photos from mobile phones. The photos can be transferred via memory card, but they can also be sent via Bluetooth. The most worm-infested locations seem to be the photo kiosks at Plaza Semanggi and Kelapa Gading mall. More than half of these worms were received within 10 m of these places, and in both cases it seems the infected mobile phones were owned by employees working there.

The most common worm was CommWarrior.B (7 files), followed by its earlier version CommWarrior.A (4 files). It’s easy to tell the two apart, as the old version of CommWarrior sends SIS files 30582 bytes in size, while the newer version CommWarrior.B sends SIS files 27162 bytes in size. I haven’t noticed any other mobile worms around. Both CommWarrior.A and CommWarrior.B replicate over MMS and Bluetooth, but due to incompatibilities between MMS systems, Bluetooth seems to be the most effective way of replication for these worms. This makes it very interesting, as the range of Bluetooth on mobile phones is approximately 10 meters. Thus, to get your phone infected you need to be holding it within 10 meters of an infected mobile phone. That sounds pretty much like a human virus; it’s just that instead of sneezing and coughing, mobile viruses prefer to use Bluetooth! The CommWarrior worm originated from Russia, thus it is very interesting to see it appear in Indonesia. Based on that fact we could assume that if some new flu virus appears in Russia, we can expect it to arrive in Indonesia sooner or later. If poorly written mobile viruses can travel from Russia to Indonesia, a real human virus has an even greater chance of travelling that distance.

I still remember a very funny situation related to that. When I went to a doctor after catching flu, I was sitting in the hospital and waiting for my turn. It was quite late and pretty empty, and I noticed some guy sitting behind me and playing soccer on his mobile phone. After a while a file was beamed to my hand phone via Bluetooth. After a quick check I found out that it was CommWarrior.B. So while sitting in a hospital you can catch not only flu or another virus, but also a mobile virus :-) I just hope the guy sitting behind me got flu from me in exchange :-)

One aspect is also interesting to notice. In order to infect a hand phone, the CommWarrior worms require from 3 up to 5 confirmations from the mobile phone user, depending on the model. Thus, the process of infection via Bluetooth looks most of the time like this:

  1. A file is beamed to a mobile phone from an infected mobile phone within Bluetooth range.
  2. The user is asked to accept the file transfer (YES / NO) – mostly on Nokia phones; on the majority of other phones, such as all Sony Ericsson models, the file transfer is accepted automatically.
  3. The user is asked to open the transferred file – (YES / NO).
  4. The user is asked if the application should be installed – (YES / NO).
  5. Optional: The user is informed about the lack of a vendor signature on the file and asked whether to install anyway – (YES / NO).
  6. The mobile becomes infected and starts to spread.

Note: During this process no activity is visible to the owner of the infected mobile phone, except for a change of the Bluetooth icon to transfer mode on some phones.

Einstein said “Two things are infinite: the universe and human stupidity; and I’m not sure about the universe”. This quotation helps to imagine how knowledgeable the people who got their mobile phones infected with CommWarrior are. First, in order to get your mobile phone infected, you need to have Bluetooth enabled and in discoverable mode – a basic rule of mobile security says to disable Bluetooth or set it to non-discoverable mode. Second, you need to accept the Bluetooth beam transfer of a strange-looking file – another basic rule says you should not accept any unexpected file transfers. Third, you need to click YES three or four times in order to install the worm, while seeing a number of warnings that it might not be a good idea to click YES. Thus, I really think there is clearly something wrong with these people. I think the answer could be that warning messages on hand phones are often displayed in English, so some users in Indonesia may not understand the warnings and simply click YES. Some have seen that at job interviews – people just answer YES to every question, like Q: “Where do you live?” A: “Yes!” :-)

Anyway, thanks to their ignorance their phone will drain its battery 30-50% faster, they may receive high bills for MMS sent by the worm, and their phone will be quite unstable and require frequent restarts. They can just feel lucky that the worm didn’t do something else, such as send the message “I placed a bomb at the police station!” to every contact in the mobile phone book :-)

At the end of this post I give you one piece of good news and one piece of bad news. The good news is that, as we can see, the mobile viruses are pretty primitive and require a number of confirmations from the user before being able to infect the phone. This dramatically reduces the infection rate – only the few poor people who like to click YES will get infected. Plus, the worms are also not very destructive. The bad news is that these are just some of the first mobile worms that appeared in the wild, and unfortunately more advanced and destructive worms may appear in the near future. The methods of infection may also become very sophisticated and may not require a single confirmation from the user.

To get more information on CommWarrior and removal instructions, refer to the following sites:

F-Secure-CommWarriorA

F-Secure-CommWarriorB

Symantec-CommWarriorA

Symantec-CommWarriorB

If you are a sadomasochist and would like to infect your phone with a mobile virus, you can download the CommWarrior worm files from here: CommWarriorA, CommWarriorB. I’ve bravely captured these in Jakarta. Download and use at your own risk!

Sunday, December 25, 2005

Wireless Internet access points, also called “hotspots”, are increasingly available at cafes, malls and restaurants within the business districts of Jakarta. The popularity of hotspots is increasing, and more and more business people equip their laptops with wireless cards in order to have access to the Internet while they are away from their desks. If you are a happy owner of a wireless-enabled laptop, you can access your business e-mail, your on-line banking facility and your organization's network while enjoying your lunch at a restaurant. This certainly sounds exciting and user-friendly, yet are there any negative aspects of this new technology? This text presents the results of my investigation in this area, and explains how malicious hackers can access the Internet on commercial hotspots while real customers are paying for the connection.

A few weeks ago, a friend of mine told me about a problem related to his use of a wireless hotspot service in Jakarta. As a happy owner of a laptop with a wireless card, he started to use the commercial wireless hotspot service provided by one of the local ISPs (Internet Service Providers) – unfortunately no free wireless is available at the mall near his office. The service is charged per minute and the price is within an acceptable range compared to the ridiculously high fees charged by GPRS or CDMA service providers. Everything seemed to work fine for the first month, but then my friend noticed some irregularities in his use of the wireless hotspot service and its cost. So to speak, the cost of the service seemed to be double what he thought he had actually used. Surprisingly, the ISP didn’t seem at all interested in this customer’s concern and simply answered “there is no problem with our service”, so he asked me if I could help. Since the security of wireless communication has been within my interest for quite a long time, I decided to investigate.

Ground-Zero

For a preliminary testing ground we chose a well-known mall in central Jakarta. The place has quite a few restaurants and cafes with commercial wireless hotspot service available, plus there are many offices around and you can often see people using their laptops during lunch time.

On the day of testing, we were equipped with two IBM ThinkPad laptops running Windows XP Professional, with the tools used in this article preinstalled. I realise most of you elite 31337 hackers would call me a total lamer for using Windows XP, so let me explain. To make the basics of wireless security easier to understand, and to make it less likely that someone says “our systems are secure”, I decided to use Windows XP. Additionally, I also want to show the simplicity of the techniques presented here. Thus, if you are an advanced computer user or expert, please keep in mind that this text is targeted at less experienced computer users.

Let's start

While sitting at one of the cafés I fired up my laptop and discovered several wireless networks available. Two of these hotspots were providing commercial wireless access service, one of which was often used by my friend. I connected to this wireless hotspot, ignored the warnings displayed by Windows XP about the insecurity of the wireless network I was on, and simply tried to connect to www.google.com.

As expected, an ISP web-site popped up with the information that I needed to log in with my username and password in order to use the service. At the same time my friend, using his laptop, logged in to the site and browsed through some web-sites.

I disconnected from the wireless network and connected back several times, until this message box appeared on my screen:

Figure 1: IP Address Conflict Warning.

The same warning appeared on my friend’s laptop, which was obviously a conflict of IP addresses between our laptops. This was very surprising, as the IP address was supposed to be assigned automatically by a DHCP server, which should normally prevent two computers on the network from having the same IP. I ignored the message and tried to connect to www.google.com. To my even greater surprise, I was successfully connected – without any authentication to the ISP hotspot.

Meanwhile, my friend could not connect anywhere and disconnected from the network. By simply connecting to and disconnecting from the network I could get “free” access to the Internet through a commercial hotspot! Now the question was whether my friend was paying for this connection. I continued to use this Internet access for half an hour, checking my e-mail and reading news, after which we checked the status. Clearly, I was using the Internet on my friend’s account, and he was not happy about it. Well, frankly he got MAD. He remembers seeing the IP conflict warning several times, which could be the first clue explaining why he was paying more for the hotspot service than he should. Apparently, there was some bug in the hotspot application that allowed this to happen.

All very interesting, but we also wanted to know if this problem affects only this particular hotspot or other hotspots of the same ISP as well. For this reason we moved to another mall in central Jakarta – we got the list of hotspots from the ISP web-site, thanks guys!

Initial analysis

The approach used previously, tested on the other hotspot of the same ISP, did not produce the same result. This indicates that the DHCP issue might only be affecting one hotspot. However, since we didn’t get the IP conflict automatically, the interesting idea was to try to reproduce it manually and get access to the Internet that way.

In order to do that I had to capture data traffic from the wireless network and identify the IP addresses of other hosts (laptops) currently active on the network. One of the best tools that can help is a network protocol analyzer called Ethereal (www.ethereal.com). Ethereal is free and provides advanced methods of analysing packets captured from LAN, wireless or other networks. Yet, to be able to capture packets from the network, WinPcap (www.winpcap.org) must be installed on our system – it may also come packaged together with Ethereal. In our tests we used Ethereal version 0.10.6 (there is already a newer version available).

I ran Ethereal, configured it to capture packets from the wireless interface (Capture -> Interfaces) [Figure 2], configured the interface to show packets in real time [Figure 3] and started to capture the packets – the screenshot provided here is just a sample, so on your PC the interface will most likely be different.

Figure 2: Choose the wireless interface to capture packets.

Figure 3: Configure the packet list to update in real time.

After a few minutes of collecting packets from the wireless network I had a list of other wireless clients that could be using the service, as well as data transmitted through the wireless network I was using. While I was capturing the data from the network, my friend was again using the hotspot Internet access to browse web-sites.

Figure 4: Identify the IP address and MAC address of other clients on the network.

Based on the data traffic I identified five different wireless clients on the wireless network, including my laptop and my friend’s laptop, which I identified by the MAC address (a unique 6-byte identifier of each network card) of his wireless card. The screenshot above [Figure 4] shows two different clients on the network: one with an IP ending *.*.147.223 and the other with an IP ending *.*.147.132 (Note: The full IP address was hidden in the presented screenshots to protect the identity of the insecure ISP and save them embarrassment). Based on the MAC address (in the screenshot "Destination address 00:0e:35:46:2c:**") I identified the IP address of my friend’s laptop (Dst Addr: *.*.147.223 under Internet Protocol).

Knowing his IP address from the data traffic, I manually changed the IP address of my wireless network interface [Figure 5] to the one set on my friend’s laptop (*.*.147.223). After the change, the familiar message box [Figure 1] appeared, indicating an IP conflict between our laptops.

Figure 5: Manually configuring the IP address of the network interface.

Again, I could freely access the Internet from my laptop and my friend had to pay for it. I didn’t even need his username and password to get an Internet connection, only his IP address captured from the wireless traffic. Thus, to access the Internet through a wireless hotspot without paying, one simply needs to change the IP address of the wireless interface to the IP address of any user who is already logged in to the hotspot ISP. The obvious conclusion was that this simple technique could easily be repeated by malicious hackers who want to use Jakarta’s commercial wireless Internet hotspots for “free”. It is also important to notice that the unaware hotspot customers will pay for that connection. Or, if they are aware, the answer of the ISP is always the same: “Our networks are secure”. Yes, yes … we see that indeed.

Another ISP

The ISP providing the hotspot service we tested before is known for ignoring basic security measures and leaving its customers vulnerable to all sorts of hackers. Anyway, this type of attitude is fairly common in Jakarta, as many major companies leave their networks completely insecure and simply don’t care about the privacy of their customers. Just out of curiosity we wanted to see if other commercial hotspots around are as vulnerable as the one we tested, or whether this single ISP is just that ignorant about security.

First we discovered two other hotspots at the location, connected to one and tried to connect to www.google.com. As expected, a login page appeared and we had to type a username and password to access the Internet. The hotspot reconnecting technique didn’t work, so I continued the analysis by capturing packets using Ethereal (the method described earlier in this text).

Using the previously described method, I browsed through the data captured from the wireless traffic and, based on the information provided by Ethereal, I noted the IP addresses (Dst Addr: * under Internet Protocol in Ethereal) and MAC addresses (Destination address under IEEE 802.11 in Ethereal) of clients on the network – refer to the previous screenshot [Figure 4].

In the next step I changed my IP address to the IP address of another client on the network, which generated the familiar IP address conflict warning message. Next, I tried to connect to www.google.com and, unfortunately, the connection was forbidden. It looked like this ISP had already anticipated such a threat and the hotspot verifies not only the IP address but also the MAC address, which should be unique for each wireless card. Sounds secure, but is it really secure?

In fact this so-called security measure can be pretty weak. This is mostly due to the simple fact that any user connected to the wireless network can, by capturing data traffic, obtain the IP addresses of other wireless clients as well as the MAC addresses of their wireless cards – and those often include users who are already permitted to access the Internet. And, as may surprise some of you, the MAC address of a wireless card can also be changed. Thus, one can change the MAC address of a wireless card to the MAC address of another user on the network who is already permitted by the hotspot to access the Internet. In this way the connection filters on the hotspot are bypassed and access to the Internet is gained.

So, how does one change the MAC address of a wireless card under Windows XP? The simplest method of changing a wireless card’s MAC address under Windows is to use a small application called Macshift – it can be downloaded from here. This little application provides a very comfortable way of changing the MAC address of a wireless or LAN card under Windows XP.

Using this tool, we can for instance change our wireless interface named “Wireless Network Connection” [Figure 6].

Figure 6: Sample Wireless Interface under Windows XP.

But before we change it, let’s first check the current MAC address of our wireless interface. To see the current MAC address we can run the following command from the command prompt:
C:\> ipconfig /all
The sample result of this command is presented below:

Figure 7: MAC address.

In the output of the ipconfig command we can see several network interfaces. There are two wireless interfaces, WiFi-Compaq and Wireless Network Connection, and one LAN interface that is not visible in the above screenshot. For the purpose of the test I use the Wireless Network Connection interface, which, as we can see, currently has the MAC address 00-0E-3F-78-EF-99 assigned.

In order to change the MAC address of this interface I had to use macshift. The following command syntax applies:
C:\> macshift NEW_MAC_ADDRESS -i "Interface Name"
Accordingly, to change the MAC address of our Wireless Network Connection interface to 00-0E-35-78-77-77, I had to execute the following command:
C:\> macshift 000E35787777 -i "Wireless Network Connection"
The result of the command execution is visible in the screenshot above [Figure 7]. Macshift changed the old MAC address 00-0E-35-78-EF-99 to the new MAC address 00-0E-35-78-77-77 and restarted the interface. This change is not permanent and will only be active until the next restart of your Windows XP.

At this point all other devices on the wireless network will see our network card with this MAC address. If another wireless card with the same MAC address was already connected to the network, we will certainly conflict with that card. The effect may be quite unpredictable; usually our connection will be a bit unstable until one card disconnects. However, if the card whose MAC address we are using previously had access to the Internet through the hotspot, we should be able to access the Internet as well, despite the filter.

Just as predicted, the other hotspot, from a different ISP, that we tested was vulnerable to this attack, and again, if someone decides to use this technique to gain access to the Internet, the client currently using the hotspot service will most likely pay for it.

Clearly, the security of commercial hotspots in Jakarta is very weak, and the worst issue is that customers of these hotspots can easily become victims of malicious hackers.

In a very brief summary, the following method can be used by malicious hackers to access the Internet through commercial hotspots without paying:
  • Changing the IP address of the wireless card to the IP address used by the laptop of a user authenticated to the hotspot,
  • Optionally, if necessary, changing both the IP address and the MAC address of the wireless interface to the IP address and the MAC address of the wireless interface used by the laptop of a user authenticated to the hotspot.
There are certainly many other hotspot vulnerabilities that could be used to access the Internet without paying. I’ll probably present them after the ISPs fix these current vulnerabilities, which I believe will take months.
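The IP conflict described above is also visible from the hotspot side, which is where the ISP should be catching it. The following Python is an added example, not code from the original post and not the ISP’s or Ethereal’s: it compares a DHCP lease table with the (source MAC, source IP) pairs a gateway sees on the air, and flags an IP used by a MAC it was never leased to, or shared by more than one MAC. The lease table, addresses and frames are constructed sample data.

```python
"""Defender-side check for the hotspot IP hijack described in the post.

Constructed sample data, not a real capture: a DHCP lease table and a few
observed (time, source MAC, source IP) pairs, as a gateway could log them.
"""
from collections import defaultdict

# Constructed lease table: which MAC the hotspot's DHCP server gave each IP.
DHCP_LEASES = {
    "10.0.147.223": "00:0e:35:46:2c:01",  # authenticated, paying customer
    "10.0.147.132": "00:0e:35:46:2c:02",
    "10.0.147.140": "00:0e:3f:78:ef:99",  # second laptop with its own lease
}

# Constructed observed traffic: (seconds, source MAC, source IP).
FRAMES = [
    (0, "00:0e:35:46:2c:01", "10.0.147.223"),
    (1, "00:0e:35:46:2c:02", "10.0.147.132"),
    (5, "00:0e:3f:78:ef:99", "10.0.147.140"),
    (9, "00:0e:3f:78:ef:99", "10.0.147.223"),   # static IP copied from customer
    (10, "00:0e:35:46:2c:01", "10.0.147.223"),  # customer still sending too
    (12, "00:0e:35:78:77:77", "10.0.147.223"),  # changed MAC, still no lease
]


def detect(leases, frames):
    """Return (time, kind, ip, mac) alerts, in the order they are raised.

    LEASE_MISMATCH: the IP was leased to a different MAC (or never leased),
                    i.e. somebody configured it by hand.
    IP_CONFLICT:    a second MAC started using an IP another MAC already
                    uses, the situation behind the Windows "IP address
                    conflict" box mentioned in the post.
    A client that copies both the IP and the leased MAC passes both checks;
    that case needs the hotspot to tie the session to an encrypted link,
    not to addresses anyone on the air can read.
    """
    alerts = []
    macs_per_ip = defaultdict(set)
    for ts, mac, ip in frames:
        if leases.get(ip) != mac:
            alerts.append((ts, "LEASE_MISMATCH", ip, mac))
        if mac not in macs_per_ip[ip]:
            macs_per_ip[ip].add(mac)
            if len(macs_per_ip[ip]) > 1:
                alerts.append((ts, "IP_CONFLICT", ip, mac))
    return alerts


def hijacked_ips(alerts):
    """IPs whose paying customer should be warned (and not billed further)."""
    return sorted({ip for _, kind, ip, _ in alerts if kind == "IP_CONFLICT"})


if __name__ == "__main__":
    found = detect(DHCP_LEASES, FRAMES)
    for ts, kind, ip, mac in found:
        print(f"t={ts:>3}s {kind:<14} ip={ip} mac={mac}")
    print("hijacked:", hijacked_ips(found))
```

Run against the constructed frames it raises four alerts, all for the customer’s IP, starting at the frame where the second laptop first sends with that address.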

Conclusion

Considering the fact that the vast majority of wireless hotspots in Jakarta seriously lack security, I would seriously advise you to reconsider using this service for anything more than reading Internet news – unless you perfectly understand the use of SSL encryption or encrypted tunnelling through SSL/SSH.

Clearly, the majority of ISPs in Jakarta are ignorant about security and leave their customers vulnerable to attacks by malicious hackers. If you use such a service, face the fact that your wireless connection is insecure and not encrypted, thus any user with a wireless card can capture the information you wirelessly send and receive! This may include your passwords, your e-mails and other sensitive information that might be pretty useful to hackers. Also, it’s important to notice that the problem is not in the wireless technology but in its poor implementation.

As for the legal aspect of running an insecure hotspot service, you may find more in the following article.

Credits:
  • Great Indonesian Arabica coffee producers, brewers etc. – keep up the good work guys, allowing me to work late nights,
  • Authors of Ethereal,
  • Nathan True – author of Macshift,
  • Authors of the WinPcap library,
  • All the Jakarta ISPs that don’t consider the safety of their customers as anyhow important.

Disclaimer:

The information presented here is intended to make consumers of commercial wireless hotspots aware of the potential problems related to the use of such services, which the Internet service providers don’t inform them about. Do not try to use the techniques described here on real commercial hotspots, as it “may” be considered illegal – the uncertainty being due to the lack of a cyber law in Indonesia. Any use of the techniques described here is at your own risk!

I decided to start my blog. This is the first post!
