During his presentation at the DefCamp 2012 security conference, independent security researcher Bogdan Alecu showed that a flaw in the systems of mobile operators allowed users to have unlimited access to mobile data traffic.
The expert has found that many companies let their customers reach the operator's webpage even after they have used up all the monthly data included in their contract, so that they can still access their user accounts.
However, this access can be exploited by utilizing two different methods.
If the operator doesn’t check the type of traffic that passes through the DNS port, users can set up a VPN server – with a routable IP – on the UDP port 53, which is the same one utilized by the DNS.
By making a connection from the mobile phone (or from a modem connected to a computer) to the VPN server, and by ensuring that all the traffic passes through this VPN tunnel, users can gain unlimited access to the Web.
Although operators can monitor the DNS traffic that passes through the VPN, this traffic is not counted against the quota, because companies allow their customers to make DNS queries in order to recharge their pre-paid cards or to pay for their monthly subscriptions.
The second scenario is the one in which the mobile operator allows only DNS queries on that port and not VPN traffic.
In this case, you need a subdomain that gives you control over the DNS, your own DNS server with a routable IP, and a client and a server for rewriting the traffic.
“On your subdomain, you must configure an address record DNS entry in which you specify the IP allocated to this subdomain. In practice, you must set subdomain.domain.com to point to the IP of your DNS server,” Alecu explained.
“Then, for a subdomain of the previous address (sub.subdomain.domain.com) you set a name server record entry that points to the initial subdomain (subdomain.domain.com). This way, you’re delegating all DNS requests to this subdomain to your DNS server with a routable IP,” he added.
“Once this is set up, all you need to do is find a way to rewrite your request to google.com as a request to the previous sub-subdomain, and to ensure that the reply to the DNS sent by your server encapsulates IP traffic.”
This task can be accomplished with an application called Iodine, which is able to create a DNS tunnel between the client and your server. Some modifications must also be made on the client-side to ensure that all the Internet traffic goes through this DNS tunnel.
So, when you type www.google.com in the web browser, the Iodine client rewrites the request as www.google.com.sub.subdomain.com so that the query reaches the server part of Iodine (your server with a routable IP).
The server encapsulates the content fetched from google.com in its DNS reply, and the client knows how to decode the server's reply in order to display the webpage you want to access.
One noteworthy aspect is that because of the way the DNS works, the connection speed is much lower.
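Operators and enterprise resolver owners can spot the delegated-zone tunnelling described above in their query logs, since the data rides in the leading labels of each name. The following detection sketch is an added example, not code from the presentation or from Iodine; the log lines, the zone names and the thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (client, query name, query type); they are
# not from the article. The long names mimic traffic to an NS-delegated zone.
SAMPLE_LOG = """\
10.0.0.5 www.google.com A
10.0.0.5 mail.google.com A
10.0.0.5 cdn.example.net AAAA
10.0.0.7 paa4mz7rkc2qwh5tv3be9jxlnsg6yd0u.sub.subdomain.domain.com NULL
10.0.0.7 rj2v8n4kqzp6yf0bdtw9lhx3cgsm5aeu.sub.subdomain.domain.com NULL
10.0.0.7 zb7ltq1vmc5kx9dgr0npy4hjw3efsau8.sub.subdomain.domain.com TXT
10.0.0.7 ke3ws9nc6ptz1qmr8xdhfj5vy2aglub0.sub.subdomain.domain.com NULL
10.0.0.7 ye2xdr7gbz0vlnqa9pm5ctkhj4sw1fu6.sub.subdomain.domain.com NULL
"""

RARE_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}  # favoured by tunnels for large replies

def shannon_entropy(s):
    """Bits per character; encoded tunnel payloads sit near the alphabet maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def zone_stats(log_text):
    """Aggregate per registrable domain (last two labels; use a public-suffix list in practice)."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "len": 0.0, "entropy": 0.0, "rare": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, name, qtype = line.split()
        labels = name.rstrip(".").lower().split(".")
        zone, payload = ".".join(labels[-2:]), ".".join(labels[:-2])  # leading labels carry the data
        s = stats[zone]
        s["queries"] += 1
        s["unique"].add(payload)          # tunnel names are unique to defeat caching
        s["len"] += len(payload)
        s["entropy"] += shannon_entropy(payload)
        s["rare"] += qtype.upper() in RARE_QTYPES
    return {z: {"queries": s["queries"], "unique_ratio": len(s["unique"]) / s["queries"],
                "mean_len": s["len"] / s["queries"], "mean_entropy": s["entropy"] / s["queries"],
                "rare_qtype_ratio": s["rare"] / s["queries"]} for z, s in stats.items()}

def tunnel_suspects(log_text, min_queries=3, min_len=20, min_entropy=3.5):
    """Zones whose query names look like encoded data rather than host names."""
    return sorted(z for z, s in zone_stats(log_text).items()
                  if s["queries"] >= min_queries and s["mean_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)

if __name__ == "__main__":
    for zone in tunnel_suspects(SAMPLE_LOG):
        print("possible DNS tunnel zone:", zone, zone_stats(SAMPLE_LOG)[zone])
```

On the sample log only the delegated zone's parent domain is flagged; the benign names have short, low-entropy leading labels. A per-client query rate and a check for non-DNS payloads on UDP port 53 would cover the first, VPN-on-port-53 scenario as well.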
Some of the mobile operators contacted by the researcher claim they are aware of the issue. However, they will not address it unless they discover that the flaw is being abused.
Here is a video of the presentation made by Bogdan Alecu at DefCamp 2012 (Romanian only). You can also check out his work on his Romanian