Spoofing your Identity
Breaking Self Service Security Mechanisms
IT-SeCX 2016 04/11/2016
@slashcrypto
~$ id
• David Wind
• Bachelor's degree in IT Security from the University of Applied Sciences St. Pölten
• Currently doing a Master's in Information Security
• Working for XSEC in Vienna (mainly doing Pentesting)
• Privacy enthusiast and bug bounty hunter
“Self Service Security Mechanisms”
© by slashcrypto
Self Service Security Mechanisms
• Password reset
– Email
– Voice call, SMS
– Security question
• 2 Factor Authentication
• ...
Basically everything that can be used to identify you without a human in the loop.
Bugs affecting SSSM
● 6-digit PIN sent via SMS or e-mail (1,000,000 possible values)
● Rate limiting on facebook.com
– Blocked after 10-12 attempts
● No rate limiting on beta.facebook.com and mbasic.beta.facebook.com
– Same PIN, same back end, so the PIN can be brute-forced through the beta hosts
Facebook Password Reset PIN Brute Force
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
● Attacker initiates a password reset
● eBay leaks the “secret” reset token to the attacker
What could possibly go wrong?!
eBay Password Reset Vulnerability
http://yasserali.com/how-i-could-change-your-ebay-password/
Sequence diagram (participants: Alice, eBay, Mallory):
1. Forgot password
2. Username/Email
3. Password reset link
4. Alice clicks the link
5. Mallory intercepts the request and saves the “secret” token
6. Mallory changes the password
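Added example (not code from the talk, from Facebook or from eBay) of a reset back end that closes both holes described on the last two slides. For the PIN path, the attempt counter lives in the same record as the PIN, so every front end (www, beta, mbasic) shares one limit and the PIN is burned after it; trying all 1,000,000 six-digit values then cannot succeed. For the link path, the token is stored hashed, bound to the account it was issued for, expires, and is accepted once, so a token that leaks to Mallory does nothing against Alice's account. ResetStore, the limits and the in-memory dicts are assumptions that stand in for a real database.

```python
import hashlib
import hmac
import secrets
import time

PIN_MAX_ATTEMPTS = 10        # assumption; the talk quotes 10-12 on facebook.com
TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links are valid for 15 minutes


def _h(token):
    """Store only a hash so a database leak does not hand out live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    """Account-recovery state. The attempt counter is kept with the PIN record,
    so every front end that checks PINs shares the same limit."""

    def __init__(self, now=time.time):
        self.now = now
        self.pins = {}    # user -> {"pin": "123456", "attempts": n}
        self.tokens = {}  # sha256(token) -> {"user": user, "expires": unix time}

    # ---- 6-digit PIN sent by SMS / e-mail ---------------------------------
    def issue_pin(self, user):
        pin = f"{secrets.randbelow(10**6):06d}"  # 1,000,000 candidates
        self.pins[user] = {"pin": pin, "attempts": 0}
        return pin

    def verify_pin_unlimited(self, user, guess):
        """Vulnerable shape: no counter, so every guess is free."""
        rec = self.pins.get(user)
        return rec is not None and hmac.compare_digest(rec["pin"], guess)

    def verify_pin(self, user, guess):
        """Hardened: count first, then compare; burn the PIN at the limit."""
        rec = self.pins.get(user)
        if rec is None:
            return False
        rec["attempts"] += 1
        if rec["attempts"] > PIN_MAX_ATTEMPTS:
            del self.pins[user]              # user must request a fresh PIN
            return False
        if hmac.compare_digest(rec["pin"], guess):
            del self.pins[user]              # single use
            return True
        return False

    # ---- reset link token --------------------------------------------------
    def issue_token(self, user):
        token = secrets.token_urlsafe(32)    # 256 random bits, not guessable
        self.tokens[_h(token)] = {"user": user, "expires": self.now() + TOKEN_TTL_SECONDS}
        return token

    def redeem_token(self, user, token):
        """Accept a live token once, and only for the account it was issued for.
        A token presented for the wrong account is burned as well."""
        rec = self.tokens.pop(_h(token), None)
        if rec is None or rec["expires"] < self.now():
            return False
        return hmac.compare_digest(rec["user"].encode(), user.encode())


def brute_force(user, verify):
    """Try all 6-digit PINs in order; return the number of guesses that was
    needed, or None if the PIN was never accepted."""
    for n in range(10**6):
        if verify(user, f"{n:06d}"):
            return n + 1
    return None


if __name__ == "__main__":
    store = ResetStore()
    store.issue_pin("alice")
    print("no rate limit:", brute_force("alice", store.verify_pin_unlimited), "guesses")
    store.issue_pin("alice")
    print("rate limited: ", brute_force("alice", store.verify_pin))
```

The point of burning a token that is redeemed for the wrong account is that a leaked token cannot be replayed against its rightful owner once Mallory has tried it; Alice simply requests a new link.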
What about Spoofing?
Command used in the talk (the envelope sender is set with -f; the From: header the recipient sees is set separately with -o message-header):
sendEmail -f "[email protected]" -t [email protected] -u "Noten" -s mail.XXX.XXX -o tls=yes -xu [email protected] \
  -o message-header="From: Haag Johann <[email protected]>" -o reply-to="Haag Johann <[email protected]>" \
  -o message-file=email_haag.html -a noten.pdf
● The sender of an e-mail can easily be spoofed
– Check the Sender Policy Framework (SPF) record of the domain!
● Mostly used for spam; normally no impact on SSSM
E-Mail Spoofing
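Added example (not from the talk) of the SPF check the slide asks for, reduced to the mechanisms found in most records (ip4, ip6, include, all) and run against a constructed in-memory zone instead of DNS so it works offline. It also shows the caveat behind the sendEmail command above: SPF only vouches for the envelope domain (-f), while the From: header the victim sees (-o message-header) is a separate field, which is why receivers additionally require the two to align (the DMARC idea; strict alignment shown). Domains, addresses and the "accept" policy are assumptions for the example.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (domain -> SPF record); all made up.
ZONE = {
    "example.at": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.1 ~all",
    "nospf.example": None,   # nothing published: SPF gives the receiver no verdict
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, client_ip, zone=ZONE, depth=0):
    """Evaluate the ip4/ip6/include/all mechanisms of a v=spf1 record for the
    SMTP client address. Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = zone.get(mail_from_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # an IPv4 address never matches an ip6 network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, client_ip, zone, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr, exists would need live DNS; treated as non-matching here
    return "neutral"                     # no directive matched and no 'all' term


def domain_of(address):
    """Domain part of 'Name <user@domain>' or 'user@domain'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def header_from_aligned(envelope_from, header_from):
    """SPF covers the envelope (MAIL FROM / -f) domain only. The From: header
    the user sees is unprotected unless it aligns with that domain."""
    return domain_of(envelope_from) == domain_of(header_from)


def accept_message(envelope_from, header_from, client_ip, zone=ZONE):
    """Strict receiver policy used for this example: accept only an SPF pass
    whose envelope domain also matches the displayed From: domain.
    Returns (spf_result, accepted)."""
    result = check_spf(domain_of(envelope_from), client_ip, zone)
    return result, result == "pass" and header_from_aligned(envelope_from, header_from)


if __name__ == "__main__":
    print(accept_message("bounce@example.at", "Lecturer <noten@example.at>", "192.0.2.5"))
    print(accept_message("attacker@nospf.example", "Lecturer <noten@example.at>", "203.0.113.9"))
```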
Caller ID Spoofing
VoIP
● Business phone services mostly use VoIP to manage calls
● Own phone service within the business
– An open source Private Branch Exchange (PBX) such as Asterisk can be used
– Direct inward dialing (DID) gives every VoIP phone behind the PBX its own externally reachable number
● VoIP made access to the phone network cheap and available to everyone
VoIP (Business)
[Diagram 1: Business PBX with Phone1, Phone2, Phone3 ... PhoneX. The PBX reaches the PSTN through the trunk number 01555888-0; the DIDs 01555888-1, 01555888-2 and 01555888-3 are mapped to the individual phones.]
[Diagram 2: same setup, but the number presented towards the PSTN is 01555777-7 instead of 01555888-0, i.e. a number that does not belong to the business at all.]
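Added example (not from the talk) of the screening a carrier can apply to what the two diagrams show. On a SIP trunk the caller ID is whatever the customer's PBX writes into the From: (or P-Asserted-Identity:) header of the INVITE, so unless the carrier compares that number with the DID block it assigned to the trunk, a phone behind the PBX can present 01555777-7 as easily as 01555888-0. The INVITE messages, the parser and the assumption that the business owns 01555888-0 to 01555888-9 are constructed for this example; how any real operator screens its trunks is not on the slides.

```python
# Numbers the carrier assigned to this trunk (assumption: the 01555888-0..9 block)
TRUNK_DIDS = {f"01555888{d}" for d in range(10)}

# Constructed INVITEs: the first presents a number from the business's own block,
# the second the foreign number 01555777-7 from the second diagram.
LEGIT_INVITE = (
    "INVITE sip:0123456@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Phone X" <sip:01555888-0@pbx.example>;tag=1928301774\r\n'
    "To: <sip:0123456@carrier.example>\r\n"
    "Call-ID: a84b4c76e66710@pbx.example\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SPOOFED_INVITE = LEGIT_INVITE.replace("01555888-0", "01555777-7")
# A PBX may also assert the identity separately from the From: header
SPOOFED_PAI_INVITE = LEGIT_INVITE.replace(
    "Content-Length", "P-Asserted-Identity: <sip:01555777-7@pbx.example>\r\nContent-Length"
)


def parse_sip(raw):
    """Return (request line, {header name lower-cased: value}) of a SIP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # only the first colon separates name and value
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def number_from_uri(value):
    """User part of the SIP URI in a From:/PAI value, hyphens removed."""
    start = value.find("sip:")
    if start < 0:
        return None
    user = value[start + 4:].split("@", 1)[0]
    return user.replace("-", "")


def presented_caller_id(headers):
    """P-Asserted-Identity, if present, is the number the PBX asks the carrier
    to present downstream; otherwise the From: header is used."""
    for name in ("p-asserted-identity", "from"):
        if name in headers:
            return number_from_uri(headers[name])
    return None


def screen_invite(raw, allowed=TRUNK_DIDS):
    """Carrier-side check: (presented number, allowed on this trunk?).
    A real screening step would reject the call or overwrite the number with
    the trunk's main number whenever this returns False."""
    _, headers = parse_sip(raw)
    cid = presented_caller_id(headers)
    return cid, cid in allowed


if __name__ == "__main__":
    for label, msg in (("legit", LEGIT_INVITE), ("spoofed From", SPOOFED_INVITE),
                       ("spoofed PAI", SPOOFED_PAI_INVITE)):
        print(f"{label:13} -> {screen_invite(msg)}")
```

Whether a carrier performs this comparison at all is a policy decision on its side; on a trunk that trusts the customer's asserted identity, the second diagram is exactly what the PSTN sees.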
There is one Problem ...
https://shubs.io/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/
● Enter the victim's phone number
● Request a voice call
– At the same time, call the victim so that the automated call is redirected to voicemail
● Spoof the caller ID to access the victim's mailbox
● Profit
Exploit Flow
Another Password Reset Vulnerability
● 26/09/2016 – Initial report
● 28/09/2016 – Response (won't fix)
● 28/09/2016 – Provided additional context due to the criticality of the issue
● 04/10/2016 – Issue accepted, fix being rolled out
● 04/11/2016 – FIXED
Reporting Timeline
What about Austrian Mobile Network Operators?
● A1 – Not vulnerable
– Bob
– Yess
● DREI – Not vulnerable
● T-Mobile – Vulnerable
– Telering
– HOT
– S-Budget
Voicemail Issues in Austria - TESTED
Service providers and brands on the T-Mobile Austria GmbH network (service provider – brand):
● ATK Telekom und Service GmbH – Allianz SIM
● AVIDO Telekommunikationsmanagement GmbH – Avido
● DIALOG telekom GmbH & Co KG – dialog
● HoT Telekom und Service GmbH – HoT
● LTK Telekom und Service GmbH – LIWEST Mobil
● Mundio Limited – Delight mobile
● Mundio Mobile Austria Limited – Vectone
● Russmedia IT GmbH – VOLmobile
● Tele2 Telecommunication GmbH – Tele2 Mobile
● T-Mobile Austria GmbH – T-Mobile
● T-Mobile Austria GmbH – tele.ring
● T-Mobile Austria GmbH – s-budget
https://www.rtr.at/de/inf/KBericht2015/K-Bericht_2015.pdf
~ 3.5 mil. users affected
Austrian mobile network operators – market share Q4 2015:
● A1 – 40.50%
● T-Mobile – 28.00%
● Hutchison – 27.90%
● Others – 3.60%
● Set a voicemail password
● Require user interaction before the code is read out (a voicemail system cannot press a key)
– “Press # if you want to hear the security code”
● Configure a long welcome message, so the code is spoken before the recording even starts
Possible Mitigations
● Mobile network security is poor (nothing new)
– The voicemail issue is still widespread
● Automated voice calls are a security risk for SSSM
● Be aware that it is not too hard to spoof your identity
Conclusion
Q&A
@slashcrypto
slashcrypto.org for the slides