Wednesday, November 7, 2012

Video: Owning a PC via GPRS/EDGE

We have decided to make public a video that we have used on several talks in the past, demonstrating a network attack against a PC, performed via GPRS/EDGE (which is the important point here), using a fake GSM/GPRS/EDGE base station. The video is available for online viewing at our YouTube channel (direct link here), and for direct download, at our lab.

The point of the video is to show that GPRS/EDGE communications are as easy to intercept, manipulate, and take advantage of, as GSM (voice and SMS) communications, using a fake GSM/GPRS/EDGE base station.

In the past, we have explained the underlying GSM/GPRS/EDGE vulnerabilities and shown this kind of attack, live. If you are interested in this details, check out "A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications" (English) and "Un ataque práctico contra comunicaciones móviles" (Spanish).

With the publication of this video we hope to contribute in creating awareness of this problem, and help organizations realize it is necessary to take into account these weaknesses when performing a risk assessment.

The example shown in the video is a victim PC, running XP SP3 with a version of Java Runtime Environment (JRE) prior to version 6 update 24. The victim connects to the Internet using a 3G/2G modem, getting EDGE service from a rogue base station that the attacker has set up using the open source suite OpenBSC+OsmoSGSN+OpenGGSN+LCR.

The attacker then injects HTML content in the HTTP traffic of the victim, redirecting his browser to the Metasploit exploit "java_codebase_trust". This allows him to get a Meterpreter session in the victim PC, giving him full control over the victim PC.

To demonstrate the control over the victim's PC, the attacker obtains a screenshot of the victim PC. Then, the attacker scrolls up and down through the list of available commands offered by Meterpreter, and the video ends when the attacker invokes a shell (cmd.exe) of the victim PC.

The point of the video is not that this particular java vulnerability, which is quite old, can be exploited by an attacker. The point is that any remote vulnerability that you might have in your systems, either well known or zero day, could be exploited by an attacker using a fake GSM/GPRS/EDGE base station, if you use such communication.

If you want to avoid this path of attack, make sure all of your mobile devices use 3G (UMTS) and (and this is critical) do not accept 2G service (GSM/GPRS/EDGE) under any circumstances, and/or protect all of your network traffic at a higher level.